Guide to Snare for Windows-4.3


Guide to Snare for Windows

for v4.2/4.3


© Intersect Alliance Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct, or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance Pty Ltd. This does not include those documents and software developed under the terms of the OpenSource General Public Licence, which covers the Snare agents and some other software. The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice. This product uses the RSA Data Security, Inc. MD5 Message-Digest Algorithm. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. http://www.openssl.org/

© Intersect Alliance, January 2014 Page 2 of 56 Version 4.2


About this guide

This guide introduces you to the functionality of the Snare agent for Windows operating systems. The development of 'Snare for Windows' will allow event logs collected by the Windows operating system including 2003, XP, Vista, Server 2008, Server 2008 R2, Windows


Appendix D - Upgrading an Evaluation Agent to the Enterprise Agent


1. Introduction

The team at Intersect Alliance have developed auditing and intrusion detection solutions on a wide range of platforms, systems and network devices including Windows, Linux, Solaris, AIX, IRIX, PIX, Checkpoint, IIS, Apache, MVS (ACF2/RACF), and many more. We have in-depth experience within National Security and Defence Agencies, Financial Service firms, Public Sector Departments and Service Providers. This background gives us a unique insight into how to effectively deploy host and network intrusion detection and security validation systems that support and enhance an organisation's business goals and security risk profile.

Native intrusion detection and logging subsystems are often a blunt instrument at best, and when your security team strives to meet departmental, organisational, industry or even national security logging requirements, a massive volume of data can be generated. Only some of this data is useful in evaluating your current security stance. Intersect Alliance has written software 'agents' for a wide range of systems that are capable of enhancing the native auditing and logging capabilities to provide advanced log filtering, fast remote delivery using secure channels, remote control of agents from a central collection server, and a consistent web based user interface across heterogeneous environments.

Through hard-won experience collecting log data in enterprises worldwide, Snare's capabilities have evolved over many years to provide an unmatched cohesive approach to event log management in a trusted package, that is promoted as an industry standard solution for log collection and distribution by a wide range of event management applications (SIEMs, SEMs, SIMs and LMs) and Service providers (MSSPs). The agents have an enterprise-level feature set, yet are designed to be light on disk space, memory and CPU to ensure that your servers can meet security requirements without compromising their ability to stick to core business.

Agents are available for Windows 2003/XP/Vista/2008/2008 R2/Windows


2. Enterprise vs OpenSource

Intersect Alliance issues two types of agents:

• Enterprise Agents - licensed and supported by Intersect Alliance and its partners. If you need to address an audit or regulatory compliance requirement, work with sensitive or private information or require a supported security platform, then the Snare Enterprise Agents are recommended.

• OpenSource Agents - audit and event log collection with source code available under the terms of the GNU Public License. The OpenSource agents provide a stable solution, but do not include all the features offered by the Enterprise Agents.

When deciding which type of Agent your organisation should use, the following questions should be considered:

1. Support - If you require a supported security platform then you need to use the Enterprise Agent. The OpenSource agent is provided to the OpenSource community free of charge and as issued. The Enterprise Agents include maintenance, upgrades, and bug fixes to the product and customer support for your organisation.

2. Complete and actual - If your organisation needs to know that every log will be captured and forwarded with integrity then you need to use the Enterprise Agents. The OpenSource agent does not support TCP, custom event logs, UTC or registry audits.

3. Sensitivity and Confidentiality - Should your organisation work with sensitive data, then you need to use the Enterprise Agents which includes the ability to support best practices and encryption protocols.

The following table highlights the feature sets available in these agents.

Agent Feature | Enterprise | OpenSource
Regulatory Compliance: Helps gather information to comply with NISPOM, PCI, SOX or other regulations. | |
Vendor Support: Product maintained, updated and supported for compliance. | ✔ |
Windows 2012 / Windows 8 Agent: supported on all Windows platforms, including W2012 and W8 platforms. | |
Capture Custom Windows Event Logs: Capture and transmit all logs including Application and Services logs in addition to the Windows Event Logs. | |
Event Log Caching: Caching of events in case of a network disruption, ensuring that the events are not lost. | |
TCP: Confirmed log message delivery with Smart TCP - no lost or missing logs. | ✔ |
Encryption with TLS/SSL: Protecting the confidentiality and integrity of log messages in transit. | ✔ |
Log Server Connection Status: The Current Events page displays the connection status of the logging server(s). | |
Alternate Syslog destination options: RFC5424 compliant. | ✔ |
Syslog destination options: RFC3164 compliant. | ✔ | ✔
Light on Resources: 1. Small deployment footprint (E.G. 1.5Mb). 2. Minimal Host resource requirements (E.G. 5% of CPU). 3. Minimal Host memory requirements (E.G. less than 20Mb). | ✔ | ✔
Real Time Event Filtering: The Snare Agents can find, filter and forward events which contribute to the organisation's security requirements, while ignoring others, thus greatly reducing network traffic and back end server and analysis resources (measured in EPS). | ✔ | ✔
Installer: Easy to use installer. Silent install option. | ✔ | ✔
UDP: Fire and forget message delivery. | ✔ | ✔
Locale Date Information: If your organisation has locations and different timezones then the Agent can optionally send events with a UTC timestamp and a US English Locale to ensure the integrity of the log record from its source. | ✔ | ✔
Stability: The event collection minimizes any interference with the host's operating system and applications so that the service can be as stable and independent as possible. | ✔ | ✔
Latency and Real Time: Operation in real time mode, so as the events are generated, they are automatically sent to the SIEM server without delay or the risk of compromise of modification. | ✔ | ✔
Remote Control Interface: Snare allows you to remotely control the agents when the audit/eventlogging configuration of the target system needs to be dynamically changed. | ✔ | ✔
Native OS Audit Control: The Snare agents are able to configure the native event sub-system, and if so desired, allow the generation of only specific events required by the security policy. | ✔ | ✔
Upgrading: Upgrade option to preserve existing configuration settings. | ✔ | ✔


3. Overview of the Snare Agents

Snare operates through the actions of a single component; the SnareCore service based application (snarecore.exe). The SnareCore service interfaces with the Windows event logging sub-system to read, filter and send event logs from the primary Application, System and Security event logs to a remote host. Please note that where available, the agent is also capable of reading, filtering and sending logs from the DNS Server, File Replication Service, DFS-Replication and Directory Service logs, as well as any Custom event log sources such as those under Applications and Services Logs. In addition to regular event logs, SnareCore will collect USB connect and disconnect notifications.

Once gathered, the logs are then filtered according to a set of objectives chosen by the administrator, and passed over a network using the UDP or TCP protocol, using optional TLS/SSL encryption, to a remote server. The SnareCore service can be remotely controlled and monitored using a standard web browser (see Figure 1a and Figure 1b for example screens).

The Custom event log capability, TCP protocol capability, TLS/SSL support and the ability to send events to multiple hosts is only available to users who have purchased the Enterprise Agents. See the chapter About Intersect Alliance for further details.

The SnareCore service reads event log data from the core Windows event sources listed above, plus USB device notifications. SnareCore converts the binary encoded event log record to a human-readable format. If a SYSLOG or Snare Server is being used to collect the event log records, the event records will be TAB delimited. This format is further discussed in Appendix A Event output format on page 46. The net result is that a raw event, as processed by the SnareCore service may appear as follows:

Example:

Test_Host MSWinEventLog 0 Security 3027 Fri May 24 09:30:43 2013 93 Security Administrator User Success Audit LE%7&WS' Detailed Tracking A process has exited: Process ID: %% User Name: Administrator Domain: LE%7&WS' Logon ID: 0-00-%2
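
As an added illustration (not code from the guide or from the Snare project), the following Python parses a record in the TAB-delimited layout implied by the sample above and reports gaps in the agent's event counter; the field names and the assumption that the counter increments by one per event are this example's own, since Appendix A is not reproduced in this excerpt.

```python
"""Parse a Snare MSWinEventLog record and check the event counter for gaps."""
from datetime import datetime
from typing import Any, Dict, List

# Field order inferred from the sample record in this section. The names are
# this example's own; the authoritative layout is Appendix A of the guide.
FIELDS: List[str] = [
    "hostname", "log_type", "criticality", "log_name", "counter",
    "timestamp", "event_id", "source", "user", "sid_type",
    "event_log_type", "computer", "category", "description",
]

# Constructed sample records (values made up for the example; 593 is the
# Windows 2003 'A process has exited' event). Counter 3029 is deliberately
# absent so the gap check has something to find.
SAMPLE_RECORDS: List[str] = [
    "\t".join([
        "Test_Host", "MSWinEventLog", "0", "Security", str(counter),
        "Fri May 24 09:30:43 2013", "593", "Security", "Administrator", "User",
        "Success Audit", "TEST-WS", "Detailed Tracking",
        "A process has exited: Process ID: 55 User Name: Administrator Domain: TEST-WS",
    ])
    for counter in (3027, 3028, 3030)
]


def parse_snare_record(line: str) -> Dict[str, Any]:
    """Split one record on TABs and type the numeric and date fields.

    The description is the final field; the split stops after the 13th
    separator so any TAB inside the description is preserved.
    """
    parts = line.rstrip("\r\n").split("\t", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} TAB-delimited fields, got {len(parts)}")
    record: Dict[str, Any] = dict(zip(FIELDS, parts))
    if record["log_type"] != "MSWinEventLog":
        raise ValueError(f"not a Snare Windows record: {record['log_type']!r}")
    for key in ("criticality", "counter", "event_id"):
        record[key] = int(record[key])
    # Snare writes the event time in ctime-like form, e.g. 'Fri May 24 09:30:43 2013'.
    record["timestamp"] = datetime.strptime(record["timestamp"], "%a %b %d %H:%M:%S %Y")
    return record


def missing_counters(lines: List[str]) -> List[int]:
    """Return counter values absent between consecutive records.

    Assumes the agent increments the counter by one per event (this example's
    assumption). A gap then points at records lost in transit, which matters
    for UDP delivery since the guide describes it as fire-and-forget.
    """
    counters = [parse_snare_record(line)["counter"] for line in lines]
    gaps: List[int] = []
    for previous, current in zip(counters, counters[1:]):
        gaps.extend(range(previous + 1, current))
    return gaps
```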

Figure 1a Main event window (Windows 2003)

Figure 1b Main event window (Windows


4. Installing and running Snare

Snare is provided as a single-file self-extracting archive, and has been designed with an installation wizard and advanced silent install options to allow for easy installation and configuration of all critical components. The self-extracting archive installs all components of Snare, including icons, changelog documentation, and the snarecore.exe binary.

The snarecore.exe binary implements the 'SnareCore' service, which is responsible for reading event log records, filtering the events according to the objectives, providing a web based remote control and monitoring interface and providing all the necessary logic to allow the binary to act as a service defined in any of the supported versions of Windows (including 64 bit versions).

Organisations that wish to remotely deploy pre-configured Snare agents to workstations and servers, without physically moving from system to system, may appreciate the MSI (Microsoft Installer utility) functionality. The Snare Enterprise Agent supports being used as a single smart MSI for all Windows platforms and releases ensuring simplified and error free distribution. Refer to documentation on the Intersect Alliance website, Snare for Windows Custom MSI.

Creating a MSI file for Snare is only available to users who have purchased the Enterprise Agents. See the chapter About Intersect Alliance for further details.

4.1 Wizard Install

Download the SnareEnterpriseAgent-Windows-v<version>-SUPP-MultiArch.exe file from the Intersect Alliance website (where <version> is the most recent version of the file available).

Ensure you have administrator rights, double-click the SnareEnterpriseAgent-Windows-v<version>-SUPP-MultiArch.exe file. This is a self extracting archive, and will not require WinZip or other programs. You will be prompted with the following screens:

Welcome to the Snare Setup Wizard


This screen provides a brief overview of the product you are about to install. Where available, select 'Next' to continue the installation, 'Back' to return to the previous screen or 'Cancel' to abort the installation.

License Page

The License Page displays the End User License Agreement (EULA) for supported versions of the agent or the GNU General Public License (GPL) for the OpenSource release. Please read the document carefully and if you accept the terms of the agreement, select 'I accept the agreement' and the 'Next' button will be enabled allowing the installation to continue.

Existing Install (Upgrade only)

If the Wizard detects a previous install of the Snare agent, you will be asked how to proceed. Selecting 'Keep the existing settings' will leave the agent configuration intact and only update the Snare files. The Wizard will then skip directly to the Ready to Install screen. Selecting 'Reinstall' will allow the configuration wizard to continue and replace your existing configuration with the values you input. Note that replacing the configuration does not happen immediately; it takes place after selecting the 'Install' button on the Ready to Install screen.


Auditing

The Snare agent has the ability to automatically configure the audit settings of the local machine to match the configured objectives. To enable this feature, select 'Yes'.

NB: VERY IMPORTANT: IF YOU DO NOT SELECT THIS OPTION AND/OR THE WINDOWS ACTIVE DOMAIN GROUP POLICIES OVERWRITE THE AUDIT SETTINGS, THEN YOU WILL NEED TO MANUALLY ENSURE THAT THE WINDOWS AUDIT SETTINGS MATCH YOUR DESIRED OBJECTIVE CONFIGURATION.

Service Account

The Snare agent requires a service account to operate. The default option is to use the in-built SYSTEM account.

Network Control Interface

This screen provides a means to configure the Snare Agent's web interface, named the Remote Control Interface, for first time use. Other settings that may be set include network configuration settings that are also available from the Remote Control Interface > Network Configuration screen.


Select from the following options to configure the Snare web interface:

● 'Enable Web Access'
Select this option to enable the web interface. The following options may also be configured:

○ No / Disable password
The web interface will operate without a password, allowing unauthenticated access to the configuration options.

○ Yes / Please enter a password
A user/password combination will be required to access the web interface. The user is always 'snare' and the password will be set to the text supplied in the 'Password' field.

○ Local access only
Selecting 'Local access only' will configure the web interface to restrict access to local users only. Remote users will be unable to contact the web interface.

The following settings are available from version 4.3.0:

○ Use Host IP Address Override for source address
Enabling this setting will use the first network adaptor as listed in the network configuration as the source of the IP address.

○ Destination address
The name or IP address can be entered and comma delimited when several addresses are required.

○ Port
Configure the port, for example Snare Server users should only send events to port 6161 in native UDP or TCP, or 6163 for TLS/SSL, and Syslog via port 514.

○ Protocol
Select the protocol (UDP, TCP, TLS) you would like the agent to use when sending events.

NOTE: If the Enable Web Access option is NOT selected, all configuration changes will need to be made by directly modifying registry settings and the service will need to be restarted for any changes to take effect.


Select Destination Location

This screen provides a means to select the folder where the Snare Agent will be installed. If the folder name specified does not exist, it will be created. It is important that this folder has at least enough space available to install the agent. By default, the installation wizard will install Snare under the Program Files folder. If a different destination is desired, one may be selected via the 'Browse' button, or by typing the full path name directly into the box.

Select Start Menu Folder

Select the program group within the Start Menu under which a shortcut to the Snare Agent's remote control interface will be created.


Ready to Install

This screen provides a final summary of the chosen installation options. If the options listed are incorrect, select the 'Back' button to return to previous screens and change their configuration. Select the 'Install' button to proceed with the listed choices, or 'Cancel' to abort the installation without making any changes. The 'Back' button may be used to return to the previous screen.

Information

This screen provides basic copyright information and last minute documentation which may not be included within this manual.


Completing the Snare Setup Wizard

This is the final screen of the installation wizard. By default, a Readme.txt file will be opened after selecting 'Finish'. Please review this readme for details of the changes made to the agent.


4.2 Silent Install

The silent install option is provided for system administrators wishing to automate the process of installing Snare for Windows.

Command line options

The Snare installer has a number of command line options to support silent, automated installations:

• /VerySilent - The Wizard will be hidden for the duration of the installation process. Any message boxes will still be displayed.

• /Suppress


4. Ensure you have administrator rights, open a command prompt and browse to the directory where Snare is installed.

5. Run the following commands:

• SnareCore.exe -x
Export the information and error messages, along with the INF file contents to the screen.

• SnareCore.exe -x <INFfile>
Export the information and error messages to the screen and write the INF file contents to INFfile for use with the LoadInf command line option.

6. Follow the prompts carefully and where required, enter the necessary password information for either the Service Account and/or the Sensitive Information encryption.


4.3 Running Snare

Upon installation of the Snare agent, an 'Intersect Alliance' menu item is available from the All Programs Windows menu. The Snare remote control launch menu is then available from All Programs->Intersect Alliance->Snare for Windows.

The Remote Control Interface may also be accessed via a web browser from the local machine by visiting the URL http://localhost:6161/. The Remote Control Interface is turned on by default, and also password protected for security reasons. The default username and password are:

Username: snare
Password: snare

If you previously configured a password, you will need this to log in, along with the username: 'snare'.

Note: The default password is not encrypted at this time. Ensure you change the default Snare password immediately after installation so that it is encrypted, for security purposes. It is recommended you use a strong complex password of at least 12 characters. To update the password go to the Remote Control Configuration page and update the password.

Issues with SnareCore service

For events to be passed to a remote host, the SnareCore service must be running. Ensure the SnareCore service is active by selecting Services from the Administrative Tools or Computer


4.4 Evaluation Version

Intersect Alliance offers a trial version of the agents providing full functionality for a limited time for evaluation purposes. If this version is installed, the following will be included in the header of each screen:

This indicates on what date, and the number of days the agent will cease to log to a server. When this date is passed, the following will be displayed:

The Latest Events page will continue to update with current events, however no further events will be transmitted to the server.

To continue enjoying the benefits of Snare, please contact Intersect Alliance to purchase a licensed solution.

See Appendix D for upgrading your Evaluation Agent to the Enterprise Agent.


5. Setting the audit configuration

The configuration for Snare for Windows agents is stored in the system registry. The registry is a common storage location of configuration parameters for Windows programs and other applications. The registry location contains all the details required by Snare to successfully execute. Failure to specify a correct configuration will not 'crash' the SnareCore service, but may result in selected events not being able to be read and the agent not working as specified.

Note manual editing of the registry location is possible, but care should be taken to ensure that it conforms to the required Snare format. Also, any use of the web based Remote Control Interface to modify selected configurations, will result in manual configuration changes being overwritten. Details on the configuration format for the registry can be viewed in the Appendix Snare Windows registry configuration description on page 4


Figure 2 Network Configuration Window

● Override detected DNS Name with: Can be used to override the name that is given to the host when Windows is first installed. Unless a different name is required to be sent in the processed event log record, leave this field blank and the SnareCore service will use the default host name set during installation. Note that executing the command hostname on a command prompt window will display the current host name allocated to the host.

Dynamic DNS Names feature ENTERPRISE AGENT ONLY: The Enterprise Agent automatically re-queries the DNS server for any IP Address changes every ten minutes.

● Use Host IP Address Override for source address: (Available v4.3) Enabling this setting will use the first network adaptor as listed in the network configuration as the source of the IP address. The agent will periodically (about ten minutes) check this setting and pick up any changes that occur via a manual change of IP or DHCP reassignment. The value of the IP


checkbox is set then the system will also select the required event log parameters to meet those objectives (see below) which have been set. This will alleviate any problems associated with ensuring that the correct audit event categories have been selected, based on those event IDs which are required to be filtered. This is also the most optimized setting in terms of system performance.

NB: VERY IMPORTANT: IF YOU DO NOT SELECT THIS OPTION AND/OR THE

● Export Snare Log data to a file: Log events to a file (separate to the event viewer log files). Note that if this selection is made the log files must be managed, since Snare will not rotate or otherwise manage these files. Failure to do so may result in a huge amount of disk space being taken up by this log file. It may also pose a security risk as access to the file will

Figure 3 Registry Auditing

need to be managed. The log can be found in the system32 directory, e.g. c:\windows\system32\LogFiles\Snare.

● Use Coordinated Universal Time (UTC): ENTERPRISE AGENT ONLY Enables UTC timestamp format for events instead of local machine time zone format.

● Enable active USB auditing: ENTERPRISE AGENT ONLY A series of plug and play and drive events can be captured and managed by an objective. A new objective is required to capture USB events as USB events will NOT be captured by default.

● EPS Rate Limit: ENTERPRISE AGENT ONLY This is a hard limit on the number of Events sent by the agent per second to any destination server. This EPS rate limit applies only to sending the events NOT capturing the events. The EPS rate limit is to help to reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpected high event rates. For example, if EPS rate limit is set to 50 (as below) then Snare for Windows will only send a maximum of 50 log messages in a second to any destination server.

● Notify on EPS Rate Limit: ENTERPRISE AGENT ONLY If this option is selected then a message will be sent to the server when the agent reaches the EPS rate limit. The message also includes the EPS rate limit value.

● EPS Notification Rate Limit: ENTERPRISE AGENT ONLY This is the time (in minutes) during which, if the agent reaches the EPS limit multiple times, only one EPS rate limit message will be sent to the server. This setting only works if 'Notify on EPS Rate Limit' is checked. For example, if EPS notification rate limit is set to 10 minutes then only one EPS notification message will be sent to destination server(s) regardless of how many times Snare for Windows reaches the EPS rate limit.
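
The three EPS settings above interact; the following Python is an added model of that interaction (this example's own code, not the agent's implementation): a per-destination per-second send cap, a notification when the cap is hit, and a window that suppresses repeat notifications, driven by a constructed burst pattern using the guide's example values of 50 EPS and 10 minutes.

```python
"""Model of EPS Rate Limit, Notify on EPS Rate Limit and EPS Notification Rate Limit."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class EpsLimiter:
    """One limiter per destination server (this example's own model).

    eps_limit:          events allowed per wall-clock second to this destination
    notify:             send a message when the limit is reached
    notify_window_min:  at most one such message per this many minutes
    """
    eps_limit: int
    notify: bool = True
    notify_window_min: int = 10
    _second: int = field(default=-1, init=False, repr=False)
    _sent_this_second: int = field(default=0, init=False, repr=False)
    _last_notice: Optional[float] = field(default=None, init=False, repr=False)

    def offer(self, now: float) -> Tuple[bool, Optional[str]]:
        """Decide whether an already captured event may be sent at time `now`.

        Returns (send_now, notification). The cap governs sending only; the
        event was captured regardless, which is the distinction the guide draws.
        """
        second = int(now)
        if second != self._second:          # new second: reset the per-second count
            self._second, self._sent_this_second = second, 0
        if self._sent_this_second < self.eps_limit:
            self._sent_this_second += 1
            return True, None
        notice = None
        window = self.notify_window_min * 60
        if self.notify and (self._last_notice is None or now - self._last_notice >= window):
            self._last_notice = now
            notice = f"EPS rate limit of {self.eps_limit} events/second reached"
        return False, notice


def simulate(limiter: EpsLimiter, event_times: List[float]) -> Tuple[int, int, List[str]]:
    """Feed captured-event timestamps (seconds) through the limiter.

    Returns (sent, held_back, notifications). Held-back events would be sent
    in a later second by a real agent; only the count matters here.
    """
    sent = held = 0
    notices: List[str] = []
    for t in event_times:
        ok, notice = limiter.offer(t)
        if ok:
            sent += 1
        else:
            held += 1
        if notice:
            notices.append(notice)
    return sent, held, notices


# Constructed load: three bursts of 120 events, each inside a single second,
# at t=0, t=5 min and t=12 min. With a 50 EPS cap and a 10 minute
# notification window only the first and third bursts produce a notification.
BURSTS: List[float] = [
    start + i / 120 for start in (0.0, 300.0, 720.0) for i in range(120)
]
```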

● Enable SYSLOG Header: The SYSLOG function is a UNIX based service that allows for event records to be processed remotely, but has the requirement that the event records need to be in a specific format. This feature will allow the event log record to be formatted so as to be accepted by a SYSLOG server. Is there a requirement to incorporate a SYSLOG header? Some SYSLOG services cannot correctly parse our default SYSLOG header, so an alternative header (Use alternate header) is also available ENTERPRISE AGENT ONLY. Selecting this option is recommended with ArcSight and other SIEM systems. Snare Server users should only send events to port 6161, or 6163 for TLS/SSL, and should NOT enable this option.

● SYSLOG Facility: Specifies the subsystem that produced the message. The list displays default facility levels that are compatible with Unix.

● SYSLOG Priority: If 'SYSLOG' is used, the agent can be configured to use a static, or dynamic priority value. If 'Dynamic' is selected as the SYSLOG priority value, the priority sent to the remote SYSLOG server will mirror the Snare 'criticality' value of the matched objective. (Note you may wish to ensure the 'Perform a scan of ALL objectives, and display the maximum criticality:' checkbox is also selected.)


● Truncate List: ENTERPRISE AGENT ONLY Some events generated by Windows can be triggered often and contain verbose information which may not be of much interest to the audit subsystem. To reduce the load on the target servers, these events may be truncated. This means the event isn't discarded from an audit point of view, but reduces the amount of unnecessary message detail sent across the network. Each line in this text box will compare to each event text and begin the truncation from the first character of the match.

For example placing the following text in the text box:

to complete the installation

would cause an event like below:

Windows update Hotfix for Windows (KB2664825) requires a computer restart to complete the installation (Command line: ""C:\windows\SysNative\wusa.exe" "C:\ProgramData\PackageCache\-./5.B0.+--5804+2.4.+1B-55+8B43.8.4--6\packages\localdsu\Windows6.0-KB2664825-x64.msu" /quiet /norestart")

to become:

Windows update Hotfix for Windows (KB2664825) requires a computer restart (truncated 222 bytes)
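
The truncation rule above, implemented in Python as an added example (not the agent's code): every line of the Truncate List is tried against the event text, the earliest match wins, and the text from that match onward is replaced by a byte-count marker in the form the guide shows. The event text and the all-zero GUID are constructed for the example.

```python
"""Truncate List behaviour: cut an event's text from the first matching line onward."""
from typing import List, Tuple

# One pattern per line of the Truncate List text box, as in the guide's example.
TRUNCATE_LIST: List[str] = ["to complete the installation"]

# Constructed event text in the style of the guide's example (GUID made up).
EVENT_TEXT = (
    "Windows update Hotfix for Windows (KB2664825) requires a computer restart "
    "to complete the installation (Command line: \"\"C:\\windows\\SysNative\\wusa.exe\" "
    "\"C:\\ProgramData\\PackageCache\\{00000000-0000-0000-0000-000000000000}"
    "\\packages\\localdsu\\Windows6.0-KB2664825-x64.msu\" /quiet /norestart\")"
)


def truncate_event(text: str, patterns: List[str]) -> Tuple[str, int]:
    """Return (possibly truncated text, number of bytes removed).

    The earliest match among all patterns wins, so the result does not depend
    on the order of lines in the list. Whitespace just before the cut is
    dropped and a '(truncated N bytes)' marker records what was removed; N
    counts UTF-8 bytes from the first character of the match to the end.
    """
    cut = None
    for pattern in patterns:
        idx = text.find(pattern)
        if idx != -1 and (cut is None or idx < cut):
            cut = idx
    if cut is None:
        return text, 0                       # no line matched: send the event unchanged
    removed = len(text[cut:].encode("utf-8"))
    return f"{text[:cut].rstrip()} (truncated {removed} bytes)", removed
```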


5.2 Objectives Configuration

A major function of the Snare system is to filter events. This is accomplished via the advanced auditing 'objectives' capability. Any number of objectives may be specified and are displayed on the Objectives Configuration page (Figure 4). These objectives will be processed by the agent in the order they appear, that is, top to bottom. Use the up and down arrows in the Order column to reorganize your objectives into the appropriate order. An objective may be viewed or modified within the Create or


Note that the groups above are provided to service the most common security objectives that are likely to be encountered. If other event types are required, then the 'Any event(s)' objective will allow fully tailored objectives to be set. From each of these groups, a level of importance can be applied. These criticality levels are critical, priority, warning, information and clear. These security levels are provided to enable the Snare user to map audit events to their most pressing business security objectives and to quickly identify the criticality of an event via the coloured buttons on the Snare remote control interface, on the Objective Configuration page as shown in Figure 5.

Figure 5 Create or Modify an Objective

The following filters can be applied to incoming audit events:

● Filter on the EventID 562,45


level events, this field is ignored and automatically managed by the agent.

● General Search Term field. This allows the user to further refine a search based on the event record payload. For most high level events, this option will search all the fields of an event record, except the header. For simple searches (i.e. not a regular expression), there is NO need to use the wildcard character at the start or end of this field as it is automatically added to the search term when the objective is saved. The exception to this rule is when the Access a file or directory high level event is selected and the Automatically set file audit configuration option is enabled. In this situation, the General Search field is used to identify the file, directory or registry location that requires auditing.

Example: To monitor for a file being opened for reading, the objective Access a file or directory would be selected and the actual directory would be entered into this field as follows: C:\Example\*. The agent will then recursively apply auditing to the destination folder, ensuring that any files or directories below C:\Example would be subject to audit and trapped.

Tip: If setting a file search parameter, it is important that the FULLY QUALIFIED directory name is entered so that the Snare system can set the appropriate auditing. For example, C:\TEMP\SECRET\* will work, but SECRET* will not.

The search string may be treated as a Perl Compatible Regular Expression if the checkbox is selected. This allows more powerful/refined text matching and targeted objectives allowing sophisticated forensic analysis and reporting, particularly when small details get lost in noisy log environments. Some common useful regular expressions include:

Event contains email address:
    ([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})

Event contains URL:
    (https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?

Event contains IP address:
    (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

Event contains hex numbers:
    #?([a-f0-9]{6}|[a-f0-9]{3})
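To show how the two General Search Term modes behave on the same payloads, here is an added Python example; it is not code from the guide or from the agent. It assumes the simple mode is DOS wildcard matching with '*' wrapped around the saved term, as the text above states, and that the regular-expression mode is an unanchored, case-insensitive search; the event payloads are constructed, and the four patterns are the ones listed above with their '|' alternations restored.

```python
import re
from typing import List

# The patterns listed above, with the '|' alternations written out.
EMAIL_RE = r"([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})"
URL_RE = r"(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?"
IP_RE = (r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
         r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")
HEX_RE = r"#?([a-f0-9]{6}|[a-f0-9]{3})"

# Constructed event payloads (not real agent output).
EVENTS = [
    "Logon attempt by alice@example.com from 192.168.1.22",
    "User visited https://intranet.example.org/reports/q1",
    "Object handle 0x00ab12ef opened by bob",
    "Service started",
]


def dos_wildcard_to_regex(term: str) -> str:
    """Translate a DOS wildcard term ('*' any run, '?' one character) into a
    regular expression, escaping every other character literally."""
    out = []
    for ch in term:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def simple_match(payload: str, term: str) -> bool:
    """Simple (non-regex) General Search Term: the agent wraps the saved term
    in '*', so the term may occur anywhere in the payload."""
    pattern = ".*" + dos_wildcard_to_regex(term) + ".*"
    return re.fullmatch(pattern, payload, re.IGNORECASE | re.DOTALL) is not None


def regex_match(payload: str, pattern: str) -> bool:
    """Regular-expression General Search Term: unanchored search in the payload."""
    return re.search(pattern, payload, re.IGNORECASE) is not None


def matching_events(events: List[str], term: str, use_regex: bool = False) -> List[str]:
    """Return the payloads an objective with this General Search Term would trap."""
    matcher = regex_match if use_regex else simple_match
    return [e for e in events if matcher(e, term)]


if __name__ == "__main__":
    for name, pat in [("email", EMAIL_RE), ("url", URL_RE), ("ip", IP_RE), ("hex", HEX_RE)]:
        print(name, matching_events(EVENTS, pat, use_regex=True))
    print("simple", matching_events(EVENTS, "handle 0x????????"))
```

Running it shows why the hex pattern needs care in noisy logs: besides the handle value in the third payload it also hits the "192" inside the IP address in the first, since three consecutive hex digits occur in many ordinary strings.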

● User Search Term. An event record may be selected or discarded based on a userid, or partial match of a userid. If no users are entered AND the Include Search Term Users radio button has been selected, then ALL users will be audited. If a term is entered in this field, then an event record will be trapped or discarded based on a valid match and whether the Include or Exclude radio buttons have been selected. There is no need to use the wildcard character at the start and end of this field as it is automatically added when the objective is saved. Multiple users may be entered using a comma separated list.


● Identify the event types to be captured. Windows uses many different audit event types, including Success Audit, Failure Audit, Information, Warning, Error, Critical, Verbose, Activity Tracing. Below is an example of a logged event in Event Viewer. The Level field displays this event type as Information.

If it is unclear which type of event is required, then selecting all of the check boxes will ensure that no events are lost. Note if none of the checkboxes are selected, then NO events will be trapped.

● Identify the Event Logs. Windows collects logs from a number of event log sources. On Windows Servers, all six primary event logs may be found, however on pre-Vista Workstation installations only three of these event logs (Security, System and Application) are available. Collecting events from Windows Logs is available for OpenSource agents, however collecting logs for Custom Event Logs and Applications and Services Logs is only available with the Enterprise Agents. Refer to the Windows Event Viewer in Figure 6.


Figure 6 Windows Event Viewer


If in doubt, there will be no harm done in selecting all event log types, except that SnareCore will now read from, and attempt to filter, all the selected event logs and this will have some slight negative performance impact. Please note, if any high level event except for 'Any events' is selected, then this item is ignored as it is set automatically by the high level event.

• Custom Event Log (ENTERPRISE AGENT ONLY) - For custom logs, when you create or modify an objective, you will need to select this check box and then specify the specific name of the log in the Source Search Term.

To find the specific name, open the Event Viewer, browse to the event log you wish to capture, and open the Properties dialog. For example, the Group Policy log as seen below. Here you will see the full name, e.g. Microsoft-Windows-GroupPolicy/Operational.

You only need to enter the first part leading up to the forward slash in the Source Search Term, "Microsoft-Windows-GroupPolicy", in the Filtering Objective Configuration as shown below.


After saving your configuration, and as your expected events are logged, the latest events will then display the custom logs.

Once the above parameter settings have been finalized for your Objective, click OK to save the configuration to the registry. To ensure the SnareCore service has received the new configuration, the SnareCore service MUST be restarted via the Windows Services control panel or via the Apply the latest audit configuration menu item in the Remote Control Interface.


4.3 Managing the Agent configuration

Snare Agent Management Console

The most effective and simplest way to configure the SnareCore service is to use the Snare web based Remote Control Interface, see Chapter 7 Network Control Interface. If remote control is enabled, the process of configuring large numbers of agents can be further simplified by taking advantage of the Snare Server Agent


Super group policy is useful when different types of Snare agents (Snare Epilog, Snare for Windows and Snare for MSSQL) are running on a network. Using super group policy, network domain administrators can update the settings of all types of Snare agents running on a network using Microsoft® Group Policy Editor. For example, network domain administrators can use Microsoft® Group Policy Editor to update all types of Snare agents on the network to send the log to a Snare Server running at 10.1.1.1 on TCP port 6161. Once this super group policy is applied, all Snare agents will then send logs to the Snare Server running at 10.1.1.1 on TCP port 6161.

Snare for Windows group policy is also useful when there is a need to update the settings of all Snare for Windows agents running in a network. Snare for Windows group policy only updates the settings of Snare for Windows agents. For example, network domain administrators can use Microsoft® Group Policy Editor to update all Snare for Windows agents on the network to send the log to a Snare Server running at 10.1.1.1 on TCP port 6161. Once this Snare for Windows group policy is applied, all Snare for Windows agents will now send logs to the Snare Server running at 10.1.1.1 on TCP port 6161.

Below is a sample of an Administrative Template (ADM) file that can be loaded into a Group Policy Object to assist with selecting and setting configuration options.

    CLASS MACHINE
    CATEGORY "InterSect Alliance AuditService Settings"
    #if version >= 4.0
      EXPLAIN "Contains examples of different policy types?\n\nShould display policy settings the same as \nADM> File > Example Policy settings category?"
    #endif
    CATEGORY "Config"  ;sets policy under Software\Policies\InterSect Alliance\AuditService\Config
    POLICY "Override detected DNS Name"
    #if version


5. Audit event viewer functions

Events collected by the agent that meet the filtering requirements as per the Audit Configuration will be displayed in the 'Latest Events' window illustrated in Figure


6. HeartBeat and Agent Log

The agent can send out regular heartbeats, letting the collecting device know that the agent is working without having to make contact. Agent logs are available which allow the agent to send status messages to the collection device, such as memory usage, service start and stop messages, and any errors or warnings triggered during operations. Configuration for heartbeat and logs is performed on the Snare HeartBeat and Agent Log Configuration page by selecting the HeartBeat and Agent Log menu item (see Figure 8). The parameters are discussed in detail below:

● Agent Logging Options. Select the type of agent logs required:

Service logs – relate to the running agent service. Service tracking enables the agent to send audit events related to the agent service operations including starting, stopping, web server started, memory usage and configuration fingerprints.

Policy Change logs – logs when operating system parameters are modified, such as Writing AgentLog Registry, Writing Objective Registry. The Policy Change tracking tells the agent to send an audit event any time it attempts to make a change to the local security policy and it will also report on any attempts to access the agent web interface or write agent configuration changes.

Debug logs – provide low level trace information used to debug the agent, and usually not required on a production machine.

● Agent Heartbeat Frequency. The frequency in which notification is sent to the server on the state of the agent. The frequency can be in minutes, hours or days. By default the heartbeat frequency is disabled.

Figure 8 HeartBeat and Agent Log


7. Remote control and management functions

The SnareCore service is a separate, standalone component of the Snare system. The Snare Remote Control Interface can be used to interact with a number of aspects of its operation. Primarily, the interface is used to develop and set the audit, network and objectives configuration, as described in the previous sections; however, options are also available to manage the SnareCore service.

The SnareCore service can be reloaded directly from the menu item Apply the Latest Audit Configuration. This will instruct the SnareCore service to re-read all the configuration settings, clear the buffers and essentially restart the service. This function is useful to apply any saved changes that have been made to the audit configuration. The user can therefore select when to activate a new configuration by selecting this menu item. Please note, this option does not restart the Windows service, but instead performs all the operations as if the service had been restarted.

The SnareCore service status can be viewed by selecting the View Audit Service Status menu item. This will display whether the SnareCore service is active as well as information relating to the architecture of the machine and the running binary file as shown in Figure 9.

Figure 9 Audit Status Page


A significant function of the SnareCore service is its ability to be remote controlled. This facility has been incorporated to allow all the functions previously available through the front end Snare tool to be available through a standard web browser. The SnareCore service employs a custom designed web server to allow configuration through a browser, or via an automated custom designed tool. The parameters which may be set for remote control operation are shown in Figure 10 and discussed in detail below:

● Restrict remote control of SNARE agent to certain hosts. This feature indicates whether to allow remote control of the Snare Agent. This option is also configurable at the time of installation. Enabling this option will allow the Snare Agent to be remote controlled from another machine via a web browser or the Snare Server's Agent Management Console. If the remote control feature is unselected, it may only be turned on by enabling the correct registry key on the hosted PC in which the Snare Agent has been installed.

● IP Address allowed to remote control SNARE. Remote control actions may be limited to a given host. This host, entered as an IP address in this field, will only allow remote connections to be effected from the stated IP address. Note that access control based on source IP address is prone to spoofing, and should be considered as a security measure used in conjunction with other countermeasures.

● Require a password for remote control. Indicate whether a password will be set so that only authorised individuals may access the remote control functions.

● Password to allow remote control of SNARE. If the above checkbox is set, set the password. If accessing the remote control functions through a browser or custom designed tool, note that the userid is 'snare', and the password is whatever has been set through this setting. This password is stored in an encrypted form in the registry, using the MD5 hashing algorithm.

● Change Web Server default (6161) port. The default SnareCore web server port (6161) may be changed using this setting, if it conflicts with an established web server.

● Web Server Port. Normally, a web server operates on port 80. If this is the case, then a user need only type the address into the browser to access the site. If however, a web server is operating on port (say) 6161, then the user needs to type http://mysite.com:6161 to reach the web server. Note the new server port, as it will need to be placed in the URL needed to access the Snare agent.


Figure 10 Remote Control Configuration


8. Retrieving user and group information

The SnareCore service also has the ability to retrieve local and domain users, groups and group membership from accounts local to the host that is running the agent and from the domain of which it is a member (if any). The host that is running the Snare agent must be a member of the domain, and have the ability to read user and group information, for the 'domain users/group' feature to work. This feature is available through the remote control web page and can be accessed through any standard web browser. The menu structure on the remote web pages (Figure 11) shows the selections:

• 'Local Users'

• 'Local Groups'

• 'Local Group Members'

• 'Domain Group Members'

*Note for advanced users only: There is a fifth option called 'Registry Dump' which is disabled by default. This option will only be displayed if the DWORD registry key HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\Config\EnableRegDump exists and is set to 1.

Selecting any of these items will then display the relevant details. For example, Figure 12 shows the output of selecting 'Local Users'. The output from these commands has been designed with no HTML markup to assist automated services, such as the Snare Server, to interrogate the users, groups and group membership.


Figure 11 User and Group Menu


In the case of 'Local Users' or 'Domain Users', the output shows a number of tab delimited entries per line. These entries should be interpreted as follows:

Username; Description; SID; Attributes; Settings. These attributes include items such as Don't expire the password (token will be: DONT_EXPIRE_PASSWD); Account Disabled (token will be: ACCOUNTDISABLED); No Password (token will be: PASSWD_NOTREQD). The settings are 'Password age in seconds since last reset : Maximum password age in seconds : Account Expiry as seconds elapsed since 00:00:00 1 January, 19

ID; Group Members. The group member list will be shown when selecting the 'Local Group Members' or 'Domain Group Members' menu item from the remote control web page. Additionally, the group members will be displayed as a comma separated list of usernames. As stated previously, the 'Domain Group Members' and associated membership displayed via the web browser will only be displayed if the host that is running the Snare agent is a member of a Windows domain.


Figure 12 Output of 'Local Users'


10. Snare Server

The Snare Server is a log collection, analysis, reporting, forensics, and storage appliance that helps you meet departmental, organisational, industry, and national security requirements and regulations. It integrates closely with the industry standard Snare agents, to provide a cohesive, end-to-end solution for your log-related security requirements.

The Snare Server, as shown in Figure 13, collects events and logs from a variety of operating systems, applications and appliances including, but not limited to: Windows (NT through 2012), Solaris, AIX, Irix, Linux, Tru64, ACF2, RACF, CISCO Routers, CISCO PIX Firewall, CyberGuard Firewall, Checkpoint Firewall1, Gauntlet Firewall, Netgear Firewall, IPTables Firewall, Microsoft ISA Server, Microsoft IIS Server, Lotus Notes, Microsoft Proxy Server, Apache, Squid, Snort Network Intrusion Detection Sensors, IBM SOCKS Server, and Generic Syslog Data of any variety.

Figure 13 Welcome to the Snare Server


Some of the key features of the Snare Server include:

• Ability to collect any arbitrary log data, either via UDP or TCP

• Secure, encrypted channel for log data using TLS/SSL or 3DES

• Proven technology that works seamlessly with the Snare agents

• Snare reflector technology that allows for all collected events to be sent, in real time, to a standby/backup Snare Server, or a third party collection system

• Ability to continuously collect large numbers of events. Snare Server collection rates exceed 60,000 events per minute using a low end, workstation class, Intel based PC on a 100Mbps network.

• Ability to drill down from top level reports. This reduces the amount of data 'clutter' and allows a system administrator to fine tune the reporting objectives.

• Ability to 'clone' existing objectives in order to significantly tailor the reporting criteria.

These reports, along with all Snare Server objectives, may be scheduled and emailed to designated staff.

• The Snare Server uses extensive discriminators for each objective, allowing system administrators to finely tune reporting based on inclusion or exclusion of a wide variety of parameters.

• Very simple download and installation

• Flexibility when dealing with unique customer requirements

• A strategic focus on low end hardware means that Snare can achieve outstanding results with minimal hardware cost outlay

• Snare gives you useful data, out of the box, with default objectives tuned for common organisational needs

• Ability to manage Enterprise Agents

• All future Snare Server versions and upgrades included as part of an annual maintenance fee.

The Snare Server is an appliance solution that comes packaged with a hardened, minimal version of the Linux operating system to provide baseline computing functionality, which means you do not need to purchase additional operating system licenses, database licenses, or install additional applications in order to get up and running. Like your android phone, or your home router, any operating-system level management and maintenance is either automated, or is available within the web-based interface.

For further information on the Snare Server refer to the Snare Server User Guide on the Intersect Alliance website.


11. About Intersect Alliance

Intersect Alliance, part of the Prophecy International Holdings Group, is a team of leading information technology security specialists. In particular, Intersect Alliance are noted leaders in key aspects of IT Security, including host intrusion detection. Our solutions have been, and continue to be, used in the most sensitive areas of Government and business sectors.

Intersect Alliance intend to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in the area of IT Security, by simplifying, abstracting and/or solving complex security problems.

Intersect Alliance welcomes and values your support, comments, and contributions.

For more information on the Enterprise Agents, Snare Server and other Snare products and licensing options, please contact us as follows:

The Americas +1 (800) 834 1060 Toll Free | +1 (303)


Appendix A - Event output format

The SnareCore service reads data from the Windows operating system via the Event Logs. It converts the binary audit data into text format, and separates information out into a series of TAB delimited tokens. The token delimiter may not be specified as something other than TAB. A 'token' is simply data, such as 'date' or 'user'. Groups of tab separated tokens make up an audit event, which may look something like this, depending on whether the SnareCore service has SYSLOG header functionality active. Example:

Test_Host MSWinEventLog 0 Security 3017 Fri May 24 20:30:43 2010 593 Security Administrator User Success Audit LE56
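A parser for records in this format, as an added Python example; it is not part of the guide or of the agent. The field names are this example's own labels for the tokens visible in the sample line, not a published field list; the record is constructed from that sample, once bare and once with a SYSLOG header, and the only header shape modelled is an RFC 3164 <PRI> prefix with the SyslogDest default of 13 described in Appendix B (the rest of a real SYSLOG header is not modelled here).

```python
import re
from typing import Dict

# Labels for the tokens visible in the sample record above (an assumption of
# this example, not a published field list).
FIELDS = ["hostname", "log_tag", "criticality", "log_name", "counter",
          "timestamp", "event_id", "source", "user", "sid_type", "event_log_type"]

# Criticality levels 0..4 as defined for objectives in Appendix B.
CRITICALITY = {0: "clear", 1: "information", 2: "warning", 3: "priority", 4: "critical"}

# Constructed records: the sample line, TAB delimited, bare and with a SYSLOG
# PRI prefix. PRI 13 = facility 1 (user) * 8 + severity 5 (notice).
BARE_RECORD = "\t".join([
    "Test_Host", "MSWinEventLog", "0", "Security", "3017",
    "Fri May 24 20:30:43 2010", "593", "Security", "Administrator",
    "User", "Success Audit",
])
SYSLOG_RECORD = "<13>" + BARE_RECORD

PRI_RE = re.compile(r"^<(\d{1,3})>")


def split_pri(pri: int):
    """Return (facility, severity) for a syslog PRI value (PRI = facility*8 + severity)."""
    return divmod(pri, 8)


def parse_snare_record(line: str, delimiter: str = "\t") -> Dict[str, object]:
    """Parse one MSWinEventLog record. A leading <PRI> SYSLOG prefix is
    optional. `delimiter` mirrors the Delimiter registry value, which only
    applies when the SYSLOG header is in use, so bare records always use TAB."""
    rec: Dict[str, object] = {"facility": None, "severity": None}
    m = PRI_RE.match(line)
    if m:
        rec["facility"], rec["severity"] = split_pri(int(m.group(1)))
        line = line[m.end():]
    else:
        delimiter = "\t"
    tokens = line.split(delimiter)
    if len(tokens) < len(FIELDS) or tokens[1] != "MSWinEventLog":
        raise ValueError("not a Snare MSWinEventLog record")
    rec.update(zip(FIELDS, tokens))
    rec["extra"] = tokens[len(FIELDS):]   # any tokens beyond the sample's fields
    rec["criticality"] = int(tokens[2])
    rec["criticality_name"] = CRITICALITY.get(int(tokens[2]), "unknown")
    rec["counter"] = int(tokens[4])
    rec["event_id"] = int(tokens[6])
    return rec


if __name__ == "__main__":
    for raw in (BARE_RECORD, SYSLOG_RECORD):
        parsed = parse_snare_record(raw)
        print(parsed["hostname"], parsed["event_id"], parsed["facility"], parsed["severity"])
```

Checking the second token for the literal MSWinEventLog tag before trusting the rest of the line is a cheap way for a collector to reject lines that are not agent records before they reach the numeric conversions.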


Appendix B - Snare Windows registry configuration description

Details on the audit configuration are discussed in the Audit Configuration section. The purpose of this section is to discuss the makeup of the configuration items in the registry. The Snare configuration registry key is located at HKEY_LOCAL_


Delimiter: This is of type REG_SZ and stores the field delimiting character, ONLY if the syslog header has been selected. If more than one char, only the first char will be used. If none set, then TAB will be used. This is a HIDDEN field, and only available to those users that wish to set a different delimiter when using the SYSLOG header. This selection option will not be found in the Snare front end or the web pages.

EnableRegDump: This value is of type REG_DWORD and determines whether a link to 'Registry Dump' appears on the main GUI display. Set this value to 1 to allow access to the link. If this is set to any other value, or if the key itself is removed, the link will be obscured.

EnableUSB: This value is of type REG_DWORD, and determines whether Snare should actively capture USB auditing events (XP/2003/2008/2012 only). Set this value to 0 for No, or 1 for Yes. Will default to FALSE (0) if not set.

FileAudit: This value is of type REG_DWORD, and determines whether Snare is to automatically set the file system audit configuration. Set this value to 0 for No, or 1 for Yes. Will default to TRUE (1) if not set.

FileExport: This value is of type REG_DWORD, and determines whether Snare will write a log file to the system32 path. USE WITH CARE!!

LeaveRetention: This value is of type REG_DWORD and determines whether Snare should leave the existing Log Retention settings as they are on each event log. Set this value to 0 for No, or 1 for Yes. Will default to FALSE (0) if not set.

UseUTC: This value is of type REG_DWORD and determines whether Snare should use UTC timestamps instead of the local system time when sending events. Set this value to 0 for No, or 1 for Yes. Will default to FALSE (0) if not set.

Objective\: This subkey stores all the filtering objectives.

Objective<n> (where <n> is a serial number): This section describes the format of the objectives. Objectives are of type REG_SZ, of no greater than 1060 chars, and are composed of the following string (the figures in the brackets represent the maximum size of the strings that can be entered):

Criticality(DWORD); Event Type(DWORD); Event Log Type(DWORD); EventID Match[256]; General Match[512]; User Match Type(DWORD); User Match[256]; EventID Match Type(DWORD); General Match Type(DWORD); SourceName Match[256]; SourceName Match Type(DWORD); TruncateList[2048];

Criticality - an integer between 0 and 4 that indicates


the severity of the event. Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0

User Match Type: =0 (Include users that match the user search term; =1 for Exclude)

EventID Match Type: =0 (Include events that match the entire objective; =1 for Exclude)

Event Type: Success = 16, Failure = 8, Error = 4, Information = 2, Warning = 1. (These values are checkboxes, hence the sum of the selected values is recorded).

Event Log Type: Custom = 64, Security = 32, System = 16, Application = 8, Directory Service = 4, DNS Server = 2, File Replication = 1. (These values are checkboxes, hence the sum of the selected values is recorded).

The match terms (EventID Match, General Match and User Match) are the filter expressions and are defined to be any value (except TAB) which includes DOS wildcard characters. Note that these are NOT regular expressions, with the exception of the General Match term. This has the option of interpreting the search string as a Perl Compatible Regular Expression by selecting the checkbox next to it. If it is not selected, the default simple search is used.

NOTE: Semicolons are actually "TAB" characters.
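An encoder and decoder for this objective string, as an added Python example; it is not code from the guide or from the agent. It follows the field order, the bit values, the size limits and the "semicolons are TABs" rule stated above; the sample objective it builds is constructed for the example, and the General Match Type and SourceName Match Type values are passed through as plain integers because the text does not define their meanings.

```python
from typing import Dict, List

# Field order, size limits and bit values as documented above.
FIELD_ORDER = ["Criticality", "EventType", "EventLogType", "EventIDMatch", "GeneralMatch",
               "UserMatchType", "UserMatch", "EventIDMatchType", "GeneralMatchType",
               "SourceNameMatch", "SourceNameMatchType", "TruncateList"]
MAX_LEN = {"EventIDMatch": 256, "GeneralMatch": 512, "UserMatch": 256,
           "SourceNameMatch": 256, "TruncateList": 2048}
DWORD_FIELDS = {"Criticality", "EventType", "EventLogType", "UserMatchType",
                "EventIDMatchType", "GeneralMatchType", "SourceNameMatchType"}
CRITICALITY = {4: "Critical", 3: "Priority", 2: "Warning", 1: "Information", 0: "Clear"}
EVENT_TYPE_BITS = {"Success": 16, "Failure": 8, "Error": 4, "Information": 2, "Warning": 1}
EVENT_LOG_BITS = {"Custom": 64, "Security": 32, "System": 16, "Application": 8,
                  "Directory Service": 4, "DNS Server": 2, "File Replication": 1}
MAX_OBJECTIVE_LEN = 1060


def bits_to_names(value: int, table: Dict[str, int]) -> List[str]:
    """Expand a checkbox sum back into the names of the boxes that were ticked."""
    return [name for name, bit in table.items() if value & bit]


def names_to_bits(names: List[str], table: Dict[str, int]) -> int:
    """Sum the bit values of the named checkboxes."""
    return sum(table[n] for n in names)


def encode_objective(fields: Dict[str, object]) -> str:
    """Build the REG_SZ value: every field in order, TAB separated, TAB terminated.
    DWORD fields default to 0 and string fields to empty when not supplied."""
    parts = []
    for name in FIELD_ORDER:
        value = fields.get(name, 0 if name in DWORD_FIELDS else "")
        if name in DWORD_FIELDS:
            parts.append(str(int(value)))
        else:
            text = str(value)
            if "\t" in text:
                raise ValueError(f"{name}: match terms may not contain TAB")
            if len(text) > MAX_LEN[name]:
                raise ValueError(f"{name}: longer than {MAX_LEN[name]} characters")
            parts.append(text)
    reg_sz = "\t".join(parts) + "\t"
    if len(reg_sz) > MAX_OBJECTIVE_LEN:
        raise ValueError("objective exceeds 1060 characters")
    return reg_sz


def decode_objective(reg_sz: str) -> Dict[str, object]:
    """Parse the REG_SZ value into named fields with the DWORD sums expanded."""
    if len(reg_sz) > MAX_OBJECTIVE_LEN:
        raise ValueError("objective exceeds 1060 characters")
    tokens = reg_sz.split("\t")
    if len(tokens) < len(FIELD_ORDER):
        raise ValueError("objective has too few fields")
    raw = dict(zip(FIELD_ORDER, tokens))
    crit = int(raw["Criticality"])
    if crit not in CRITICALITY:
        raise ValueError("criticality must be between 0 and 4")
    return {
        "criticality": CRITICALITY[crit],
        "event_types": bits_to_names(int(raw["EventType"]), EVENT_TYPE_BITS),
        "event_logs": bits_to_names(int(raw["EventLogType"]), EVENT_LOG_BITS),
        "event_ids": raw["EventIDMatch"],
        "event_id_mode": "Exclude" if int(raw["EventIDMatchType"]) else "Include",
        "general_match": raw["GeneralMatch"],
        "general_match_type": int(raw["GeneralMatchType"]),
        "users": raw["UserMatch"],
        "user_mode": "Exclude" if int(raw["UserMatchType"]) else "Include",
        "source_name": raw["SourceNameMatch"],
        "source_name_match_type": int(raw["SourceNameMatchType"]),
        "truncate_list": raw["TruncateList"].split("\r\n") if raw["TruncateList"] else [],
    }


# Constructed sample: a Warning-level objective on the Security log that traps
# Success and Failure events 528-530 for every user.
SAMPLE_OBJECTIVE = encode_objective({
    "Criticality": 2,
    "EventType": names_to_bits(["Success", "Failure"], EVENT_TYPE_BITS),
    "EventLogType": names_to_bits(["Security"], EVENT_LOG_BITS),
    "EventIDMatch": "528,529,530",
    "GeneralMatch": "*",
    "UserMatch": "*",
    "SourceNameMatch": "*",
})

if __name__ == "__main__":
    print(repr(SAMPLE_OBJECTIVE))
    print(decode_objective(SAMPLE_OBJECTIVE))
```

Rejecting a TAB inside a match term at encode time matters because the agent has no escaping for its delimiter: a stray TAB would shift every later field by one position and silently change what the objective traps.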

Network\: This subkey stores the general network configurations.

CacheSize: This value is of type REG_DWORD, and determines the size of the Windows Event Log (if CacheSizeSet is 1). The value must be between 1 and 1024. This feature only appears in supported agents.

CacheSizeSet: This value is of type REG_DWORD, and determines if the agent should set the Windows Event Log size (0 for No, 1 for Yes). This feature only appears in supported agents.

Destination: This sub key is of type REG_SZ and is a comma separated list of destinations, which should be a maximum of 100 characters each. It details the IP address or hostname to which the event records will be sent (NB: multiple hosts only available in supported agent).


DestPort: This value is of type REG_DWORD, and determines the Destination Port number. This value must be in the 1-65535 range. Will default to 514 if a SYSLOG header has been specified.

EncryptMsg: This value is of type REG_DWORD, and determines if encryption should be used (0 for No, 1 for Yes). This feature only appears in supported agents.

NotifyMsgLimit: This value is of type REG_DWORD having value 0 or 1, and determines whether or not to send the EPS notification to the server (1 means send and 0 means not to send) whenever the agent reaches the EPS RateLimit. This feature only appears in supported agents.

NotifyMsgLimitFrequency: This value is of type REG_DWORD, and determines the frequency of the events per second notification. The value is treated in minutes and only one EPS notification message is sent to the server regardless of how many times the agent reaches the EPS limit during these minutes. This feature only appears in supported agents.

RateLimit: This value is of type REG_DWORD, and determines the upper limit for events per second (EPS) that the agent will send to the server. This feature only appears in supported agents.

Syslog: This value is of type REG_DWORD, and determines whether a SYSLOG header will be added to the event record. Set this value to 0 for no SYSLOG header. Will default to TRUE (1) if not set.

SyslogDest: This value is of type REG_DWORD, and determines the SYSLOG Class and Criticality. This value will default to 13 if not set, or out of bounds.

SocketType: This value is of type REG_DWORD, and determines the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL). This feature only appears in supported agents.

TruncateList: This is a CRLF separated list of strings which result in event truncation if matched in the event text.

Remote\: This subkey stores all the remote control parameters.

AccessKey: This value is of type REG_DWORD and is used to determine whether a password is required to access the remote control functions. It is set to either 0 or 1, with 0 signifying no password is required.

AccessKeySet: This is of type REG_SZ, and stores the actual password to be used, in encrypted format.


AccessKeySetSnare1: This is of type REG_SZ, and stores the DIGEST password to be used (username "snare"), in encrypted format.

AccessKeySetSnare2: This is of type REG_SZ, and stores the DIGEST password to be used (username "Snare"), in encrypted format.

AccessKeySetSnare3: This is of type REG_SZ, and stores the DIGEST password to be used (username "SNARE"), in encrypted format.

Allow: "Allow" is of type REG_DWORD, and set to either 0 or 1 to allow remote control. If not set or out of bounds, will default to 0/NO (i.e. not able to be remote controlled).

Restrict: This value is of type REG_DWORD, and set to either 0 or 1 to signal whether the remote users should be restricted via IP address or not. 0 = no restrictions.

RestrictIP: This is of type REG_SZ and is the IP address set from above.

WebPort: This value is the web server port, if it has been set to something other than port 6161. It is of type REG_DWORD. If not set or out of bounds, it will default to port 6161.

WebPortChange: This value is of type REG_DWORD, and set to either 0 or 1 to signal whether the web port should be changed or not. 0 = no change.


Appendix C - Objectives and security event IDs

The Snare application has a number of built in Objectives. These Objectives have been designed to 'trap' certain Security Log event IDs and enable the user to create some of the more common objectives without having to know which event IDs they require. For each high level event, the Windows XP/2003 event IDs will be listed in blue and the Vista/2008/Windows 7 and above event IDs will be listed in green. As a rule of thumb, to find the equivalent Windows XP/2003 event ID on a newer Windows operating system, just add 4096.

● Logon or Logoff.

- 528, 529, 530, 531, 532, 533, 534, 535, 536, 53


● Filtering Events.

- 5152, 5153, 5154, 5155, 5156, 5155


680: Identifies the account used for the successful logon attempt
681: A domain account logon was attempted
682: A user has reconnected to a disconnected Terminal Services session
683: A user disconnected a Terminal Services session without logging off

Audit Object Access (Success and Failure) will generate:
560: Access was granted to an already existing object
561: A handle to an object was allocated
562: A handle to an object was closed
563: An attempt was made to open an object with the intent to delete it
564: A protected object was deleted
565: Access was granted to an already existing object type
566: Object Operation
608: A user right was assigned

Audit Policy Change (Success and Failure) will generate:
609: A user right was removed
610: A trust relationship with another domain was created
611: A trust relationship with another domain was removed
612: An audit policy was changed
613: IPSec policy agent started
614: IPSec policy agent disabled
615: IPSec policy changed
616: IPSec policy agent encountered a potentially serious failure
61


645: Computer object added
646: Computer object changed
64


Appendix D - Upgrading an Evaluation Agent to the Enterprise Agent

This path is aimed at customers who have the Snare Evaluation Agent for Windows installed and, after purchasing the Enterprise version, would like to update their agents without losing the customised settings configured during their trial.

Download the SnareEnterpriseAgent-Windows-v{Version}-S?PP-MultiArch.exe file from the Intersect Alliance Secure Area website (where {Version} is the most recent version of the file available).

Ensure you have administrator rights, then double-click the SnareEnterpriseAgent-Windows-v{Version}-S?PP-MultiArch.exe file. You will be prompted with the following screens:

1. Welcome to the Snare Setup Wizard screen - Select "Next" to continue the installation.

2. License Page - Select "I accept the Agreement" and click "Next".

3. Existing Install screen

4. The Wizard will detect the previous install of the Snare agent. Select "Keep the existing settings" to leave the agent configuration intact and only update the Snare executable files.

5. Ready to Install screen - set the destination directory if required, and click "Install".

6. Information screen - click "Next"