; Fullyconfigured.inf - Snare agent answer/configuration file (sections:
; Setup, Service, Config, Network, AdvObjective, Objective, FAM, RAM, Log,
; Filter, FIM, RIM, Remote, SAM, Certificate).
; Layout: Windows-style INI, key=value with no surrounding spaces, most values
; wrapped in double quotes. The [Setup] keys Lang/Group/NoIcons/Dir resemble an
; Inno Setup saved-inf block - confirm against the installer actually used.
; NOTE(review): the full-line ';' comments in this file are review notes;
; confirm the consuming parser tolerates them before deploying this file.
; NOTE(review): several values below (AgentKey, Destination1TLSAuthKey,
; AccessKeyAuth, SAM1AuthKey) are long hex strings stored in plaintext. If
; they are key or credential material and this file is shared or public,
; treat them as exposed and regenerate them.
; Installer settings.
[Setup]
Lang=default
Group=InterSect Alliance
NoIcons=0
; install directory; trailing backslash kept as written
Dir="C:\Program Files\Snare\"
Version=5.7.1
; Service account for the agent. LocalSystem is a built-in account, hence the
; empty password - confirm no other account is intended.
[Service]
Account="LocalSystem"
Password=""
; Agent-wide settings. Numeric values are 0/1 flags unless noted; their exact
; meaning is not defined in this file - see the Snare agent documentation.
[Config]
AdvancedAudit=1
; NOTE(review): plaintext hex value - see the header note on secrets.
AgentKey="5D209FECD107B95C0784D9C516A4F57C72A736AC54E12D0C811B00283FE65A80"
AgentLog=3
Audit=1
AuditAll=0
CachePath="C:\Program Files\Snare"
Checksum=0
ClearTabs=0
CritAudit=0
Delimiter=" "
EnableEventXML=1
EnableUSB=1
EpilogImport=0
EpilogImportComplete=0
EventSourceId=""
EventSourceIdText=""
EventSourceIdType=0
FileAudit=1
FileSize=256
; units for HeartBeat/FileSize are not given here - check the agent docs
HeartBeat=15
HeartBeatFileExport=0
HeartBeatOutputPath="C:\Program Files\Snare\"
IISLogFlush=0
Installed=0
LeaveRetention=0
; NOTE(review): TLS13Minimum=0 presumably allows TLS versions below 1.3 on the
; agent's TLS connections - confirm, and consider 1 where the collector
; supports it.
TLS13Minimum=0
UseHostIP=0
UseUTC=0
; lower-case key unlike the rest of the section; harmless on case-insensitive
; INI parsers, but keep the casing consistent when editing
filecheckpast=1
; Event delivery to the collector (Destination1) and local caching.
[Network]
CacheSize=640
CacheSizeEventLog=1000
CacheSizeM=10
CacheSizeSet=1
CheckTime=600
Destination1Delimiter=" "
; Destination1Format and Destination1SocketType are enumerations whose values
; are not defined in this file
Destination1Format=6
; collector address (RFC 1918 private range)
Destination1Host="192.168.10.11"
; NOTE(review): same port number as WebPort in [Remote]; presumably unrelated
; (collector listener vs. this agent's local web UI) - confirm it is not a
; copy/paste slip.
Destination1Port=6161
Destination1SocketType=1
; NOTE(review): plaintext hex value - see the header note on secrets.
Destination1TLSAuthKey="9B0EACF781AEB019625033CE96ED71E2850ED52EF5AC6B39BA73D7149CA7D2E2105F76BA75FE0833EAA2828F9EFE112D179E4FB8B30F6608D56CC4E07957A6C9CE9F6B1AE5881FF6CF59C61C58FBDFF83CA2AE0DE874C0FCE4A27D9DCE26298D"
NotifyMsgLimit=1
NotifyMsgLimitFrequency=60
RateLimit=10000
SyslogDynamicCritic=0
SyslogFacility=1
SyslogPriority=8
SyslogTAGTerminator=1
; Space-separated list of message fragments (note the trailing space inside the
; quotes). Whether quotes and trailing whitespace survive is parser-dependent,
; so edit this through the agent UI rather than by hand.
