Overview of the Snare Agents

Snare operates through a single component, the SnareCore service (snarecore.exe), which can be remotely controlled and monitored from a standard web browser. The SnareCore service interfaces with the Windows event logging subsystem to read, filter and send event records from the primary Application, System and Security event logs to a remote host. Where available, the agent can also read, filter and send records from the DNS Server, File Replication Service, DFS Replication and Directory Service logs, and from any custom event log source such as those under Applications and Services Logs. In addition to regular event logs, SnareCore collects USB device notifications.

Once gathered, the records are filtered according to a set of objectives chosen by the administrator and passed over the network to a remote server using UDP or TCP, optionally with TLS/SSL encryption over TCP. UDP delivery is unauthenticated and can silently drop records, so TCP with TLS is the appropriate choice when the collector is reached across a network that is not trusted. SnareCore converts each binary/encoded event log record to a human-readable format. If a syslog server or Snare Server is used to collect the records, each record is TAB delimited. This format is discussed further in Appendix A - Event output format.
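The TAB-delimited record described above, received over UDP and filtered on the collector side, as an added example (this is not Snare's own code and does not appear on this page). The field layout it assumes is the commonly documented Snare MSWinEventLog layout; this page defers the exact format to Appendix A, so check the field order against that appendix before relying on it. The sample records, hostnames, user names and the listening port are constructed for the example.

```python
"""Parse and filter Snare-style TAB-delimited Windows event records.

Added example, not Snare's own code. The field layout below is an
assumption (the commonly documented MSWinEventLog layout); confirm it
against Appendix A before relying on it.
"""
import socket
from typing import Dict, Iterable, Iterator, List, Optional

SNARE_TAG = "MSWinEventLog"

# Assumed order of the TAB-separated fields that follow the hostname.
SNARE_FIELDS = [
    "tag",          # literal MSWinEventLog
    "criticality",  # 0-4, assigned by the agent's objective
    "log_name",     # Security, System, Application, ...
    "counter",      # agent's running record counter
    "timestamp",    # time the record was written
    "event_id",
    "source",       # provider, e.g. Microsoft-Windows-Security-Auditing
    "user",
    "sid_type",
    "log_type",     # Success Audit, Failure Audit, Information, ...
    "computer",
    "category",
    "message",
    "expanded",
    "checksum",
]
MIN_FIELDS = SNARE_FIELDS.index("message") + 1   # a record needs at least the message


def parse_snare_record(line: str) -> Optional[Dict[str, str]]:
    """Return one record as a dict, or None if the line is not a Snare record.

    Handles both framings seen on the wire: a syslog header
    ("<PRI>Mon DD HH:MM:SS host MSWinEventLog<TAB>...") and the bare form
    ("host<TAB>MSWinEventLog<TAB>...").
    """
    line = line.rstrip("\r\n")
    if line.startswith("<"):                      # strip the syslog <PRI> prefix
        end = line.find(">")
        if end > 1 and line[1:end].isdigit():
            line = line[end + 1:]
    head, sep, payload = line.partition("\t")
    if not sep:
        return None
    fields = payload.split("\t")
    tokens = head.split()
    if tokens and tokens[-1] == SNARE_TAG:        # syslog framing: tag sits in the header
        fields.insert(0, tokens.pop())
    if not tokens or len(fields) < MIN_FIELDS or fields[0] != SNARE_TAG:
        return None
    record = {"hostname": tokens[-1]}             # hostname is the last header token
    for i, name in enumerate(SNARE_FIELDS):
        record[name] = fields[i] if i < len(fields) else ""
    record["extra"] = "\t".join(fields[len(SNARE_FIELDS):])  # keep any trailing fields
    return record


def select_records(records: Iterable[Optional[Dict[str, str]]],
                   event_ids: Iterable[int] = (),
                   log_names: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Collector-side filter mirroring an agent objective: keep records whose
    Event ID and log name are in the given sets (an empty set matches all)."""
    wanted_ids = {str(e) for e in event_ids}
    wanted_logs = set(log_names)
    return [r for r in records
            if r is not None
            and (not wanted_ids or r["event_id"] in wanted_ids)
            and (not wanted_logs or r["log_name"] in wanted_logs)]


def udp_records(port: int = 6161, count: int = 10) -> Iterator[Dict[str, str]]:
    """Receive `count` datagrams and yield parsed records. The port is an
    assumption; use whatever the agent's remote-host setting points at."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(count):
            data, _addr = sock.recvfrom(65535)
            rec = parse_snare_record(data.decode("utf-8", errors="replace"))
            if rec is not None:
                yield rec


# Constructed sample input (not captured from a real agent).
SAMPLE_LINES = [
    "<13>Mar  4 09:15:22 WIN-DC01 MSWinEventLog\t1\tSecurity\t1042\t"
    "Mon Mar 04 09:15:21 2024\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "CORP\\jsmith\tUser\tSuccess Audit\tWIN-DC01.corp.example\tLogon\t"
    "An account was successfully logged on.\tLogon Type: 10\t3",
    "WIN-FS02\tMSWinEventLog\t2\tSecurity\t1043\tMon Mar 04 09:15:25 2024\t"
    "4625\tMicrosoft-Windows-Security-Auditing\tCORP\\svc_backup\tUser\t"
    "Failure Audit\tWIN-FS02.corp.example\tLogon\tAn account failed to log on.\t"
    "Status: 0xC000006D\t4",
    "<13>Mar  4 09:15:30 WIN-DC01 unrelated syslog text without tabs",
]

if __name__ == "__main__":
    parsed = [parse_snare_record(line) for line in SAMPLE_LINES]
    for rec in select_records(parsed, event_ids=[4624, 4625], log_names=["Security"]):
        print(rec["hostname"], rec["event_id"], rec["log_type"], rec["user"])
```

The parser keeps every field as a string and preserves anything beyond the assumed layout in `extra`, so a record with more or fewer trailing fields than expected is still usable rather than rejected; only lines with no TAB, no MSWinEventLog tag or fewer fields than the message column are dropped. `udp_records` is the receiving side for the UDP transport the text mentions; for TCP with TLS the same parser applies to each newline-terminated record read from the stream.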