Intersect Alliance, part of the Prophecy International Holdings Group, is a team of leading information technology security specialists. In particular, Intersect Alliance are noted leaders in key aspects of IT Security, including host intrusion detection. Our solutions have and continue to be used in the most sensitive areas of Government and business sectors.
Intersect Alliance intend to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in the area of IT Security, by simplifying, abstracting and/or solving complex security problems.
Intersect Alliance welcomes and values your support, comments, and contributions.
For more information on the Enterprise Agents, Snare Server and other Snare products and licensing options, please contact us as follows:
The Americas +1 (800) 834 1060 Toll Free | +1 (303) 771 2666 Denver
Asia Pacific +61 8 8211 6188 Adelaide Australia
Europe and the UK +44 (797) 090 5011
Email intersect@intersectalliance.com
Visit www.intersectalliance.com
Event output format
The SnareMSSQL service reads data from the Windows operating system via the Trace Logs. It converts the binary audit data into text format and separates information out into a series of TAB delimited tokens. The token delimiter may not be specified as something other than TAB. A 'token' is simply data, such as 'date' or 'user'. Groups of tab separated tokens make up an audit event, which may look something like this, depending on whether the SnareMSSQL service has SYSLOG header functionality active.
Example:
flash.InterSect.localMSSQLLog2011-01-13 14:56:42.67009.00.139914053MSSQLSERVER/masterINTERSECT\David MohrTextData,-- network protocol: LPC set quoted_identifier on set arithabort off set numeric_roundabort off set ansi_warnings on set ansi_padding on set ansi_nulls on set concat_null_yields_null on set cursor_close_on_commit off set implicit_transactions off set language us_english set dateformat mdy set datefirst 7 set transaction isolation level read committed NTUserName,David Mohr
The format of the event log record is as follows:
Hostname (as entered using the SNARE front end).
Event Log Type. 'MssqlLog' for SNARE for Microsoft SQL Server.
Date and Time. This is the timestamp for when the event was issued.
Version. The version of MS SQL server being monitored.
Event Class. This is the Microsoft SQL Server Event ID, indicating what action was taken.
Event Sub Class. The sub-class provides more specific information about the action undertaken.
SPID. The Session Process ID.
Instance/Database Name. The name of the active database when the event was generated.
UserName. The user that caused the event. This is either a Windows username or a Microsoft SQL Server username
Text. This is the text verbatim from the trace log event. Newlines and Tabs are replaced with spaces.
SnareMSSQL registry configuration description
Details on the audit configuration are discussed in the Audit Configuration section. The purpose of this section is to discuss the makeup of the configuration items in the registry. The SNARE configuration registry key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Intersect Alliance\SnareMSSQL, and this location may not be changed. If the configuration key does not exist, the SnareMSSQL service will create it during installation, but will not actively audit events until a correctly formatted objective(s) is present.
SNARE can be configured in several different ways, namely:
Via the remote control interface (Recommended).
By manually editing the registry (NOT Recommended).
The format of the audit configuration registry subkeys is discussed below.
Registry Path |
Setting Description |
[Config] |
This subkey stores the general agent configuration data. |
Delimiter |
REG_SZ Stores the field delimiting character, ONLY if syslog header has been selected. If more than one char, only first char will be used. If none set, then TAB will be used. This is a HIDDEN field, and only available to those users that wish to set a different delimiter when using the SYSLOG header. This selection option will not be found in the SNARE front end or the web pages. |
Clientname |
REG_SZ If no value has been set, "hostname" command output will be displayed. Must be no more than 100 chars, otherwise will truncate. |
TracePath |
REG_SZ The location where SNARE will store its trace files. |
OutputFilePath |
REG_SZ The location where SNARE will store a local copy of audit events. |
FileExport |
REG_DWORD Determines whether event records should be written to OutputFilePath. Set this value to 1 to enable file logging. Will default to FALSE (0) if not set. |
FileSize |
REG_DWORD The size, in megabytes, of any files written to OutputFilePath. |
TraceSize |
REG_DWORD The size of any trace files written by MS SQL Server |
TraceCount |
REG_DWORD The number of trace files maintained by MS SQL Server |
LookupTimeout |
REG_DWORD The frequency, in minutes, with which the SnareMSSQL agent will recheck the members of any groups specified in the User Search Filter |
Heartbeat |
REG_DWORD The frequency, in minutes, with which the agent will send out a heartbeat message. A value of zero (0) will disable this feature. |
AgentLog |
