Overview of Snare for Linux

Snare operates through the actions of three complementary components:

  • The native Linux audit subsystem
  • The user-space audit daemon (auditd)
  • The Snare agent applications

The audit daemon and the kernel component act in concert to configure the underlying audit subsystem and extract events of interest from the operating system.
Snare for Linux operates as an 'audit dispatcher' ('Audit Plugin' on newer audit subsystem versions) application that receives the audit log data from auditd. Snare directs auditd which events to filter out (those you are not interested in), formats the resulting data into a form better suited to follow-on processing, and delivers it to one or more remote systems over the network.

Snare formats the audit log data into a series of 'tokens'. Two different field separators are used in order to facilitate follow-on processing - TABS separate 'tokens', and COMMAS separate data within each token. This format is further discussed in Appendix B-Event Output Format. The result is that a raw event, as processed by Snare, may appear as follows:

localhost.localdomain LinuxKAudit 2 event,open,Jun 20 06:00:16 sequence,304390 uid,4294967295,unknown euid,0,root gid,0,root egid,0,root process,,/opt/VBoxGuestAdditions-4.2.18/sbin/VBoxService return,4,yes name,/var/run/utmp exe,/opt/VBoxGuestAdditions-4.2.18/sbin/VBoxService success,yes return,4 syscall,5,open uid,unknown euid,root gid,root egid,root arch, name,/var/run/utmp a0,b7ea7003 a1,2 a2,0 a3,b7ea7009 items,1 ppid,1 pid,2339 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none comm,VBoxService key,obj-1-1 cwd,/ item,0 inode,67 dev,03:02 mode,0100664 ouid,0 ogid,5 rdev,00:00
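As an added example (not part of the Snare documentation or the Snare agent's own code), the following parser splits an event into TAB-separated tokens and COMMA-separated fields, preserving token order and repeated keys. The sample event is constructed from the one shown above, with the TAB separators written as "\t"; treating the leading comma-less tokens as a header is an assumption, since this page does not name those fields.

```python
"""Parse a Snare for Linux event: TAB-separated tokens, COMMA-separated
fields inside each token.  Added example, not Snare's own code."""
from typing import List, Tuple

# Constructed sample based on the event shown in the text.  Real Snare
# output uses TAB characters between tokens, written here as "\t".
SAMPLE = (
    "localhost.localdomain\tLinuxKAudit\t2\t"
    "event,open,Jun 20 06:00:16\tsequence,304390\t"
    "uid,4294967295,unknown\teuid,0,root\t"
    "process,,/opt/VBoxGuestAdditions-4.2.18/sbin/VBoxService\t"
    "return,4,yes\tname,/var/run/utmp\tsuccess,yes\treturn,4\t"
    "syscall,5,open\tarch,\tpid,2339\tuid,0\tcomm,VBoxService\tkey,obj-1-1"
)

Tokens = List[Tuple[str, List[str]]]


def parse_snare_event(line: str) -> Tuple[List[str], Tokens]:
    """Split one event into header tokens and an ordered list of
    (key, fields) pairs.

    Assumption: the tokens before the first comma-bearing token form a
    header (hostname, source tag, ...).  Order and duplicates are kept
    because the same key (uid, return, name) appears more than once in a
    single event and collapsing them would lose information."""
    header: List[str] = []
    tokens: Tokens = []
    in_header = True
    for tok in line.rstrip("\r\n").split("\t"):
        if in_header and "," not in tok:
            header.append(tok)
            continue
        in_header = False
        key, *fields = tok.split(",")
        # 'arch,' yields ('arch', ['']); 'process,,/path' keeps the empty
        # middle field so positions stay aligned with the format.
        tokens.append((key, fields))
    return header, tokens


def values(tokens: Tokens, key: str) -> List[List[str]]:
    """All field lists recorded for a key, in order of appearance."""
    return [fields for k, fields in tokens if k == key]


if __name__ == "__main__":
    hdr, toks = parse_snare_event(SAMPLE)
    print("header:", hdr)
    for k, f in toks:
        print(f"{k}: {f}")
```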

Snare also incorporates a tiny embedded web server, the Web User Interface (Web UI), which allows administrators to remotely control which events are collected and reported. This interface also provides information on users, groups, and group membership on the local machine, which can be used to satisfy various regulatory security requirements.