# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Snare Windows event logs received over syslog.
# The parse filter below recognises the Snare header (event type, event code,
# category, user, level, description, computer, subcategory), derives the date
# and time from the embedded timestamp, then splits the free-text message body
# into "Name: Value" pairs and stores each pair as a collected field named after
# its label (lower-cased, spaces replaced by underscores). A line without a
# Snare header is treated as a continuation line of the current entry.
#
# Whitespace caution: the copy this file was recovered from appears to have had
# runs of spaces collapsed, so any regular expression below whose comment talks
# about "five spaces", "eight spaces", "two spaces" or "3+ spaces" should be
# checked against the original before the plugin is relied on.

snare = {

  plugin_version = "2.1.1"

  info.1.manufacturer = "Intersect Alliance"
  info.1.device = "Snare"
  info.1.version = ""

  # 2006-08-14 - 1.1beta - msg - Added support for a space at the end of the line
  # 2006-11-17 - 1.2beta - GMF - Added extraction of "period plus eight spaces" actions.
  #                            - Improved parsing of subfields in message field
  #                              (variable number of spaces)
  #                            - Added support for [A-Za-z]:.* field values (Windows pathnames)
  # 2007-09-14 - 1.2 - KBB - Renumbered per new beta policy and renamed from beta_snare.cfg
  # 2012-02-03 - 2.0 - KBB - Added support for multiline variant
  # 2012-09-1703 - 2.1 - MSG - Added support for subcategory fields that contain colons.
  # 2014-03-25 - 2.1.1 - GMF - Added support for variant spaces of some fields [ThreadID:1301992]

  # Autodetect on the "MSWinEventLog" marker followed by either a literal tab
  # placeholder (<009>) or a space; both separators occur in the wild.
  log.format.format_label = "Snare Log Format"
  log.format.autodetect_regular_expression = "MSWinEventLog(<009>| )"
  log.format.parse_only_with_filters = "true"

  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "syslog_server"

  # Fields the parse filter may populate. Header-derived fields (event_code,
  # category, user_name, level, event_description, computer_name, subcategory,
  # event_type) are always set; the rest are filled only when the matching
  # "Name: Value" label appears in the message body.
  log.fields = {
    event_code = ""
    type = ""
    category = ""
    user_name = ""
    server_name = ""
    action = ""
    domain = ""
    logon_id = ""
    logon_guid = ""
    logon_type = ""
    logon_process = ""
    authentication_package = ""
    workstation_name = ""
    new_process_id = ""
    process_id = ""
    creator_process_id = ""
    image_file_name = ""
    caller_user_name = ""
    caller_domain = ""
    caller_logon_id = ""
    caller_process_id = ""
    transited_services = ""
    source_network_address = ""
    source_port = ""
    primary_user_name = ""
    primary_domain = ""
    primary_logon_id = ""
    handle_id = ""
    target_account_name = ""
    target_account_id = ""
    target_domain = ""
    privileges = ""
    accesses = ""
    restricted_sid_count = ""
    access_mask = ""
    object_server = ""
    object_type = ""
    object_name = ""
    operation_id = ""
    client_user_name = ""
    client_domain = ""
    client_logon_id = ""
    member_name = ""
    member_id = ""
    server = ""
    service = ""
    # From message "The Windows Firewall has detected an application listening for incoming traffic"
    name = ""
    path = ""
    identifier = ""
    user_account = ""
    user_domain = ""
    rpc_server = ""
    ip_version = ""
    ip_protocol = ""
    port_number = ""
    allowed = ""
    user_notified = ""
    # From message "A security-enabled global group was changed"
    subject = ""
    security_id = ""
    account_name = ""
    account_domain = ""
    group = ""
    group_name = ""
    group_domain = ""
    changed_attributes = ""
    member = ""
    additional_information = ""
    event_type = ""
    level = ""
    event_description = ""
    computer_name = ""
    subcategory = ""
  } # log.fields

  # Per-log state. 'multiline' becomes true the first time a header line ends
  # in ':' and is never set back to false in this filter, so from that point
  # on every entry is accepted one header late (as 'previous') — presumably
  # intended for the all-multiline variant; confirm the final pending entry is
  # flushed at end of log.
  log.filter_initialization = `bool multiline = false;`

  log.parsing_filters.parse = `

    # Snare's tab placeholder "<009>" is turned into a space so that both the
    # tab-separated and space-separated variants hit the same header regexes.
    v.message = replace_all(v.syslog_message, '<009>', ' ');

