The Web UI crashes after installation of Snare Windows agent


SUMMARY

Aug 18, 2015

Symptoms

After installation of the Snare agent, when trying to start the agent it crashes.  No web GUI (remote control interface) is displayed.

What to provide your Snare Support team

A debug log is required to assess your issue.  To retrieve the log, open a command prompt as ADMINISTRATOR, navigate to your Snare installation folder (e.g. c:\program files\snare), and type:

>net stop snare
>snarecore -c -d9 > mydebug.log

(let it run for a few minutes, then press Ctrl-C)

>net start snare

Then attach the output, i.e. mydebug.log.

If the debug log contains the following 'Failed to subscribe' error, you may proceed to the resolution; otherwise send the debug log to your Snare Support team:

[Snare 4.2.10](3056 - 30/03/2015 13:42:52): Failed to subscribe to 'Security' events. Error = 0x5

 

Why am I having this issue?

The user/group the Snare service runs as must have at least read access to the Security, System and Application logs. If that user/group cannot access any one of these logs, the agent (currently) exits/crashes.

 

What should I do next?

Run the following commands from an administrative command prompt.

Each command appends its output to the text file sddl.txt:

wevtutil gl application >> sddl.txt
wevtutil gl security >> sddl.txt
wevtutil gl setup >> sddl.txt
wevtutil gl system >> sddl.txt

The output of these commands tells us, in SDDL, which group(s)/user(s) have access to each log source and at what level.  From there we can see what the current permissions are and how to correct them.

For example, analysing the following SDDLs:

Application:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

System:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

Security:

channelAccess: O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0x7;;;SO)(A;;0x1;;;AO)

The simple explanation is that the "Event Log Readers" group does not have access to the Security log; the technical explanation follows.

Note the following SDDL entry (ACE), which DOES NOT exist for the Security log:

(A;;0x1;;;S-1-5-32-573)

For reference, you can look up SID information at the following links: the SID of "Event Log Readers" is S-1-5-32-573 (http://support.microsoft.com/en-us/kb/243330), or use PsGetSid <user/group name> to obtain the SID of any user or group (https://technet.microsoft.com/en-us/sysinternals/bb897417.aspx); 0x1 is the access mask that grants read access (http://www.netid.washington.edu/documentation/domains/sddl.aspx).

Currently (as per the SDDL above), Anonymous logons (AN) are denied access, and only Server Operators (SO) and Account Operators (AO) have access to the Security log.

Resolution

To fix the problem, we must grant the "Event Log Readers" group access to the Security log.  Log in to the machine as administrator and do the following from an administrative command prompt.

  1.  Export the current descriptor:

      wevtutil gl security >> sddl.txt

  2.  Open sddl.txt and copy the text after channelAccess:. With the SDDL captured above, this is:

      O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0x7;;;SO)(A;;0x1;;;AO)

  3.  Append (A;;0x1;;;S-1-5-32-573) to this line, giving:

      O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0x7;;;SO)(A;;0x1;;;AO)(A;;0x1;;;S-1-5-32-573)

  4.  Run the following command at the command prompt (the value after /ca: must be one token with no spaces, otherwise the command line is split into several arguments):

      wevtutil sl security /ca:O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0x7;;;SO)(A;;0x1;;;AO)(A;;0x1;;;S-1-5-32-573)

  5.  To confirm that the SDDL on the Security log has been updated successfully, run the following command again:

      wevtutil gl security

  6.  The channelAccess: value must now be:

      O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0x7;;;SO)(A;;0x1;;;AO)(A;;0x1;;;S-1-5-32-573)

  7.  Install or restart the Snare agent; it should now work.
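As an added example (not Snare's or Microsoft's code), the following Python script performs the SDDL check and repair described above programmatically: it extracts the channelAccess value from wevtutil gl output, parses the ACEs, reports whether the "Event Log Readers" SID (S-1-5-32-573) holds the read bit (0x1) without a matching deny, and builds the corrected descriptor for wevtutil sl. The embedded wevtutil output is constructed; only its channelAccess value is the one quoted in this article.

```python
import re
EVENT_LOG_READERS = "S-1-5-32-573"   # well-known SID of the "Event Log Readers" group
READ_MASK = 0x1                      # access bit that allows reading a channel
_SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)$")
_ACE_RE = re.compile(r"\(([^)]*)\)")

def normalize(sddl):
    """Strip whitespace: SDDL has none, and a space would split the wevtutil /ca: argument."""
    return re.sub(r"\s+", "", sddl)

def parse_sddl(sddl):
    """Return owner, group and DACL ACEs {type, mask, sid}; hex masks only (as wevtutil prints)."""
    m = _SDDL_RE.match(normalize(sddl))
    if not m:
        raise ValueError("not an O:..G:..D: SDDL string: %r" % sddl)
    aces = []
    for body in _ACE_RE.findall(m.group("dacl")):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_object_guid;sid
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append({"type": fields[0], "mask": int(fields[2], 16), "sid": fields[5]})
    return {"owner": m.group("owner"), "group": m.group("group"), "aces": aces}

def has_read_access(sddl, sid):
    """True if sid has an allow ACE carrying the read bit and no deny ACE carrying it."""
    hits = [a for a in parse_sddl(sddl)["aces"] if a["sid"] == sid and a["mask"] & READ_MASK]
    return any(a["type"] == "A" for a in hits) and not any(a["type"] == "D" for a in hits)

def grant_read(sddl, sid=EVENT_LOG_READERS):
    """Article step 3: append (A;;0x1;;;sid) unless sid can already read the channel."""
    clean = normalize(sddl)
    return clean if has_read_access(clean, sid) else clean + "(A;;0x1;;;%s)" % sid

def channel_access(wevtutil_output):
    """Article step 2: pull the channelAccess value out of 'wevtutil gl <log>' output."""
    for line in wevtutil_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "channelAccess":
            return value.strip()
    raise ValueError("no channelAccess line in wevtutil output")

# Constructed sample of 'wevtutil gl security' output; only the channelAccess value is from the article.
SAMPLE_GL_SECURITY = """name: Security
channelAccess: O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0x7;;;SO)(A;;0x1;;;AO)
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx
"""

if __name__ == "__main__":  # prints the step-4 command for the sample descriptor
    print("wevtutil sl security /ca:" + grant_read(channel_access(SAMPLE_GL_SECURITY)))
```

Running it against the article's Security descriptor prints the exact wevtutil sl command from step 4; on a descriptor that already contains the Event Log Readers ACE the descriptor is returned unchanged.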