TruncateList="provided if a certificate was used for pre-authentication This event is generated every time access is requested This event is generated when a logon request fails. This event is generated when a logon session is created. This event is generated when the system time is changed. Token Elevation Type indicates the type of token The subject fields indicate the account on the local system "
; Event-collection objectives, one JSON document per key. The JSON sits inside
; a double-quoted value with unescaped inner quotes, which only the agent's own
; parser is expected to handle; keys appear in lexicographic order (10-16
; before 1-9), so the file is presumably tool-generated. Each entry holds:
; events (Windows audit subcategories), event_id_match / general_match /
; user_match / source_match filters, event_type and log_type selections, and a
; criticality vector (snare, syslog3164, syslogAlt, syslog5424, cef and leef
; alert levels plus four reserve slots).
[AdvObjective]
AdvObjective10="{ "events": [ "Logon.Success", "Logon.Failure", "Logoff.Success", "Account Lockout.Success", "Account Lockout.Failure", "Special Logon.Success", "Special Logon.Failure", "Other LogonLogoff Events.Success", "Other LogonLogoff Events.Failure", "Group Membership.Success" ], "event_id_match": { "exclude": "0", "data": [ "4624", "4625", "4627", "4634", "4647", "4648", "4672", "4675", "4778", "4779", "4800", "4801", "4802", "4803", "5378", "5632" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "1", "syslog3164_alert_level": "6", "syslogAlt_alert_level": "6", "syslog5424_alert_level": "6", "cef_alert_level": "3", "leef_alert_level": "3", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective11="{ "events": [ "Audit Policy Change.Success", "Audit Policy Change.Failure", "Authentication Policy Change.Success", "Authorization Policy Change.Success", "MPSSVC RuleLevel Policy Change.Success", "MPSSVC RuleLevel Policy Change.Failure", "Filtering Platform Policy Change.Success", "Filtering Platform Policy Change.Failure", "Other Policy Change Events.Success", "Other Policy Change Events.Failure" ], "event_id_match": { "exclude": "0", "data": [ "4707", "4709", "4710", "4711", "4712", "4714", "4717", "4718", "4817", "4864", "4902", "4904", "4905", "5040", "5041", "5042", "5043", "5044", "5045", "5046", "5047", "5048", "5440", "5441", "5442", "5443", "5444", "5446", "5448", "5449", "5450", "5456", "5458", "5459", "5460", "5461", "5462", "5463", "5464", "5465", "5466", "5467", "5468", "5471", "5472", "5473", "5474", "5477" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "3", "syslog3164_alert_level": "4", "syslogAlt_alert_level": "4", "syslog5424_alert_level": "4", "cef_alert_level": "5", "leef_alert_level": "5", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective12="{ "events": [ "Audit Policy Change.Success", "Audit Policy Change.Failure", "Authentication Policy Change.Success", "Authorization Policy Change.Success", "MPSSVC RuleLevel Policy Change.Success", "MPSSVC RuleLevel Policy Change.Failure", "Filtering Platform Policy Change.Success", "Filtering Platform Policy Change.Failure", "Other Policy Change Events.Success", "Other Policy Change Events.Failure" ], "event_id_match": { "exclude": "0", "data": [ "4670", "4703", "4704", "4705", "4819", "4826", "4909", "4910", "4911", "4913", "4944", "4945", "4946", "4947", "4948", "4949", "4950", "4951", "4952", "4953", "4954", "4956", "4957", "4958", "5063", "5064", "5065", "5066", "5067", "5068", "5069", "5070", "5447", "6144" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "3", "syslog3164_alert_level": "4", "syslogAlt_alert_level": "4", "syslog5424_alert_level": "4", "cef_alert_level": "5", "leef_alert_level": "5", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective13="{ "events": [ "Non Sensitive Privilege Use.Success", "Non Sensitive Privilege Use.Failure" ], "event_id_match": { "exclude": "0", "data": [ "4673", "4674" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "0", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "1", "syslog3164_alert_level": "6", "syslogAlt_alert_level": "6", "syslog5424_alert_level": "6", "cef_alert_level": "3", "leef_alert_level": "3", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective14="{ "events": [ "Security State Change.Success", "Security State Change.Failure", "Security System Extension.Success", "Security System Extension.Failure", "System Integrity.Success", "System Integrity.Failure", "IPsec Driver.Success", "IPsec Driver.Failure", "Other System Events.Success", "Other System Events.Failure" ], "event_id_match": { "exclude": "0", "data": [ "4608", "4609", "4610", "4611", "4612", "4614", "4615", "4616", "4621", "4622", "4697", "4816", "5024", "5025", "5032", "5033", "5034", "5056", "5057", "5058", "5059", "5060", "5061", "5062", "5478", "5479", "6281", "6400", "6401", "6402", "6403", "6404", "6405", "6406", "6407", "6408", "6409", "6410" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "1", "CustomEventLog": "1", "DFSReplication": "1", "DNSServer": "1", "DirectoryService": "1", "LegacyFRS": "0", "Security": "0", "System": "1" }, "criticality": { "snare_alert_level": "1", "syslog3164_alert_level": "6", "syslogAlt_alert_level": "6", "syslog5424_alert_level": "6", "cef_alert_level": "3", "leef_alert_level": "3", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective15="{ "events": [ "Registry.Success", "Registry.Failure", "Kernel Object.Success", "Kernel Object.Failure", "Handle Manipulation.Success", "File Share.Success", "File Share.Failure", "Other Object Access Events.Success", "Other Object Access Events.Failure" ], "event_id_match": { "exclude": "0", "data": [ "4656", "4657", "4658", "4659", "4660", "4661", "4663", "4671", "4690", "4691", "4698", "4699", "4700", "4701", "4702", "5140", "5142", "5143", "5144", "5148", "5149", "5168", "5888", "5889", "5890" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "1", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "1", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "1", "syslog3164_alert_level": "6", "syslogAlt_alert_level": "6", "syslog5424_alert_level": "6", "cef_alert_level": "3", "leef_alert_level": "3", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective16="{ "events": [ "Any Events" ], "event_id_match": { "exclude": "0", "data": [ "*" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "1", "CustomEventLog": "1", "DFSReplication": "1", "DNSServer": "1", "DirectoryService": "1", "LegacyFRS": "0", "Security": "0", "System": "1" }, "criticality": { "snare_alert_level": "1", "syslog3164_alert_level": "6", "syslogAlt_alert_level": "6", "syslog5424_alert_level": "6", "cef_alert_level": "3", "leef_alert_level": "3", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective1="{ "events": [ "System Integrity.Success", "Other LogonLogoff Events.Success", "Certification Services.Success", "Audit Policy Change.Success", "User Account Management.Success", "User Account Management.Failure", "Special Logon.Success" ], "event_id_match": { "exclude": "0", "data": [ "104", "1102", "4618", "4649", "4719", "4765", "4766", "4794", "4897", "4964", "5124" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "4", "syslog3164_alert_level": "2", "syslogAlt_alert_level": "2", "syslog5424_alert_level": "2", "cef_alert_level": "10", "leef_alert_level": "10", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
; NOTE(review): event_id_match below contains "8485" between "5484" and
; "5027"; the neighbouring IDs are all 54xx/50xx, so this may be a typo for
; 5485 - verify before relying on this objective.