    # Extract headers.
    # NOTE(review): the header captures use [^ ]*, yet the timestamp field ($4)
    # and several other header fields contain spaces; the separators between
    # fields were probably multiple spaces in the original and have been
    # collapsed in this copy — confirm before trusting these patterns.
    if ( matches_regular_expression( v.message, 'MSWinEventLog ([0-9]+) ([^ ]*) ([0-9]*) ([^ ]*) ([0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([0-9]+) *$' ) or
        # Handle multiline here too, e.g.
        # Dec 13 13:00:00 CHSEXCH01 MSWinEventLog 5 Security 1621779 Tue Dec 13 12:59:55 2011 538 Security ABCDEFG\John.Jones N/A Audit Success ABC01 2 User Logoff:
        matches_regular_expression( v.message, 'MSWinEventLog ([0-9]+) ([^ ]*) ([0-9]*) ([^ ]*) ([0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) [0-9]+ ([^:]+)(:)$') or
        # Some lines have subcategory fields that contain a colon. The parsing filter above didn't have a $ after the last :, and was treating it as the end of a multi-line. The following filter parses that type of line properly.
        # 2012-09-14 11:01:16 Kernel.Error sec-app2 Sep 14 11:01:16 SEC-APP2 MSWinEventLog<009>3<009>Application<009>118<009>Fri Sep 14 11:01:16 2012<009>1<009>WinVNC4<009><009>N/A<009>Error<009>SEC-APP2<009>0<009>HTTPServer: untrapped: End of stream<013>
        matches_regular_expression( v.message, 'MSWinEventLog ([0-9]+) ([^ ]*) ([0-9]*) ([^ ]*) ([0-9]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) [0-9]+ (.+)')) then (

      set_collected_field('', 'event_type', $2);

      # If this is multiline, the entry collected so far belongs to the previous
      # event: move it aside under the key 'previous' before overwriting ''.
      if (multiline) then
        rekey_collected_entry('', 'previous');

      # If the line ends with :, this must be multiline.
      # $12 is the "(:)" capture of the second header pattern only; the first
      # pattern's $12 is an ordinary field and the third has no group 12.
      if ($12 eq ':') then
        multiline = true;

      v.timestamp = $4;
      set_collected_field('', 'event_code', $5);
      set_collected_field('', 'category', $6);
      set_collected_field('', 'user_name', $7);
      set_collected_field('', 'level', $8);
      set_collected_field('', 'event_description', $9);
      set_collected_field('', 'computer_name', $10);
      set_collected_field('', 'subcategory', $11);
      # NOTE(review): only the first header pattern has a group 13; for the
      # multiline and colon-in-subcategory patterns the message body is left in
      # $11 (subcategory) and what v.message receives here depends on how the
      # engine treats an unset group — confirm.
      v.message = $13;

      # Extract the timestamp ("Wkd Mon DD HH:MM:SS YYYY") into the date and
      # time fields; date is stored as DD/Mon/YYYY.
      if (matches_regular_expression(v.timestamp, '^[A-Za-z]* ([A-Za-z]*) ([0-9]+) ([0-9:]+) ([0-9]+)$')) then (
        set_collected_field('', 'date', $2 . '/' . $1 . '/' . $4);
        set_collected_field('', 'time', $3);
      );

      # Extract the action, by looking for an action followed by a colon and five spaces
      # (the pattern below shows a single space — see the whitespace caution at the top of the file).
      # e.g.
      # 2006-11-15 15:53:27 User.Info 172.16.48.62 Nov 15 15:53:15 kerticyctus.cag.local MSWinEventLog<009>1<009>Security<009>26<009>Wed Nov 15 15:53:10 2006<009>540<009>Security<009>SYSTEM<009>User<009>Success Audit<009>KERTICYCTUS<009>Logon/Logoff<009><009>Successful Network Logon: User Name: KERTICYCTUS$ Domain: CAG Logon ID: (0x0,0x460EA9) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {5e93d484-5afc-c612-e790-a41f2d6e9772} <009>5
      if ( matches_regular_expression(v.message, '^([^:]+): (.*)$') ) then (
        set_collected_field('', 'action', $1);
        v.message = $2;
      );