REG_DWORD A flag determining which Agent Logs should be recorded: Service (1), Trace (2) and Debug(4). |
UseUTC |
REG_DWORD Timestamp logs using Coordinated Universal Time instead of local time if set to 1. |
Registry Path |
Setting Description |
|---|---|
[Objective] |
This subkey stores all the filtering objectives. |
Objective# (where # is an integer number) |
Objectives are of type REG_BINARY and contain an encrypted copy of the individual settings comprising an objective. |
|
|
[Network] |
This subkey stores the general network configurations. |
Destination |
REG_SZ A comma separated list of destinations, which should be a maximum of 100 characters each. It details the IP address or hostname which the event records will be sent (NB: multiple hosts only available in supported agent). |
DestPort |
REG_DWORD The Destination Port number. This value must be in 1-65535 range. Will default to 514 if a SYSLOG header has been specified. |
Syslog |
REG_DWORD Determines whether a SYSLOG header will be added to the event record. Set this value to 0 for no SYSLOG header (default via agent console). Will default to TRUE (1) if not set. |
SyslogDest |
REG_DWORD The SYSLOG Class and Criticality. This value will default to 13 if not set, or out of bounds. |
SocketType |
REG_DWORD Determines the protocol used (0 for UDP, 1 for TCP) |
CacheSizeM |
REG_DWORD The size, in megabytes, of the cache maintained by the SnareMSSQL agent if communication with the network destination is lost (TCP only). |
EncryptMsg |
REG_DWORD Determines if outgoing messages should be encrypted. |
RateLimit |
This value is of type REG_DWORD, and determines the upper limit for events per second (EPS) that the agent will send to server. This feature only appears in supported agents. |
NotifyMsgLimit |
This value is of type REG_DWORD having value 0 or 1, and determines whether to send or not the EPS notification to server (1 means send and 0 means not to send) whenever agent reaches EPS RateLimit. This feature only appears in supported agents. |
NotifyMsgLimitFrequency |
This value is of type REG_DWORD, and determines the frequency of events per second notification. The value is treated in minutes and only one EPS notification message is sent to server regardless of how many times agent reaches EPS limit during these minutes. This feature only appears in supported agents. |
|
|
[Remote] |
This subkey stores all the remote control parameters. |
Allow |
REG_DWORD Determines the availability of the remote control feature. If not set or out of bounds, will default to 0/NO (ie; not able to be remote controlled). |
WebPort |
REG_DWORD The web server port, if it has been set to something other than port 6161. It is of type REG_DWORD. If not set or out of bounds, it will default to port 6161. |
WebPortChange |
REG_DWORD Set to either 0 or 1 to signal whether the web port should be changed or not. 0 = no change. |
Restrict |
REG_DWORD Determines whether the remote users should be restricted via IP address or not. 0 = no restrictions. |
RestrictIP |
REG_SZ The comma separated list of IP address allowed to access the web interface. |
AccessKey |
REG_DWORD Determines whether a password is required to access the remote control interface. It is set to either 0 or 1, with 0 signifying no password is required. |
AccessKeySet |
REG_SZ Stores a hash of the password. |
Objectives and security event IDs
The SNARE application has a number of built in Objectives. These Objectives have been designed to 'trap' certain Microsoft SQL Server event IDs, allowing the user to easily create some of the more common objectives without having to know the specific event Ids they require. The terms listed with square brackets can be used in the Event ID Search Term.
The following table lists the individual events belonging to each high level event groupMore information on these events can be found at http://msdn2.microsoft.com/en-us/library/ms186265.aspx.
Event ID |
Event Name |
Event Description |
||
Query Tracking [query] |
|
|
|
|
40 |
SQL:StmtStarting |
Occurs when the Transact-SQL statement has started. |
||
41 |
SQL:StmtCompleted |
Occurs when the Transact-SQL statement has completed. |
||
Login/Logout [loginout] |
|
|
|
|
14 |
Audit Login |
Occurs when a user successfully logs in to SQL Server. |
||
15 |
Audit Logout |
Occurs when a user logs out of SQL Server. |
||
20 |
Audit Login Failed |
Indicates that a login attempt to SQL Server from a client failed. |
||
Transaction Tracking [transaction] |
|
|
|
|
50 |
SQL Transaction |
Tracks Transact-SQL BEGIN, COMMIT, SAVE, and ROLLBACK TRANSACTION statements. |
||
181 |
TM: Begin Tran starting |
Occurs when a BEGIN TRANSACTION request starts. |
||
182 |
TM: Begin Tran completed |
Occurs when a BEGIN TRANSACTION request completes. |
||
183 |
TM: Promote Tran starting |
Occurs when a PROMOTE TRANSACTION request starts. |
||
184 |
TM: Promote Tran completed |
Occurs when a PROMOTE TRANSACTION request completes. |
||
185 |
TM: Commit Tran starting |
Occurs when a COMMIT TRANSACTION request starts. |
||
186 |
TM: Commit Tran completed |
Occurs when a COMMIT TRANSACTION request completes. |
||
187 |
TM: Rollback Tran starting |
Occurs when a ROLLBACK TRANSACTION request starts. |
||
188 |
TM: Rollback Tran completed |
