Using a CA-signed cert on Snare Central Server


SUMMARY

The Snare Central Server uses Ubuntu as a base operating system, and is compatible with instructions provided by most certificate issuing agencies for Ubuntu (or Debian), to generate your certificate signing request and install the resulting certificates.

This link provides general documentation on the use of self-signed, and third-party certificates on Ubuntu server appliances, and can be useful background reading if you wish to implement a non-standard configuration: https://help.ubuntu.com/community/OpenSSL#SSL Certificates.

The file /etc/apache2/sites-enabled/000-default-ssl on the Snare Server contains the SSL/TLS related configuration items. Various options will need to be enabled there, and you will have to copy the updated certificates to the server after they have been signed.

How to create your own Certificate Signing Request (CSR) and have it signed by an organisational or third-party Certificate Authority

  1. Using PuTTY or ssh, connect to your Snare Central Server as the 'snare' user, obtain administrator-level privileges by running the command "sudo -s" (and enter your snare user password), then enter the following commands:

    cd /etc/apache2/ssl
    openssl req -out snare.csr -new -newkey rsa:2048 -sha256 -nodes -keyout privkey.pem

    It will then request the C/CN details. The "C" field should be a two-letter country code. The CN should be the DNS name of the Snare Server, i.e. the same address that you will put into your web browser to connect to the server. Fill in the other fields as appropriate for your geographic location and organisational details.

  2. Once the command completes, a snare.csr file will be created. Using the commands below, change the permissions on the newly created CSR file so that the snare user can read it, and move it to /tmp:

    chmod 755 snare.csr
    mv snare.csr /tmp

    To validate that the snare.csr file was moved correctly, list the contents of the /tmp directory:

    ls -l /tmp

    You should see your snare.csr file in the listing.

  3. Using a tool such as WinSCP or another SFTP tool, copy the snare.csr file over to your CA server and create your certificate, for example snare.crt (generally by copying and pasting the contents of the CSR into a web form).

    Please ensure that the certificate provided by your CA is exported in base64/PEM format.
    The certificate you get back from your CA needs to replace the contents of the apache.pem file.

  4. Transfer the certificate you created to the Snare Server, copying it to the /tmp directory using your preferred SFTP tool.

  5. Update apache.pem with the new certificate details from the file now in /tmp.

    Note: you will need to transfer the files to either /tmp or /home/snare, as SFTP/scp can only be used with non-root accounts. Once you have copied the files to the Snare Central server, log in to the CLI, sudo to root-level access as highlighted above, then move the files to the correct locations.

  6. When the file is updated, reload the web server with the new keys by executing:

    /etc/init.d/apache2 restart

  7. If things are not working as expected, run the following to help diagnose the problem:

    1. Check the Apache log file with "cat /var/log/apache2/error.log". Errors there may indicate problems with the certificate files, a mismatch between the public and private keys, or problems with the Apache SSL configuration files if they were altered.

    2. Run "service apache2 status"; this will show details of any errors preventing Apache from running.

    3. Once the errors are corrected, Apache should start and run correctly.

Snare Central TLS Listener

TLS and strict validation are available from Snare Agents to Snare Central. Standard TLS is supported with a self-signed certificate. Strict validation of the client/server can be provided with a certificate signed by a trusted (internal or third party) CA.

Logs can be received by the Snare Central server over a TLS connection on TCP port 6163, or on port 6514 (encrypted syslog). By default, the Snare collection system in v8.4 will generate a new dynamic self-signed certificate every time the service restarts. If a valid certificate is found in /data/SnareConfig, it will be used by 8.4 and prior. The reflector can work either with a single PEM file that contains both the public and private keys, or with two separate PEM files containing the private and public keys respectively. The public key is signed (self-signed, or by a CA). The agent encrypts content using the public key, and the private key is used to decrypt the encrypted data. The private key is generally kept secure on the server and not shared. New keys can be generated in the same fashion as described above for the Apache web server, but stored in this separate location. The collector configuration refers to these files by the following keys and file names:

  • "PEMFile": "TLSServer.pem",

  • "PubKeyFile": "TLSServer-Public.pem",

  • "PrivKeyFile": "TLSServer-Private.pem",

Installing certificate in Reflector v3.x.x on Snare Central

The Snare Reflector/Collector can receive events using secure TLS on port 6163. Snare TLS+Authentication is also supported on port 6164.

By default, the Collector uses a self-signed certificate for this purpose. It is possible, however, to install custom certificates. To do so, upload both the public and private keys to the Snare Central server, then place the certificates in the right directory with the right permissions and ownership.

Please note that the certificates are used exclusively for the TLS reception port(s) and are not used to access the UI nor as an encryption certificate for any destination.

The Collector can be configured to support separate files for private/public keys, or can use a single container file (pem) that includes both keys. Depending on user needs the procedure is very similar:

  1. Stop the Collector with the following command:

    $ sudo /etc/init.d/snare stop

  2. Upload and copy the certificate files into the correct directory, with the correct filenames. Assuming the source private and public keys are in separate files named MyTLSCert-Public.pem and MyTLSCert-Private.pem:

    $ sudo cp MyTLSCert-Public.pem /data/SnareConfig/TLSServer-Public.pem
    $ sudo cp MyTLSCert-Private.pem /data/SnareConfig/TLSServer-Private.pem
    $ sudo chown root: /data/SnareConfig/*.pem
    $ sudo chmod 400 /data/SnareConfig/*.pem

  3. ALTERNATIVELY, if your public and private keys are in a single file (MyTLSCert.pem):

    $ sudo cp MyTLSCert.pem /data/SnareConfig/TLSServer.pem
    $ sudo chown root: /data/SnareConfig/*.pem
    $ sudo chmod 400 /data/SnareConfig/*.pem

Note that if both options exist in the /data/SnareConfig directory, the separate public/private files will take precedence.
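As an added example (not Snare's own tooling), the POSIX shell script below assumes the openssl CLI is present and shows the pre-flight checks worth running before restarting Apache with a CA-signed apache.pem (the key mismatch named in the diagnosis step above) or restarting the collector: that the returned certificate matches the private key generated alongside the CSR, that a single container PEM holds both a key and a certificate, and which files the collector would select under the precedence rule just stated. The sample certificate, keys and CN are constructed on the fly and are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Snare's own tooling. Pre-flight checks to run
# before restarting Apache or the collector with new key material.
# Assumes the openssl CLI is installed (it is on the Ubuntu-based appliance).

# Return 0 when the public key inside a certificate matches the private key,
# 1 otherwise. A mismatched pair is a common reason Apache fails to start
# after apache.pem is replaced with a CA-signed certificate.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when a single container PEM holds both a private key and a
# certificate, the layout expected of TLSServer.pem.
pem_has_key_and_cert() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Report which files the collector would pick up from a config directory:
# the separate public/private pair wins over TLSServer.pem, and with neither
# present a dynamic self-signed certificate is generated at start-up.
collector_key_source() {
  if [ -f "$1/TLSServer-Public.pem" ] && [ -f "$1/TLSServer-Private.pem" ]; then
    echo separate
  elif [ -f "$1/TLSServer.pem" ]; then
    echo single
  else
    echo dynamic-self-signed
  fi
}

# Constructed sample material (hypothetical CN): a throw-away self-signed
# certificate, its key, and an unrelated second key, written to a temp dir.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
  -subj "/C=AU/CN=snare.example.invalid" \
  -keyout "$demo_dir/privkey.pem" -out "$demo_dir/snare.crt" 2>/dev/null
openssl genpkey -algorithm RSA -out "$demo_dir/other.pem" 2>/dev/null
cat "$demo_dir/privkey.pem" "$demo_dir/snare.crt" > "$demo_dir/TLSServer.pem"

cert_matches_key "$demo_dir/snare.crt" "$demo_dir/privkey.pem" && echo "cert and key match"
cert_matches_key "$demo_dir/snare.crt" "$demo_dir/other.pem" || echo "other.pem does not match"
echo "collector would use: $(collector_key_source "$demo_dir")"
```

On a real appliance, point cert_matches_key at the certificate returned by the CA and the privkey.pem created in /etc/apache2/ssl (or at the pair under /data/SnareConfig) before running the restart commands.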