Guide To Snare For Linux-4.0

Guide to
Snare for Linux

v4.0

Guide to Snare for Linux
1999-2014 Intersect Alliance Pty Ltd. All rights reserved worldwide.
Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct or indirect da!ages in connection with the "se
of this !aterial. #o $art of this wor% !ay be re$rod"ced or trans!itted in any for! or by any !eans e&ce$t as e&$ressly $er!itted
by Intersect Alliance Pty Ltd. 'his does not incl"de those doc"!ents and software develo$ed "nder the ter!s of the o$en so"rce
(eneral P"blic Licence which covers the )nare agents and so!e other software.
'he Intersect Alliance logo and )nare logo are registered trade!ar%s of Intersect Alliance Pty Ltd. *ther trade!ar%s and trade
na!es are !ar%s+ and na!es of their owners as !ay or !ay not be indicated. All trade!ar%s are the $ro$erty of their res$ective
owners and are "sed here in an editorial conte&t witho"t intent of infringe!ent. )$ecifications and content are s"b,ect to change
witho"t notice.
Inter)ect Alliance -"ne 2014 Page 2 of 2. /ersion 4.0
About this guide
'his g"ide introd"ces yo" to the f"nctionality of the )nare Agent for the Lin"& o$erating syste!.
)nare for Lin"& $rovides an event a"diting s"bsyste! for the Lin"& o$erating syste! and facilitates
ob,ective-based filtering and re!ote a"dit event delivery. )nare for Lin"& will also allow a sec"rity
ad!inistrator to f"lly re!ote control the a$$lication thro"gh a standard web browser if so desired.
)nare has been designed in s"ch a way as to allow the re!ote control f"nctions to be easily effected
!an"ally or by an a"to!ated $rocess.
*ther g"ides that !ay be "sef"l to read incl"de0
1 )nare *verview - htt$s022www.intersectalliance.co!2w$-content2"$loads220142032)nare-
*verview-4roch"re.$df
1 'he )nare 'oolset - A 5hite Pa$er at htt$s022www.intersectalliance.co!2w$-
content2"$loads220162042)nare7'oolset75hite7Pa$er-2.8.$df
Table of contents:
1 Introduction.............................................................................................................. 4
2 Overvie of Snare for Linux..........................................................................................!
" Installing and running Snare...........................................................................................#
6.1 )nare installation.................................................................................................... 8
6.2 A"dit config"ration..................................................................................................9
4 The $e%ote &ontrol Interface........................................................................................'
4.1 #etwor% :onfig"ration............................................................................................10
4.2 ;e!ote :ontrol :onfig"ration...................................................................................12
4.6 *b,ectives config"ration..........................................................................................14
4.4 <is$lay of Latest =vents 2 <estination )tat"s..................................................................19
! Snare Server............................................................................................................ 21
# About InterSect Alliance..............................................................................................2"
A((endix A ) &onfiguration *ile +escri(tion........................................................................24
A((endix , ) -vent Out(ut *or%at...................................................................................2'
1 Introduction
'he tea! at Inter)ect Alliance have e&$erience with a"diting and intr"sion detection on a wide
range of $latfor!s - )olaris 5indows Android AI> even ?/) @A:A22;A:ABC and within a wide range
of I' sec"rity in b"sinesses s"ch as #ational )ec"rity and <efence Agencies Ainancial )ervice fir!s
(overn!ent <e$art!ents and )ervice Providers. 'his bac%gro"nd gives "s a "niD"e insight into how
to effectively de$loy host and networ% intr"sion detection syste!s that s"$$ort and enhance an
organiEationFs b"siness goals.
F)nare for Lin"&F allows event logs fro! the Lin"& a"dit s"bsyste! to be collected fro! the o$erating
syste! and forwarded to a re!ote a"dit event collection facility after a$$ro$riate filtering. )nare
for Lin"& will also allow a sec"rity ad!inistrator to f"lly re!ote control the a$$lication thro"gh a
standard web browser if so desired. )nare has been designed in s"ch a way as to allow the re!ote
control f"nctions to be easily effected !an"ally or by an a"to!ated $rocess.