AdvObjective2="{ "events": [ "IPsec Driver.Success", "IPsec Driver.Failure", "Other System Events.Success", "Other System Events.Failure", "System Integrity.Failure" ], "event_id_match": { "exclude": "0", "data": [ "4960", "4961", "4962", "4963", "4965", "5480", "5483", "5484", "8485", "5027", "5028", "5029", "5030", "5035", "5037", "5038" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "2", "syslog3164_alert_level": "4", "syslogAlt_alert_level": "4", "syslog5424_alert_level": "4", "cef_alert_level": "8", "leef_alert_level": "8", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective3="{ "events": [ "Audit Policy Change.Success", "Authentication Policy Change.Success", "Authorization Policy Change.Success", "Other Policy Change Events.Success" ], "event_id_match": { "exclude": "0", "data": [ "4706", "4713", "4714", "4715", "4716", "4739", "4865", "4866", "4867", "4906", "4907", "4908", "4912", "6145" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "2", "syslog3164_alert_level": "4", "syslogAlt_alert_level": "4", "syslog5424_alert_level": "4", "cef_alert_level": "8", "leef_alert_level": "8", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective4="{ "events": [ "User Account Management.Success", "User Account Management.Failure", "Security Group Management.Success" ], "event_id_match": { "exclude": "0", "data": [ "4724", "4727", "4731", "4735", "4737", "4754", "4755", "4764", "4780", "5376", "5377" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "2", "syslog3164_alert_level": "4", "syslogAlt_alert_level": "4", "syslog5424_alert_level": "4", "cef_alert_level": "8", "leef_alert_level": "8", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective5="{ "events": [ "Logon.Success", "IPsec Main Mode.Success", "IPsec Quick Mode.Success", "IPsec Extended Mode.Success", "Network Policy Server.Success" ], "event_id_match": { "exclude": "0", "data": [ "4675", "4976", "4977", "4978", "4983", "4984", "5453", "6273", "6274", "6275", "6276", "6277", "6278", "6279", "6280" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "2", "syslog3164_alert_level": "4", "syslogAlt_alert_level": "4", "syslog5424_alert_level": "4", "cef_alert_level": "8", "leef_alert_level": "8", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective6="{ "events": [ "Certification Services.Success" ], "event_id_match": { "exclude": "0", "data": [ "4868", "4870", "4882", "4885", "4890", "4892", "4896", "5120", "5121", "5122", "5123" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "1", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "1", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "1", "syslog3164_alert_level": "6", "syslogAlt_alert_level": "6", "syslog5424_alert_level": "6", "cef_alert_level": "3", "leef_alert_level": "3", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective7="{ "events": [ "Process Creation.Success", "Process Termination.Success", "DPAPI Activity.Success", "DPAPI Activity.Failure" ], "event_id_match": { "exclude": "0", "data": [ "4688", "4689", "4692", "4693", "4696" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "0", "syslog3164_alert_level": "7", "syslogAlt_alert_level": "7", "syslog5424_alert_level": "7", "cef_alert_level": "0", "leef_alert_level": "1", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective8="{ "events": [ "Credential Validation.Success", "Credential Validation.Failure", "Kerberos Service Ticket Operations.Success", "Kerberos Service Ticket Operations.Failure", "Kerberos Authentication Service.Success", "Kerberos Authentication Service.Failure" ], "event_id_match": { "exclude": "0", "data": [ "4768", "4769", "4770", "4771", "4772", "4773", "4774", "4775", "4776", "4777" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "1", "syslog3164_alert_level": "6", "syslogAlt_alert_level": "6", "syslog5424_alert_level": "6", "cef_alert_level": "3", "leef_alert_level": "3", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
AdvObjective9="{ "events": [ "User Account Management.Success", "User Account Management.Failure", "Computer Account Management.Success", "Computer Account Management.Failure", "Security Group Management.Success", "Security Group Management.Failure", "Distribution Group Management.Success", "Application Group Management.Success", "Other Account Management Events.Success", "Other Account Management Events.Failure" ], "event_id_match": { "exclude": "0", "data": [ "4720", "4722", "4723", "4725", "4726", "4728", "4729", "4730", "4732", "4733", "4734", "4738", "4740", "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749", "4750", "4751", "4752", "4753", "4756", "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4767", "4781", "4782", "4783", "4784", "4785", "4786", "4787", "4788", "4789", "4790", "4791", "4792", "4793", "4798", "4799" ] }, "general_match": { "exclude": "0", "data": "***" }, "general_match_regex": "0", "user_match": { "exclude": "0", "data": [ "*" ] }, "source_match": { "exclude": "0", "data": [ "*" ] }, "event_type": { "ActivityTracing": "0", "Critical": "1", "Error": "1", "FailureAudit": "1", "Information": "1", "SuccessAudit": "1", "Verbose": "0", "Warning": "1" }, "log_type": { "Application": "0", "CustomEventLog": "0", "DFSReplication": "0", "DNSServer": "0", "DirectoryService": "0", "LegacyFRS": "0", "Security": "1", "System": "0" }, "criticality": { "snare_alert_level": "1", "syslog3164_alert_level": "6", "syslogAlt_alert_level": "6", "syslog5424_alert_level": "6", "cef_alert_level": "3", "leef_alert_level": "3", "reserve1": "0", "reserve2": "0", "reserve3": "0", "reserve4": "0" }}"
; Legacy (non-JSON) objectives: positional, space-separated fields. The leading
; 10-value comma list appears to be the same criticality vector the
; AdvObjective entries spell out by name (e.g. Objective9 = 4,5,5,5,10,10,...);
; the remaining numeric fields and match patterns are not defined in this file.
