Modular Objective Templates v8.0.0
The following modular objective templates can be used as a basis for your own objectives.
The objective type may be changed by configuring your objective and selecting 'Change Type' in the top right corner, which displays a list of Objective Types to select from.
Log Type: ACF2Log This objective displays information relating to ACF2 account modifications. ACF2 logs can be collected from an IBM MVS mainframe and analysed using the Snare Central. The logs from the ACF2 mainframe are collected via FTP or SCP file transfer into the /data/SnareCollect/ACF2Log/ directory on the Snare Central.
Log Type: ACF2Log For each CHANGE, DELETE or INSERT, this objective displays the details of the ACF2 changes on an MVS host.
Log Type: ACF2Log The Infostore database (ACF60STO) is a sensitive repository of ACF2 information.
Log Type: ACF2Log This objective displays events relating to changes to Rules.
Log Type: ACF2Log This objective monitors access to MVS resources that are considered to be sensitive. Use the RESOURCE field to narrow your search criteria. A ReturnCode of VIOLATION, or *VIO, indicates a failed attempt to access the resource.
Log Type: ACF2Log This objective displays those ACF2 users on an MVS host which have been created or deleted.
Log Type: ACF2Log This objective displays information relating to ACF2 user login failures.
Log Type: AIXAudit This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect process events.
Log Type: AIXAudit Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.
Log Type: AIXAudit This objective is used to monitor user login actions on AIX servers. Note that FTP access is also counted as a 'login', but protocols such as SSH or VNC may not generate a login event. It is important that the 'Configure' section of the objective be used to define from which system(s) the login events are required, so that the user(s) of this objective are not flooded with too many login events. This will especially be the case in agencies that are of a significant size and are collecting events from numerous AIX hosts.
Log Type: AIXAudit This objective is used to monitor access to the root account through the /bin/su utility.
Log Type: AppleBSM This objective is used to monitor failed access to a target account through the /bin/su utility.
Log Type: AppleBSM This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to collect process events.
Log Type: AppleBSM Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare agents must be configured to report on file accesses.
Log Type: AppleBSM This objective is used to monitor user login actions on Apple servers.
Log Type: AppleBSM This objective is used to monitor failed access to a target account through the /bin/su utility.
Log Type: Browser Display configuration change and agent restart messages from Snare Browser agents.
Log Type: Browser Display cookie-related events from Snare Browser agents.
Log Type: Browser Display inappropriate material accessed through a browser. WARNING: INAPPROPRIATE CONTENT MAY BE DISPLAYED WITH THIS RANDOM SAMPLE. The images are linked directly to the target site. This means that your UserID will download the images through your proxy server (if enabled), which means you may appear in your own logs. Please also note that:
Log Type: Browser Scan for access to social media and related sites. Please unlock this objective and modify it according to your requirements.
Log Type: ConfigurationCheck Compare the current Cisco PIX or router configuration to an authorised version. The objective will attempt to connect to the device using the 'telnet' protocol and display the current configuration. The current configuration will also be compared against an authorised 'Master' and changes will be highlighted. Two passwords in the "Configure" section (connect, and enable) are used to retrieve the configuration.
Log Type: F5Violations Display events tagged as violations from F5 ASM logs.
Log Type: GauntletFirewallLog The Gauntlet firewall generates events based on the email addresses that have been sent through the firewall. This objective allows the user to report on email information derived from the Gauntlet Firewall logs.
Log Type: GenericSyslog This objective can be used to monitor session volume notification events from custom applications that report the data to Snare Central. The output component included with this objective will trigger when the number of sessions grows by a predetermined amount per source server. Notification events are assumed to be delivered at 1 minute intervals.
Log Type: GenericSyslog This objective looks for SU or Sudo log entries in the Generic Syslog log source.
Log Type: IPTablesFirewall Display non-dropped packets that have a source address in a non-routable IP block.
Log Type: IPTablesFirewall Display dropped packets that have a source address in a non-routable IP block.
Log Type: IPTablesFirewall Display non-dropped packets that have a source address in a routable IP block.
Log Type: IPTablesFirewall Display dropped packets that do not have a source address in a routable IP block.
Log Type: IrixSAT This objective reports on selected Irix audit events which indicate general administrative activity, such as sat_chroot, sat_mount, sat_clock_set, sat_hostname_set, sat_domainname_set, sat_hostid_set, sat_control, sat_bsdipc_snoop_ok, sat_bsdipc_snoop_fail, and sat_ae_audit.
Log Type: IrixSAT This objective monitors the mounting or unmounting of disk volumes on Irix. This may be useful in those instances where it is required that access to specific volumes (such as floppy disks) be closely monitored.
