Activity for Snare Lite (SIEM & Logging Software)

  • Leigh Purdie posted a comment on discussion snare-users

    Thanks Chawakorn. If you start snarecore.exe from PowerShell as local administrator, do you get any crash log data? (If not, add the '-d' flag, and check if there are any differences.)

  • chawakorn thammaytha posted a comment on discussion snare-users

    Error log from Windows: "The Snare service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service." This alert occurs every 10 seconds. Snare version 4.3.4. I will reinstall Snare, but I can't seem to fix this problem.

  • Nando posted a comment on discussion snare-users

    Hello. We had installed and were running the Snare agent on a Windows machine. That image was cloned and deployed on another machine, but the agent on that machine is not working. Any idea, please?

  • pawit modified a comment on discussion snare-users

  • pawit modified a comment on discussion snare-users

  • pawit posted a comment on discussion snare-users

    How do I send the IP address with the log file to the log server? Currently the log file has a hostname, but I want to change it to the IP address. Can Snare do it? Thanks for the help.

  • Snare Lite (SIEM & Logging Software) released /readme.txt

  • Snare_User posted a comment on discussion snare-users

    Any ideas? Thanks again.

  • Snare_User posted a comment on discussion snare-users

    Tried with rules that matched the case of the username, but they still wouldn't exclude. Also tried removing the exclusions containing asterisks, but the usernames still didn't exclude. Attached is a sanitized screenshot. Does it look properly configured? Thanks again.

  • Snare_User modified a comment on discussion snare-users

    All 4 of the Objectives are at the top. Each has the "any event ID" selected as well as various event IDs listed in the "any event ID" field, as well as exclusions for the user IDs: abcdef,ghijkl,mnasterisk,asterisk$ Is there a limit to the number of event IDs allowed on each line? I noticed that some seemed to truncate, so I created additional Objectives as needed, but was curious. Will continue testing. Also noticed that I am unable to move the Objectives up and down buttons to make one Objective higher...

  • Snare_User modified a comment on discussion snare-users

    All 4 of the Objectives are at the top. Each has the "any event ID" selected as well as various event IDs listed in the "any event ID" field, as well as exclusions for the user IDs: abcdef,ghijkl,mnasterisk,asterisk$ Is there a limit to the number of event IDs allowed on each line? I noticed that some seemed to truncate, so I created additional Objectives as needed, but was curious. Will continue testing. Also noticed that I am unable to move the Objectives up and down buttons to make one Objective higher...

  • Snare_User modified a comment on discussion snare-users

    All 4 of the Objectives are at the top. Each has the "any event ID" selected as well as various event IDs listed in the "any event ID" field, as well as exclusions for the user IDs: abcdef,ghijkl,mnasterisk,asterisk$ Is there a limit to the number of event IDs allowed on each line? I noticed that some seemed to truncate, so I created additional Objectives as needed, but was curious. Will continue testing. Noticed that I am now unable to move the Objectives up and down in around to make one Objective...

  • Snare_User posted a comment on discussion snare-users

    All 4 of the Objectives are at the top. Each has the "any event ID" selected as well as various event IDs listed in the "any event ID" field, as well as exclusions for the user IDs: abcdef,ghijkl,mn,$ Is there a limit to the number of event IDs allowed on each line? I noticed that some seemed to truncate, so I created additional Objectives as needed, but was curious. Will continue testing. Noticed that I am now unable to move the Objectives up and down in around to make one Objective higher or lower....

  • Leigh Purdie modified a comment on discussion snare-users

    A plain old "*$" exclusion should work for you, based on the comments from the dev team. I've implemented a (horribly simplified/cut down) proof of concept here: https://onlinegdb.com/HyIsG7qxM .. just to make sure the code is doing what I think it's doing. The line in particular: if(wildmatch("*$","Testing$",1)) { ... is doing the check - it returns a "Yep match found" when I ask it to compare "*$" and "Testing$". The order of objective matches is important in the agent - can you make sure that...

  • Leigh Purdie modified a comment on discussion snare-users

    A plain old "*$" (without the space - blame SourceForge formatting) exclusion should work for you, based on the comments from the dev team. I've implemented a (horribly simplified/cut down) proof of concept here: https://onlinegdb.com/HyIsG7qxM .. just to make sure the code is doing what I think it's doing. The line in particular: if(wildmatch("*$","Testing$",1)) { ... is doing the check - it returns a "Yep match found" when I ask it to compare "*$" and "Testing$". The order of objective matches...

  • Leigh Purdie posted a comment on discussion snare-users

    A plain old "*$" exclusion should work for you, based on the comments from the dev team. I've implemented a (horribly simplified/cut down) proof of concept here: https://onlinegdb.com/HyIsG7qxM .. just to make sure the code is doing what I think it's doing. The line in particular: if(wildmatch("*$","Testing$",1)) { ... is doing the check - it returns a "Yep match found" when I ask it to compare "*$" and "Testing$". The order of objective matches is important in the agent - can you make sure that the...