[Objective]
Objective10="3,0,0,0,0,1,0,0,0,0 127 112 USB_Audit_Events *** 0 * 0 0 * 0 0"
Objective1="0,0,0,0,0,1,0,0,0,0 16 32 4690 *** 0 * 1 0 * 0 0"
Objective2="2,0,0,0,0,1,0,0,0,0 63 32 Other_Object_Access_Events *** 0 * 0 0 * 0 0"
Objective3="1,5,5,5,3,3,0,0,0,0 63 32 Logon_Logoff *** 0 * 0 0 * 0 0"
Objective4="0,5,5,5,0,1,0,0,0,0 63 32 Process_Events *** 0 * 0 0 * 0 0"
Objective5="2,5,5,5,5,5,0,0,0,0 63 32 User_Group_Management_Events *** 0 * 0 0 * 0 0"
Objective6="1,5,5,5,3,3,0,0,0,0 24 32 Reboot_Events *** 0 * 0 0 * 0 0"
Objective7="3,5,5,5,8,8,0,0,0,0 63 32 Security_Policy_Events *** 0 * 0 0 * 0 0"
Objective8="1,5,5,5,3,3,0,0,0,0 63 95 * *** 0 * 0 0 * 0 0"
Objective9="4,5,5,5,10,10,0,0,0,0 63 32 User_Right_Events *** 0 * 0 0 * 0 0"
; File activity monitoring. Positional layout per entry:
; "File|Folder <path> Both <inheritance flags> <FAM_* right=0/1 list>
;  Include * Include * 0 Include * <criticality vector>".
; Targets are common tamper points: win.ini, system.ini, the drivers\etc
; (hosts) directory, the all-users Startup folder and c:\temp.
[FAM]
FAM1="File c:\windows\win.ini Both FAM_NO_PROPAGATE_INHERIT_ACE FAM_GENERIC_ALL=1 Include * Include * 0 Include * 4,0,0,0,0,1,0,0,0,0"
FAM2="File c:\windows\system.ini Both FAM_NO_PROPAGATE_INHERIT_ACE FAM_GENERIC_ALL=1 Include * Include * 0 Include * 4,0,0,0,0,1,0,0,0,0"
; NOTE(review): FAM3 spells out each right individually and its criticality
; list ends in ",,,," where every other entry ends in ",0,0,0,0" - confirm
; that empty trailing fields are accepted and read as 0.
FAM3="Folder c:\temp Both FAM_NO_PROPAGATE_INHERIT_ACE FAM_GENERIC_ALL=1,FAM_GENERIC_EXECUTE=0,FAM_SPECIFIC_RIGHTS_ALL=0,FAM_STANDARD_RIGHTS_REQUIRED=0,FAM_WRITE_OWNER=0,FAM_GENERIC_WRITE=0,FAM_DELETE=0,FAM_WRITE_DAC=0,FAM_GENERIC_READ=0 Include * Include * 0 Include * 2,0,0,0,0,1,,,,"
FAM4="Folder c:\windows\system32\drivers\etc Both FAM_CONTAINER_INHERIT_ACE|FAM_OBJECT_INHERIT_ACE FAM_GENERIC_ALL=1 Include * Include * 0 Include * 3,0,0,0,0,1,0,0,0,0"
; NOTE(review): "Documents and Settings" is the pre-Vista profile root; on
; current Windows it is a junction or absent - confirm the intended Startup
; folder is actually watched (same path reappears in FIM5).