Log Type: IrixSAT This objective is used to monitor access to processes or applications that are considered to be sensitive.
Log Type: IrixSAT Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.
Log Type: IrixSAT This objective is used to monitor user login actions on Irix servers. Note that FTP access is also counted as a 'login', but protocols such as SSH or VNC may not generate a login event.
Log Type: IrixSAT This objective is used to monitor access to the root account through the /bin/su utility.
Log Type: LinuxAudit This objective is used to monitor account management actions on Linux servers. Note that the Linux audit subsystem will only generate events when an account or group is modified using account management binaries. Situations where a root user manually modifies the /etc/passwd or /etc/group files will not be detected by this objective.
Log Type: LinuxAudit This objective is used to monitor access to files that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect file events.
Log Type: LinuxAudit This objective is used to monitor group account management actions on Linux servers. Note that the Linux audit subsystem will only generate events when an account or group is modified using account management binaries. Situations where a root user manually modifies the /etc/passwd or /etc/group files will not be detected by this objective.
Log Type: LinuxAudit This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect process events.
Log Type: LinuxAudit This objective is used to monitor user login actions on Linux servers.
Log Type: LinuxAudit This objective is used to monitor user account management actions on Linux servers. Note that the Linux audit subsystem will only generate events when an account or group is modified using account management binaries. Situations where a root user manually modifies the /etc/passwd or /etc/group files will not be detected by this objective.
Log Type: MSDNSServer This objective is used to retrieve DNS traffic from or to an IP address.
Log Type: MSDNSServer This objective is used to monitor suspicious DNS-over-TCP usage.
Log Type: MSDNSServer This objective is used to monitor DNS server response failures.
Log Type: MSDNSServer This objective is used to monitor DNS queries for non-existent domains only.
Log Type: NetScreenFirewall Display IP spoofing notifications from NetScreen firewalls.
Log Type: NetScreenFirewall Display large ICMP packet notifications from NetScreen firewalls.
Log Type: NetScreenFirewall Display port scan notifications from NetScreen firewalls.
Log Type: NetworkMapper This objective allows you to scan your network for open services. New systems, or systems with unauthorised ports, will be highlighted for your attention. In addition, an optional network security scan can be conducted against any hosts that are found. The report may be displayed in tabular format, which is useful for the analysis of many hosts on any given network. In both "iconized" and "tabular" formats, an authorised "port list" can be configured on a host-by-host basis. Future scans against the host in question will highlight any changes in port activation or deactivation. The network scanner can be configured to scan TCP and/or UDP port ranges. Warning: UDP scanning is very slow and should be used with care, because UDP will always have to wait for a timeout to determine whether a port is closed. If this timeout is too short, the scan will miss valid ports and not report correctly. This objective uses the free open source tool Nmap to determine the open ports on one or more hosts. Further details are available from: http://www.insecure.org/
Log Type: NortelVPNRouter This objective will watch for configuration changes to Nortel VPN Routers, such as the creation, destruction, or modification of particular configuration items.
Log Type: NortelVPNRouter This objective will scan for failed attempts to access the VPN device by searching for events that include "Failed Login Attempt" or "failed to log in".
Log Type: NortelVPNRouter This objective will scan for successful logins to the VPN device by searching for events that include "logged in from", "logged into group" or "login by using".
Log Type: ObjectAccess This objective monitors access to ACF2 Objects that are considered to be sensitive. Use the OBJECT field to narrow your search criteria.
Log Type: ObjectAccess This objective monitors access to Lotus Notes Database Resources. Use the OBJECT field to narrow your search criteria.
Log Type: PANFirewall
Log Type: PIXLog Display user authentication events.
Log Type: RACFLog This objective monitors access to RACF resources that are considered to be sensitive. A ReturnCode of 0 implies a failed attempt to access the resource. Use the RESOURCE field to narrow your search criteria.
Log Type: RACFLog This objective displays information relating to RACF user logins.
Log Type: SOCKSLog This objective looks for failed authentication events from a SOCKS server.
Log Type: SolarisBSM This objective is used to monitor failed access to a target account through the /bin/su utility.
Log Type: SolarisBSM This objective is used to monitor access to processes or applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to collect process events.
Log Type: SolarisBSM Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.
Log Type: SolarisBSM This objective is used to monitor user login actions on Solaris servers.
Log Type: SolarisBSM This objective is used to monitor access to a target account through the /bin/su utility.
Log Type: SonicWall Display events that have a category indicating dropped packets.
Log Type: Tru64Audit Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.
Log Type: Tru64Audit This objective is used to monitor user login actions on Tru64 servers.