*ther )nare agents are also available incl"ding )nare for )olaris Lin"& *)> ?))GL =$ilog and
5indows. 'he agents are ca$able of sending data to a wide variety of target collection syste!s
incl"ding o"r very own .Snare Server.. )ee Chapter 5 Snare Server for f"rther details.
5elco!e to .Snare. - S/ste% i0trusion Anal/sis 1 $e(orting -nviron%ent.
2 Overview of Snare for Linux
)nare o$erates thro"gh the actions of three co!$le!entary co!$onents0
'he native Lin"& a"dit s"bsyste!
'he "ser-s$ace a"dit dae!on @a"ditdB
'he )nare Fdis$atcherF a$$lications.
'he a"dit dae!on and %ernel co!$onent act in concert to config"re the "nderlying a"dit
s"bsyste! and e&tract events of interest fro! the o$erating syste!.
)nare for Lin"& o$erates as an Fa"dit dis$atcherF a$$lication that receives the a"dit log data with
)nare directing a"ditd what events to selectively filter o"t that yo" are not interested in for!ats
the res"lting data into so!ething that is !ore s"ited to follow-on $rocessing and delivers it to one
or !ore re!ote syste!s over the networ%.
)nare for!ats the a"dit log data into a series of Fto%ensF. 'wo different field se$arators are "sed in
order to facilitate follow-on $rocessing - 'A4) se$arate Fto%ensF and :*??A) se$arate data within
each to%en. 'his for!at is f"rther disc"ssed in Appendix B-Event Output Format. 'he res"lt is that a
raw event as $rocessed by )nare !ay a$$ear as follows0
localhost.localdomain LinuxKAudit 2 event,open,Jun 20 06:00:16
sequence,30430 uid,4246!2",un#no$n euid,0,%oot &id,0,%oot e&id,0,%oot
p%ocess,,'opt'()ox*uestAdditions+4.2.1,'s-in'()ox.e%vice %etu%n,4,/es
name,'va%'%un'utmp exe,'opt'()ox*uestAdditions+4.2.1,'s-in'()ox.e%vice
success,/es %etu%n,4 s/scall,",open uid,un#no$n euid,%oot &id,%oot
e&id,%oot a%ch, name,'va%'%un'utmp a0,-!ea!003 a1,2 a2,0 a3,-!ea!00
items,1 ppid,1 pid,233 uid,0 suid,0 0suid,0 s&id,0 0s&id,0 tt/,none
comm,()ox.e%vice #e/,o-1+1+1 c$d,' item,0 inode,6! dev,03:02 mode,0100664
ouid,0 o&id," %dev,00:00
)nare also incor$orates a tiny e!bedded web server the ;e!ote :ontrol Interface which allows
ad!inistrators to re!otely control which events are collected and re$orted. 'he ;e!ote :ontrol
Interface also $rovides infor!ation on "sers gro"$s and gro"$ !e!bershi$ on the local !achine
which can be "sed to satisfy vario"s reg"latory sec"rity reD"ire!ents.
)nare for Lin"& is %nown to wor% on ;ed Hat =nter$rise 38 :ent*) 38 Aedora :ore > )")= 1011
Ib"nt" 121614 <ebian 9.6.
3 Installing and running Snare
3.1 Snare installation
An a$$ro$riate Lin"& <istrib"tion
'he snarelin"& $ac%age available for =nter$rise c"sto!ers fro! the )nare
)ec"re Area at htt$s022www.intersectalliance.co!.
Install )nare for Lin"& binary ;P? $ac%age.
1. 'o install the )nare $ac%age $erfor! the following0
2. <ownload the reD"ired ;P? or <=4
6. Logon as root "ser i.e. at the co!!and $ro!$t enter the co!!and /bin/su and
enter the root $assword when $ro!$ted. Iss"e the co!!and as root as $er yo"r
distrib"tion0
Jrpm -Uvh filename.rpm
E.g. >rpm -Uvh snarelinux-supp-4.0.0-SLED-10.i686.rpm
Or
>dpkg -i filename.deb
E.g. >dpkg -i snarelinux-supp-4.0.0-Debian-7.3.x86_64.deb
4. 'his will install )nare for Lin"& and restart the a"dit dae!on @a"ditdB.
;e!ove )nare for Lin"& binary ;P? $ac%age @if reD"iredB.