Occurs when a ROLLBACK TRANSACTION request completes. |
||
191 |
TM: Save Tran starting |
Occurs when a SAVE TRANSACTION request starts. |
||
192 |
TM: Save Tran completed |
Occurs when a SAVE TRANSACTION request completes. |
||
Use of User Rights – Privileges [user-rights-use-priv] |
|
|
|
|
132 |
Audit Server Principal Impersonation Event |
Occurs when there is an impersonation within server scope, such as EXECUTE AS LOGIN. |
||
133 |
Audit Database Principal Impersonation Event |
Occurs when an impersonation occurs within the database scope, such as EXECUTE AS USER or SETUSER. |
||
170 |
Audit Server Scope GDR Event |
Indicates that a grant, deny, or revoke event for permissions in server scope occurred, such as creating a login. |
||
171 |
Audit Server Object GDR Event |
Indicates that a grant, deny, or revoke event for a schema object, such as a table or function, occurred. |
||
172 |
Audit Database Object GDR Event |
Indicates that a grant, deny, or revoke event for database objects, such as assemblies and schemas, occurred. |
||
112 |
Audit App Role Change Password Event |
Occurs when a password of an application role is changed. |
||
102 |
Audit Statement GDR Event |
Occurs every time a GRANT, DENY, REVOKE for a statement permission is issued by any user in SQL Server. |
||
103 |
Audit Object GDR Event |
Occurs every time a GRANT, DENY, REVOKE for an object permission is issued by any user in SQL Server. |
||
Use of User Rights Data Manipulation Language (DML) [user-rights-use-dml] |
|
|
|
|
114 |
Audit Schema Object Access Event |
Occurs when an object permission (e.g. INSERT or UPDATE) is used, successfully or unsuccessfully. |
||
Use of User Rights – Data Manipulation Language (DML) including SELECT |
|
|
|
|
114 |
Audit Schema Object Access Event |
Occurs when an object permission (SELECT) is used, successfully or unsuccessfully. |
||
Use of User Rights- Data Definition Language [user-rights-use-ddl] |
|
|
|
|
113 |
Audit Statement Permission Event |
Occurs when a statement permission (such as CREATE TABLE) is used. |
||
118 |
Audit Object Derived Permission Event |
Occurs when a CREATE, ALTER, and DROP object commands are issued. |
||
Account Admin [account-admin] |
|
|
|
|
104 |
Audit AddLogin Event |
Occurs when a SQL Server login is added or removed |
||
105 |
Audit Login GDR Event |
Occurs when a Windows login right is added or removed |
||
106 |
Audit Login Change Property Event |
Occurs when a property of a login, except passwords, is modified |
||
107 |
Audit Login Change Password Event |
Occurs when a SQL Server login password is changed. Passwords are not recorded. |
||
108 |
Audit Add Login to Server Role Event |
Occurs when a login is added or removed from a fixed server role |
||
109 |
Audit Add DB User Event |
Occurs when a login is added or removed as a database user (Windows or SQL Server) to a database |
||
110 |
Audit Add Member to DB Role Event |
Occurs when a login is added or removed as a database user (fixed or user-defined) to a database |
||
111 |
Audit Add Role Event |
Occurs when a login is added or removed as a database user to a database |
||
Object Access [object-access] |
|
|
|
|
128 |
Audit Database Management Event |
Occurs when a database is created, altered, or dropped. |
||
129 |
Audit Database Object Management Event |
Occurs when a CREATE, ALTER, or DROP statement executes on database objects, such as schemas. |
||
130 |
Audit Database Principal Management Event |
Occurs when principals, such as users, are created, altered, or dropped from a database. |
||
131 |
Audit Schema Object Management Event |
Occurs when server objects are created, altered, or dropped. |
||
134 |
Audit Server Object Take Ownership Event |
Occurs when the owner is changed for objects in server scope. |
||
135 |
Audit Database Object Take Ownership Event |
Occurs when a change of owner for objects within database scope occurs. |
||
152 |
Audit Change Database Owner |
Occurs when ALTER AUTHORIZATION is used to change the owner of a database and permissions are checked to do that. |
||
153 |
Audit Schema Object Take Ownership Event |
Occurs when ALTER AUTHORIZATION is used to assign an owner to an object and permissions are checked to do that. |
||
164 |
Object:Altered |
Occurs when a database object is altered. |
||
173 |
Audit Server Operation Event |
Occurs when Security Audit operations such as altering settings, resources, external access, or authorization are used. |
||
175 |
Audit Server Alter Trace Event |
Occurs when a statement checks for the ALTER TRACE permission. |
||
176 |
Audit Server Object Management Event |
Occurs when server objects are created, altered, or dropped. |
||
177 |
Audit Server Principal Management Event |
Occurs when server principals are created, altered, or dropped. |
||
178 |
Audit Database Operation Event |
Occurs when database operations occur, such as checkpoint or subscribe query notification. |
||
180 |
Audit Database Object Access Event |
Occurs when database objects, such as schemas, are accessed. |
A comprehensive list of events generated by Microsoft SQL Server can be found on the Microsoft Developer Network at http://msdn2.microsoft.com/en-us/library/ms186265.aspx