FAM5="Folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup Both FAM_CONTAINER_INHERIT_ACE|FAM_OBJECT_INHERIT_ACE FAM_GENERIC_ALL=1 Include * Include * 0 Include * 4,0,0,0,0,1,0,0,0,0"
; Registry activity monitoring, same positional layout as [FAM] with
; Registry/RAM_* tokens. Watched keys: Policies, the file-type handlers
; (batfile/cmdfile/comfile/exefile/AllFilesystemObjects), the SECURITY hive
; and the Services list.
[RAM]
RAM1="Registry MACHINE\Software\Policies Both RAM_CONTAINER_INHERIT_ACE RAM_GENERIC_ALL=1 Include * Include * 0 Include * 3,0,0,0,0,1,0,0,0,0"
RAM2="Registry MACHINE\Software\Classes\batfile Both RAM_CONTAINER_INHERIT_ACE RAM_GENERIC_ALL=1 Include * Include * 0 Include * 3,0,0,0,0,1,0,0,0,0"
RAM3="Registry MACHINE\Software\Classes\cmdfile Both RAM_CONTAINER_INHERIT_ACE RAM_GENERIC_ALL=1 Include * Include * 0 Include * 3,0,0,0,0,1,0,0,0,0"
RAM4="Registry MACHINE\Software\Classes\comfile Both RAM_CONTAINER_INHERIT_ACE RAM_GENERIC_ALL=1 Include * Include * 0 Include * 3,0,0,0,0,1,0,0,0,0"
RAM5="Registry MACHINE\Software\Classes\exefile Both RAM_CONTAINER_INHERIT_ACE RAM_GENERIC_ALL=1 Include * Include * 0 Include * 3,0,0,0,0,1,0,0,0,0"
RAM6="Registry MACHINE\Software\Classes\AllFilesystemObjects Both RAM_CONTAINER_INHERIT_ACE RAM_GENERIC_ALL=1 Include * Include * 0 Include * 1,0,0,0,0,1,0,0,0,0"
RAM7="Registry MACHINE\Security Both RAM_CONTAINER_INHERIT_ACE RAM_GENERIC_ALL=1 Include * Include * 0 Include * 4,0,0,0,0,1,0,0,0,0"
RAM8="Registry MACHINE\System\CurrentControlSet\Services Both RAM_CONTAINER_INHERIT_ACE RAM_GENERIC_ALL=1 Include * Include * 0 Include * 1,0,0,0,0,1,0,0,0,0"
; Custom log-file sources. Fields are concatenated with no delimiter
; (logtype=..logval=..linetype=..), unlike the comma-separated [FIM]/[RIM]
; entries, and Log1's lineval embeds "\r\n\r\n". Presumably only the agent's
; own parser splits these, so treat them as generated and edit via the UI.
[Log]
Log1="logtype=13logval=""linetype=2lineval="\r\n\r\n"watchtype=0watchval="1"dirfilter="c:\"filefilter="dns.log"features=0state=1uuid=a8c010e3-3acc-430c-a859-9e6dc2eeeb3f"
Log2="logtype=0logval=""linetype=0lineval="1"watchtype=0watchval="1"dirfilter="c:\windows\logs\*"filefilter="*.log"features=16state=1uuid=bbca62ce-4011-4551-a928-143cb38ea3dd"
; Message filters; same delimiter-less field layout as [Log].
[Filter]
Filter1="criticality=0,5,5,5,0,1,0,0,0,0match="*"regex=0state=1uuid=9a91ae02-01f5-48a3-9e99-149244e41ee1"
; File integrity monitoring, comma-separated fields: type, alg (hash algorithm
; enumeration, value meaning not given here), criticality vector, schedule,
; dirfilter/filefilter/exclusions, features, state, uuid. Targets: *.ini
; under c:\windows, *.exe and *.dll in system32, drivers\etc, the all-users
; Startup folder (pre-Vista path, see the note on FAM5) and c:\temp.
