Snare 4.0.2.0 MSI with WiX

Dear Leigh,

Thank you for getting back to me.

Concerning the "take control..." option, from what you say the installer is NOT the one doing the scanning of the 'objectives', but the Snare service when it is started, so how is it signalled to the Snare service that it should do this? Is there a registry entry that needs to be changed by the installer?

Concerning these 'objectives' that are defined for Snare, I presume these are the registry values under HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\Objective, aren't they? Is there any documentation as to the meaning of the different values? I notice that the installer by default creates the following ones:

"Objective0"="1 31 32 Logon_Logoff *** 0 * 0 0 * 0"
"Objective1"="0 31 32 Process_Events *** 0 * 0 0 * 0"
"Objective2"="2 31 32 User_Group_Management_Events *** 0 * 0 0 * 0"
"Objective3"="1 24 32 Reboot_Events *** 0 * 0 0 * 0"
"Objective4"="3 31 32 Security_Policy_Events *** 0 * 0 0 * 0"
"Objective5"="1 31 95 * *** 0 * 0 0 * 0"

and I would like to understand what they mean.

Again, thank you for getting back to me.

Yours,

    David del Campo

-----Original Message-----
From: Leigh Purdie [mailto:redphoenix@users.sf.net]
Sent: 30 January 2017 00:08
To: [snare:support-requests] 37@support-requests.snare.p.re.sf.net
Subject: [snare:support-requests] #37 Snare 4.0.2.0 MSI with WiX

G'day David,

If the 'take control of your eventlog configuration' option is turned on, when
Snare is started, it will scan through the 'objectives' you have created, and
check the underlying windows audit configuration to make sure that the
associated switches are turned on.

For example, if you have defined a 'login' objective within Snare, and 'take
control' is turned on, Snare will ask windows to turn on the switch that makes
sure login events are generated, so they can be processed and analysed by
Snare.
If you have defined a file-related objective, and want to monitor
c:\secret_directory, then Snare will ask windows to turn on 'file' events, and
also activate file-auditing on the c:\secret_directory path (note though, that
due to the way windows works, this tends to happen at objective-creation
time, rather than at snare startup, for file-related objectives)

If you do not have 'take control' turned on, Snare will just assume that you
know what you're doing, and that you have already configured your local
event configuration (either directly, or through policies defined on your AD);
it won't attempt to modify your local audit settings to turn on the switches
that guarantee delivery of the events that you might need (according to your
snare objective list).

Regards,

Leigh.

---

** [support-requests:#37] Snare 4.0.2.0 MSI with WiX**

Status: open
Group: v1.0_(example)
Created: Thu Jan 26, 2017 03:40 PM UTC by David del Campo Last
Updated: Thu Jan 26, 2017 03:40 PM UTC
Owner: nobody

I am trying to create a Snare for Windows 4.0.2.0 MSI using WiX (I only need
x64, so I do not need to compile the binaries, just copy them from a manual
installation). As all the documentation I can find is related to the Enterprise
product I was wondering if there was information on how to create the MSI
for the Open Source client.

I have more or less created a MSI that:

-places the files in "Program Files"
-creates and configures the Snare service -starts the service, and -creates the
Registry branch.

I would be especially interested in knowing what does the "Do you want
Snare to take control of your EventLog Configuration?" option do.

Thank you for your help.

Yours,

David del Campo

---

Sent from sourceforge.net because you indicated interest in
https://sourceforge.net/p/snare/support-requests/37/

To unsubscribe from further messages, please visit
https://sourceforge.net/auth/subscriptions/