      # Extract the action, by looking for an action followed by a period and eight spaces
      # (again shown as a single space in this copy).
      # e.g.
      # 2006-11-15 15:43:42 User.Warning 172.16.48.62 Nov 15 15:43:31 kerticyctus.cag.local MSWinEventLog<009>3<009>Security<009>24<009>Wed Nov 15 15:43:26 2006<009>861<009>Security<009>SYSTEM<009>User<009>Failure Audit<009>KERTICYCTUS<009>Detailed Tracking<009><009>The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\Snare\SnareCore.exe Process identifier: 3840 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: UDP Port number: 3754 Allowed: No User notified: No <009>3
      if (matches_regular_expression(v.message, '^([^.]*)[.] (.*)$')) then (
        set_collected_field('', 'action', $1);
        v.message = $2;
      );

      # Chop off the final tab-separated integer, if any (the trailing 48553775 below).
      #2014-02-17 09:23:42 Local7.Debug 12.34.56.78 CORPDOMC1.corp.local MSWinEventLog 1 Security 48581450 Mon Feb 17 09:23:41 2014 4737 Microsoft-Windows-Security-Auditing CORP\App_XenApp65_RemoteDesktopClient N/A Success Audit CORPDOMC1.corp.local Security Group Management A security-enabled global group was changed. Subject: Security ID: S-1-5-21-899140638-1880287713-836549130-12928 Account Name: abcd Account Domain: CORP Logon ID: 0x118434f18 Group: Security ID: S-1-5-21-899140638-1880287713-836549130-27450 Group Name: App_XenApp65_RemoteDesktopClient Group Domain: CORP Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 48553775
      if (matches_regular_expression(v.message, '^(.*) [0-9]+$')) then
        v.message = $1;

      # Retry the "period" action extraction now that the trailing integer is gone;
      # in lines like the one below the period-terminated action is what remains.
      #2014-02-17 09:23:42 Local7.Debug 12.34.56.78 CORPDOMC1.corp.local MSWinEventLog 1 Security 48581450 Mon Feb 17 09:23:41 2014 4737 Microsoft-Windows-Security-Auditing CORP\App_XenApp65_RemoteDesktopClient N/A Success Audit CORPDOMC1.corp.local Security Group Management A security-enabled global group was changed. Subject: Security ID: S-1-5-21-899140638-1880287713-836549130-12928 Account Name: abcd Account Domain: CORP Logon ID: 0x118434f18 Group: Security ID: S-1-5-21-899140638-1880287713-836549130-27450 Group Name: App_XenApp65_RemoteDesktopClient Group Domain: CORP Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 48553775
      if (matches_regular_expression(v.message, '^([^.]*)[.] (.*)$')) then (
        set_collected_field('', 'action', $1);
        v.message = $2;
      );

      # Chop off leading Subject without value (currently disabled; the
      # value-less "Subject:" / "Group:" labels are handled by the third
      # alternative of the while loop below instead).
      #2014-02-17 09:23:42 Local7.Debug 12.34.56.78 CORPDOMC1.corp.local MSWinEventLog 1 Security 48581450 Mon Feb 17 09:23:41 2014 4737 Microsoft-Windows-Security-Auditing CORP\App_XenApp65_RemoteDesktopClient N/A Success Audit CORPDOMC1.corp.local Security Group Management A security-enabled global group was changed. Subject: Security ID: S-1-5-21-899140638-1880287713-836549130-12928 Account Name: abcd Account Domain: CORP Logon ID: 0x118434f18 Group: Security ID: S-1-5-21-899140638-1880287713-836549130-27450 Group Name: App_XenApp65_RemoteDesktopClient Group Domain: CORP Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 48553775
      # if (matches_regular_expression(v.message, '^Subject: ([^ ]+.*)$')) then
      #   v.message = $1;