1. G"ery the ;P? database to ens"re )nare for Lin"& is installed
>rpm -q snarelinux-supp
2. ;e!ove the )nare for Lin"& $ac%age
>rpm -e snarelinux-supp
;e!ove )nare for Lin"& binary <=4 $ac%age @if reD"iredB.
1. ;e!ove the )nare for Lin"& $ac%age
>dpkg -r snarelinux-supp
3.2 Audit configuration
'he )nare config"ration is stored as /etc/audit/snare.conf (note, for SuSE ! and users, the
"ocation of snare.conf is /etc/snare.conf#. 'his file contains all the details reD"ired by )nare to
config"re the a"dit s"bsyste! to s"ccessf"lly e&ec"te.
'he config"ration of /etc/audit/snare.conf can be changed either0
directly
:are sho"ld be ta%en if !an"ally editing the snare.conf config"ration file to ens"re
that it confor!s to the reD"ired for!at for the a"dit dae!on. Also any "se of the
;e!ote :ontrol Interface to !odify sec"rity ob,ectives or selected events !ay res"lt
in !an"al config"ration file changes being overwritten. <etails on the config"ration
file for!at can be viewed in Appendix A - Confi$uration Fi"e %escription. Aail"re to
s$ecify a correct config"ration file will $revent )nare fro! r"nning.
or by !odifying the ob,ectives via the ;e!ote :ontrol Interface
The Remote Control Interface is the most effective and simplest way to configure
/etc/audit/snare.conf and o$erates completely in memory, with no reliance on any external
files.
;e!ote A"dit ?onitoring
'he ;e!ote :ontrol Interface can be t"rned off by editing the defa"lt
/etc/audit/snare.conf file. Ko" can either edit the /etc/audit/snare.conf file
directly co!!enting the allow=1 line "nder the [Remote] section or by
setting this val"e to 0.
4e s"re to restart the agent for the change to ta%e effect. 'he agent can be
restarted by0
>/etc/init.d/auditd restart
#ote0 Aor ad!inistrators the syste! log files will be "$dated whenever settings are a$$lied to
the snare.conf for e&a!$le 2var2log2!essages. 'his infor!ation !ay assist yo" when yo"
reD"ire it.
4 Te !e"ote #ontrol Interface
'he ;e!ote :ontrol Interface is accessible by entering htt$022localhost08181 in the web browser as
shown in Aig"re 1. 'he ;e!ote :ontrol Interface is t"rned on by defa"lt and also $assword
$rotected for sec"rity reasons. 'he defa"lt "serna!e and $assword are0
2serna%e0 snare
3assord0 snare
0OT-: The (assord is not encr/(ted at this ti%e. -nsure /ou change the default Snare
(assord i%%ediatel/ after installation4 so that it is encr/(ted4 for securit/ (ur(oses. It is
reco%%ended /ou use a strong co%(lex (assord of at least 12 characters.
Aig"re 10 'he ;e!ote :ontrol Interface-/iew )tat"s
'he ;e!ote :ontrol Interface $rovides a n"!ber of ca$abilities incl"ding0
#etwor% :onfig"ration
;e!ote :ontrol :onfig"ration
*b,ectives :onfig"ration
/iewing ;ecent =vents
Inter)ect Alliance -"ne 2014 Page . of 2. /ersion 4.0
<is$laying Iser and (ro"$ !etadata.
Please note that so!e o$tions on these $ages that are only available to "sers with the $"rchased
=nter$rise version. 'he *$en)o"rce agents will not incl"de any feat"res that are new to this version
of the )nare for Lin"& agent.
4.1 $etwor% #onfiguration
'o set the a"dit config"ration $ara!eters select the F#etwor% :onfig"rationF lin%.
Aig"re 20 :onfig"re the networ% settings
'he config"ration $ara!eters available are as follows as dis$layed in Aig"re 20
Override detected hostname with: :an be "sed to override the na!e that is given to the
host. Inless a different na!e is reD"ired to be sent in the $rocessed event log record leave
this field blan%. 'he defa"lt is to "se the f"lly D"alified na!e for the !achine.
