Configuration

The Agent Management Console Objective Configuration is accessible by clicking the Configure icon in the top toolbar. This brings up a dialog with a number of different selections, each of which is covered below.

Snare Agent Type


Due to the differences between the functionality and capability of each of the different Snare Agent types, it is a requirement to specify the type of Agent to be managed via the Console. Any Agent that is contacted, but of a different type, will be marked as such and ignored by the configuration checking.

To manage multiple types of Snare Agents, please clone an existing objective and change the type on the cloned objective(s) to cover the different versions as required.

Hostname filter


When dealing with reporting Agents (i.e. Agents that log events directly to the Snare Central Server), it is possible to filter Agents by hostname so only a specific subset are managed by the console. The filter can either be applied using a standard wildcard * character, or using Regular Expressions for more complex filters.

This option is quite useful when you have a large fleet of different Agents all reporting to the Server. As long as the host names on each of the Agents are correctly set up, you can easily filter out, for example, the workstations from the servers without needing to manually specify each one as it is provisioned.

Examples:

| Hostname Requirements | Examples | Wildcard Filter | Regular Expression |
|---|---|---|---|
| All hosts within the domain dni.gov.au. | alpha.dni.gov.au, beta.dni.gov.au | *.dni.gov.au | (.*)\.dni\.gov\.au |
| All hosts starting with win, and ending in c01. | win01-02c01, win02-02c01, win03-10c01 | win*c01 | win(.*)c01 |
| Hosts starting with ws, and ending with either a 0, 1, or 2. | ws-17hm42, ws-abcw20, ws-87sde1 | Not possible with a standard wildcard. | ws(.*[012]) |

Note: The hostname filter is bypassed when an Agent is specified as a Non-Reporting Agent. When working with non-reporting Agents only, you can specify a long string of random characters in this field to prevent any reporting Agents from being managed by mistake. If the SAM is used in Snare Central, the system automatically knows all the hosts the AMC can manage, so the Non-Reporting Agents section should not be used.
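A filter that is broader than intended puts extra Agents under the objective, which matters most when the objective pushes configuration. The following added example (not Snare code) previews which hosts a wildcard or regular expression filter would select from an inventory; it assumes the filter must match the whole hostname and ignores case, and the inventory and function names are constructed for illustration.

```python
import re

# Constructed inventory: the page's example hostnames plus four constructed
# near-misses that a filter should NOT pick up.
HOSTS = [
    "alpha.dni.gov.au", "beta.dni.gov.au",
    "win01-02c01", "win02-02c01", "win03-10c01",
    "ws-17hm42", "ws-abcw20", "ws-87sde1",
    "alpha.dni.gov.au.example.net",  # domain appears, but not at the end
    "alphaxdni.gov.au",              # only matches if a dot is left unescaped
    "win01-02c02",                   # wrong suffix
    "ws-17hm49",                     # ends in 9, not 0/1/2
]

def compile_filter(pattern, is_regex=False):
    """Build a hostname predicate from a wildcard or regular expression filter.

    Assumptions (not confirmed by the page): the filter must match the whole
    hostname, and matching ignores case.
    """
    if not is_regex:
        # '*' is the only wildcard; every other character is literal.
        pattern = ".*".join(re.escape(part) for part in pattern.split("*"))
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda host: rx.fullmatch(host) is not None

def preview(pattern, hosts=HOSTS, is_regex=False):
    """Return the hosts that an objective with this filter would manage."""
    matches = compile_filter(pattern, is_regex)
    return [h for h in hosts if matches(h)]

if __name__ == "__main__":
    for pattern, is_regex in [
        ("*.dni.gov.au", False),
        (r"(.*)\.dni\.gov\.au", True),
        (r"(.*).dni.gov.au", True),   # unescaped dots select one extra host
        ("win*c01", False),
        (r"ws(.*[012])", True),
        ("thiswillnotexistinahostnamesoonlynonreportingagentswillbefound", False),
    ]:
        print(f"{pattern!r:>70} -> {preview(pattern, is_regex=is_regex)}")
```

The unescaped variant `(.*).dni.gov.au` also selects the constructed host alphaxdni.gov.au, which is why the table escapes each dot.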

Version string filter


This is a similar concept to the Hostname filter. The version string filter applies to the Agent version number reported by reporting Agents (again, it is ignored when dealing with a non-reporting Agent). It supports the same wildcard or regular expression filtering as the hostname filter.

This option is only useful when you have different versions of the Agent installed for different purposes. It can normally be left as a wildcard, since the Snare Agent Type selection above handles the major version difference selection.

Non-Reporting Agents


When you need to manage Agents that do not report to, or use the SAM in, the Snare Central Server you are using for the Agent Management Console, you can specify them in the Non-Reporting Agents section. There are two ways to enter Agents to be managed.

Either manually enter them into the box, one per line in the format:

    [ipaddress],[hostname]

For example:

    10.1.2.3,AGENT3.SNARE.DEV
    10.1.2.12,AGENT12.SNARE.DEV
    10.1.2.15,AGENT15.SNARE.DEV
    10.1.2.17,AGENT17.SNARE.DEV
    10.1.2.24,AGENT24.SNARE.DEV

Or you can add an entire IP address range, using the Add IP address range button under the box. This presents a dialog in which you enter the IP range and the custom domain to be appended to the end of each generated hostname. The domain is only a label; it does not mean that the Windows Active Directory domain is used to access the system. You can use it to reference your own internal system domain names, but it is not required.

For example, you enter the IP range: 10.1.2.0-10.1.2.10

With the custom domain: custom.snare.dev 

Then your non-reporting Agents box would be automatically filled with these Agents:

    10.1.2.0,10-1-2-0.custom.snare.dev
    10.1.2.1,10-1-2-1.custom.snare.dev
    10.1.2.2,10-1-2-2.custom.snare.dev
    10.1.2.3,10-1-2-3.custom.snare.dev
    10.1.2.4,10-1-2-4.custom.snare.dev
    10.1.2.5,10-1-2-5.custom.snare.dev
    10.1.2.6,10-1-2-6.custom.snare.dev
    10.1.2.7,10-1-2-7.custom.snare.dev
    10.1.2.8,10-1-2-8.custom.snare.dev
    10.1.2.9,10-1-2-9.custom.snare.dev
    10.1.2.10,10-1-2-10.custom.snare.dev

Using a combination of these two input methods, you can add all of the non-reporting Agents that you wish to manage through the console.

Notes:

  • Non-Reporting Agents bypass the specified hostname and version string filters, but not the Snare Agent Type selection. This means every Agent listed in the non-reporting Agents box will be managed, as long as it is the right type.
  • To tell the console to ignore all reporting Agents and only manage non-reporting Agents, simply set the Hostname filter to a pile of random characters that does not exist in a hostname, i.e. 'thiswillnotexistinahostnamesoonlynonreportingagentswillbefound'.
  • It is not possible to set only a hostname with no IP address for a non-reporting Agent as it needs to use the IP address to access the host. 
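Because every listed non-reporting Agent is managed regardless of the hostname and version filters, it is worth checking the list before pasting it in. This added example (not Snare code) reproduces the range expansion shown above and checks pasted lines for the required IP address; the function names are hypothetical, and rejecting a repeated IP address is this example's own policy rather than documented console behaviour.

```python
import ipaddress

def expand_range(ip_range, domain):
    """Expand 'first-last' into [ipaddress],[hostname] lines.

    The hostname form (dots replaced by dashes, then the custom domain)
    follows the page's 10.1.2.0-10.1.2.10 example.
    """
    first_s, sep, last_s = ip_range.partition("-")
    if not sep:
        raise ValueError("expected a range in the form first-last")
    first = ipaddress.IPv4Address(first_s.strip())
    last = ipaddress.IPv4Address(last_s.strip())
    if last < first:
        raise ValueError("range end is before range start")
    lines = []
    for n in range(int(first), int(last) + 1):
        ip = str(ipaddress.IPv4Address(n))
        lines.append(f"{ip},{ip.replace('.', '-')}.{domain}")
    return lines

def check_entries(text):
    """Split pasted lines into (accepted, rejected-with-reason)."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ip_s = line.partition(",")[0].strip()
        try:
            ip = ipaddress.ip_address(ip_s)
        except ValueError:
            # The console needs the IP address to reach the host.
            rejected.append((line, "no valid IP address"))
            continue
        if ip in seen:  # this example's own policy (assumption)
            rejected.append((line, "duplicate IP address"))
            continue
        seen.add(ip)
        accepted.append(line)
    return accepted, rejected

# Constructed sample: two lines from the page, one hostname-only line,
# and one line repeating an address that is already listed.
SAMPLE = """10.1.2.3,AGENT3.SNARE.DEV
10.1.2.12,AGENT12.SNARE.DEV
AGENT15.SNARE.DEV
10.1.2.3,10-1-2-3.custom.snare.dev
"""
```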

Alternate Password


The Console needs to authenticate to each Agent with a valid password, as specified on the Agent. Each of the alternate passwords is tried in turn until authentication succeeds. This allows the objective to manage a group of Agents with up to 4 unique passwords.

This option is useful if you have assigned different Agent Remote Management passwords to different groups of Agents, so you can manage them all from a single point, or have different password(s) configured in each objective. It is also quite handy when you have a password rotation plan, since you can enter the old passwords into the alternate boxes to ensure that Agents that haven't been updated yet can still be communicated with.

Note: When configuration push is enabled, the password assigned on the Master Agent will be pushed out to all the managed Agents, causing them to all have the same password.

Alternate listening port


This option allows you to specify the port to connect to the Snare Agent on.

You only need this option if you have changed the Snare Agent's port from the default of 6161.

Management Mode


The Management Mode option allows you to choose between two options:

Only highlight differences between Master Config and Agent Config.

This option connects to each managed Agent, retrieves the current configuration, and then compares it with the master config only. It does not push back configuration changes to the Agents. 

This is the default Pull-only option, and is the one to use when you only wish to regularly audit Agent configurations and be notified when anything changes. Note that some Agent versions will only work successfully with this option (see the compatibility chart in 1.3 above). 

Push Master Config to all managed Agents on schedule (only supported by some agents).

This option connects to each managed Agent, retrieves the current configuration, compares it with the master config, and then pushes back any changes that it finds to compatible Agents.

This is the option to use when you want the Console to manage the Agent configuration for you. When a schedule is set up, it will automatically update the configuration on each Agent to ensure that it matches the master. If they cannot be synchronised, then the system will report the conflicts.

Extra Options

Ignore Agent Version Mismatch in configuration differences report.

When this option is not enabled the Agent configuration checking will compare the Agent version with the master config Agent version. If they are found to differ, then it will list it as a configuration mismatch. This is useful when upgrading the fleet with new Agent versions to identify any that were missed, but if you intentionally use different versions of the Agent, then you can enable this option to ignore the differences. 

Ignore offline/uncontactable agents.

When an Agent cannot be contacted, it is highlighted as uncontactable, and it is listed as such in the report. Depending on your environment, you may want to disregard Agents that are offline (for example, when you add an entire IP range but only expect to find Agents on some of the IP addresses). If this is the case, then you can enable this option, and uncontactable Agents will no longer throw an alert (they will still be listed though). 

Agent Presentation (from v7.0.3)

These are the options for the creation of reports.  Large or small icons alongside the Hostname/IP may be displayed.  If space is a concern, you may select Just Text which would show the Hostname/IP in text only.  Select Attachment in the top panel to view the report.


Filter Non Responsive Agents Days Threshold

Adjust this value as needed to remove old systems or systems that no longer have a Snare Agent installed.