[FIM]
FIM1="type=0,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,dirfilter="c:\windows",filefilter="*.ini",exclusions="",features=64,state=1,uuid=69212ecb-0372-450d-a768-40800d4aaf0e"
FIM2="type=0,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,dirfilter="c:\windows\system32",filefilter="*.exe",exclusions="",features=64,state=1,uuid=d59a8117-093a-4040-997a-1846fb0d43b3"
FIM3="type=0,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,dirfilter="c:\windows\system32",filefilter="*.dll",exclusions="",features=64,state=1,uuid=5c63d351-b172-4e8b-b4b9-ffa43406fb5a"
FIM4="type=0,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,dirfilter="c:\windows\system32\drivers\etc",filefilter="*",exclusions="",features=64,state=1,uuid=22b86660-54ac-4788-b427-1e01ac28d7f4"
FIM5="type=0,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,dirfilter="C:\Documents and Settings\All Users\Start Menu\Programs\startup",filefilter="*",exclusions="",features=64,state=1,uuid=899b0564-2f39-4c19-bd28-1fd980276e1b"
FIM6="type=0,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,dirfilter="c:\temp",filefilter="*",exclusions="",features=64,state=1,uuid=77448952-3f4b-4320-8121-b851cf901975"
; Registry integrity monitoring, same layout as [FIM] with regrootkey /
; pathfilter / inclusions. Keys appear lexicographically (10-22 before 1-9).
; Watched paths cover the file-type handlers, Security and Services,
; KnownDLLs, the winreg remote-access key, Run/RunOnce/RunOnceEx, Winlogon,
; Active Setup and Policies - standard integrity-monitoring targets.
[RIM]
RIM10="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Security",inclusions="*",exclusions="",features=0,state=1,uuid=5fca92ff-12cc-48a6-99d3-c1e99787077c"
RIM11="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\System\CurrentControlSet\Services",inclusions="*",exclusions="",features=0,state=1,uuid=2e1d0a6c-79db-4463-a5ce-aef7d77b3ead"
RIM12="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\System\CurrentControlSet\Control\Session Manager\KnownDLLs",inclusions="*",exclusions="",features=0,state=1,uuid=162b15a6-9843-4e3b-b27b-56378a096435"
RIM13="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\System\CurrentControlSet\Control\SecurePipeServers\winreg",inclusions="*",exclusions="",features=0,state=1,uuid=5206d5b4-6d91-4ee7-851a-a969f0bb09ad"
RIM14="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Microsoft\Windows\CurrentVersion\Run",inclusions="*",exclusions="",features=0,state=1,uuid=8e10cdc5-0807-4d00-8476-ef3943db5927"
RIM15="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Microsoft\Windows\CurrentVersion\RunOnce",inclusions="*",exclusions="",features=0,state=1,uuid=37abaa53-1bf9-4346-b73b-a8beeb3ea17c"
RIM16="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",inclusions="*",exclusions="",features=0,state=1,uuid=904dd5a7-0350-4c0b-a89b-e50ce0acbbc9"
RIM17="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Microsoft\Windows\CurrentVersion\URL",inclusions="*",exclusions="",features=0,state=1,uuid=7a9eb553-5a5d-4766-a0e6-eb1a5fa50bee"
RIM18="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Microsoft\Windows\CurrentVersion\Policies",inclusions="*",exclusions="",features=0,state=1,uuid=a48dc6b2-a2d0-4cfe-8170-537087b138e9"
RIM19="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Microsoft\Windows NT\CurrentVersion\Windows",inclusions="*",exclusions="",features=0,state=1,uuid=f4e3d7bc-d0cf-4011-b277-e7a440a0e605"
RIM1="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Classes\batfile",inclusions="*",exclusions="",features=0,state=1,uuid=9031c223-be45-4417-b216-80b7c40880e0"