Destination: )nare can send a"dit events to one or !ore networ% destinations. )nare can
send data either to a )nare-co!$atible server or a )K)L*( co!$atible destination. Please
be aware that !ost )K)L*( servers are inco!$atible with the e&tre!ely high vol"!es of
data )nare is ca$able of generating.
Server Details: =nter a <#) na!e or IP address for each $lanned destination.
Port: )elect the $ort yo" wo"ld li%e )nare to "se when sending events.
Protocol: )elect the $rotocol yo" wo"ld li%e )nare to "se when sending events.
Ising ':P or ))L will g"arantee !essage delivery. Ising ))L will "se an
encry$ted connection to the server.
Format: )elect this o$tion if the reD"ire!ent is that the event records need to
be in a s$ecific for!at. 'his feat"re will allow the event log record to be
for!atted so it is acce$ted by a )yslog or a )nare server. #ote0 'he agent will
override the s$ecified for!at in so!e cases. )$ecifying $ort 8181 will force the
"se of )nare for!at. )$ecifying a $ort of 314 will force the "se of the )yslog
for!at.
FileName: Log the o"t$"t to dis% as well as the networ%.
:lic% :hange :onfig"ration to allow another destination to be added. Li%ewise to
re!ove a destination then delete the entry in the Server %etai"s and clic% :hange
:onfig"ration.
Allow SNARE to automatically set audit configuration: 4y defa"lt )nare will ta%e control
and !anage yo"r a"dit event settings for yo". #or!ally on a Ini& syste! yo" will need to
!odify the file /etc/audit/audit.ru"es in order to establish a new !onitored event. )nare
has the ca$ability to Ft"rn onF event a"diting in res$onse to the ob,ectives yo" set within the
;e!ote :ontrol Interface. It is reco!!ended that this $ara!eter is enabled.
Cache sie: Allow )nare to store !essages that co"ld not be sent. :o!bined with the ':P or
'L) this o$tion will allow the agent to cache !essages if there is a networ% fail"re or the
)nare )erver is otherwise "navailable. Any cached !essage is %e$t "ntil it is sent or the siEe
of the cache e&ceeds the s$ecified allot!ent in which case the oldest !essage is re!oved.
If the agent is restarted any cached !essages are lost.
S!S"O# Facility $o%tional&: If yo" are sending yo"r data to a )K)L*( server s$ecifies the
s"bsyste! that $rod"ced the !essage. 'he list dis$lays defa"lt facility levels.
S!S"O# Priority $o%tional&: If yo" are sending yo"r data to a )K)L*( server the agent can
be config"red to "se a static or dyna!ic $riority level.
'se '(C time re%orting: =nables I': @:oordinated Iniversal 'i!eB ti!esta!$ for!at for
events instead of local !achine ti!e Eone for!at.
'o save and set changes to these settings and to ens"re the a"dit dae!on has received the new
config"ration $erfor! the following0
1. :lic% on :hange :onfig"ration to save any changes.
2. :lic% on the A((l/ the Latest Audit &onfiguration !en" ite!. 'here will be a D"ic% notice
that )nare is restarting as dis$layed below.
4.2 !e"ote #ontrol #onfiguration
'he )nare for Lin"& agent can be controlled re!otely by ad!inistrators if reD"ired. ;e!ote control
is enabled by defa"lt. 'he re!ote control $age is dis$layed in Aig"re 6.
Aig"re 60 :onfig"re the ;e!ote :ontrol
'he $ara!eters which !ay be set for re!ote control o$eration incl"de0
Restrict remote control of SNARE agent to certain hosts: 4y defa"lt )nare allows any IP
address to connect to the re!ote control interface. =nabling this o$tion restricts connections
to the re!ote control interface to the IP given in the following o$tion.
)P Address allowed to remote control SNARE: ;e!ote control actions !ay be li!ited to a
given host. 'his host entered as an IP address will only allow re!ote connections to be
effected fro! the stated IP address. A$$lication-level firewall ca$abilities are also available
which bloc% "sers fro! accessing the ;e!ote :ontrol Interface fro! any IP address other
than the one s$ecified.
Re*uire a %assword for remote control+: Indicate whether a $assword will be set so that
only a"thorised individ"als !ay access the re!ote control f"nctions. Highly reco!!ended.
