Wizard Install
Ensure you have administrator rights, double-click the downloaded file Snare-Windows-Agent-v{Version}-{Architecture}.exe file where {Version} is the most recent version of the file available. This is a self extracting archive, and will not require WinZip or other programs. You will be prompted with the following screens:
Welcome to the Snare Setup Wizard
This screen provides a brief overview of the product you are about to install. Where available, select "Next" to continue the installation, or "Cancel" to abort the installation.
License Agreement
The License Page displays the link to the End User License Agreement (EULA). Please read the document carefully and if you accept the terms of the agreement, select "Accept". If you do not accept the EULA conditions, click "Decline" and do not proceed with the installation.
Installation Options
The following options are available to install the agent.
Quick - recommended for evaluations to get the agent up and running quickly, enabling the web UI with default settings. If a previous installation is detected, it will be overwritten with the Quick install, replacing any configuration previously found. Selecting this option will install the agent and you will be presented with the final screen Completing the Snare Setup Wizard.
Advanced - recommended to customize the agent for your environment. Installer proceeds with individual screens as detailed below.
To upgrade the Agent from earlier version, please select Advanced.
NOTE: If existing installation of the agent is detected, the Quick install option will overwrite the installation.
Existing Install (Upgrade only)
If the Wizard detects a previous install of the Snare agent, you will be asked how to proceed. Selecting "Keep the existing settings" will leave the agent configuration intact and only update the Snare files. The Wizard will then skip directly to the Ready to Install screen.
Selecting "Reinstall" will allow the configuration wizard to continue and replace your existing configuration with the values you input. Note that replacing the configuration does not happen immediately; it takes place after selecting the "Install" button on the Ready to Install screen.
Auditing
EventLog Configuration:
The Snare agent has the ability to automatically configure the audit settings of the local machine to match the configured audit policies also known as objectives in earlier releases. To enable this feature, select "Yes".
Very Important
For all events. This option, when selected, will enable the auditing for all the events (i.e. System Audit, Logon Audit, ObjectAccess Audit, PrivilegeUse Audit, DetailedTracking Audit, PolicyChange Audit, AccountManagement Audit, DirectoryServiceAccess Audit and AccountLogon Audit). Enable this option *only* when you know what you are doing.
Import Logs and Filters from Snare Epilog agent: The Snare agent can import Logs and Filters settings from an Snare Epilog agent installed on the same machine. If selected, the Snare agent, on detecting the Snare Epilog settings, will import Logs and Filters settings from the Snare Epilog agent.
- Case 1 - Snare Epilog already installed: The Snare agent, on startup, will import Logs and Filters settings from the Snare Epilog agent.
- Case 2 - Snare Epilog is NOT installed at the time of this installation: The Snare agent will periodically try to detect Snare Epilog settings. Once Snare Epilog agent is installed, the Snare agent will then import Logs and Filters settings from the Snare Epilog agent.
NOTE: Selecting the option of importing relevant settings from Snare Epilog agent may result in duplication of log events.
Service Account
The Snare agent requires a service account to operate. The default option is to use the in-built SYSTEM account.
If a custom account is required to run the Snare service, select Enter Credentials. The account requires the following permissions:
- Provide the account with administrative privileges
or
Select a License
If Snare license files are found in the current directory where the Snare installation file exists, an option to select the license will be available.
Network Destination
This screen provides configurations for network destination. Following configurations can be configured.
- Destination address The name or IP address can be entered and comma delimited when several addresses are required.
- Port Configure the port, for example Snare Server users should only send events to port 6161 in native UDP or TCP, or 6163 for TLS/SSL, and Syslog via port 514.
- Protocol Select the network protocol (UDP,TCP,TLS and TLS_AUTH) you would like the agent to use when sending events.
- TLS Authentication Key This option is available only for TLS_AUTH protocol. TLS authentication key should be the same as configured in destination. A valid TLS Authentication Key must be between 8-4096 characters and allowed characters include A-Za-z0-9~!@$%^*\()_+=`-
- Use Host IP Address Override for source address Enabling this setting will use the first network adaptor as listed in the network configuration as the source of the IP address.
Web User Interface
This screen provides a means to configure the Snare Agent's web interface for first time use. Select from the following options to configure the Snare web interface:
- Enable Web Access
Select this option to enable the web user interface.
The following options may also be configured:
- No – Disable password
The web interface will operate without a password, allowing unauthenticated access to the configuration options. We strongly recommend that this option is not used on production systems as it will leave the agent vulnerable to unauthorised access.
- Yes – Please enter a password
A user/password combination will be required to access the web interface. The user is always "snare" and the password will be set to text supplied in the "Password" field. It is recommended that you use a strong complex password and it complies with your corporate policies.
- Local access only? Selecting "Local access only" will configure the web interface to restrict access to local users only. Remote users will be unable to contact the web interface.
Select Destination Location
This screen provides the ability to select the folder where the Snare Agent will be installed. If the folder name specified does not exist, it will be created. It is important that this folder has enough space available to install the agent.
By default, the installation wizard will install Snare under the Program Files folder. If a different destination is desired, one may be selected via the "Browse" button, or by typing the full path name directly into the box.
Select Start Menu Folder
Select the program group within the Start Menu under which a shortcut to the Snare Agent's remote control interface will be created.
Ready to Install
This screen provides a final summary of the chosen installation options. If the options listed are incorrect, select the "Back" button to return to previous screens and change their configuration.
Select the "Next" button to proceed with the listed choices, or "Cancel" to abort the installation without making any changes.
Completing the Snare Setup Wizard
This is the final screen of the installation wizard. By default, the web UI will be launched at https://localhost:6161