How to configure Snare Agents for QRadar


SUMMARY

The configuration settings are outlined below for sending events to IBM's QRadar from:

  • Snare Enterprise Agent for Windows

  • Snare Central Server Reflector

Snare Enterprise Agent for Windows

From your Snare Enterprise Agent, navigate to the Destination Configuration page and update the following settings:

  • Under Network Destinations set:

    To send logs to QRadar via Snare Central:

    • Domain/IP to your Snare Central destination

    • Port to 6161

    • Protocol to UDP or TCP (recommended)

    • Format to SNARE

    To send logs directly to QRadar:

    • Domain/IP to your QRadar destination

    • Port to 514

    • Protocol to UDP or TCP (recommended)

    • Format to SYSLOG (RFC3164) or other. LEEF may be used, though the Port will require updating.

  • Under Hostname Options set:

    • Select the Host IP As Source checkbox. On saving the page, the Override Hostname field will be populated.

  • Select Update Destinations to save your page settings.

  • Click the Apply Configuration & Restart Service menu item to update the registry.

Snare Central Server

The Snare Central Server Collector / Reflector is a very flexible tool for filtering and editing event log data. It is capable of filtering events on a per-destination basis. It can convert data from one format to another, and it can even modify the event information on the fly to suit your target SIEM server or syslog destination.

Navigate to System : Administrative Tools : Configure Collector/Reflector and select Settings > Destinations. Update the following:

  • Enter the destination FQDN or IP address

  • Type in 514 for Port

  • Select TCP for Protocol to ensure no events are lost

  • Select Destination Format QRadar

  • Apply filtering or data tagging in the additional fields as needed

When sending logs to Snare Central to be reflected on to QRadar, send them from the Agent in SNARE format to Snare Central, then use the QRadar destination format on the reflector as above. The Agent should also use the host IP as a source override, as this makes it easier for QRadar to parse out the logs from the reflector and attribute them to the originating host rather than to the reflector.
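A quick way to confirm that the Host IP As Source override has taken effect is to look at the HOSTNAME field of the syslog lines arriving at the QRadar side. The script below is an added example, not part of the Snare or QRadar documentation; it assumes the agent's SYSLOG (RFC3164) format produces a standard RFC 3164 header (`<PRI>Mmm dd hh:mm:ss HOST MSG`) and that the override places the host IP in that HOST position. The sample lines are constructed.

```python
import ipaddress
import re

# RFC 3164 header: <PRI>, "Mmm dd hh:mm:ss" (day space-padded), HOSTNAME, message.
# Assumption: this is the layout the agent emits for Format "SYSLOG (RFC3164)".
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def parse_rfc3164(line: str):
    """Return facility, severity, timestamp, host and msg, or None if malformed."""
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group("ts"), "host": m.group("host"), "msg": m.group("msg")}

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit_sources(lines: list[str]) -> dict[str, list[str]]:
    """Bucket events by whether HOSTNAME is an IP (Host IP As Source applied),
    a name (override missing, so QRadar may attribute the event to the reflector),
    or unparseable."""
    out = {"ip_source": [], "name_source": [], "malformed": []}
    for line in lines:
        ev = parse_rfc3164(line)
        if ev is None:
            out["malformed"].append(line)
        elif is_ip(ev["host"]):
            out["ip_source"].append(ev["host"])
        else:
            out["name_source"].append(ev["host"])
    return out

# Constructed sample lines: two agents with the override set, one without, one junk line.
SAMPLE = [
    "<13>Jan  5 10:15:01 10.1.2.30 MSWinEventLog\t1\tSecurity\t17\t4624 ...",
    "<13>Jan  5 10:15:02 10.1.2.31 MSWinEventLog\t1\tSecurity\t18\t4625 ...",
    "<13>Jan  5 10:15:03 WS-ACCOUNTS01 MSWinEventLog\t1\tSecurity\t19\t4672 ...",
    "not a syslog line",
]
```

Any host that lands in `name_source` is an agent (or reflector) whose override is not applied and is worth revisiting in the Hostname Options above.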