Password to allow remote control of SNARE: If above chec%bo& is chec%ed $assword !"st
be set. A $assword of a$$ro$riate strength sho"ld be set for the re!ote control facility.
,e- Server Port: An o$tional $ort that the ;e!ote :ontrol Interface listens on can be
s$ecified. Isers of the )nare )erver sho"ld generally leave this as 8181 in order to ta%e
advantage of the )nare )erverFs "ser and gro"$ a"dit ca$abilities.
2. :lic% on the A((l/ the Latest Audit &onfiguration !en" ite!.
4.3 O&'ectives configuration
)nareFs ability to filter events is acco!$lished via the a"diting Fob,ectivesF ca$ability. 'he ter!
Fob,ectiveF is "sed within )nare Agents to describe an a"diting goal. It is generally !ade "$ of events
that )nare sho"ld watch for a filter ter! containing a Fto%enF and a criticality level. )ee Aig"re 4.
'he ob,ective config"ration $age s"$$lied as $art of the web based re!ote control is intended as a
way to enable "sers to co!!ence a"dit f"nctions reasonably D"ic%ly. Aor $ower "sers a far !ore
$owerf"l and f"nctional way is to !an"ally control the /etc/audit/snare.conf file. 'his is described
in !ore detail in A%%endi. A-:onfig"ration Aile <escri$tion and is intended for "sers who have a
very detailed %nowledge of Lin"& ad!inistration and sec"rity. It is #*' reco!!ended for novice
"sers.
Aig"re 40 <is$lay the )et ob,ectives
)nare for Lin"& has two ways of a"diting file-related events L event @syscallB ob,ectives and2or file
watches. =ither or both can be e!$loyed de$ending on yo"r reD"ire!ents.
(vent O&'ectives
)elect FAddF to insert an ob,ective or F?odifyF to edit an ob,ective. (enerally the order of ob,ectives
is not i!$ortant.
Aig"re 30 Adding2?odifying a )yscall *b,ective
'he following $ara!eters !ay be set as dis$layed in Aig"re 30
)dentify the high level event: =ach of the ob,ectives $rovides a high level of control over
which events are selected and re$orted. =vents are selected fro! a gro"$ of high level
reD"ire!ents and f"rther refined "sing selected filters. =vents are generally gro"$ed into
the following0
)tart or sto$ $rogra! e&ec"tion0 execve,fork,exit,kill,tkill,tgkill
*$en a file2dir for reading or writing0 open,close
:hange a file or directory attrib"te0 fch!odch!odfch!odatchownlchown
fchownfchownat
;e!ove a file or directory0 r!dir "nlin%
?o"nt a new filesyste!0 !o"nt "!o"nt2
:hange "ser or gro"$ identity0
setfs"idset"idsetre"idsetfsgidsetregidsetgidsetresgid
Ad!inistration ;elated =vents0 rebootsetti!eofdaycloc%7setti!esetdo!ainna!e
sethostna!e
Login2Logo"t events0 login7startlogin7a"thlogo"t
In addition any event that can be generated by the a"dit s"bsyste! can be s$ecified
@co!!a se$aratedB by "sing the FAny =vent@sBF high level gro"$.
'i$0 '"rning on file-related events can $rod"ce a very high vol"!e of a"dit events on so!e
syste!s and therefore res"lt in a considerable a!o"nt of :PI ti!e being "sed by )nare and
the a"dit s"bsyste!.
Syscall "ist: If FAny =vent@sBF is selected as the high level event then add a co!!a se$arated
list of a"dit events to search for.
Audit Filter (erm$s&: A filter ter! containing a Fto%enF which a$$ears within the events of
interest and the search criteria that )nare sho"ld "se to incl"de or e&cl"de the event. Aor
e&a!$le a search ter! of0 /etc/.* wo"ld !atch any event which !entions any file in
/etc. Another e&a!$le0
"oca"host."oca"domain &inux'Audit Critica"it(,) event,execve,)!*!+)5 ,!*,)-
se.uence,5)/ uid,5!!,$eor$e $id,5!!,$eor$e euid,5!!,$eor$e e$id,5!!,$eor$e
process,,0/1in/uname0 return,!,(es name,0/1in/uname0 *+/+/)!-.//2,5)/#,
arch,x2343/ s(sca"",5-,execve success,(es return,! a!,*-!f+! a,*-!/!