RIM20="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",inclusions="*",exclusions="",features=0,state=1,uuid=75ac584a-5572-4768-b180-4199dac5ba6f"
RIM21="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Microsoft\Active Setup\Installed Components",inclusions="*",exclusions="",features=0,state=1,uuid=b02d5fb5-5869-48c3-ac4e-c1e1949be549"
RIM22="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Policies",inclusions="*",exclusions="",features=0,state=1,uuid=e66e1f12-408b-4da4-b20a-bef5204db529"
RIM2="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Classes\cmdfile",inclusions="*",exclusions="",features=0,state=1,uuid=672ee85b-4c68-46a9-a6cc-bbb949339bc3"
RIM3="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Classes\comfile",inclusions="*",exclusions="",features=0,state=1,uuid=b192c826-b555-43d5-8ad5-f8e5aa21f0c5"
RIM4="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Classes\exefile",inclusions="*",exclusions="",features=0,state=1,uuid=d9ddc23e-c150-46d6-beab-a451f8a7a52d"
RIM5="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Classes\piffile",inclusions="*",exclusions="",features=0,state=1,uuid=a46c700f-54e1-4b35-9806-420cce432457"
RIM6="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Classes\AllFilesystemObjects",inclusions="*",exclusions="",features=0,state=1,uuid=a8ecd165-fad9-478b-bf21-110405791f43"
RIM7="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Classes\Directory",inclusions="*",exclusions="",features=0,state=1,uuid=22ff5039-f5ff-4e37-8d18-ed33fc07503b"
RIM8="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Classes\Folder",inclusions="*",exclusions="",features=0,state=1,uuid=17041025-d13e-4ad6-aca4-b8fa3aa01db2"
RIM9="type=1,alg=1,criticality=0,4,4,4,0,1,0,0,0,0,schedule=@midnight,regrootkey="HKEY_LOCAL_MACHINE",pathfilter="\Software\Classes\Protocols",inclusions="*",exclusions="",features=0,state=1,uuid=30be1992-2bdd-441f-a1c2-6a080148b4fe"
; Remote management (the agent's web UI on WebPort).
[Remote]
AccessKey=1
; NOTE(review): plaintext hex value - see the header note on secrets.
AccessKeyAuth="021935D4248FEEB655CE04712F3575AC0D1BD6B5ED7D3DEF0A0E9F0737231BB0B6BA6146E45223C88B7A732B99AA77D0AC863AD76B413230A96E4AF7FE83B8EAADCBC4FA5326D09E7D0595F35A03F33BD74317B247D76136039A6708A71511B2A6D0B07DC95D56C8DDA0BD1FA066034E10385A228ECC28B299D7CB53EAFBEBD4118894"
AccessKeySet=""
AccessKeySetSnare1=""
AccessKeySetSnare2=""
AccessKeySetSnare3=""
; NOTE(review): Allow=1 with Restrict=0 and RestrictIP="" appears to expose the
; web UI to any source address, and AllowBasicAuth=1 permits basic
; authentication. For a production host consider Restrict=1 with an explicit
; RestrictIP and TLS on WebPort - confirm the exact semantics in the agent docs.
Allow=1
AllowBasicAuth=1
Restrict=0
RestrictIP=""
; see the note on Destination1Port in [Network]
WebPort=6161
; Connection to the agent manager (SAM), presumably Snare Agent Manager.
[SAM]
; NOTE(review): plaintext hex value - see the header note on secrets.
SAM1AuthKey="A63B059DB2BB864A4711D1001136E2E9BF07B60CDD45992C665E0232EB722C98DE40EBD8ECFC3F9549D3660469219FBAC8B6CBA6588BA2292A19F7F637F75891"
SAM1IP="192.168.10.111"
SAM1Port=6262
; TLS certificate preferences.
[Certificate]
; "ANY" presumably accepts any certificate from the destination / SAM rather
; than pinning a specific one - confirm, and consider pinning where the
; collector certificate is known.
DestinationCertPreference="ANY"
DestinationCertPreferenceSAM="ANY"
; 20 space-separated hex bytes - the length of a SHA-1 certificate thumbprint;
; presumably selects the certificate used by the web UI.
WebCertID="6b 77 8a 99 9d a0 b7 4b 70 d4 17 7a 09 93 49 5b 1b ba b6 b1"