      if (!multiline) then (

        # Extract the name/value pairs from the message field. The format is "Name: Value" with pairs separated by multiple spaces (usually 4 or more?).
        # Each alternative consumes at least the "Label: " prefix, so v.message
        # shrinks on every iteration and the loop terminates.
        #
        # NOTE(review): v.fieldname is taken from the message body itself, which
        # arrives over syslog from the monitored host. Every "Label: value" in
        # the body becomes a collected field named by that label, and a body
        # pair can overwrite a header-derived field (user_name is set from $7
        # above and then again by a "User Name:" pair). That is what puts the
        # genuine Windows event fields in the right columns, but it also means
        # any label-shaped text inside an event (an account or object name, for
        # instance) is trusted as a field name. Limiting v.fieldname to the
        # names declared in log.fields would close that gap — confirm whether
        # set_collected_field already rejects undeclared names.
        while (matches_regular_expression(v.message, '^([^:]*): ([^:]*) *(.*)$') or
               # Here's one that has two spaces after the colon, and 3+ between values
               # (identical to the pattern above in this copy — see the whitespace caution at the top of the file)
               #2014-02-17 09:23:42 Local7.Debug 12.34.56.78 CORPDOMC1.corp.local MSWinEventLog 1 Security 48581450 Mon Feb 17 09:23:41 2014 4737 Microsoft-Windows-Security-Auditing CORP\App_XenApp65_RemoteDesktopClient N/A Success Audit CORPDOMC1.corp.local Security Group Management A security-enabled global group was changed. Subject: Security ID: S-1-5-21-899140638-1880287713-836549130-12928 Account Name: abcd Account Domain: CORP Logon ID: 0x118434f18 Group: Security ID: S-1-5-21-899140638-1880287713-836549130-27450 Group Name: App_XenApp65_RemoteDesktopClient Group Domain: CORP Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 48553775
               matches_regular_expression(v.message, '^([^:]*): ([^:]*) *(.*)$') or
               # Subject and Group here have no value, and are just followed by three spaces:
               #2014-02-17 09:23:42 Local7.Debug 12.34.56.78 CORPDOMC1.corp.local MSWinEventLog 1 Security 48581450 Mon Feb 17 09:23:41 2014 4737 Microsoft-Windows-Security-Auditing CORP\App_XenApp65_RemoteDesktopClient N/A Success Audit CORPDOMC1.corp.local Security Group Management A security-enabled global group was changed. Subject: Security ID: S-1-5-21-899140638-1880287713-836549130-12928 Account Name: abcd Account Domain: CORP Logon ID: 0x118434f18 Group: Security ID: S-1-5-21-899140638-1880287713-836549130-27450 Group Name: App_XenApp65_RemoteDesktopClient Group Domain: CORP Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 48553775
               matches_regular_expression(v.message, '^([^:]*): ()([^:]*:.*)$') or
               # Windows pathnames: a value that itself contains a drive-letter colon ("C:\...").
               matches_regular_expression(v.message, '^([^:]*): ([A-Za-z]:[^:]*) +(.*)$') or
               # Last pair on the line: nothing follows the value.
               # NOTE(review): the 'or' after this alternative has no right-hand
               # operand before the closing paren; an operand may have been lost
               # in this copy — confirm that this parses as intended.
               matches_regular_expression(v.message, '^([^:]*): ([^:]*) *()$') or) (
          # Normalise the label into a field name: lower case, spaces -> underscores.
          v.fieldname = $1;
          v.fieldname = lowercase(v.fieldname);
          v.fieldname = replace_all(v.fieldname, ' ', '_');
          set_collected_field('', v.fieldname, $2);
          v.message = $3;
        );

      ); # if !multiline

      # Accept this log entry. If it's multiline, this is only the first line of it, we can't accept the current event yet. But we know the previous event is done, so accept that.
      if (multiline) then
        accept_collected_entry('previous', false);
      # If it's not multiline, we now have everything about this event; accept it.
      else
        accept_collected_entry('', false);

    ); # If matches normal layout

    # If it's just a field value alone on the line, collect it into the current
    # entry. This branch is taken for any non-header line, whether or not
    # 'multiline' is set, so the same field-name caveat as in the while loop
    # applies here.
    else if (matches_regular_expression(current_log_line(), '^ ([^:]+): +([^ ].*)$')) then (
      v.fieldname = $1;
      v.fieldname = lowercase(v.fieldname);
      v.fieldname = replace_all(v.fieldname, ' ', '_');
      set_collected_field('', v.fieldname, $2);
    );
  `

  log.filters = {
    mark_entry = {
      value = "events = 1;"
      label = "$lang_admin.log_filters.mark_entry_label"
      comment = "$lang_admin.log_filters.mark_entry_comment"
    } # mark_entry
  } # log.filters