  • Leigh Purdie posted a comment on discussion snare-users

    Ahh, yes - you're correct. Apologies; I wrote the piece of code many years ago that does the user match exclusion (and probably that text in the guide), and I still forgot that it was a wildcard match! I'll check with the current devs to see whether they have suggestions.

  • Snare_User posted a comment on discussion snare-users

    I tried that, but it didn't seem to work. I was re-checking the Snare guide, and it stated: The match terms (EventID Match, General Match and User Match) are the filter expressions and are defined to be any value (except TAB) which includes DOS wildcard characters. Note that these are NOT regular expressions, with the exception of the General Match term. This has the option of interpreting the search string as a Perl Compatible Regular Expression by selecting the checkbox next to it. If it is not...

  • Leigh Purdie modified a comment on discussion snare-users

    Heya, Try the following: (^.\$$|^abc.def$|^ghi.*) [EDIT: That regex isn't displaying correctly in SourceForge even though it's ok when I edit the reply... please see link for correct regex] https://regex101.com/r/Ioclr5/1

  • Leigh Purdie posted a comment on discussion snare-users

    Heya, Try the following: (^.\$$|^abc.def$|^ghi.*) https://regex101.com/r/Ioclr5/1

  • Snare_User modified a comment on discussion snare-users

    Tried multiple variations, but never was able to get it to work. Has anyone else been successful with the syntax? Would like to exclude usernames similar to the following: "$,abcdef,ghi*" "$" would be for any username ending in $, such as computer_name$, machine$. If $ is not possible, would Snare understand something like the hostname variable or %computername% to at least exclude local machine logins? "abc*def" would be for multiple usernames that begin and end with the same characters, with...

  • Snare_User posted a comment on discussion snare-users

    Tried multiple variations, but never was able to get it to work. Has anyone else been successful with the syntax? Would like to exclude usernames similar to the following: $,abcdef,ghi* $ would be for any username ending in $, such as computer_name$, machine$. If $ is not possible, would Snare understand something like the hostname variable or %computername% to at least exclude local machine logins? abc*def would be for multiple usernames that begin and end with the same characters, with only the...

  • Snare Lite (SIEM & Logging Software) released /readme.txt

  • Snare Lite (SIEM & Logging Software) released /Snare for Solaris/README

  • Leigh Purdie posted a comment on ticket #37

    G'day David, Correct on both counts. No, outside of the source code itself, there...

  • David del Campo posted a comment on ticket #37

    Dear Leigh, Thank you for getting back to me. Concerning the "take control..." option,...

  • Leigh Purdie posted a comment on ticket #37

    G'day David, If the 'take control of your eventlog configuration' option is turned...

  • David del Campo created ticket #37

    Snare 4.0.2.0 MSI with WiX

  • Chris Conley created a blog post

    Congrats to the winner!

  • twoo posted a comment on a blog post

    awesome!

  • Chris Conley created a blog post

    Win a Free Drone

  • Chris Conley created a blog post

    Snare on the IBM App Exchange

  • Chris Conley created a blog post

    Reducing the Logging Noise

  • Chris Conley modified a blog post

    Snare Enterprise Updates

  • Chris Conley created a blog post

    Snare Enterprise Updates

  • Snare_User posted a comment on discussion snare-users

    I tried *\$, but am still getting logons where the username contains $.

  • Chris Schubert posted a comment on discussion snare-users

    Have you tried escaping the dollar sign? Something like this - *\?

  • Snare_User posted a comment on discussion snare-users

    I would like to exclude usernames containing special characters, such as machine...

  • SteveC created a blog post

    Snare Agents Security Advisory – Agent Denial of Service

  • Anthony Arbuckle modified a comment on discussion snare-users

    Webconsole is accessible and can be edited and saved, but cannot be applied to running...

  • Anthony Arbuckle posted a comment on discussion snare-users

    Webconsole is accessible and can be edited and saved, but cannot be applied to running...

  • Kevin Butters posted a comment on discussion snare-users

    Hi, I've come across multiple open source Windows Snare installation failures. With...

  • Yap Sheu Hann posted a comment on discussion snare-users

    anyone?

  • twoo posted a comment on discussion snare-users

    The Snare server can collect and collate and forward log data to ArcSight Peter From:...

  • Tom Frye posted a comment on discussion snare-users

    Is it possible to forward the syslog logs collected by the BACKLOG server to an ArcSight...

  • Yap Sheu Hann posted a comment on discussion snare-users

    You may refer to this attachment for the details:

  • Yap Sheu Hann posted a comment on discussion snare-users

    Hi David, I'm not sure what you mean by "truncating the log at 1k long". It just explicitly...

  • David Lang posted a comment on discussion snare-users

    On Tue, 30 Dec 2014, Yap Sheu Hann wrote: Guys, please help me. For Windows Active...

  • Yap Sheu Hann posted a comment on discussion snare-users

    Guys, please help me. For Windows Active Directory log event id 566 and 642, there...

