The Linux Agent Remote Control Interface

Owned by Steve Challans
Last updated: Feb 20, 2019

The Remote Control Interface is accessible by entering http://localhost:6161 in the web browser as shown in Figure 1. The Remote Control Interface is turned on by default, and also password protected for security reasons. The default username and password are:
Username: snare Password: snare


Figure 1: The Remote Control Interface-View StatusNote: The password is not encrypted at this time. Ensure you change the default Snare password immediately after installation so that it is encrypted, for security purposes. It is recommended you use a strong complex password of at least 12 characters. To update the password go to the Remote Control Configuration page and update the password.

Note: For Red Hat users to access the remote control interface, will need to ensure:

  • the firewall rule allows access to the agent.
  • to disable or set to permissive mode with SELinux.


The Remote Control Interface provides a number of capabilities including:

  • Network Configuration
  • Remote Control Configuration
  • Objectives Configuration
  • Viewing Recent Events
  • Displaying User and Group metadata.

Please note that some options on these pages that are only available to users with the purchased Enterprise version. The OpenSource agents will not include any features that are new to this version of the Snare for Linux agent.

Network Configuration


To set the audit configuration parameters, select the 'Network Configuration' link.
Figure 2: Configure the network settings
The configuration parameters available are as follows, as displayed in Figure 2:


  • Override detected hostname with: Can be used to override the name that is given to the host. Unless a different name is required to be sent in the processed event log record, leave this field blank. The default is to use the fully qualified name for the machine.
  • Destination: Snare can send audit events to one or more network destinations. Snare can send data either to a Snare-compatible server, or a SYSLOG compatible destination. Please be aware that most SYSLOG servers are incompatible with the extremely high volumes of data Snare is capable of generating.

Server Details: Enter a DNS name, or IP address for each planned destination.
Port: Select the port you would like Snare to use when sending events.
Protocol: Select the protocol you would like Snare to use when sending events. Using TCP or SSL will guarantee message delivery. Using SSL will use an encrypted connection to the server.
Format: Select this option if the requirement is that the event records need to be in a specific format. This feature will allow the event log record to be formatted so it is accepted by a Syslog or a Snare server. Note: The agent will override the specified format in some cases. Specifying port 6161 will force the use of Snare format. Specifying a port of 514 will force the use of the Syslog format.
FileName: Log the output to disk as well as the network. If the file does not exist, it will be created.
Click Change Configuration to allow another destination to be added. Likewise, to remove a destination, then delete the entry in the Server Details and click Change Configuration.

  • Allow SNARE to automatically set audit configuration: By default, Snare will take control and manage your audit event settings for you. Normally on a Unix system, you will need to modify the file /etc/audit/audit.rules in order to establish a new monitored event. Snare has the capability to 'turn on' event auditing in response to the objectives you set within the Remote Control Interface. It is recommended that this parameter is enabled.
  • Cache size: Allow Snare to store messages that could not be sent. Combined with the TCP or TLS this option will allow the agent to cache messages if there is a network failure or the Snare Server is otherwise unavailable. Any cached message is kept until it is sent or the size of the cache exceeds the specified allotment, in which case the oldest message is removed. If the agent is restarted, any cached messages are lost.
  • SYSLOG Facility (optional): If you are sending your data to a SYSLOG server, specifies the subsystem that produced the message. The list displays default facility levels.
  • SYSLOG Priority (optional): If you are sending your data to a SYSLOG server, the agent can be configured to use a static or dynamic priority level.
  • Use UTC time reporting: Enables UTC (Coordinated Universal Time) timestamp format for events instead of local machine time zone format.

To save and set changes to these settings, and to ensure the audit daemon has received the new configuration, perform the following:

  1. Click on Change Configuration to save any changes.
  2. Click on the Apply the Latest Audit Configuration menu item. There will be a quick notice that Snare is restarting as displayed below.

Remote Control Configuration

The Snare for Linux agent can be controlled remotely by administrators, if required. Remote control is enabled by default. The remote control page is displayed in Figure 3.

Figure 3: Configure the Remote Control
The parameters which may be set for remote control operation include:

  • Restrict remote control of SNARE agent to certain hosts: By default Snare allows any IP address to connect to the remote control interface. Enabling this option restricts connections to the remote control interface to the IP given in the following option.
  • IP Address allowed to remote control SNARE: Remote control actions may be limited to a given host. This host, entered as an IP address will only allow remote connections to be effected from the stated IP address. Application-level firewall capabilities are also available, which block users from accessing the Remote Control Interface from any IP address other than the one specified.
  • Require a password for remote control?: Indicate whether a password will be set so that only authorised individuals may access the remote control functions. Highly recommended.
  • Password to allow remote control of SNARE: If above checkbox is checked, password must be set. A password of appropriate strength should be set for the remote control facility.
  • Web Server Port: An optional port that the Remote Control Interface listens on, can be specified. Users of the Snare Server should generally leave this as 6161, in order to take advantage of the Snare Server's user and group audit capabilities.