Log Type: Tru64Audit This objective is used to track access to a target account through the /bin/su utility.
Log Type: UniversalLog This objective allows you to search for reports that have been read.
Log Type: UniversalLog This objective allows you to search for reports that have been printed.
Log Type: UniversalLog This objective allows you to monitor the search terms used in Universal Log data, based on a 'Query' event in the 'Message' field.
Log Type: UniversalLog This objective allows you to monitor user logins reported in the Universal Log data.
Log Type: UserGroupSnapshot This objective displays account expiry settings (in days) by system and/or domain. Please note that this objective requires Snare for Windows version 2.6.2 or later.
Log Type: UserGroupSnapshot This objective takes snapshots of the applicable group memberships and compares them to a specified list to report on authorised and unauthorised group members. The Snare Central will regularly query the specified server(s) to determine the members of all groups. This is then used by these objectives to determine which users have been authorised to be members of this group, and which have not.
Log Type: UserGroupSnapshot This objective displays those users who have settings configured on their account that are considered sensitive or important from a security viewpoint. These attributes are queried on a regular basis by connecting to specified Snare Agents. The updated information will be displayed in these reports, on a scheduled basis, as required by the users of these objectives.
Log Type: WebLog Display inappropriate material accessed through an organisational proxy server, by searching for a range of defined words in the URLs that are logged by the proxy server. Warning: INAPPROPRIATE CONTENT MAY BE DISPLAYED WITH THIS RANDOM SAMPLE. The images are linked directly to the target site. This means that your UserID will download the images through your proxy server (if enabled), which means you may appear in your own logs.
Log Type: WebLog Query proxy server logs.
Log Type: WebLog Display URLs that are generally associated with cross-site scripting attacks.
Log Type: WinApplication This objective is used to monitor crashed applications.
Log Type: WinApplication
Log Type: WinApplication This objective is used to monitor administrative activity using the NetIQ product.
Log Type: WinApplication This objective is used to monitor group administrative activity using the NetIQ product.
Log Type: WinApplication This objective is used to monitor user administrative activity using the NetIQ product.
Log Type: Oracle
Log Type: WinApplication The Windows File Protection service monitors critical system files and attempts to prevent unauthorised software from modifying or replacing these files. This objective is used to monitor WFP warning events.
Log Type: WinSecurity This objective displays Windows accounts (in specified domains) that have been recently created or deleted.
Log Type: WinSecurity This objective displays Windows groups that have been recently created or deleted.
Log Type: WinSecurity This objective is used to monitor failed user login actions on Windows servers.
Log Type: WinSecurity Monitor access to files and directories that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on file accesses.
Log Type: WinSecurity This objective shows modifications to specified sensitive Windows groups.
Log Type: WinSecurity This objective shows changes to the members of sensitive Windows groups.
Log Type: WinSecurity This objective is used to monitor interactive account login and logoff events. This includes workstation locked/unlocked events and screen saver invoked/dismissed events.
Log Type: WinSecurity This objective displays Windows local accounts that have been added to the local Administrators group.
Log Type: WinSecurity This objective checks to see if the Windows event logs were cleared. Note that the Snare Agent must be configured to collect these events. The clearing of an event log may indicate that a user is attempting to cover their tracks.
Log Type: WinSecurity This objective displays Windows Type 3 host-to-host network logins and Type 10 RDP network logins.
Log Type: WinSecurity Although the Snare for Windows agent is able to configure the host's audit subsystem, this objective keeps an eye on events which indicate an attempt to change the underlying audit configuration. Changes to the underlying audit subsystem may indicate a user who is attempting to hide their "tracks", or attempting to obscure their (potentially) unauthorised activity.
Log Type: WinSecurity Monitor when new processes are created.
Log Type: WinSecurity Display Oracle startup and shutdown events.
Log Type: WinSecurity
Log Type: WinSecurity Monitor access to applications that are considered to be sensitive. Note that to use this objective, the Snare Agents must be configured to report on process execution.
Log Type: WinSecurity
Log Type: WinSecurity This objective shows modifications to specified sensitive Windows users.
Log Type: WinSecurity This objective is used to monitor user login actions on Windows servers.
Log Type: WinSecurity This objective displays any differences between Windows and ACF2 account creation details. In particular, the objective will display:
Log Type: WinSystem This objective checks to see if the Windows Application, System or another non-security event log was cleared. Note that the Snare agent must be configured to collect these events.
Log Type: WinSystem Display Windows machines that have reported a corrupt event log during the reporting period. Corrupt event log reporting is only available in Snare for Windows version 3.0.0 and above.