The Remote Control Interface is accessible by entering http://localhost:6161 in the web browser as shown in Figure 1. The Remote Control Interface is turned on by default, and also password protected for security reasons. The default username and password are:
Username: snare Password: snare
Figure 1: The Remote Control Interface - View Status

Note: The default password is not stored in encrypted form. Change the default Snare password immediately after installation; the password you set is then stored encrypted. Use a strong, complex password of at least 12 characters. To update the password, go to the Remote Control Configuration page and enter the new password.

Note: Red Hat users will need to ensure the following before they can access the Remote Control Interface:
...
- Syscall List: If 'Any Event(s)' is selected as the high-level event, add a comma-separated list of the audit events (syscall names) to search for.
- Audit Filter Term(s): A filter term containing a 'token' which appears within the events of interest, together with the search criteria Snare should use to include or exclude the event. The term is a regular expression searched anywhere in the event text; for example, a search term of /etc/.* would match any event which mentions any file under /etc. Another example:
localhost.localdomain LinuxKAudit Criticality,2 event,execve,20130725 11:03:29 sequence,524 uid,500,george gid,500,george euid,500,george egid,500,george process,,"/bin/uname" return,0,yes name,"/bin/uname" 1374714209.448:524): arch,x86_64 syscall,59,execve success,yes return,0 a0,3190f70 a1,3191040 a2,318d4b0 a3,8 items,2 ppid,3214 pid,3236 auid,500,george uid,500,george gid,500,george euid,500,george suid,500,george fsuid,500,george egid,500,george sgid,500,george fsgid,500,george tty,pts1 ses,1 comm,"uname" exe,"/bin/uname" key,"obj-2-0" argc,1 a0,"uname" cwd,"/home/george" item,0 name,"/bin/uname" inode,21430336 dev,fd:00 mode,0100755 ouid,0,root ogid,0,root rdev,00:00 item,1
The "auid" token in this event ("auid,500,george") could be used to select only events where the auid (the audit ID, which is set at login and preserved across su and sudo) is a certain value, in this case "auid,500,george", or a more general term could be used, such as "george", which also matches events where the name appears in any other field.
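The matching the two items above describe (a syscall list plus a regular-expression filter term, applied to include or exclude events) can be exercised on sample events with the following Python. This is an added example, not Snare's own code: the sample events are constructed in the LinuxKAudit layout shown above (shortened to a few fields), the AuditObjective class and its field names are assumptions, and the include/exclude semantics (exclude keeps the events the term does not match) are assumed rather than taken from the page.

```python
"""Toy model of a Snare audit objective: syscall list + regex filter term (added example)."""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample events (not real logs) in the LinuxKAudit layout used on the page:
# whitespace-separated fields, each a comma-joined key,value(,name) group.
SAMPLE_EVENTS = [
    'host LinuxKAudit Criticality,2 event,execve,20130725 11:03:29 sequence,524 '
    'uid,500,george gid,500,george auid,500,george exe,"/bin/uname" name,"/bin/uname" cwd,"/home/george"',
    # george used sudo: uid is root but auid is still george
    'host LinuxKAudit Criticality,2 event,open,20130725 11:04:02 sequence,525 '
    'uid,0,root gid,0,root auid,500,george exe,"/usr/bin/vim" name,"/etc/passwd" cwd,"/root"',
    'host LinuxKAudit Criticality,2 event,open,20130725 11:05:11 sequence,526 '
    'uid,0,root gid,0,root auid,0,root exe,"/usr/sbin/sshd" name,"/etc/ssh/sshd_config" cwd,"/"',
    # alice switched to george: uid is george but auid records alice
    'host LinuxKAudit Criticality,2 event,execve,20130725 11:06:40 sequence,527 '
    'uid,500,george gid,500,george auid,1001,alice exe,"/bin/ls" name,"/bin/ls" cwd,"/home/george"',
]

EVENT_RE = re.compile(r"\bevent,([A-Za-z0-9_]+),")
SEQ_RE = re.compile(r"\bsequence,(\d+)\b")


def event_name(line: str) -> str:
    """Return the syscall name from the 'event,<name>,<timestamp>' field."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("no event field in: " + line[:60])
    return m.group(1)


def sequence(line: str) -> int:
    """Return the numeric sequence,<n> field, used here to identify events."""
    m = SEQ_RE.search(line)
    if not m:
        raise ValueError("no sequence field in: " + line[:60])
    return int(m.group(1))


@dataclass
class AuditObjective:
    """One filter (hypothetical model): optional syscall list plus a regex term."""
    syscalls: str = ""    # comma-separated names; empty means no syscall restriction
    term: str = ""        # regex searched anywhere in the event text; empty matches all
    include: bool = True  # True: keep events the term matches; False: keep the others

    def matches(self, line: str) -> bool:
        wanted = {s.strip() for s in self.syscalls.split(",") if s.strip()}
        if wanted and event_name(line) not in wanted:
            return False
        if not self.term:
            return True
        hit = re.search(self.term, line) is not None
        return hit if self.include else not hit


def select(objective: AuditObjective, lines: List[str]) -> Set[int]:
    """Sequence numbers of the sample events the objective would forward."""
    return {sequence(line) for line in lines if objective.matches(line)}


if __name__ == "__main__":
    cases = {
        "any file under /etc": AuditObjective(term=r"/etc/.*"),
        "auid token, exact": AuditObjective(term="auid,500,george"),
        "general term 'george'": AuditObjective(term="george"),
        "execve by george (any field)": AuditObjective(syscalls="execve", term="george"),
        "open, excluding root logins": AuditObjective(syscalls="open", term="auid,0,root", include=False),
    }
    for label, objective in cases.items():
        print(f"{label:32s} -> {sorted(select(objective, SAMPLE_EVENTS))}")
```

The runs show why the token form is the sharper filter: "george" also picks up sequence 527, where alice switched to george's account, while "auid,500,george" does not. Note that the term is unanchored, so /etc/.* would also match a path such as /home/etc/x; including the opening quote that Snare places around path values ("/etc/) is one way to tighten it.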
...