  # Database columns; mirrors log.fields above.
  database.fields = {
    event_code = ""
    type = ""
    category = ""
    user_name = ""
    server_name = ""
    action = ""
    domain = ""
    logon_id = ""
    logon_guid = ""
    logon_type = ""
    logon_process = ""
    authentication_package = ""
    workstation_name = ""
    new_process_id = ""
    process_id = ""
    creator_process_id = ""
    image_file_name = ""
    caller_user_name = ""
    caller_domain = ""
    caller_logon_id = ""
    caller_process_id = ""
    transited_services = ""
    source_network_address = ""
    source_port = ""
    primary_user_name = ""
    primary_domain = ""
    primary_logon_id = ""
    handle_id = ""
    target_account_name = ""
    target_account_id = ""
    target_domain = ""
    privileges = ""
    accesses = ""
    restricted_sid_count = ""
    access_mask = ""
    object_server = ""
    object_type = ""
    object_name = ""
    operation_id = ""
    client_user_name = ""
    client_domain = ""
    client_logon_id = ""
    member_name = ""
    member_id = ""
    server = ""
    service = ""
    name = ""
    path = ""
    identifier = ""
    user_account = ""
    user_domain = ""
    rpc_server = ""
    ip_version = ""
    ip_protocol = ""
    port_number = ""
    allowed = ""
    user_notified = ""
    # From message "A security-enabled global group was changed"
    subject = ""
    security_id = ""
    account_name = ""
    account_domain = ""
    group = ""
    group_name = ""
    group_domain = ""
    changed_attributes = ""
    member = ""
    additional_information = ""
    event_type = ""
    level = ""
    event_description = ""
    computer_name = ""
    subcategory = ""
  } # database.fields

  # The single numerical field: one event per accepted entry (set by mark_entry).
  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = "true"
      requires_log_field = "false"
      type = "int"
      display_format_type = "integer"
      entries_field = "true"
    } # events
  } # database.numerical_fields

  # Report groups offered by the profile wizard; "true" marks a field that is
  # reported by default, "" one that is available but off.
  create_profile_wizard_options = {
    report_groups = {
      date_time_group = ""
      actions_group = {
        event_code = "true"
        event_description = ""
        type = "true"
        action = "true"
        category = "true"
        subcategory = ""
        operation_id = "true"
        event_type = ""
        level = ""
      }
      processes_group = {
        process_id = "true"
        new_process_id = "true"
        creator_process_id = "true"
        logon_id = "true"
        logon_type = "true"
        logon_process = "true"
      }
      users_group = {
        domain = "true"
        workstation_name = "true"
        user_name = "true"
        caller_user_name = "true"
        caller_domain = "true"
        caller_logon_id = "true"
        caller_process_id = "true"
        source_network_address = "true"
        source_port = "true"
        primary_user_name = "true"
        primary_domain = "true"
        primary_logon_id = "true"
        target_account_name = "true"
        target_account_id = "true"
        target_domain = "true"
        handle_id = "true"
        client_user_name = "true"
        client_domain = "true"
        client_logon_id = "true"
        member_name = "true"
        member_id = "true"
        logon_guid = "true"
      }
      server_group = {
        server_name = "true"
        server = "true"
        service = "true"
        computer_name = ""
      }
      authentication_group = {
        authentication_package = "true"
        privileges = "true"
        accesses = "true"
        restricted_sid_count = "true"
        access_mask = "true"
      }
      other_group = {
        image_file_name = "true"
        transited_services = "true"
        object_server = "true"
        object_type = "true"
        object_name = "true"
        name = "true"
        path = "true"
        identifier = "true"
        user_account = "true"
        user_domain = "true"
        rpc_server = "true"
        ip_version = "true"
        ip_protocol = "true"
        port_number = "true"
        allowed = "true"
        user_notified = "true"
        # From message "A security-enabled global group was changed"
        subject = ""
        security_id = ""
        account_name = ""
        account_domain = ""
        group = ""
        group_name = ""
        group_domain = ""
        changed_attributes = ""
        member = ""
        additional_information = ""
      }
    } # report_groups
  } # create_profile_wizard_options

} # snare