To save and set changes to these settings, and to ensure the audit daemon has received the new configuration, perform the following:

  1. Click on Change Configuration to save any changes.
  2. Click on the Apply the Latest Audit Configuration menu item.

Objectives configuration

Snare's ability to filter events is accomplished via the auditing 'objectives' capability. The term 'objective' is used within Snare Agents to describe an auditing goal. It is generally made up of events that Snare should watch for, a filter term containing a 'token' and a criticality level. See Figure 4.
The objective configuration page supplied as part of the web based remote control is intended as a way to enable users to commence audit functions reasonably quickly. For power users, a far more powerful and functional way is to manually control the /etc/audit/snare.conf file. This is described in more detail in Appendix A-Configuration File Description, and is intended for users who have a very detailed knowledge of Linux administration and security. It is NOT recommended for novice users.

Figure 4: Display the Set objectives
Snare for Linux has two ways of auditing file-related events – event (syscall) objectives, and/or file watches. Either or both, can be employed depending on your requirements.

Event Objectives

Select 'Add' to insert an objective or 'Modify' to edit an objective. Generally the order of objectives is not important.

Figure 5: Adding/Modifying a Syscall Objective
The following parameters may be set as displayed in Figure 5:

  • Identify the high level event: Each of the objectives provides a high level of control over which events are selected and reported. Events are selected from a group of high level requirements, and further refined using selected filters. Events are generally grouped into the following:
  • Start or stop program execution: execve,fork,exit,kill,tkill,tgkill
  • Open a file/dir for reading or writing: open,close
  • Change a file or directory attribute: fchmod,chmod,fchmodat,chown,lchown, fchown,fchownat
  • Remove a file or directory: rmdir, unlink
  • Mount a new filesystem: mount, umount2
  • Change user or group identity: setfsuid,setuid,setreuid,setfsgid,setregid,setgid,setresgid
  • Administration Related Events: reboot,settimeofday,clock_settime,setdomainname, sethostname
  • Login/Logout events: login_start,login_auth,logout

In addition, any event that can be generated by the audit subsystem can be specified (comma separated) by using the 'Any Event(s)' high level group.
Tip: Turning on file-related events can produce a very high volume of audit events on some systems, and therefore result in a considerable amount of CPU time being used by Snare and the audit subsystem.

  • Syscall List: If 'Any Event(s)' is selected as the high level event, then add a comma separated list of audit events to search for.
  • Audit Filter Term(s): A filter term containing a 'token' which appears within the events of interest, and the search criteria that Snare should use to include or exclude the event. For example, a search term of: /etc/.* would match any event which mentions any file in /etc. Another example:

localhost.localdomain LinuxKAudit Criticality,2 event,execve,20130725 11:03:29 sequence,524 uid,500,george gid,500,george euid,500,george egid,500,george process,,"/bin/uname" return,0,yes name,"/bin/uname" 1374714209.448:524): arch,x86_64 syscall,59,execve success,yes return,0 a0,3190f70 a1,3191040 a2,318d4b0 a3,8 items,2 ppid,3214 pid,3236 auid,500,george uid,500,george gid,500,george euid,500,george suid,500,george fsuid,500,george egid,500,george sgid,500,george fsgid,500,george tty,pts1 ses,1 comm,"uname" exe,"/bin/uname" key,"obj-2-0" argc,1 a0,"uname" cwd,"/home/george" item,0 name,"/bin/uname" inode,21430336 dev,fd:00 mode,0100755 ouid,0,root ogid,0,root rdev,00:00 item,1
The token highlighted in red could be used to only select events where the "auid" (the 'audit' ID) is a certain value, in this case "audit,500,george" or a more general term, such as "george".

  • Select the REGEX Match Type: Select to either include the regex match in the search or exclude the regex match set below.
  • Regex Match: A filter term the objective should match. For example .data. would cause the objective to match the word 'data' in the whole string. To use multiple matches use the virtual bar symbol which will act as the OR operator.

Complex matches such as the following are possible. For example to include/exclude various commands from the log output use the following syntax: ./bin/grep.|./bin/bash.|./bin/sleep.|./usr/bin/wc.|./usr/bin/cut.|./usr/bin/expr.|./usr/bin/bc.|./usr/bin/du.|./usr/bin/tail.|./usr/bin/head.|./usr/bin/sum.|./usr/bin/who.

