# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Snare (InterSect Alliance) Windows event logs
# forwarded through a syslog server. Each syslog line carries one
# "MSWinEventLog" record; the parse filter below splits the record header into
# collected fields and then turns the free-text event message into
# "Name: Value" collected fields.
#
# NOTE(review): this copy of the file appears to have had runs of whitespace
# collapsed. The comments below speak of "five spaces", "eight spaces" and
# "multiple spaces" as separators, while the regular expressions as shown
# contain single spaces. Compare against the original file before editing any
# of the expressions.
snare = {
  plugin_version = "1.2"
  # NOTE(review): the key is spelled "manfacturer" in the original; left
  # unchanged because other tooling may read it under this name.
  info.1.manfacturer = "Intersect Alliance"
  info.1.device = "Snare"
  info.1.version = ""

  # Change history
  # 2006-08-14 - 1.1beta - msg - Added support for a space at the end of the line
  # 2006-11-17 - 1.2beta - GMF - Added extraction of "period plus eight spaces" actions.
  #                            - Improved parsing of subfields in message field
  #                              (variable number of spaces)
  #                            - Added support for [A-Za-z]:.* field values (Windows pathnames)
  # 2007-09-14 - 1.2 - KBB - Renumbered per new beta policy and renamed from beta_snare.cfg

  log.format.format_label = "Snare Log Format"
  # Auto-detection keys on the literal "MSWinEventLog" token followed by an
  # escaped tab (<009>) or a space; everything else is left to the parse filter.
  log.format.autodetect_regular_expression = "MSWinEventLog(<009>| )"
  log.format.parse_only_with_filters = "true"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "syslog_server"

  # Collected (log) fields. Most of these are not set explicitly below: they are
  # produced by the name/value loop in the parse filter, which lowercases the
  # label and replaces spaces with underscores ("Logon ID" -> logon_id).
  log.fields = {
    event_code = ""
    type = ""
    category = ""
    user_name = ""
    server_name = ""
    action = ""
    domain = ""
    logon_id = ""
    logon_guid = ""
    logon_type = ""
    logon_process = ""
    authentication_package = ""
    workstation_name = ""
    new_process_id = ""
    process_id = ""
    creator_process_id = ""
    image_file_name = ""
    caller_user_name = ""
    caller_domain = ""
    caller_logon_id = ""
    caller_process_id = ""
    transited_services = ""
    source_network_address = ""
    source_port = ""
    primary_user_name = ""
    primary_domain = ""
    primary_logon_id = ""
    handle_id = ""
    target_account_name = ""
    target_account_id = ""
    target_domain = ""
    privileges = ""
    accesses = ""
    restricted_sid_count = ""
    access_mask = ""
    object_server = ""
    object_type = ""
    object_name = ""
    operation_id = ""
    client_user_name = ""
    client_domain = ""
    client_logon_id = ""
    member_name = ""
    member_id = ""
    server = ""
    service = ""
    # From message "The Windows Firewall has detected an application listening for incoming traffic"
    name = ""
    path = ""
    identifier = ""
    user_account = ""
    user_domain = ""
    rpc_server = ""
    ip_version = ""
    ip_protocol = ""
    port_number = ""
    allowed = ""
    user_notified = ""
    event_type = ""
    level = ""
    event_description = ""
    computer_name = ""
    subcategory = ""
  } # log.fields

  log.parsing_filters.parse = `
    # Sawmill represents a tab as the escaped token <009>. Some Snare versions
    # emit tab-delimited records, so normalise <009> to a space first and let
    # the expressions below handle both tab- and space-delimited input.
    v.message = replace_all(v.syslog_message, '<009>', ' ');

