Overview of the Snare Agents
Snare operates through the actions of a single component; the SnareCore service based application (snarecore.exe) and can be remotely controlled and monitored using a standard web browser. The SnareCore service interfaces with the Windows event logging sub-system to read, filter and send event logs from the primary Application, System and Security event logs to a remote host. Please note that where available, the agent is also capable of reading, filtering and sending logs from the DNS Server, File Replication Service, DFS-Replication and Directory Service logs, as well as any Custom event log sources such as those under Applications and Services Logs. In addition to regular event logs, SnareCore will collect USB device notifications.
The Snare agents have a very small footprint and so the below usage is based on the out of the box configuration, this can increase depending on the level of additional configuration, policies set and the EPS rate of the server.
System Usage out of the box:
- On disk usage: 20 megabytes
- 20 megabytes of RAM
- CPU < 5%
Once gathered, the logs are then filtered according to a set of audit policies chosen by the administrator, and passed over a network using the UDP or TCP protocol, using optional TLS/SSL encryption, to a remote server. SnareCore converts the binary/encoded event log record to a human-readable format. If a SYSLOG or Snare Server is being used to collect the event log records, the event records will be TAB delimited. This format is further discussed in Appendix A - Event output format.
Introducing the Snare Agent Manager (SAM) with version 5 of the Snare Enterprise Agents that allows the management of the Snare Agents, such as licensing found on the network via a web browser.