The Remote Control Interface is accessible by entering http://localhost:6161 in a web browser, as shown in Figure 1. The Remote Control Interface is turned on by default and is password protected. The default username and password are listed below; since these defaults are publicly documented, change them as part of the installation:
Username: snare Password: snare
Note: Red Hat users will need to ensure the following in order to access the Remote Control Interface:
...
Please note that some options on these pages are only available to users with the purchased Enterprise version. The open-source agents do not include any of the features that are new to this version of the Snare for Linux agent.
Network Configuration
To set the network configuration parameters, select the 'Network Configuration' link.
Figure 2: Configure the network settings
The configuration parameters available are as follows, as displayed in Figure 2:
...
- Syscall List: If 'Any Event(s)' is selected as the high-level event, add a comma-separated list of the audit events (syscalls) to search for.
- Audit Filter Term(s): A filter term is a 'token' that appears within the events of interest, together with the search criteria Snare should use to include or exclude the event. For example, the term /etc/.* matches any event that mentions a file under /etc. As another example, consider the following event:
localhost.localdomain LinuxKAudit Criticality,2 event,execve,20130725 11:03:29 sequence,524 uid,500,george gid,500,george euid,500,george egid,500,george process,,"/bin/uname" return,0,yes name,"/bin/uname" 1374714209.448:524): arch,x86_64 syscall,59,execve success,yes return,0 a0,3190f70 a1,3191040 a2,318d4b0 a3,8 items,2 ppid,3214 pid,3236 auid,500,george uid,500,george gid,500,george euid,500,george suid,500,george fsuid,500,george egid,500,george sgid,500,george fsgid,500,george tty,pts1 ses,1 comm,"uname" exe,"/bin/uname" key,"obj-2-0" argc,1 a0,"uname" cwd,"/home/george" item,0 name,"/bin/uname" inode,21430336 dev,fd:00 mode,0100755 ouid,0,root ogid,0,root rdev,00:00 item,1
The auid token (auid,500,george in the event above) could be used to select only events where the 'auid' (the audit ID, i.e. the user who originally logged in, which survives su or sudo) has a particular value, either with the specific term auid,500,george or with a more general term such as george. Note that a general term will also match any other field containing the same string, such as cwd,"/home/george" or the gid and egid fields.
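To make the include/exclude behaviour of filter terms concrete, the following Python is an added example (not Snare's own code) that splits a Snare for Linux event into its `name,value[,value]` tokens and applies filter terms to it. It assumes, as the `/etc/.*` example above implies, that a filter term is a regular expression searched anywhere in the raw event text; the `select` function, its `include`/`exclude` arguments and the two extra events (EVENT_PASSWD, EVENT_ROOT_LS) are constructed for this example and are not from the page or from a real system.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events for this example. EVENT_UNAME is the execve record quoted
# in the text; EVENT_PASSWD and EVENT_ROOT_LS are made up here to exercise the filters
# and were not captured from a real system.
EVENT_UNAME = (
    'localhost.localdomain LinuxKAudit Criticality,2 event,execve,20130725 11:03:29 '
    'sequence,524 uid,500,george gid,500,george euid,500,george egid,500,george '
    'process,,"/bin/uname" return,0,yes name,"/bin/uname" arch,x86_64 syscall,59,execve '
    'success,yes return,0 a0,3190f70 a1,3191040 a2,318d4b0 a3,8 items,2 ppid,3214 pid,3236 '
    'auid,500,george uid,500,george gid,500,george euid,500,george suid,500,george '
    'fsuid,500,george egid,500,george sgid,500,george fsgid,500,george tty,pts1 ses,1 '
    'comm,"uname" exe,"/bin/uname" key,"obj-2-0" argc,1 a0,"uname" cwd,"/home/george" '
    'item,0 name,"/bin/uname" inode,21430336 dev,fd:00 mode,0100755 ouid,0,root '
    'ogid,0,root rdev,00:00 item,1'
)
EVENT_PASSWD = (
    'localhost.localdomain LinuxKAudit Criticality,3 event,open,20130725 11:05:12 '
    'sequence,530 auid,501,mallory uid,0,root euid,0,root process,,"/usr/bin/vim" '
    'return,0,yes name,"/etc/passwd" syscall,2,open success,yes comm,"vim" '
    'exe,"/usr/bin/vim" key,"obj-3-0" cwd,"/root" item,0 name,"/etc/passwd" '
    'inode,393258 mode,0100644 ouid,0,root'
)
EVENT_ROOT_LS = (
    'localhost.localdomain LinuxKAudit Criticality,1 event,execve,20130725 11:07:44 '
    'sequence,541 auid,0,root uid,0,root euid,0,root process,,"/bin/ls" return,0,yes '
    'name,"/bin/ls" syscall,59,execve success,yes comm,"ls" exe,"/bin/ls" key,"obj-2-0" '
    'argc,1 a0,"ls" cwd,"/home/george" item,0 name,"/bin/ls" inode,21430300 '
    'mode,0100755 ouid,0,root'
)
ALL_EVENTS = [EVENT_UNAME, EVENT_PASSWD, EVENT_ROOT_LS]


def tokens(event: str) -> Dict[str, List[List[str]]]:
    """Split a Snare event into its space-separated 'name,value[,value]' tokens.

    Repeated names (uid, name, item, ...) are kept in order of appearance. Pieces
    without a comma (the hostname, the agent name, the time-of-day half of the
    timestamp) are not tokens and are skipped.
    """
    out: Dict[str, List[List[str]]] = {}
    for piece in event.split():
        if "," not in piece:
            continue
        name, _, rest = piece.partition(",")
        out.setdefault(name, []).append(rest.split(","))
    return out


def matches(term: str, event: str) -> bool:
    """Assumption for this example: a filter term is a regex searched in the raw event."""
    return re.search(term, event) is not None


def select(events: Iterable[str], include: Iterable[str] = (), exclude: Iterable[str] = ()) -> List[str]:
    """Keep an event if it matches at least one include term (or there are none)
    and matches no exclude term. Order of the input is preserved."""
    include, exclude = list(include), list(exclude)
    kept = []
    for ev in events:
        if include and not any(matches(t, ev) for t in include):
            continue
        if any(matches(t, ev) for t in exclude):
            continue
        kept.append(ev)
    return kept


if __name__ == "__main__":
    print("auid of quoted event:", tokens(EVENT_UNAME)["auid"])
    print("/etc/.* selects:", len(select(ALL_EVENTS, include=[r"/etc/.*"])), "event(s)")
    print("'george' selects:", len(select(ALL_EVENTS, include=["george"])), "event(s)")
    # Substring matching pitfall: 'uid,0,root' also hits ouid,0,root in the uname event.
    print("uid,0,root selects:", len(select(ALL_EVENTS, include=[r"uid,0,root"])))
    print(r"\buid,0,root selects:", len(select(ALL_EVENTS, include=[r"\buid,0,root"])))
```

The last two lines of the demo show the check a practitioner wants before deploying a term: because the term is searched as a substring, `uid,0,root` also matches the `ouid,0,root` (file owner) field of george's uname event, whereas the word-anchored `\buid,0,root` matches only the events whose process uid is root. The general term `george` likewise picks up root's `ls` run from `/home/george` via the `cwd` field, which is why the specific `auid,500,george` token is the more precise choice.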
...