Specifications

Guide to Snare for Linux
Appendix B - Event Output Format
The Snare dispatcher receives data from the native Linux audit subsystem.
The native audit daemon reports data in such a way that:
- It is 'programmatically' difficult to determine how many 'lines' make up an audit event. Some lines can be repeated, with slightly different values.
- You can have multiple, identical tokens for an event (e.g. two “path=” tokens).
- Event lines may be interleaved (i.e. you might get two lines from event # 1000, then one line from event # 1001, then another line from event # 1000).
- Some filename characters are translated into their HEX equivalents, which will make matching filenames difficult.
Snare for Linux uses an internal cache to amalgamate all lines relating to an individual event into “one line per event” format, once appropriate filtering/event selection has taken place. An event will look like this once processed by Snare:
localhost.localdomain LinuxKAudit 2 event,execve,Jun 20 06:10:03 sequence,345199 uid,4294967295,unknown euid,0,root gid,0,root egid,0,root process,,/sbin/auditctl return,0,yes name,null exe,/sbin/auditctl success,yes return,0 syscall,11,execve uid,unknown euid,root gid,root egid,root arch, name,null a0,80ca7f8 a1,80ca980 a2,80ca8a8 a3,0 items,2 ppid,24047 pid,24051 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none comm,auditctl key,obj-0-0 a0,/sbin/auditctl a1,-v cwd,/ item,0 inode,37751 dev,03:02 mode,0100750 ouid,0 ogid,0 rdev,00:00 item,1 inode,17644 dev,03:02 mode,0100755 ouid,0 ogid,0 rdev,00:00
Snare for Linux presents the information in a series of token/data groups. Three different field separators are used in order to facilitate follow-on processing: TABS separate 'tokens', COMMAS separate data within each token. A 'token' is a group of related data, comprising a 'header' and a series of comma-separated fields which make up data that relates to the header. Examples of tokens from the above event include:
syscall,11,execve
/sbin/auditctl
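The following is an added example of how a collector or SIEM pre-processor might split a Snare event line into its token/data groups; it is not code from the Snare product or from InterSect Alliance. It assumes, as this appendix states, that TABs separate tokens and commas separate the data inside a token. The sample event is reconstructed from the one printed above with TABs reinserted at every token boundary (the tabs did not survive extraction, so that placement is an assumption). The function and variable names (parse_event, group_by_header, naive_dict, summarise, SAMPLE_EVENT) are this example's own. The example keeps every occurrence of a repeated header, because the event above carries the same header more than once with different values (uid three times, a0 once as a register value and once as argv[0]), and it shows what a plain dictionary silently loses.

```python
"""Parse Snare for Linux 'one line per event' output into token/data groups.

Added example; not code from InterSect Alliance or the Snare product.
"""
from collections import defaultdict

# Constructed sample event, rebuilt from the event printed in this appendix.
# The appendix states that TABs separate tokens and commas separate the data
# within a token; the TABs did not survive extraction, so they are reinserted
# here on the assumption that every token boundary in the printed event was a
# TAB. Tokens that recur with different values (uid, a0, a1, item) are kept
# on purpose, because that is the case a parser must not mishandle.
SAMPLE_EVENT = "\t".join([
    "localhost.localdomain", "LinuxKAudit", "2",
    "event,execve,Jun 20 06:10:03", "sequence,345199",
    "uid,4294967295,unknown", "euid,0,root", "gid,0,root", "egid,0,root",
    "process,,/sbin/auditctl", "return,0,yes", "name,null",
    "exe,/sbin/auditctl", "success,yes", "return,0", "syscall,11,execve",
    "uid,unknown", "euid,root", "arch,", "a0,80ca7f8", "a1,80ca980",
    "a2,80ca8a8", "a3,0", "items,2", "ppid,24047", "pid,24051", "uid,0",
    "tty,none", "comm,auditctl", "key,obj-0-0", "a0,/sbin/auditctl", "a1,-v",
    "cwd,/", "item,0", "inode,37751", "dev,03:02", "mode,0100750",
    "item,1", "inode,17644", "dev,03:02", "mode,0100755",
])


def parse_event(line):
    """Split one event line into an ordered list of (header, fields) pairs.

    Order and duplicates are preserved: the audit subsystem legitimately emits
    the same header more than once within an event (here 'a0' appears first as
    a raw register value and later as the argv[0] string), so collapsing the
    tokens into a dict would silently lose data. A token without a comma
    (the leading hostname, source and criticality fields) has no data fields.
    """
    tokens = []
    for raw in line.rstrip("\r\n").split("\t"):
        if raw == "":
            continue                      # tolerate an empty/trailing TAB
        header, sep, rest = raw.partition(",")
        fields = rest.split(",") if sep else []   # 'process,,/x' -> ['', '/x']
        tokens.append((header, fields))
    return tokens


def group_by_header(tokens):
    """Index parsed tokens by header, keeping every occurrence in order."""
    grouped = defaultdict(list)
    for header, fields in tokens:
        grouped[header].append(fields)
    return dict(grouped)


def naive_dict(line):
    """The wrong way: a plain dict keeps only the LAST value for each header."""
    return {header: fields for header, fields in parse_event(line)}


def summarise(line):
    """Pull out the fields an analyst usually wants from an execve event."""
    tokens = parse_event(line)
    grouped = group_by_header(tokens)
    return {
        "host": tokens[0][0],                        # first token is the hostname
        "source": tokens[1][0],                      # 'LinuxKAudit'
        "syscall": grouped["syscall"][0][1],         # 'execve' (name, not number)
        "exe": grouped["exe"][0][0],
        "sequence": int(grouped["sequence"][0][0]),
        "item_count": len(grouped["item"]),          # one 'item' token per path
        "a0": [fields[0] for fields in grouped["a0"]],  # every a0 value, in order
        "uid": grouped["uid"],                       # all three uid tokens
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_EVENT))
    print("naive a0:", naive_dict(SAMPLE_EVENT)["a0"])   # only the last one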
© InterSect Alliance, September 2014 Page 30 of 30 Version 4.1