Wizard Install

Welcome to the Snare Reflector Setup Wizard

This screen provides a brief overview of the product you are about to install. Where available, select "Next" to continue the installation, "Back" to return to the previous screen or "Cancel" to abort the installation.

License Page

The License Page displays the End User License Agreement (EULA) for supported versions of the Reflector. Please read the document carefully and if you accept the terms of the agreement, select "I accept the terms in the License Agreement" and the "Next" button will be enabled allowing the installation to continue.

Existing Install (Upgrade only)

If the Wizard detects a previous install of the Snare Reflector, you will be asked how to proceed. Selecting "Keep existing settings" will leave the configuration intact and only update the Snare Reflector files.  The Wizard will then skip directly to the Ready to Install screen.  Selecting "Reinstall" will allow the configuration wizard to continue and replace your existing configuration with the values you input.  

Note that replacing the configuration does not happen immediately; it takes place after selecting the "Install" button on the Ready to Install screen.

Select Installation Folder

This page allows you to change the location of the folder in which Snare Reflector will be installed. Accept the suggested location by selecting "Next", or change it by either typing a different folder location or selecting the "Browse…" button to find a suitable location.

Change the port for Web browser User Interface

The Snare Reflector HTTP server allows users to use a Web Browser to login, change configuration settings and view the status of network connections. By default this is port 6111. If some other application is currently using the port you have chosen, then the Snare Reflector Wizard will detect this and display an error dialog asking you to choose a different port. For example if port 445 is entered but is being used by another application, then Snare Reflector will display a dialog box.

Configure Event Cache Memory

Snare Reflector can store incoming events in memory (the Event Cache) or on a disk file (the Disk Cache). Performance is vastly improved if incoming events can be cached in memory rather than on disk.  Therefore this value should be generous, but also allow for other applications which need to run at the same time. Note that this value can be fine tuned from the Web browser user interface once installation is completed.

Configure the Disk Cache

When the Event Cache fills to capacity, incoming events will be stored on disk in the Disk Cache. The location of the disk cache can be changed by selecting "Browse…"

The maximum size of the Disk Cache can be specified as a percentage of the total available disk space on the selected disk drive. Note that this value can be fine tuned from the Web browser user interface once installation is completed.

Configure a Destination Syslog Server

This screen allows you to enter the details for a destination server, such as a Syslog server, to which Snare Reflector can send incoming events.

• Destination address - Enter the name or IP address of the destination.

• Port - Configure the port, for example Snare Server users should only send events to port 6161 in native UDP or TCP, or 6163 for TLS/SSL, and Syslog via port 514.

• Protocol - Select the protocol (TCP, UDP, TLS or TLS_AUTH) you would like the Reflector to use when sending events to this destination.

• TLS Authentication Key - This option is available only for TLS_AUTH protocol. TLS authentication key should be the same as configured in destination. A valid TLS Authentication Key must be between 8-4096 characters and allowed characters include A-Za-z0-9~!@$%^*\()_+=`-

• Format - Choose one of the formats provided. These are described in more detail in the section on Destinations.

Note that more destinations can be added from the Web browser user interface once installation is completed.

Confirm Listener Ports

This screen displays the ports on which Snare Reflector will listen for incoming connections. The default ports for Snare Reflector are

• 514 TCP and UDP for syslog formatted events,

• 6161 TCP and UDP for other events, such as Snare formatted events, and

• 6163 TLS for sending encrypted events.

• 6164 TLS_AUTH for sending ecrypted events from an authenticated host

TLS Authentication Key - This option is available only for TLS_AUTH protocol. TLS authentication key should be the same as configured in source agents. A valid TLS Authentication Key must be between 8-4096 characters and allowed characters include A-Za-z0-9~!@$%^*\()_+=`-

Should other applications be using any of these ports, the wizard will automatically determine the closest available port.

Ready to Install

This screen provides a final opportunity to change any settings before installing.  Select the "Install" button to proceed, or "Cancel" to abort the installation without making any changes.  The "Back" button may be used to return to the previous screen.

Installing Snare Reflector

The Snare Reflector installer must have elevated privileges before it can make changes to your system. Windows will ask you to confirm this via the User Account Control dialog.  Select "Yes" to install Snare Reflector on this computer.

Completing the Snare Reflector Setup Wizard

This is the final screen of the installation wizard. To view the Readme file for this version of Snare Reflector, check the "View readme file" box before selecting "Finish".