Overview
- Andrew.Madge (Unlicensed)
- Steve Challans
About this User Guide
This user guide describes how to use the Agent Management Console also referred to AMC within the Snare Central Server product. This guide targets the console that was launched in v7.0.x of the Snare Central Server. If you are using an earlier, or later, version of the server, please refer to the User Guide for that version instead as there may be significant changes between versions.
It is designed to be a starting point for users who already have a working Snare Central Server v7.0.x installation, and are familiar with the basic navigation concepts. For help installing the server, please refer to the Snare Central Server v7.0 Installation Guide. Likewise, if you are running an older version (v6, v5 or v4), then please update your Snare Central Server version first.
This guide also assumes that you have at least one working Snare Agent within your environment. Please refer to the associated Agent user guides if you need any help installing your Agents. Please also refer to the Compatibility Chart to ensure that the Agents you are using are compatible with the console.
What is the Agent Management Console (AMC)?
The AMC is a tool within the Snare Central Server that enables remote management of Snare Agents through the Snare Central Server interface.
The AMC enables administrators to set up automatic audits of the configuration of Agents within their fleet. The administrators specify a Master Configuration, which represents the required configuration of the fleet Agents. This Master Configuration is then compared to the actual configuration of each of the Agents within their network based on the filters in the AMC objective. Any discrepancies that are found are listed, and alerts sent out as required. Any Agents that were uncontactable during the process are also identified in the relevant tab. The results of these configuration audits provide information to the administrators that can be used to identify if the configurations of any Agents have been unexpectedly modified vs the approved master configuration.Â
The AMC also provides the ability to push the specified Master Configuration out to each of the Agents under management to enable fleet-wide configuration changes from a centralized location. This also ensures that any unauthorized configuration changes on the Agents are reverted automatically and updated based on the approved master template.Â
Snare Agents that are reporting directly to the Snare Central Server are automatically detected by the AMC. For other situations where there are Agents that are not reporting directly to the Snare Central Server, a list of custom Agents can be manually added into the AMC using the non-reporting agent options in the AMC configurationm where the AMC can scan the network on specific IP ranges looking for Snare agents.
What the Console CAN do
The Agent Management Console allows you to create as many Management Objectives as is required in your environment via the right click clone feature. These objectives allow you to:
- Manage any compatible Snare Agent, even if it is not directly reporting to the Snare Central Server.
- Snare Agents reporting to the Snare Central Server (via ports 6161, 6162, 6163) will be automatically identified and treated as a reporting Agent.
- Snare Agents not reporting to the Snare Central Server can be manually added within the Management Objective configuration, as a non-reporting Agent. After manually specifying these Agents, the management functionality available is exactly the same as a reporting Agent.
- Specify the specific type of Agent to be managed (to ensure configurations aren't corrupted by passing the wrong configuration).
- Pull the current configuration from any of the compatible Snare Agents within your environment.
- Either by filtering Agents that report event logs to the Snare Central Server by hostname and/or version,
- Or by specifying non-reporting Agents manually by IP (or IP range).
- Pull current configuration from a specific Master Agent to compare against the managed Agent configurations.
- Optionally push the master configuration out to each of the managed Agents that support push, to sync configurations to a single approved configuration.
- Set a specific schedule to run the configuration check/sync process.
- Send email alerts when Agents are uncontactable and/or have a different configuration.
What the Console CANNOT do
- The Agent Management Console currently only manages Agent Configurations for compatible Enterprise Agents.
- It does not provide the ability to install and/or upgrade the Agent software. Upgrades of the agents can be performed by the Snare Agent Manager (SAM) from version 1.2 onwards.Â
- It will only work on Agents that have the Remote Management function enabled, without this, the Console cannot communicate with the Agent.
- All communication is initiated by the Server, so firewall rules must be in place to allow the Server to connect to each Agent.
- The Console cannot monitor/wait for an Agent to come online - if it is not online when the check/sync is triggered, it will be considered uncontactable.
Snare Agent CompatibilityÂ
Agent | Version(s) | Config Pull | Config Push |
Enterprise - Snare Agent for Windows | v4.1.x, v5.x |
|
|
Enterprise - Snare Agent for Windows | v4.0.2.x |
|
|
Enterprise - Snare Agent for Windows | v4.0.0.0, v4.0.1.x |
|
|
| Enterprise - Snare Epilog | v5.x.x |
|
|
Enterprise - Snare for MSSQL | v5.x.x |
|
|
Enterprise - Snare Agent for Linux | v5.x.x |
|
|
Enterprise - Snare Agent for Solaris | v5.x.x |
|
|
| Enterprise - Mac OSX Agent | v5.x.x |  | |
Enterprise - Snare Agent for Linux | v1, v2.1, v3, v4 |
|
|
Enterprise - Snare Agent for Solaris | v3.x, v4.x |
|
|
| Enterprise - Mac OSX Agent | v1.x |  | |
Open Source - Snare Agent/Epilog | any |
|
|
Notes:
- Compatibility table refers to Snare Central Server v7.x.x only.
- "Config Pull" means Agent Configuration can be retrieved from the Agent by the Server.
- "Config Push" means Agent Configuration can be updated by the Server on the Agent.