    # Extract headers.
    # Capture groups, in order: $1 unknown numeric field, $2 event type,
    # $3 line number, $4 timestamp, $5 event code, $6 category, $7 user name,
    # $8 level, $9 event description, $10 computer name, $11 subcategory,
    # $12 (unused), $13 message text, $14 trailing numeric field (unused).
    # The trailing " *" tolerates spaces at the end of the line (1.1beta).
    # NOTE(review): as shown here $4 is "[^ ]*", which cannot hold a timestamp
    # such as "Wed Nov 15 15:53:10 2006" from the samples below; this is the
    # whitespace-collapse issue mentioned in the file header.
    if ( matches_regular_expression( v.message, 'MSWinEventLog ([0-9]+) ([^ ]*) ([0-9]*) ([^ ]*) ([0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([0-9]+) *$' )) then (
      # set_collected_field('', 'unknown_field', $1);
      set_collected_field('', 'event_type', $2);
      # set_collected_field('', 'line_number', $3);
      # set_collected_field('', 'timestamp', $4);
      v.timestamp = $4;
      set_collected_field('', 'event_code', $5);
      set_collected_field('', 'category', $6);
      # Header user name; may be replaced by a "User Name:" pair from the
      # message text in the name/value loop further down.
      set_collected_field('', 'user_name', $7);
      set_collected_field('', 'level', $8);
      set_collected_field('', 'event_description', $9);
      set_collected_field('', 'computer_name', $10);
      set_collected_field('', 'subcategory', $11);
      v.message = $13;

      # Extract the timestamp into the date and time fields.
      # "Wed Nov 15 15:53:10 2006" -> date "15/Nov/2006", time "15:53:10"
      # (the weekday is matched but discarded).
      if (matches_regular_expression(v.timestamp, '^[A-Za-z]* ([A-Za-z]*) ([0-9]+) ([0-9:]+) ([0-9]+)$')) then (
        set_collected_field('', 'date', $2 . '/' . $1 . '/' . $4);
        set_collected_field('', 'time', $3);
      );

      # Extract the action, by looking for an action followed by a colon and five spaces
      # e.g.
      # 2006-11-15 15:53:27 User.Info 172.16.48.62 Nov 15 15:53:15 kerticyctus.cag.local MSWinEventLog<009>1<009>Security<009>26<009>Wed Nov 15 15:53:10 2006<009>540<009>Security<009>SYSTEM<009>User<009>Success Audit<009>KERTICYCTUS<009>Logon/Logoff<009><009>Successful Network Logon: User Name: KERTICYCTUS$ Domain: CAG Logon ID: (0x0,0x460EA9) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {5e93d484-5afc-c612-e790-a41f2d6e9772} <009>5
      # The text before the separator becomes 'action'; the remainder is kept
      # in v.message for the name/value loop.
      if ( matches_regular_expression(v.message, '^([^:]+): (.*)$') ) then (
        set_collected_field('', 'action', $1);
        v.message = $2;
      );

      # Extract the action, by looking for an action followed by a period and eight spaces
      # e.g.
      # 2006-11-15 15:43:42 User.Warning 172.16.48.62 Nov 15 15:43:31 kerticyctus.cag.local MSWinEventLog<009>3<009>Security<009>24<009>Wed Nov 15 15:43:26 2006<009>861<009>Security<009>SYSTEM<009>User<009>Failure Audit<009>KERTICYCTUS<009>Detailed Tracking<009><009>The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\Snare\SnareCore.exe Process identifier: 3840 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: UDP Port number: 3754 Allowed: No User notified: No <009>3
      # Sentence-style messages (ending in "." rather than ":") are handled here;
      # if this also matches it overwrites the 'action' set just above.
      if (matches_regular_expression(v.message, '^([^.]*)[.] (.*)$')) then (
        set_collected_field('', 'action', $1);
        v.message = $2;
      );

      # Extract the name/value pairs from the message field. The format is "Name: Value" with pairs separated by multiple spaces (usually 4 or more?).
      # Three alternatives are tried in order:
      #   1. ordinary pair followed by more text;
      #   2. a value that starts with a drive letter ("C:\...") so the colon
      #      inside the value is not mistaken for the next separator;
      #   3. the final pair, with nothing after it ($3 captures "").
      # The label is normalised to a field name: lowercase, spaces -> "_".
      # NOTE(review): the field name is taken from the event text itself, so any
      # "Key: Value" pair in the message writes to the collected field of that
      # name and overwrites an earlier value. In the first sample above the
      # header sets user_name to SYSTEM and this loop then sets it to
      # KERTICYCTUS$ from "User Name:". Confirm how set_collected_field treats
      # names that are not declared in log.fields.
      while (matches_regular_expression(v.message, '^([^:]*): ([^:]*) *(.*)$') or matches_regular_expression(v.message, '^([^:]*): ([A-Za-z]:[^:]*) +(.*)$') or matches_regular_expression(v.message, '^([^:]*): ([^:]*) *()$')) (
        v.fieldname = $1;
        v.fieldname = lowercase(v.fieldname);
        v.fieldname = replace_all(v.fieldname, ' ', '_');
        set_collected_field('', v.fieldname, $2);
        v.message = $3;
      );

