Snare for Windows Vista version 1.1.4
Copyright (c) 2010 InterSect Alliance Pty Ltd.
Snare is a program that facilitates the central collection and processing of
Windows Vista Event Log information. All three primary event logs (Application,
System and Security) are monitored. Event information is converted to tab
delimited text format, then delivered over UDP to a remote server.
Snare is currently configured to deliver audit information to a SYSLOG server
running on a remote (or local) machine. A configuration utility allows you to set
the appropriate syslog target and priority, as well as the target DNS or IP address
of the server that should receive the event information. Note that many syslog
servers are not designed to cope with the volume of data that multiple Snare
agents can potentially generate.
The Snare service will automatically start after you have completed the initial
configuration process. It is recommended that you configure each of your event logs
to 'overwrite as required' (this is the default in Vista).
We also recommend that you configure appropriate access controls on the Snare
registry entries using regedt32.exe - perhaps restricting the permission to read
or modify the keys and values to Local or Domain Administrators only.
Snare stores its registry settings in:
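The key path is not given at this point in the README, so the following added example (not part of the Snare distribution) applies the recommended restriction to a placeholder path: it breaks inheritance on the key, grants FullControl to BUILTIN\Administrators only (Domain Admins are normally members of that group on domain members), and verifies the result. NT AUTHORITY\SYSTEM is retained on the assumption that the Snare service runs as LocalSystem and still needs to read its settings; the `Set-SnareRegistryAcl` and `Test-SnareRegistryAcl` function names are the example's own.

```powershell
# Added example, not part of the Snare distribution. Applies the README's
# recommendation: only Administrators may read or modify the Snare settings key.
# The key path is a PLACEHOLDER; the README does not state the real path here.
# NT AUTHORITY\SYSTEM is kept because the Snare service is assumed to run as
# LocalSystem and still needs its settings (assumption, not stated in the README).
$SnareKey = 'HKLM:\SOFTWARE\PLACEHOLDER\Snare'
$AllowedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Set-SnareRegistryAcl {
    param([Parameter(Mandatory)][string]$KeyPath)

    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key '$KeyPath' not found; replace the placeholder path."
    }
    $acl = Get-Acl -Path $KeyPath

    # Break inheritance and discard the inherited entries (e.g. Users: Read)
    # instead of copying them onto the key.
    $acl.SetAccessRuleProtection($true, $false)

    # Drop any explicit entries that are already present on the key.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }

    # Grant FullControl to the allowed principals; sub-keys inherit the entry.
    foreach ($principal in $AllowedPrincipals) {
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
            -ArgumentList @($principal, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Test-SnareRegistryAcl {
    # Returns $true when every ACE on the key belongs to an allowed principal.
    param([Parameter(Mandatory)][string]$KeyPath)
    $unexpected = @((Get-Acl -Path $KeyPath).Access |
        Where-Object { $AllowedPrincipals -notcontains $_.IdentityReference.Value })
    foreach ($ace in $unexpected) {
        $msg = '{0}: {1} {2} {3}' -f $KeyPath, $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights
        Write-Warning "Unexpected ACE on $msg"
    }
    return ($unexpected.Count -eq 0)
}

# Run from an elevated session: only Administrators can change the DACL.
Set-SnareRegistryAcl -KeyPath $SnareKey
Test-SnareRegistryAcl -KeyPath $SnareKey
```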
Please remember that event monitoring is a complex area in most modern operating
systems, and is not often very granular. Turning on significant event monitoring
for a system can often produce unpredictable results, and could seriously detract
from the resources available to the rest of your system or network.
We recommend that you have a good understanding of exactly what the event information
is going to be used for, prior to enabling event monitoring on your servers.
Snare Vista 0.1 - initial customer release (beta).
Snare Vista 0.2 - Added feature to exclude events
- Modified event IDs for Vista compatibility
Snare Vista 0.3 - Added Workaround for "file not found" bug
- Added Silent install option (/silent and /verysilent)
Snare Vista 1.0 - Improved audit control (especially Object Access events
and Packet Filtering) resulting in lower resource usage
- Improved memory and handle usage
Snare Vista 1.0.1 - Changed default objectives to reduce resource usage
Snare Vista 1.0.2 - Added code to clear existing audit settings on install
Snare Vista 1.1.0 - Added new features to manage default audit settings on
c:\Windows. Use "snarecore.exe -s" to strip the default
settings and "snarecore.exe -r" to restore them.
Snare Vista 1.1.1 - Fixed auditing inheritance for auditing sub-folders.
- Added feature to strip CR and LF characters from user and group
- Fixed objective matching bug when an event matches all available
- Extended supported features (see website for details).
- Fixed potential buffer truncation.
- Improved backend objective handling, significantly reducing CPU
Snare Vista 1.1.2 - Further speed improvements
- Added support for DNS Server, Directory Service and DFS replication event logs
- Added support for custom event logs (supported feature)
- Fixed startup error when STATUS registry settings values were invalid (e.g. imported
settings from a Windows 2003 agent). Invalid values are now ignored and monitoring
will continue from the end of the event log
- Added capability to reorder objectives
- Fixed problem matching event IDs under certain conditions
- Added target arch/actual arch reporting to the Status window
- Updated objective order processing, now top to bottom. This means any exclusion
objectives should be moved to the top of the list
- Config/LeaveRetention(DWORD) added to prevent agent from setting "overwrite as needed"
- Fixed minor string error in remote control interface
- Included extra user account flags in local/domain users
- Stripped special HTML characters from records shown in Latest Events
- Corrected "empty" comments in Domain/Local Users
- All user/group reports now use pre-Windows 2000 names (e.g. group names in DomainGroupMembers).
- Fixed DomainUsers report where non-DCs would use local account SIDs in DomainUsers report
- Modified the objective rules to allow "Access a file or directory" to configure any
path if "handle file audit settings" is disabled
- Strip spaces from destination address in Network Configuration
Snare Vista 1.1.3 - Added option to exclude General Match in Objective Configuration
(internal) - Updated event handling to prevent memory overloading
- Improved username recognition (meaning the username field should be populated more often)
Snare Vista 1.1.4 - Updated Keyword handling to correctly identify and tag Audit Success/Failure events
- Updated Level handling to improve multilingual support
- - - -
Except where otherwise documented (i.e. RSA MD5 code in MD5.h / MD5.c):
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Library General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
Alternative licencing conditions can be negotiated directly with the
InterSect Alliance team, should you wish to include the Snare code
within your commercial products.
InterSect Alliance Pty Ltd