Overview of Snare for Solaris
Snare operates through the actions of the audit_snare plugin which is loaded by the auditd daemon. The auditd daemon interfaces with the Solaris kernel and passes kernel audit information to the audit_snare plugin.
The audit_snare plugin reads, filters and sends event logs from the Solaris kernel audit subsystem (known in Solaris as the Basic Security Module, or BSM) to a remote host. Which events are sent depends on the objectives chosen, not on the contents of the BSM configuration files: Snare takes control of the BSM subsystem automatically, with no System Administrator intervention required. The logs are filtered according to a set of 'objectives' chosen by the administrator and then passed over the network to a remote server using UDP, TCP, or TCP with SSL encryption. The audit_snare plugin can be remotely controlled using a standard web browser, or via a custom tool that acts as a web client.
The audit_snare plugin reads event log data directly from the audit daemon and converts the Solaris event log from binary format to text format. Unfortunately, the Solaris BSM audit subsystem has a number of identified 'bugs', further detailed in Known BSM Bugs, which prevent events for some processes from being generated. The events sent by the audit_snare plugin are in a text format: a TAB-separated series of tokens, each of which is described in detail in the BSM documentation. This format is also discussed in Configuration File Description - Event Output Format. The net result is that a raw event, as processed by the audit_snare plugin, may appear as follows (one TAB between each token; the fields within a token are comma-separated):
phoenix	SolarisBSM	1	header,146,2,execve(2),,Mon Dec 9 22:23:42 2002, + 140001416 msec	path,/usr/bin/grep	attribute,100555,root,bin,136,379861,0	exec_args,2,grep,snare	subject,red,root,other,root,other,12228,12212,8236 131095 10.0.1.1	return,success,0	sequence,65941
All of the fields in the above record are sent to the remote server, whether this is a Snare Server or a custom tool. The Snare Server then interprets some or all of the tokens in the record to determine the value of the event to the security or system administrators.
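To show how a receiving tool consumes a record like the one above, here is a small parser for the Snare for Solaris text format. It is an added example, not code from the Snare agent or the Snare Server. It assumes the layout the page describes (hostname, the literal SolarisBSM, a criticality value, then TAB-separated tokens whose comma-separated fields follow praudit(1M) order as in the sample); the TOKEN_FIELDS names, the rejoining of comma-containing paths and the exec_by_escalated_user check are the example's own choices, and the sample records are constructed from the page's event.

```python
# Parser for the Snare for Solaris text event format.
# Added example; this is not code from the Snare agent or server.
# Assumed record layout:
#   hostname <TAB> SolarisBSM <TAB> criticality <TAB> token <TAB> token ...
# Each token is "name,field,field,..." laid out as in praudit(1M) text output,
# matching the sample record on this page.
from typing import Dict, List

# Constructed sample: the page's execve record with its TAB separators restored.
SAMPLE = "\t".join([
    "phoenix", "SolarisBSM", "1",
    "header,146,2,execve(2),,Mon Dec 9 22:23:42 2002, + 140001416 msec",
    "path,/usr/bin/grep",
    "attribute,100555,root,bin,136,379861,0",
    "exec_args,2,grep,snare",
    "subject,red,root,other,root,other,12228,12212,8236 131095 10.0.1.1",
    "return,success,0",
    "sequence,65941",
])

# Field names for the tokens used below, in praudit order (assumed layout).
# The subject token's first field is the audit ID: the user who logged in,
# which BSM keeps across su(1M), unlike uid/ruid.
TOKEN_FIELDS: Dict[str, List[str]] = {
    "header": ["size", "version", "event", "modifier", "time", "msec"],
    "attribute": ["mode", "uid", "gid", "fsid", "nodeid", "device"],
    "subject": ["audit_uid", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid"],
    "return": ["status", "value"],
    "sequence": ["seq"],
}


def parse_token(raw: str) -> tuple:
    """Split one 'name,field,...' token into (name, dict of fields)."""
    fields = raw.split(",")
    name, values = fields[0], fields[1:]
    if name == "path":
        # The text format does not escape commas, so a path containing one
        # was split above; rejoin everything after the token name.
        return name, {"path": ",".join(values)}
    if name == "exec_args":
        count = int(values[0])          # first field is the argv count
        return name, {"count": count, "args": values[1:1 + count]}
    if name in TOKEN_FIELDS:
        return name, dict(zip(TOKEN_FIELDS[name], values))
    return name, {"raw": values}        # unknown token: keep fields verbatim


def parse_record(line: str) -> dict:
    """Parse one Snare SolarisBSM record into host, criticality and tokens.

    Tokens are stored as lists because a record may carry several of the
    same kind (for example more than one path token).
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 4 or parts[1] != "SolarisBSM":
        raise ValueError("not a Snare SolarisBSM record: %r" % line[:40])
    event = {"host": parts[0], "criticality": int(parts[2]), "tokens": {}}
    for raw in parts[3:]:
        name, fields = parse_token(raw)
        event["tokens"].setdefault(name, []).append(fields)
    return event


def first(event: dict, token: str) -> dict:
    """First token of the given kind, or an empty dict if absent."""
    return event["tokens"].get(token, [{}])[0]


def exec_by_escalated_user(event: dict) -> bool:
    """True for an execve(2) that ran as root while the audit ID (the user
    who actually logged in) was someone else, i.e. a command run after su."""
    header, subject = first(event, "header"), first(event, "subject")
    return (header.get("event", "").startswith("execve")
            and subject.get("uid") == "root"
            and subject.get("audit_uid") not in (None, "root"))


if __name__ == "__main__":
    ev = parse_record(SAMPLE)
    cmd = " ".join(first(ev, "exec_args").get("args", []))
    print(ev["host"], first(ev, "header")["event"], first(ev, "path")["path"], cmd)
    print("escalated:", exec_by_escalated_user(ev))
```

On the sample record the check fires: the subject token shows audit ID red but effective user root, so the grep was run by red after becoming root. That is exactly the kind of distinction a receiving tool has to draw from the token fields rather than from the raw line, and the only reason it is possible is that BSM records the audit ID separately from uid and ruid.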