It is recommended to perform all the excludes for a particular high level event in one objective, for example to exclude events that contain either auditctl or top in the high level event open a file/directory for reading or writing, then select Exclude and in the Regex Match type .*auditctl.|.top.* (as shown above).

  • Select the Alert Level: The criticality levels are Critical, Priority, Warning, Information and Clear. These security levels are provided to enable the Snare user to map audit events to their most pressing business security objectives.


To save and set changes to these settings, and to ensure the audit daemon has received the new configuration, perform the following:

  1. Click on Change Configuration to save any changes.
  2. Click on the Apply the Latest Audit Configuration menu item.

File Watches

File watches are somewhat different to event filters. Rather than asking the kernel to report on all file activity, a 'file watch' will cause Snare to ask the kernel to 'tag' certain files, or directories, and only generate file-related events when activity associated with those particular files or directories, occur. This generally results in a spectacular drop in resource usage by the Snare and audit processes, as potentially thousands of file-related events-per-second no longer have to be discarded when they do not match a Snare agent objective. This method does not require that each targeted file or directory exist prior to Snare starting up. Where a directory is specified, Snare will also watch for the creation of new files and directories.
See Figure 6 for configuring a Snare file watch.
{_}Figure 6: Adding/Modifying a File Watch Objective_The following parameters may be set:

  • File watch path: Any file or directory, currently existing or not, can be specified. In order not to generate too many events, it is strongly recommended that file watches be set on the exact directory(ies) of choice, with as few permissions as possible. It is far more desirable to use file watches to monitor accesses to files and directories, than to use syscall/event filters.
  • Permissions to trigger an event: A file watch is associated with monitoring four types of permissions, namely rwxa. These are read (r), write (w), execute (error) or attributes (a). A file MUST be specified with a minimum of 1 and a maximum of 4 permissions.


  • Select the REGEX Match Type: Select to either include the regex match in the search or exclude the regex match set below.
  • Regex String Match: A filter term the objective should match. For example .root. would cause the objective to match the word 'root' in the whole string. The Regex format uses the same basic format as discussed in the objective section above.
  • Select the Alert Level: The criticality levels are Critical, Priority, Warning, Information and Clear. These security levels are provided to enable the Snare user to map audit events to their most pressing business security objectives.

Note: Depending on your Linux kernel there may be an issue with the creation/deletion of file watches. This bug in the kernel occurs if you create a file watch, and then do not apply the audit configuration, and then delete the file watch, with the result locking up your operating system. To prevent this issue ensure you set the audit configuration after creation.

Display of Latest Events / Destination Status

A small rotating cache of audit events is kept by the Snare for Linux web server. Clicking on the Latest Events menu item will display twenty of the most recent events as displayed in Figure 7.

Figure 7: Display the latest events
Additionally this page shows the status for each Destination that was configured for logging. An example of this destination status is: 10.1.1.30:6161 (TCP), status: CONNECTED This information can be used to help debug potential logging issues. The status can be explained as follows:

  • Host/Port: e.g.: 10.1.1.30:6161 The host ip/name and port that logs will be sent too.
  • Log destination Type: e.g.: TCP The protocol of the remote connection. Possible values are TCP, UDP, SSL or File
  • The current State of the connection: e.g.: CONNECTED This field indicates what snare is currently doing with the connection. You will see many different states including:
    • INITIAL - The remote log location is about to begin setup
    • RESOLVING - DNS resolution for a hostname is occurring
    • RESOLVE_DELAY(error) - DNS resolution failed, a retry will occur in X seconds
    • CONNECTING - Snare is trying to connect to the destination
    • CONNECT_FAILED - The connection to the destination failed
    • CONNECT_DELAY(error) - Connecting to the remote end failed, it will be retried again in X seconds
    • CONNECTED - Snare has an active connection to the destination
    • SENDING - Snare is currently sending logs to the destination
    • DISCONNECTED - The destination has disconnected the snare agent.. a reconnection will occur automatically.
    • HANDSHAKE - A SSL/TLS Handshake is in progress
    • HANDSHAKE_FAILED - The SSL/TLS Handshake failed
    • OPENING - Opening a a file destination is in progress
    • WRITING - Writing is occurring to a file
    • WRITE_FAILED - A write to file failed
    • CLOSED - A file has been closed

Additionally two other statuses give instant feedback about what Snare is doing:

  • Available
    • Indicates if Snare can use the destination to send logs. A value of 1 indicates that logs can be sent. A value of 0 indicates logs can't be sent
  • ReadyToSend
    • Indicates if the destination is setup in a state where logs can be sent. For instance if Snare is already sending to the destination, ReadyToSend will be 0.

4.5 List Displays

A list of Users, Groups, Group Members, Logins and Reboots may be displayed by selecting on the appropriate link in the menu.