Configuration Wizard v8.0.0

Welcome to the Snare Wizard

The welcome screen will provide you with a general introduction to the Snare Central Wizard, and will highlight any particular information that you should have on hand before continuing.  Click on the Next button.

Organisation

  • Enter your organisation name.
  • If you wish the login page of Snare Central to display a notification/warning message, please enter the text you would like to see appear.
  • Click on the Next button.

Although you can click on the grey arrow chevron on the left of each section in order to skip to a different section of the Snare Wizard, selecting one of these chevrons will not save the changes that you have made to this page. Please use the Next button to save changes.

Date and Time

  • It is recommended that Network Time Protocol (NTP) be used on Snare Central, so that the system date/time is less susceptible to hardware clock drift. Snare Central will use the NTP server (IP address or DNS name) as a source for time information. If your organisation does not have an NTP server available on the local network, you may wish to choose a server from the list available from http://www.pool.ntp.org/
  • Click on the Time Zone input box to select the location where Snare Central is installed.
  • Select the day preferences for the weekly tasks.

Network Services

  • Select the preferred Snare Central Login mode.
    • Use HTTPS to force secure web access for Snare Central logins.
  • Enter the FQDN (Fully Qualified Domain Name)/DNS name for Snare Central. This name is inserted into web addresses when electronic mails are sent out from Snare Central. As such, users will be able to click a link within their electronic mail message, and can be taken to Snare Central. You should ensure that the name input here matches the name assigned to this server in your Domain Name Server.
    • The domain name you enter is used to generate a self-signed SSL certificate. If you have manually installed a certificate from a formal certificate authority, it is recommended that you choose the 'Do NOT regenerate' certificate option, or your existing certificate will be overwritten.
    • Installation of a custom certificate is covered in the section on 'Expert Configuration' within this guide.
    • Note that on the first run of the wizard after installation of Snare Central, regardless of the state of the 'Do NOT regenerate' option, the wizard will replace the default 1024-bit certificate with a more robust 2048-bit version at the conclusion of this step.
  • Enable or disable the SSH daemon, FTP daemon or NFS services.
  • Enable or disable Samba or SMB (Windows Share) access to the main Snare data store.
    • The Snare data store is where the event logs are stored in compressed form. This area can be accessed as a read-only Windows share, via user ID/password authentication.
    • Set the password that your remote Windows machine needs to use to connect to Snare Central. This shares out the Snare Archive directory in read-only form.
    • The username is always 'snarearch'.
    • The Windows share of the Snare Archive directory can then be accessed from your Windows machine (or NAS box) as \\snare_server_IP_or_DNS\SnareArchive. For example, \\10.2.3.4\SnareArchive.
    • The PDF archive directory, where the objective PDF output files are stored, may be shared if selected. The PDF archive share can then be accessed from your Windows machine (or NAS box) as \\snare_server_IP_or_DNS\PDFArchive. For example, \\10.2.3.4\PDFArchive.
  • Click on the Next button.

Security Setup

  • This control allows you to install, update or remove trusted root certificates system-wide. If you are required to authenticate users with LDAP/TLS or SASL/LDAP, you need to provide Snare Central with the CA root certificate of the authority that issued the LDAP server certificate.

    If you are setting up a certificate authority for your organisation, in order to build and use PEM certificates in-house, you need to make sure that Snare Central is configured to recognise and trust your CA.

    Snare Wizard only supports PEM certificates. Please make sure that the file you want to upload is a Base64-encoded X.509 certificate with one of the following file extensions: .crt, .cer, .pem, .cert or .key.
  • Stronger cipher encryption and more secure HTTPS connections are supported.

    • All versions of SSL are disabled by default. The option is available to disable weak ciphers for Apache and Snare Central, which will disable TLS 1.0 and TLS 1.1 in the Apache configuration and only allow TLS 1.2 with strong ciphers. Checking this setting changes the web server's configuration, so you must restart Apache for the changes to take effect. Please note that old browsers do not support the newer TLS protocol versions and may not connect to the Snare web interface at all. The minimum compatible clients are: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.

  • Enable or disable the enhanced password security functionality for the operating-system-level accounts that are installed by default by Snare Central.
    • By default, Snare Central enables password complexity controls, account lockout (30 minutes after 5 failed password attempts), and password history checks. Normally, though, Snare Central system accounts are exempted from the more stringent requirements of an organisational security policy, particularly the requirement for password rotation: the accounts are generally used for either system administration or automated log transfers, and may not fit in with password rotation policies. Enhanced security and forced rotation can be enabled or disabled via this setting, if required.
  • Snare is capable of delegating authentication to an external LDAP Directory or Active Directory server.
    • Note that the user must still have an account on Snare Central with the same name as the LDAP/AD user, to log in.
    • Enter the IP address (or DNS name, as long as Snare Central has been configured to use your local DNS) of your target LDAP or Active Directory server.
    • When the LDAP Groups option is disabled, the user must still have an account on the Snare Server with the same name as the LDAP/AD user in order to log in. Enabling the LDAP Groups option removes this requirement.
    • If specified, the Domain will be added to the end of the username for authentication purposes (eg: A username of 'auser' and a domain of 'test.local' will imply an LDAP/AD authentication of auser@test.local. Only 'auser' will be used locally on Snare Central to determine access control settings).  A Test button is available to verify the LDAP setup values.
    • There is a known issue when binding Snare Server to Microsoft Active Directory over LDAPS on Windows Server 2012 R2. OpenLDAP’s GnuTLS and Microsoft’s SChannel implementations do not negotiate TLS 1.2 compatibly during the AD/LDAPS bind, so TLS 1.2 must be disabled before attempting to bind. The “Enable compatibility mode for Win Server 2012 R2” control handles this situation by forcing a lower TLS version.
    • The LDAP Groups control enables the authorisation of groups defined in the AD server for Snare. Please note that when the LDAP Groups option is enabled, all local accounts are temporarily disabled, with the exception of the ADMINISTRATOR account. As of Snare Server 7.2, using both kinds of user simultaneously is not supported.
    • When the LDAP Groups option is enabled for the first time, Snare Server needs to retrieve group information from the LDAP or AD server. This is done by specifying a valid user name and password with sufficient access rights to retrieve this information. Please note that neither the user name nor the password is stored by Snare. IMPORTANT: Before retrieval, the super group Snare_Central and all defined groups must exist in the LDAP or AD server, and all groups must be members of the Snare_Central group.
    • Once Snare Central is aware of existing groups, it is possible to manage Objectives access rights from the System | Administrative Tools | Manage Access Control configuration objective.
  • Enable or disable enhanced password expiry in Snare Central.
    • PCI, and related regulatory compliance compatible password controls can be enforced by turning on this setting.
  • Enable or Disable Auto Logout time for Snare sessions.
    • By default, HTTP sessions expire after approximately two hours, depending on the volume of activity a user is performing. If the organisation also requires a mandatory idle timeout, this control allows you to specify the default (system-wide) setting in minutes. A maximum of 120 minutes (2 hours) can be entered. A value of 0 disables Auto Logout. Per-user Auto Logout settings are also available in the User Administration objective.
  • Some security vulnerability scanners identify links to 'external sites' as reportable vulnerabilities. The 'Block external links from being clickable, when displayed by Snare' setting turns off clickable links in the external link redirect page.
  • Enable Security Technical Implementation Guide (STIG) compliance, to comply with recommendations for the Unix operating system (https://www.stigviewer.com/stig/unix_srg/).
    • The Snare Linux Agent is automatically installed when the Enable STIG Compliance for Snare Central checkbox is selected. When active, the Snare Linux Agent web user interface (UI) can be accessed by allowing port 6112 on Snare Central. Navigate to Configuration Wizard | Firewall Setup and add the port to the Active Rules if you wish to access the Agent's UI directly. Note that once the Agent's UI has been made accessible, it is recommended you enable the remote control password on the Linux Agent Access Configuration page and supply a new password.
      The Agent audits the following criteria as recommended by STIG (Unix):
      V-819 all discretionary access control permission modifications.
      V-818 login, logout, and session initiation.
      V-816 all administrative, privileged, and security actions.
      V-815 file deletions.
      V-814 failed attempts to access files and programs.
      V-22383 the loading and unloading of dynamic kernel modules.
      V-22376 account creation.
      V-22377 account modification.
      V-22378 account disabling.
      V-22382 account termination.
      Events are sent via TCP to port 6161 of the local Snare Server with the Log Type "LinuxAudit". The configuration file for the Linux agent is located at /etc/audit/snare.conf.
      If the Enable STIG Compliance for Snare Central checkbox is subsequently unchecked, then the Snare Linux Agent is also uninstalled from the system.

      Note that enabling STIG compliance may actually reduce the effective security of some aspects of the operating system, by overriding default CIS security controls.
  • Click on the Next button.
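The weak-cipher option described above changes Apache's SSLProtocol directive so that only TLS 1.2 remains negotiable. The following Python script is an added example, not code from Snare Central or its documentation: it evaluates SSLProtocol directives the way Apache's mod_ssl parser does (including the pitfall that an unprefixed token replaces the set built so far) and reports which legacy versions a configuration fragment would still accept, so an administrator can check a fragment before restarting Apache. The two configuration fragments embedded in it are constructed samples, not Snare Central's real Apache configuration.

```python
"""Check which protocol versions an Apache mod_ssl configuration still allows.

Added example, not code from Snare Central. The sample configurations below
are constructed; they are not Snare Central's real Apache configuration.
"""
import re

# What 'all' expands to in mod_ssl on Apache 2.4 (SSLv2 is no longer available).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Versions the wizard's weak-cipher option disables: everything below TLS 1.2.
WEAK_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}

SSL_PROTOCOL_RE = re.compile(r"^SSLProtocol\s+(.+)$", re.IGNORECASE)


def parse_ssl_protocol(args: str) -> set:
    """Evaluate the arguments of one SSLProtocol directive.

    Mirrors mod_ssl's parser: '+' adds a version, '-' removes one, 'all'
    stands for every version, and a token with no prefix REPLACES the set
    built so far (Apache logs a warning when that happens). That last rule
    is why 'TLSv1.2 TLSv1.3' leaves only TLSv1.3 enabled.
    """
    enabled = set()
    for token in args.split():
        sign = ""
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        key = token.lower()
        if key == "all":
            members = set(ALL_PROTOCOLS)
        elif key in _CANONICAL:
            members = {_CANONICAL[key]}
        else:
            raise ValueError(f"unknown SSLProtocol token: {token!r}")
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = members
    return enabled


def audit_config(config_text: str) -> dict:
    """Report the effective protocol set of a configuration fragment.

    The last SSLProtocol directive in the fragment wins, as in Apache. When
    none is present, mod_ssl's 2.4 default of 'all -SSLv3' applies, which
    still permits TLS 1.0 and 1.1.
    """
    effective = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SSL_PROTOCOL_RE.match(line)
        if match:
            effective = parse_ssl_protocol(match.group(1))
    if effective is None:
        effective = parse_ssl_protocol("all -SSLv3")
    weak = effective & WEAK_PROTOCOLS
    return {"enabled": effective, "weak": weak, "hardened": not weak}


# Constructed sample: the Apache 2.4 default, which still allows TLS 1.0/1.1.
WEAK_CONFIG = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>
"""

# Constructed sample of the hardened form: TLS 1.2 (and 1.3 where the
# OpenSSL build offers it) with forward-secret AEAD ciphers only.
HARDENED_CONFIG = """
<VirtualHost *:443>
    SSLEngine on
    # Everything below TLS 1.2 removed
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: enabled={sorted(result['enabled'])} "
              f"weak={sorted(result['weak'])} hardened={result['hardened']}")
```

Run it against a copy of the relevant Apache `ssl.conf` or virtual host file rather than the live configuration; the script only reads text and never restarts the service, so the restart the wizard asks for is still a separate step.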

Firewall Setup

  • Enable or disable the Basic Snare Firewall, which uses the UFW firewall to configure iptables. For normal Snare Central operation, the firewall should be left enabled; it will only block those ports that do not have an associated Snare-related service active.
    • When the Snare Firewall checkbox is enabled, the currently active firewall rules will be shown in the Active Rules section, and the Backup & Restore section is available. It is possible to make a backup of the current rules and restore them if required.

    • Clicking on any active rule will display the "edit rule" form, where you can delete the selected rule or change parameters like destination port number, transport protocol, policy and origin.
    • It is important to note that when adding a new rule, by default UFW will create the same rule for both TCPv4 and TCPv6. However, when deleting a rule you need to delete the TCPv4 and TCPv6 rules separately.
  • More information on UFW can be found at:  https://help.ubuntu.com/community/UFW
  • Click on the Next button.
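Because UFW creates an IPv4 rule and an IPv6 "(v6)" twin for each rule added through the wizard, and because rule numbers shift after every deletion, it helps to find both numbers before removing anything. The following Python script is an added example, not code from Snare Central or from UFW: it parses a constructed sample of `ufw status numbered` output (on a real host that text would come from running the command) and produces the `ufw delete` commands in the order that keeps the remaining numbers valid. The port numbers and the source network in the sample are made up.

```python
"""Find both the IPv4 and the IPv6 rule numbers UFW holds for a port.

Added example, not code from Snare Central or UFW. SAMPLE_STATUS is a
constructed imitation of 'ufw status numbered' output.
"""
import re

SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 6161/tcp                   ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 6112/tcp                   ALLOW IN    10.2.3.0/24
[ 4] 6161/tcp (v6)              ALLOW IN    Anywhere (v6)
[ 5] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
"""

# One numbered rule line: "[ n] <to> [(v6)] <ACTION> [IN|OUT|FWD] <from>"
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>\S+)(?P<v6>\s+\(v6\))?\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<direction>IN|OUT|FWD))?\s+"
    r"(?P<from>.+?)\s*$"
)


def parse_numbered_status(text: str) -> list:
    """Parse 'ufw status numbered' output into one dict per rule."""
    rules = []
    for line in text.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue  # status line, header and blank lines carry no rule
        rules.append({
            "num": int(match.group("num")),
            "to": match.group("to"),
            "ipv6": match.group("v6") is not None,
            "action": match.group("action"),
            "from": match.group("from"),
        })
    return rules


def rule_numbers_for(rules: list, port_proto: str) -> list:
    """Rule numbers (IPv4 and IPv6) for a 'port/proto' string, highest first.

    Deleting the highest number first keeps the remaining numbers valid,
    because UFW renumbers the rules after each deletion.
    """
    return sorted((r["num"] for r in rules if r["to"] == port_proto), reverse=True)


def delete_commands(rules: list, port_proto: str) -> list:
    """The 'ufw delete N' commands that remove every rule for the port.

    Each command prompts for confirmation when run interactively.
    """
    return [f"ufw delete {n}" for n in rule_numbers_for(rules, port_proto)]


def ipv4_only_rules(rules: list) -> list:
    """Ports that have an IPv4 rule but no '(v6)' twin.

    UFW only creates the twin when the rule has no IPv4-specific address in
    it, so a rule limited to an IPv4 network (6112/tcp in the sample)
    legitimately has none; a missing twin elsewhere means a half-deleted rule.
    """
    with_v6 = {r["to"] for r in rules if r["ipv6"]}
    return [r["to"] for r in rules if not r["ipv6"] and r["to"] not in with_v6]


if __name__ == "__main__":
    parsed = parse_numbered_status(SAMPLE_STATUS)
    for port in ("6161/tcp", "6112/tcp"):
        print(port, "->", delete_commands(parsed, port))
    print("IPv4-only rules:", ipv4_only_rules(parsed))
```

The same parse is useful before taking the wizard's rule backup: comparing the IPv4-only list before and after an edit shows whether a deletion removed only one half of a dual-stack pair.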

Agents Defaults

  • Enter the Port your Snare Agents are listening on for their remote administration interface. This port will be used by the Agent Management Console to contact your agents. By default the port is 6161.
  • Enter the Password set on the remote administration interface of your Snare Agents. It is used by the Agent Management Console, for decrypting encrypted log messages, and for retrieving items such as user and group lists from the agents.
  • Click on the Next button.

Email Setup


  • Enter the DNS Name or IP address of an SMTP email server. If you want to use SMTPS (SMTP over SSL or TLS) you can specify the authentication protocol to use as well as SMTP Username, SMTP password and SMTP port (587 is the default). Please note that SMTP authentication without encryption is not supported.  There is the ability to send a test email with outcome presented on screen, and to the nominated email address.
  • If you set the default address to append for your organisation, Snare will add this on to any email addresses specified in the scheduled task settings associated with each objective.
    • For instance, if you add 'dni.gov.au' here, you can specify 'fred.bloggs' in a scheduled task email configuration item, rather than 'fred.bloggs@dni.gov.au'.
  • Enter the Reply-To address that Snare Central should place on the emails it sends.
    • This will set the 'reply to' address of every email to this entry. If users hit their 'reply' button on a Snare email, this will be the address that email returns to. It is recommended you configure this to be your IT helpdesk, or a member of your security team.
  • Select the preferred email distribution mode.
    • In general, it is recommended that each objective is configured to send out data independently of other objectives. If 'One email per user will go out..' is selected, there may be a delay of up to 15 minutes after an individual objective completes, before the collection of generated objectives is sent to the destination user.
  • If your organisation requires a classification header to be included within the electronic mail messages sent with an objective, add it here.
    • You may also choose to prepend, or append, the classification message to the subject line.
  • If you are using an older mail client that cannot handle inline HTML formatted mail, the option in Mail Format section gives you the chance to turn HTML content off. Objective output will still be included as an attachment to the electronic mail message.
  • Whether or not to generate PDF attachments on emails for real time Alerts.
  • Click on the Next button.

SNMP Setup

  • Enter the DNS Name or IP address of an SNMP Manager server. By default the UDP port number is 162.
  • Set the SNMP version: 1, 2 or 3c. Selecting 1 or 2 enables entry of the community name. Selecting 3c enables further authentication and encryption options to be entered.
  • Specify the full enterprise object identifier for the trap you want to send.
  • Depending on the SNMP version chosen, you will be required to provide a Community name or Username and Password as well as further authentication and encryption information.
  • Click on the Next button.

Performance and Hardware Settings

  • In situations where a workstation, or other client, has incorrect date/time settings, and is sending log data to Snare Central significantly out of sync with the correct date/time, the collection subsystem can be configured to discard events that are older than a certain number of days.

    • Note that date-based discard does introduce a small performance penalty for collection rates.
  • Event and Memory thresholds should generally not be changed unless otherwise advised by your Snare Central support team.
  • Version 8.0 of the Snare Server includes a new, faster, query engine. For complete backwards compatibility, the SnareStore interface can be disabled. It is recommended that this option be left at the standard setting unless otherwise advised by your Snare Central support team.
  • Realtime Query Limit: Snare Central limits the number of concurrent realtime queries to 10 by default; any additional active queries will have an impact on your event collection rates.
  • If your server has an optical writer (CD / DVD) installed, you can select the preferred default device here.

    • This setting will be used by the automated data archive objective, if you choose to schedule it.
  • Click on the Next button. A final screen will be displayed, reminding you of the location of the Snare Central documentation.

Additional Objectives

Snare Central comes with baseline objectives suitable for a wide range of deployments. However, additional, special-purpose objectives can be downloaded from the InterSect Alliance web site, to supplement the defaults.

Several of the objective sets are also stored on your installation media, and are copied to Snare Central during install. In situations where a direct path to the internet is unavailable, these cached objectives can be imported into Snare Central.

In general, the objectives available from this page are either:

    • Associated with the security and audit components of industry regulations such as PCI, NISPOM, or HIPAA, or
    • Newly developed, and not yet integrated directly into the default objectives distributed as part of a Snare Central release.

Objectives imported during this step will be added to the 'Reports' area of Snare Central, under a new folder called 'Imported Objectives', and tagged with the date/time of import.

Return to Snare Central

  • If you have changed the server name, or have forced a regeneration of the Snare Central certificate, choose the 'Restart Apache, and return to Snare Central' option, otherwise click on 'Return to Snare Central'.