[Certificate]

This subkey stores SSL/TLS certificate configuration values.

Value | Description
---|---
DestinationCertPreference | This value is of type REG_SZ and defines the required level of SSL/TLS certificate verification when connecting to a remote destination server. Note: SSL/TLS certificate verification is not relevant if the UDP or TCP protocol is used to connect to the destination. Accepted values are: ANY (default): require an SSL/TLS certificate to be presented, but accept the certificate even if the chain of trust cannot be authenticated or the hostname does not match the presented certificate; this is useful for self-signed certificates. STRICT: require an SSL/TLS certificate to be presented that has both a valid chain of trust and a hostname matching the certificate. A hostname must be provided in the associated Destination#Host setting, as an IP address will not work.
DestinationCertPreferenceSAM | This value is of type REG_SZ and defines the required level of SSL/TLS certificate verification when connecting to a Snare Agent Manager server. Accepted values are: ANY (default): require an SSL/TLS certificate to be presented, but accept the certificate even if the chain of trust cannot be authenticated or the hostname does not match the presented certificate; this is useful for self-signed certificates. STRICT: require an SSL/TLS certificate to be presented that has both a valid chain of trust and a hostname matching the certificate. A hostname must be provided in the SAM1IP setting, as an IP address will not work.
WebCertID | The thumbprint of the certificate to be used for HTTPS web user interface interactions. By default, Snare Agent generates a self-signed certificate. Customers may replace it with a CA-signed certificate for improved security.

[Config]

This subkey stores the general agent configuration data.

Value | Description
---|---
AgentLog | This value is of type REG_DWORD and sets the level of tracing sent by the agent. Values include [0-5], where Fatal (0), Error (1), Warning (2), Info (3), Debug (8), Trace (9).
CachePath | The disk cache path where the agent temporarily saves all unsent events if it needs to restart. The agent reads and sends the cached events on its next start.
Checksum | This value is of type REG_DWORD and determines whether the agent includes an MD5 checksum of the contents of each audit record with the record in question. Set this value to 0 for No or 1 for Yes. Defaults to FALSE (0) if not set. Note that the checking application will need to strip the final delimiter plus the MD5 checksum from the record before evaluating the record against the checksum.
Clientname | This value is of type REG_SZ. If no value has been set, the output of the "hostname" command is used. Must be no more than 100 characters; longer values are truncated.
EventSourceId | This value is of type REG_SZ and stores the Windows Registry path from which to read the Event Source Id text/value. If EventSourceIdType is 2 (Registry Path), the text/value found in the registry at the specified path is included in each event.
EventSourceIdText | This value is of type REG_SZ and directly stores the Event Source Id text/value. If EventSourceIdType is 1 (Free Text), this text/value is included in each event.
EventSourceIdType | This value is of type REG_DWORD and stores the option for specifying the Event Source Id: 0 (None), 1 (Free Text), 2 (Registry Path).
FileSize | The maximum size of an output file receiving events. The file is rotated upon reaching this maximum.
HeartBeat | This value is of type REG_DWORD and sets the frequency, in minutes, with which the agent sends out a heartbeat message. A value of zero (0) disables this feature.
HeartBeatFileExport | Determines whether heartbeats are logged to a file. Set this value to 0 for No or 1 for Yes.
HeartBeatOutputPath | The path to which heartbeat messages are exported, if selected.
HostGUID | This value is of type REG_SZ. Set to the GUID of the specific network card.
HostIP | This value is of type REG_SZ. Set to the IP address of the specific network card.
LookupTimeout | This value is of type REG_DWORD and sets the frequency, in minutes, with which the SnareMSSQL agent rechecks the members of any groups specified in the User Search Filter.
MemCheckLimit | This value is of type REG_DWORD and sets the maximum memory the MSSQL agent can utilize during any stage of execution (2-200 minutes).
MemCheckTimeout | This value is of type REG_DWORD and sets the frequency, in minutes, at which the memory usage of the MSSQL agent is checked against the limit.
MSSQLPortNumbers | This value is of type REG_SZ and is a comma-delimited list of MSSQL listening ports, to support MSSQL configurations with specific listening port(s). Each port number is of type REG_DWORD. Port 1433 specifies a dynamic port.
TLS13Minimum | This value is of type REG_DWORD. When disabled (0), Snare Agent supports TLS 1.2 and TLS 1.3 for web connections. When enabled (1), TLS 1.2 is explicitly disabled and browsers connecting to the agent website must support at least TLS 1.3.
TraceCount | This value is of type REG_DWORD and sets the number of trace files maintained by Microsoft SQL Server.
TracePath | This value is of type REG_SZ and sets the location where SNARE stores its trace files.
TraceSize | This value is of type REG_DWORD and sets the size of any trace files written by MS SQL Server.
UnencryptedObj | This value is of type REG_DWORD. If set to 1, the audit policy is stored in plain text in the registry; if set to 0, the audit policy is encrypted in the registry. This setting may be used in standalone or cluster mode.
UpgradePath | This value is of type REG_SZ. The automatically generated path in which temporary upgrade files are stored.
UseHostIP | This value is of type REG_DWORD and determines whether Snare should use the IP address (as set in HostIP) instead of the hostname in the event header when sending events. Set this value to 0 for No or 1 for Yes. Defaults to FALSE (0) if not set.
UseUTC | This value is of type REG_DWORD. If set to 1, logs are timestamped using Coordinated Universal Time instead of local time.

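The record check described under Checksum, as an added Python example (not Snare's own code): it assumes the layout the description implies, i.e. the record's fields, then the final delimiter (tab by default, per Destination1Delimiter), then the 32-character hex MD5 of everything before that delimiter. The checker strips that trailing delimiter and digest, recomputes MD5 over what remains, and compares.

```python
import hashlib
import hmac

# Tab is the agent's default delimiter (Destination1Delimiter); other delimiters work the same way.
DEFAULT_DELIMITER = "\t"
MD5_HEX_LEN = 32
HEX_DIGITS = set("0123456789abcdef")


def append_checksum(record: str, delimiter: str = DEFAULT_DELIMITER) -> str:
    """Produce a record in the assumed layout: <record><delimiter><md5 hex of record>.

    Used here only to construct sample input; the agent does this when Checksum = 1.
    """
    digest = hashlib.md5(record.encode("utf-8")).hexdigest()
    return f"{record}{delimiter}{digest}"


def split_checksum(record: str, delimiter: str = DEFAULT_DELIMITER):
    """Strip the final delimiter plus checksum, as the Checksum description says the checker must.

    Returns (payload, checksum) or (record, None) when no trailing checksum is present.
    """
    payload, sep, tail = record.rpartition(delimiter)
    # Reject a last field that merely happens to be 32 characters long but is not hex.
    if not sep or len(tail) != MD5_HEX_LEN or not set(tail.lower()) <= HEX_DIGITS:
        return record, None
    return payload, tail.lower()


def verify_record(record: str, delimiter: str = DEFAULT_DELIMITER) -> bool:
    """True only when the record carries a checksum and it matches the payload."""
    payload, checksum = split_checksum(record, delimiter)
    if checksum is None:
        return False
    expected = hashlib.md5(payload.encode("utf-8")).hexdigest()
    # The MD5 detects truncation or corruption in transit, not deliberate tampering:
    # anyone who can edit the payload can recompute the digest, so treat a mismatch
    # as a data-quality signal and rely on TLS/mTLS (Destination1SocketType) for integrity.
    return hmac.compare_digest(expected, checksum)


if __name__ == "__main__":
    # Constructed sample record, not real agent output.
    sample = append_checksum("MSWinEventLog\t1\tSecurity\t4624\tLogon succeeded")
    print(verify_record(sample))  # True
```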
[Objective]

This subkey stores all the filtering audit policies (formerly known as objectives).

Value | Description
---|---
Objective# (where # is an integer) | Audit policies are of type REG_BINARY and contain an encrypted copy of the individual settings comprising an audit policy. Manual configuration of audit policies is unsupported.

[Network]

This subkey stores the general network configuration.

Value | Description
---|---
CacheSize | This value is of type REG_DWORD and determines the desired count of events in the memory cache. If this is set, CacheSizeM cannot be altered.
CacheSizeM | This value is of type REG_DWORD and determines the size of the in-memory cache. The value must be between 1 and 1024. If this is set, CacheSize cannot be altered.
CheckTime | The number of seconds after which the agent internally reloads its settings and drops and re-establishes its network connection. The minimum is 300 seconds (5 minutes), the maximum is 3600 seconds (1 hour).
Destination1Delimiter | The delimiter used in the events written to this network destination: tab, comma, vertical bar, space or any custom character. By default the delimiter is a tab character.
Destination1Format | The format in which the events are sent to the destination: Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9).
Destination1Host | This value is of type REG_SZ and is the IP or hostname of the destination server/SIEM.
Destination1mTLSCertID | This value is of type REG_SZ and is the ID of the client's certificate. The client presents this certificate during mutual TLS communication to prove its identity to the server.
Destination1Port | This value is of type REG_DWORD and determines the destination port number. This value must be in the range 1-65535. Defaults to 514 if a SYSLOG header has been specified.
Destination1SocketType | This value is of type REG_DWORD and determines the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL, 3 for TLS_AUTH, 4 for mTLS). This feature only appears in supported agents.
Destination1TLSAuthKey | This value is of type REG_SZ and is used when Destination1SocketType is 3 (TLS_AUTH).
FileOutput1Delimiter | The delimiter used in the events written to this file destination: tab, comma, vertical bar, space or any custom character. By default the delimiter is a tab character.
FileOutput1FileName | The path and name of the file the events are written to.
FileOutput1Format | The format to write to the log file. Available formats are: Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7), DEVO (8), DEVO JSON (9).
NotifyMsgLimit | This value is of type REG_DWORD with value 0 or 1, and determines whether to send the EPS notification to the server (1 = send, 0 = do not send) whenever the agent reaches the EPS RateLimit. This feature only appears in supported agents.
NotifyMsgLimitFrequency | This value is of type REG_DWORD and determines the frequency of the events-per-second notification. The value is treated in minutes, and only one EPS notification message is sent to the server regardless of how many times the agent reaches the EPS limit during those minutes. This feature only appears in supported agents.
RateLimit | This value is of type REG_DWORD and determines the upper limit for events per second (EPS) that the agent will send to the server. This feature only appears in supported agents.
SyslogFacility | This value represents the SYSLOG facility used for the SYSLOG formats.
SyslogTAGTerminator | This value is of type REG_DWORD with value 0 or 1, and determines whether to use TAB as the SYSLOG (RFC3164) TAG terminator. The SYSLOG (RFC3164) IETF standard allows all alphanumeric characters to be considered part of the TAG. It is strongly recommended to keep this at 1; otherwise Destination#Delimiter is used as the TAG terminator.

[Remote]

This subkey stores all the remote control parameters.

Value | Description
---|---
AccessKeyAuth | This value is of type REG_SZ and stores a hash of the password.
Allow | This value is of type REG_DWORD and determines the availability of the remote control feature. If not set or out of bounds, it defaults to 0/No (i.e. the agent cannot be remote controlled).
LockTime | This value is of type REG_DWORD and determines the lock duration, in minutes, after the maximum number of failed login attempts is reached.
MaxFailAttempt | This value is of type REG_DWORD and determines the maximum number of failed login attempts that will be accepted before the agent is locked for the duration defined in LockTime.
Restrict | This value is of type REG_DWORD and determines whether remote users are restricted by IP address. 0 = no restrictions.
RestrictIP | This value is of type REG_SZ and is the IP address that the Restrict setting above applies to.
WebPort | This value is of type REG_DWORD and is the web server port, if it has been set to something other than port 6161. If not set or out of bounds, it defaults to port 6161.

[SAM]

This subkey stores the Snare Agent Manager settings.

Value | Description
---|---
SAM1AuthKey | Key used by the agent to communicate with the Snare Agent Manager.
SAM1IP | The IP/hostname of the host where SAM is installed and that will communicate with the agent.
SAM1Port | The port number the agent uses to communicate with SAM (port 6262).
SAM1Token | Token provided by SAM to the agent.

[State]

This subkey stores data managed internally by the agent.

Value | Description
---|---
SAMCToken | Token provided by SAM to the agent.
AgentLocked | This value is of type REG_DWORD and is set to either 0 or 1 to indicate whether the agent is locked due to reaching the maximum number of failed login attempts.
AgentLockEndTime | This value is of type REG_SZ and stores the time at which the agent returns to normal after having been locked due to reaching the maximum number of failed login attempts.
LoginAttempts | This value is of type REG_DWORD and records the number of consecutive failed login attempts.