Installing and running Snare Linux Agent

Snare installation
Install the Snare for Linux binary RPM or DEB package.

To install the Snare package, perform the following:

  1. Download the required RPM or DEB.
  2. Log on as the root user, i.e. at the command prompt enter the command /bin/su and enter the root password when prompted. Issue the command, as root, as per your distribution:

    >rpm -Uvh filename.rpm
    E.g. >rpm -Uvh snarelinux-supp-4.1.0-SLED-10.i686.rpm

    Or:

    >dpkg -i filename.deb
    E.g. >dpkg -i snarelinux-supp-4.1.0-Debian-7.3.x86_64.deb
  3. This will install Snare for Linux and restart the audit daemon (auditd).
    NOTE: Red Hat may report a conflict during install. If this occurs, use the --force flag, e.g. >rpm -Uvh --force snarelinux-supp-4.1.0-SLED-10.i686.rpm


Remove the Snare for Linux binary RPM package (if required).

  1. Query the RPM database to ensure Snare for Linux is installed:

    >rpm -q snarelinux-supp
  2. Remove the Snare for Linux package:

    >rpm -e snarelinux-supp

Remove the Snare for Linux binary DEB package (if required).

  1. Remove the Snare for Linux package:

    >dpkg -r snarelinux-supp


Audit configuration

The Snare configuration is stored as /etc/audit/snare.conf (for SuSE 10 and 11 users the location is /etc/snare.conf). This file contains all the details Snare requires to configure the audit subsystem and run successfully.
The configuration in /etc/audit/snare.conf can be changed either:

  • directly, by editing the file

Care should be taken when manually editing the snare.conf configuration file to ensure that it conforms to the format required by the audit daemon. Also, any use of the Remote Control Interface to modify security objectives or selected events may overwrite manual configuration file changes. Details on the configuration file format can be found in Appendix A - Configuration File Description. An incorrect configuration file will prevent Snare from running.

  • or by modifying the objectives via the Remote Control Interface

The Remote Control Interface is the most effective and simplest way to configure /etc/audit/snare.conf. It operates completely in memory, with no reliance on any external files.

Remote Audit Monitoring
The Remote Control Interface can be turned off by editing the default /etc/audit/snare.conf file: either comment out the allow=1 line under the [Remote] section, or set its value to 0.
Be sure to restart the agent for the change to take effect. The agent can be restarted with: >/etc/init.d/auditd restart
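As an added example (not from the Snare documentation), the following POSIX shell script performs the change described above: it rewrites allow=1 to allow=0 inside the [Remote] section of snare.conf only, keeps a backup of the original file, and wraps the auditd restart command from the page. Only the [Remote] section, the allow=1 key, the two configuration file locations and the restart command come from the page; the helper names, the existence check on /etc/init.d/auditd and the sample configuration file are assumptions made for the example, and the demo at the bottom works on a temporary copy rather than the live configuration.

```shell
#!/bin/sh
# Added example, not part of the Snare documentation: turn off the Snare
# Remote Control Interface by rewriting allow=1 to allow=0 under [Remote]
# in snare.conf, keeping a backup, then restart auditd so it takes effect.
# Only the [Remote] section, allow=1, the two config paths and the restart
# command come from the page; helper names and the sample are constructed.

# Locate snare.conf: /etc/audit/snare.conf by default, /etc/snare.conf on
# SuSE 10 and 11. Prints the path, or fails if neither exists.
snare_conf_path() {
    if [ -f /etc/audit/snare.conf ]; then
        printf '%s\n' /etc/audit/snare.conf
    elif [ -f /etc/snare.conf ]; then
        printf '%s\n' /etc/snare.conf
    else
        return 1
    fi
}

# remote_allow_value FILE: print the effective allow= value inside the
# [Remote] section (commented lines are ignored); prints nothing if absent.
remote_allow_value() {
    awk '
        /^\[/ { in_remote = ($0 == "[Remote]"); next }
        in_remote && $0 ~ /^[ \t]*allow[ \t]*=/ {
            sub(/^[ \t]*allow[ \t]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# disable_remote_control FILE: back the file up as FILE.bak and rewrite
# allow=1 to allow=0, but only within the [Remote] section, so an allow=
# key in any other section is left untouched.
disable_remote_control() {
    conf="$1"
    [ -f "$conf" ] || return 1
    cp -p "$conf" "$conf.bak" || return 1
    awk '
        /^\[/ { in_remote = ($0 == "[Remote]") }
        in_remote && $0 ~ /^[ \t]*allow[ \t]*=[ \t]*1[ \t]*$/ { print "allow=0"; next }
        { print }
    ' "$conf.bak" > "$conf"
}

# restart_auditd: the restart command given on the page; only attempted
# when the init script is present (it must be run as root).
restart_auditd() {
    [ -x /etc/init.d/auditd ] || { echo "auditd init script not found" >&2; return 1; }
    /etc/init.d/auditd restart
}

# make_sample_conf FILE: write a constructed sample (not a real snare.conf)
# with a second section so the section-scoped rewrite can be observed.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for this example, not a real snare.conf
[Remote]
allow=1
[Other]
allow=1
EOF
}

# Demo against a temporary copy, never the live configuration.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/snare.conf"
disable_remote_control "$demo_dir/snare.conf"
echo "[Remote] allow is now: $(remote_allow_value "$demo_dir/snare.conf")"
rm -rf "$demo_dir"
```

On a real host you would run `conf=$(snare_conf_path) && disable_remote_control "$conf" && restart_auditd` as root; the backup written next to the file lets you restore the previous setting, and remote_allow_value gives a quick check that the [Remote] section reads allow=0 before restarting.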


Note: For administrators, the system log files (for example, /var/log/messages) are updated whenever settings are applied to snare.conf. This information may assist you when required.