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • Daniel posted a comment on discussion snare-users

    Hello, I have a problem with the service of the Snare Agent for Windows (V.4.0.2) open...

  • SteveC modified a blog post

    PCI DSS Compliance v 3.0

  • SteveC created a blog post

    PCI DSS Compliance v 3.0

  • Benjamin Close modified a wiki page

    Home

  • SteveC modified a blog post

    Position Available – Snare Consultant

  • SteveC created a blog post

    Position Available – Snare Consultant

  • CARLO posted a comment on discussion snare-users

    Thank you for your reply. It seems (imho) that Windows 7 by default does not log logon/logoff...

  • Paulo Nogueira posted a comment on discussion snare-users

    Well... it would be wise to read more about it. I may be wrong, but I think you are confusing...

  • CARLO posted a comment on discussion snare-users

    Hello, I am a newbie, sorry for my stupid questions. Can you help me? My network is...

  • Paolo posted a comment on discussion snare-users

    Snare is not getting the logs sorted by date properly because when you reach...

  • Simon created ticket #41

    Snare For Windows 4.0.2.0 Changing Order of Filters results in Invalid Request

  • Bob Trielfer posted a comment on discussion snare-users

    Set up Snare to forward logs to a central log server. During the Snare setup I set...

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • Snare_User posted a comment on ticket #31

    Thanks Benjamin. So if the newest EventRecordID is 10001 and the oldest EventRecordID...

  • Benjamin Close posted a comment on discussion snare-users

    Nothing official.. however the basic diagram is: audit subsystem -> snare agent ->...

  • Benjamin Close posted a comment on discussion snare-users

    The agent does not currently have the ability to rewrite portions of a message like...

  • pedro serrano posted a comment on discussion snare-users

    Hi all, is it possible to customize the configuration of the agent to replace the "program"...

  • Snarenewbee posted a comment on discussion snare-users

    Does anyone have a data flow diagram on how Snare talks etc.. new guy here .. th...

  • Benjamin Close posted a comment on ticket #31

    The DWORD stored in the status registry entries is not a date/time but a reference...

  • Benjamin Close posted a comment on discussion snare-users

    Just confirming there are active objectives. If there are no objectives there will...

  • Snare_User posted a comment on ticket #31

    I went to the registry and under HKLM\Software\InterSect Alliance\AuditService\Status...

  • David Sheumaker posted a comment on discussion snare-users

    We have Snare 4.0.0 installed on all our servers. All of our servers function correctly...

  • Raghavendra Kiran posted a comment on discussion snare-users

    I'm glad to inform you that the solution you have advised has worked and we were...

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • Raghavendra Kiran posted a comment on discussion snare-users

    We have tried that, but it did not work. We left the Syslog value as 1 and also made...

  • Raghavendra Kiran posted a comment on discussion snare-users

    Thank you very much for your advice. We have verified the register settings on some...

  • Benjamin Close posted a comment on discussion snare-users

    Snare sends logs in the original syslog format (RFC3164), whilst spec compliant,...

  • Raghavendra Kiran posted a comment on discussion snare-users

    We are using Symantec SSIM system for collecting syslogs from WINDOWS 2003/2008 servers....

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • Christopher Schubert modified a comment on discussion snare-users

    I've seen this issue too. I've had better success with IE than Chrome/Firefox/etc....

  • Christopher Schubert posted a comment on discussion snare-users

    I've seen this issue too. I've had better success with IE than Chrome/Firefox/etc....

  • Florian modified a comment on discussion snare-users

    I have the same problem. Windows 7, SNARE Version 4.0.2.0, Google Chrome Browser

  • Florian posted a comment on discussion snare-users

    I have the same problem.

  • Rampreet posted a comment on discussion snare-users

    Hi, We are using Epilog for Unix platform for fetching logs of an application CRM....

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • twoo posted a comment on discussion snare-users

    Hi - At this time, Enterprise version 1.6.1 of the Epilog agent supports wildcards...

  • David Blaine posted a comment on discussion snare-users

    No it doesn't support wildcards. Really would be nice if it did. Anyone want to modify...

  • Christine Walter posted a comment on discussion snare-users

    I am also testing Epilog 1.6, and find that when I create a log configuration for...

  • Ed Gallagher posted a comment on discussion snare-users

    New to Snare, but I am trying to collect only the Windows Security event logs from...

  • Snare_User created ticket #36

    Epilog 1.6.0 registry key and %SystemRoot%

  • SAID-AZZA created ticket #35

    Can not start SNARE on AIX 5.1

  • patriot3w posted a comment on discussion snare-users

    I'm sending logs to one SIEM but all funny characters when viewing the events. Those...

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...

  • Florian posted a comment on discussion snare-users

    Hi all, we want to monitor registry changes on our systems by users of the Administrator...

  • Anonymous modified a comment on ticket #21

    The line of code that I think is giving the problem is the following: GetDateFormat(LOCALE_SYSTEM_DEFAULT,0,&st,"ddd...