Specifications
Guide to Snare for Linux
[Objectives]
This section describes the format of objectives.
Objectives are composed of:
1. Criticality - an integer between 0 and 4 that indicates the severity of the event. 0 is 'clear', 4 is 'critical'. Any integer less than 0 will cause the line to be rejected.
2. The match function - either an include match, match="<value>", or an exclude match, match!="<value>". The value follows standard regular expression format.
3. The event - this must either correspond to a valid syscall event, or a series of events separated by commas, and may be surrounded with round brackets (). Note that the embedded web server will convert the generic "groups" in the Audit Configuration window to the required events. For example, the abstracted group 'Administrative Events' will result in the event entry:
   'event=(reboot,settimeofday,clock_settime,setdomainname,sethostname)'
   being written.
4. Audit Filter Term - the filter expressions to apply to the audit rule. They must match the filter expressions documented in the auditctl Unix man page, e.g. uid=root,success=1
5. Return - either Success, Failure or * to indicate both Success and Failure.
6. Regex Match - an optional string to match. This can be a regular expression, or .* to indicate all events, e.g. .*/bin.*
Note that whitespace will be trimmed from the start and end of items.
criticality=1 match=".*/bin.*" event=execve uid=maria,success=1
criticality=1 match!=".*/bin.*" event=execve uid=maria,success=1
The first objective reports at criticality level 1 whenever the user 'maria' attempts to execute a binary within /sbin. Using match!=".*/bin.*" instead creates an exclude rule, so that events containing this string match are not sent.
criticality=0 is Clear (ordinary security level), 1 is Information, 2 is Warning, 3 is Priority, 4 is Critical.
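As an added example (not code from the Snare guide or the Snare agent), the following Python parser reads objective lines in the format described above, rejects negative criticality, splits bracketed event lists and filter terms, and applies the include/exclude semantics of match= versus match!=. The Objective class and the fires() helper are constructed for this illustration; the Return field is not modelled.

```python
import re
from dataclasses import dataclass

# A token is either key="quoted value" (the key may end in '!') or a run of non-whitespace.
_TOKEN = re.compile(r'[^\s"=]+="[^"]*"|\S+')


@dataclass
class Objective:                 # constructed for this example, not a Snare data structure
    criticality: int
    match: re.Pattern            # compiled regex taken from match= or match!=
    exclude: bool                # True when the objective was written with match!=
    events: list                 # one or more syscall event names
    filters: dict                # audit filter terms, e.g. {"uid": "maria", "success": "1"}


def parse_objective(line: str) -> Objective:
    fields = {"criticality": None, "match": None, "exclude": False, "events": [], "filters": {}}
    for token in _TOKEN.findall(line.strip()):
        key, _, value = token.partition("=")
        value = value.strip().strip('"')             # whitespace trimmed, surrounding quotes dropped
        if key == "criticality":
            level = int(value)
            if not 0 <= level <= 4:                  # guide: a negative value rejects the line; 0..4 is the range
                raise ValueError(f"rejected: criticality {level} out of range")
            fields["criticality"] = level
        elif key in ("match", "match!"):
            fields["match"] = re.compile(value)      # value is a standard regular expression
            fields["exclude"] = key.endswith("!")
        elif key == "event":                         # a single event, or a (a,b,c) list
            fields["events"] = [e.strip() for e in value.strip("()").split(",") if e.strip()]
        else:                                        # anything else: auditctl-style filter terms
            for term in token.split(","):
                k, _, v = term.partition("=")
                fields["filters"][k.strip()] = v.strip()
    if fields["criticality"] is None or fields["match"] is None or not fields["events"]:
        raise ValueError("rejected: criticality, match and event are all required")
    return Objective(**fields)


def fires(obj: Objective, event: str, record: str, attrs: dict) -> bool:
    """True when an audit record (syscall name, record text, attribute map) should be reported."""
    if event not in obj.events:
        return False
    if any(attrs.get(k) != v for k, v in obj.filters.items()):
        return False
    hit = obj.match.search(record) is not None
    return not hit if obj.exclude else hit          # match!= suppresses records that match
```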
© InterSect Alliance, September 2014 Page 28 of 30 Version 4.1