      # Accept this log entry
      accept_collected_entry('', false);
    ); # If matches normal layout
  `

  log.filters = {
    # Every accepted entry counts as one event.
    mark_entry = {
      value = "events = 1;"
      label = "$lang_admin.log_filters.mark_entry_label"
      comment = "$lang_admin.log_filters.mark_entry_comment"
    } # mark_entry
  } # log.filters

  # Database fields; mirrors log.fields one-for-one.
  database.fields = {
    event_code = ""
    type = ""
    category = ""
    user_name = ""
    server_name = ""
    action = ""
    domain = ""
    logon_id = ""
    logon_guid = ""
    logon_type = ""
    logon_process = ""
    authentication_package = ""
    workstation_name = ""
    new_process_id = ""
    process_id = ""
    creator_process_id = ""
    image_file_name = ""
    caller_user_name = ""
    caller_domain = ""
    caller_logon_id = ""
    caller_process_id = ""
    transited_services = ""
    source_network_address = ""
    source_port = ""
    primary_user_name = ""
    primary_domain = ""
    primary_logon_id = ""
    handle_id = ""
    target_account_name = ""
    target_account_id = ""
    target_domain = ""
    privileges = ""
    accesses = ""
    restricted_sid_count = ""
    access_mask = ""
    object_server = ""
    object_type = ""
    object_name = ""
    operation_id = ""
    client_user_name = ""
    client_domain = ""
    client_logon_id = ""
    member_name = ""
    member_id = ""
    server = ""
    service = ""
    name = ""
    path = ""
    identifier = ""
    user_account = ""
    user_domain = ""
    rpc_server = ""
    ip_version = ""
    ip_protocol = ""
    port_number = ""
    allowed = ""
    user_notified = ""
    event_type = ""
    level = ""
    event_description = ""
    computer_name = ""
    subcategory = ""
  } # database.fields

  database.numerical_fields = {
    # Event counter populated by the mark_entry filter above.
    events = {
      label = "$lang_stats.field_labels.events"
      default = "true"
      requires_log_field = "false"
      type = "int"
      display_format_type = "integer"
      entries_field = "true"
    } # events
  } # database.numerical_fields

  # Default report groups offered by the profile wizard; "true" enables a
  # report for that field, "" leaves it disabled by default.
  create_profile_wizard_options = {
    report_groups = {
      date_time_group = ""
      actions_group = {
        event_code = "true"
        event_description = ""
        type = "true"
        action = "true"
        category = "true"
        subcategory = ""
        operation_id = "true"
        event_type = ""
        level = ""
      }
      processes_group = {
        process_id = "true"
        new_process_id = "true"
        creator_process_id = "true"
        logon_id = "true"
        logon_type = "true"
        logon_process = "true"
      }
      users_group = {
        domain = "true"
        workstation_name = "true"
        user_name = "true"
        caller_user_name = "true"
        caller_domain = "true"
        caller_logon_id = "true"
        caller_process_id = "true"
        source_network_address = "true"
        source_port = "true"
        primary_user_name = "true"
        primary_domain = "true"
        primary_logon_id = "true"
        target_account_name = "true"
        target_account_id = "true"
        target_domain = "true"
        handle_id = "true"
        client_user_name = "true"
        client_domain = "true"
        client_logon_id = "true"
        member_name = "true"
        member_id = "true"
        logon_guid = "true"
      }
      server_group = {
        server_name = "true"
        server = "true"
        service = "true"
        computer_name = ""
      }
      authentication_group = {
        authentication_package = "true"
        privileges = "true"
        accesses = "true"
        restricted_sid_count = "true"
        access_mask = "true"
      }
      other_group = {
        image_file_name = "true"
        transited_services = "true"
        object_server = "true"
        object_type = "true"
        object_name = "true"
        name = "true"
        path = "true"
        identifier = "true"
        user_account = "true"
        user_domain = "true"
        rpc_server = "true"
        ip_version = "true"
        ip_protocol = "true"
        port_number = "true"
        allowed = "true"
        user_notified = "true"
      }
    } # report_groups
  } # create_profile_wizard_options
} # snare