Snare Reporting large number of events of type 5156


With the Snare Enterprise Agent for SecureWorks, the Agent does not control the Windows audit policy; it operates strictly in collection mode. The standard Snare Enterprise Agent can likewise be run with its audit-control option disabled. In that configuration the Agent's objectives are what determine which events are sent to the SecureWorks destination and which are filtered out, and the Agent does exactly what those objectives instruct.

SUMMARY

In order for the Agent to send logs to the destination, it must have network access to reach that destination. If auditing is set to report "Success" for "Filtering Platform Connection", an event (ID 5156) is created whenever a process on the system successfully opens a network connection. The problem is that the Snare service, in reporting an event it has seen in the log, must itself open a network connection to deliver that event, which in turn creates a "Filtering Platform Connection Success" event that Snare will also report. As you can see, this creates a feedback loop of overhead.
 
So, to prevent these excess events, it is recommended that the "Success" option under "Filtering Platform Connection" be unchecked.
 
Having this option set is somewhat redundant anyway, as the Windows Firewall log would already be capturing these connections.
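The following PowerShell script is an added example and is not part of the original article or of the Snare product; it assumes an elevated PowerShell session on the Windows host running the Agent. It shows the current audit setting for the subcategory, measures how many 5156 events were written in the last hour and which processes produced them (so the loop described above can be confirmed rather than assumed), and then applies the recommended change. The value of `$SnareProcessHint` is a placeholder: substitute a substring of the actual agent executable path from your own installation.

```powershell
# Added example (not part of the original KB article): inspect and correct the
# "Filtering Platform Connection" audit subcategory that produces event ID 5156.
# Assumes an elevated PowerShell session on the Windows host running the Snare agent.
# $SnareProcessHint is a placeholder used to recognise the agent in the 5156
# "Application" field; replace it with a substring of the real agent executable path.
$SnareProcessHint = 'Snare'

# 1. Show the current audit setting for the subcategory.
auditpol /get /subcategory:"Filtering Platform Connection"

# 2. Quantify the noise: count 5156 events from the last hour, grouped by the
#    process that opened the connection (the "Application" field of the event).
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$byApp  = $events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'Application' }).'#text'
} | Group-Object | Sort-Object Count -Descending

"5156 events in the last hour: $(@($events).Count)"
$byApp | Select-Object Count, Name | Format-Table -AutoSize

# Events attributed to the agent itself are the ones produced by the feedback loop.
$selfGenerated = $byApp | Where-Object { $_.Name -like "*$SnareProcessHint*" }
$selfCount     = ($selfGenerated | Measure-Object -Property Count -Sum).Sum
"Of these, generated by the agent's own connections: $([int]$selfCount)"

# 3. Apply the recommendation: stop auditing successful connections.
#    Omitting /failure leaves the failure setting exactly as it was.
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable

# 4. Confirm the change took effect.
auditpol /get /subcategory:"Filtering Platform Connection"
```

If the host receives its audit policy from Group Policy, a local `auditpol` change will be overwritten at the next policy refresh; in that case clear the Success setting in the GPO instead, under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit Filtering Platform Connection. Re-running step 2 an hour after the change is a simple way to verify that the agent-attributed share of 5156 events has dropped to zero.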
 
Please see the links below for some articles and blogs related to the event and the setting:
 
https://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx?tduid=(8c7d3febf7c734509bc7caaa46478d90)(256380)(2459594)(TnL5HPStwNw-sonCeF3ZglJR0hrRIZY1Kw)()
 
https://social.technet.microsoft.com/Forums/windowsserver/en-US/c6a8cab6-6ab8-44ca-97f1-9ab7cd8d1cba/windows-filtering-platform?forum=winserver8gen

https://technet.microsoft.com/en-us/library/dn487458(v=ws.11).aspx
 
https://networksavy.wordpress.com/2011/05/11/windows-filtering-platform-audit-noise/
 
http://actualreverend.blogspot.com/2010/11/windows-auditing-can-be-annoying-shut.html