Snare Enterprise Agents
The steps below recommend initial settings for Snare Agents. Because dedicated Snare Central tables exist for all of the agents mentioned below, the standard syslog systems must not be used; this ensures the correct handling of data by Snare Central. Configuring Snare through its web user interface (UI) is recommended, as the user-friendly interface maintains the appropriate syntax and formatting. Instructions to enable this service are detailed where applicable.
Windows-Based Agents
During installation, if the machine is not part of a Windows domain, allow Snare to take control of the audit subsystem. If the machine is part of a Windows domain, Local and Group Policies will need to be manually edited to provide the required level of auditing.
Through the web UI, click Network Configuration.
- Leave the hostname override blank. The hostname will be automatically picked up by the Snare Agent.
- Enter the Snare Central IP address or hostname.
- Ensure that the remote port is 6161.
- UDP is recommended for faster and more efficient use of host and network resources.
- Untick "Enable syslog headers".
- Click Change Configuration, then select Remote Control Configuration:
- Untick "Restrict remote control of Snare Agent to certain hosts".
- Tick "Require a password for remote access" and enter the enterprise password.
- Ensure "Change web server default port" is unticked.
The default objectives for the Windows Agent will provide a strong auditing capability. For high traffic systems, remove the process tracking objective (Event ID Match: Process_Events) and add a new objective with the following properties:
- Logon or Logoff.
- Exclude Search Term Users: *$,SYSTEM.
Further tuning may be required depending on the size and type of environment.
The Snare Central tables used by the Windows agent are:
- Win Application (Application events)
- WinSecurity (Security events)
- WinSystem (System events)
- MSWinEventLog (DNS, File Replication and Directory Service events).
UNIX-Based Agents
Remote Control
For all UNIX-based agents, the following section should be included in the configuration file to enable remote control capabilities. The user-friendly interface will maintain the appropriate syntax and formatting of the Snare configuration files, while also allowing Snare Central to contact its agents to check their individual configuration settings.
[Remote]
allow=1
listen_port=6161
Once access is granted, please configure the enterprise remote access password through the "Remote Control Configuration" page on the agent web interface.
Linux
The Linux Agent is packaged with a comprehensive set of objectives for NISPOM, SOX and PCI compliance. Once installed, make the following changes via the Snare Remote Control Interface or the configuration file:
- Change the remote access password to the enterprise password.
- Remove the log file (this will avoid the risk of local storage partitions filling up).
- Set the destination server to the Snare Central IP address or hostname.
- Restart the 'auditd' service.
- UDP is recommended for faster and more efficient use of host and network resources.
- Events will be stored in the Snare Central LinuxAudit table.
- If resource usage becomes a problem, remove all references to the "open" syscall from /etc/snare.conf and restart the agent.
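As an added example (not Snare's own code or documentation), the following Python script audits a UNIX agent's configuration file for the [Remote] settings given above and the Linux tuning points: the [Remote] keys are taken from this page, while the [Output] network= key, the [Objectives] section name and the sample configuration are assumptions made for the example.

```python
"""Audit a Snare UNIX agent configuration against the settings recommended above."""
import re

# Constructed sample snare.conf in the INI-style layout the agent uses. The [Remote] keys
# are from the page; the [Output] network= key and [Objectives] section name are assumptions.
SAMPLE_CONF = """\
[Remote]
allow=1
listen_port=6161
[Output]
network=snare-central.example.internal:6161:udp
[Objectives]
criticality=4\tevent=execve,open\treturn=*\tuser=*\tmatch=*
criticality=2\tevent=login,logout\treturn=*\tuser=*\tmatch=*
"""

def parse_conf(text):
    """Return {section: [line, ...]}, keeping repeated keys that configparser would reject."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def audit_conf(text):
    """Return a list of findings; an empty list means the file matches the recommendations."""
    sections = parse_conf(text)
    findings = []
    remote = dict(item.split("=", 1) for item in sections.get("Remote", []) if "=" in item)
    if remote.get("allow") != "1":
        findings.append("Remote control is not enabled ([Remote] allow=1 expected)")
    if remote.get("listen_port") != "6161":
        findings.append("Remote control listen_port is not 6161")
    # Snare Central listens on port 6161 and UDP is the recommended transport.
    for line in sections.get("Output", []):
        m = re.match(r"network=([^:]+):(\d+):(\w+)$", line)
        if m and (m.group(2) != "6161" or m.group(3).lower() != "udp"):
            findings.append(f"Destination {m.group(1)} should use UDP port 6161, got {m.group(3)}/{m.group(2)}")
    # Auditing the 'open' syscall is what the page says to remove first when resources run short.
    for line in sections.get("Objectives", []):
        events = re.search(r"event=([^\t ]+)", line)
        if events and "open" in events.group(1).split(","):
            findings.append("Objective audits the 'open' syscall: " + line)
    return findings
```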
Solaris
Ensure that BSM is properly installed and configured (/etc/security/bsmconv) before installing Snare. The Solaris agent should be installed using the "Advanced" objectives and then tuned accordingly. Once installed, make the following changes via the Snare Remote Control Interface or the configuration file:
- Change the remote access password to the enterprise password.
- Remove the log file (this will avoid the risk of local storage partitions filling up).
- Set the destination server to the Snare Central IP address or hostname.
- Restart the Snare Agent.
- UDP is recommended for faster and more efficient use of host and network resources.
- Events will be stored in the Snare Central SolarisBSM table.
Epilog for UNIX
After installing Epilog for the first time, there are two main changes that are required:
- Specify the log files that Epilog should monitor.
- Set the destination server to the Snare Central IP address or hostname.
- The syslog option must not be used when sending logs to Snare Central, so that all events are processed correctly by Snare Central.
- Send events to TCP or UDP port 6161.
- UDP is recommended for faster and more efficient use of host and network resources.
- Generally, events will be stored in the Snare Central GenericLog table.