a),*2d/1! a*,2 items,) ppid,*)/ pid,*)*3 auid/011/george uid,5!!,$eor$e
$id,5!!,$eor$e euid,5!!,$eor$e suid,5!!,$eor$e fsuid,5!!,$eor$e e$id,5!!,$eor$e
s$id,5!!,$eor$e fs$id,5!!,$eor$e tt(,pts ses, comm,0uname0 exe,0/1in/uname0
5e(,0o16-)-!0 ar$c, a!,0uname0 c7d,0/home/$eor$e0 item,! name,0/1in/uname0
inode,)/*!**3 dev,fd,!! mode,!!!+55 ouid,!,root o$id,!,root rdev,!!,!! item,
'he to%en highlighted in red co"ld be "sed to only select events where the Ma"idN
@the Fa"ditF I<B is a certain val"e in this case Ma"dit300georgeN or a !ore general
ter! s"ch as MgeorgeN.
Rege. 2atch: A filter ter! the ob,ective sho"ld !atch. Aor e&a!$le .Odata.O wo"ld ca"se
the ob,ective to !atch the word FdataF in the whole string.
Select the Alert "evel: 'he criticality levels are :ritical Priority 5arning Infor!ation and
:lear. 'hese sec"rity levels are $rovided to enable the )nare "ser to !a$ a"dit events to
their !ost $ressing b"siness sec"rity ob,ectives.
2. :lic% on the A((l/ the Latest Audit &onfiguration !en" ite!.
)ile *atces
Aile watches are so!ewhat different to event filters. ;ather than as%ing the %ernel to re$ort on all
file activity a Ffile watchF will ca"se )nare to as% the %ernel to FtagF certain files or directories and
only generate file-related events when activity associated with those $artic"lar files or directories
occ"r. 'his generally res"lts in a s$ectac"lar dro$ in reso"rce "sage by the )nare and a"dit
$rocesses as $otentially tho"sands of file-related events-$er-second no longer have to be discarded
when they do not !atch a )nare agent ob,ective. 'his !ethod does not reD"ire that each targeted
file or directory e&ist $rior to )nare starting "$. 5here a directory is s$ecified )nare will also
watch for the creation of new files and directories.
)ee Aig"re 8 for config"ring a )nare file watch.
Aig"re 80 Adding2?odifying a Aile 5atch *b,ective
'he following $ara!eters !ay be set0
File watch %ath: Any file or directory c"rrently e&isting or not can be s$ecified. In order
not to generate too !any events it is strongly reco!!ended that file watches be set on the
e&act directory@iesB of choice with as few $er!issions as $ossible. It is far !ore desirable to
"se file watches to !onitor accesses to files and directories than to "se syscall2event
filters.
Permissions to trigger an event: A file watch is associated with !onitoring fo"r ty$es of
$er!issions na!ely r7xa. 'hese are read @rB write @wB e&ec"te @&B or attrib"tes @aB. A file
?I)' be s$ecified with a !ini!"! of 1 and a !a&i!"! of 4 $er!issions.
Rege. String 2atch: A filter ter! the ob,ective sho"ld !atch. Aor e&a!$le .Oroot.O wo"ld
ca"se the ob,ective to !atch the word FrootF in the whole string.
Select the Alert "evel: 'he criticality levels are :ritical Priority 5arning Infor!ation and
:lear. 'hese sec"rity levels are $rovided to enable the )nare "ser to !a$ a"dit events to
their !ost $ressing b"siness sec"rity ob,ectives.
#ote0 <e$ending on yo"r lin"& %ernel there !ay be an iss"e with the creation2deletion
of file watches. 'his b"g in the %ernel occ"rs if yo" create a file watch and then do
not a$$ly the a"dit config"ration and then delete the file watch with the res"lt
loc%ing "$ yo"r o$erating syste!. 'o $revent this iss"e ens"re yo" set the a"dit
config"ration after creation.
Inter)ect Alliance -"ne 2014 Page 1. of 2. /ersion 4.0
4.4 +is,la- of Latest (vents . +estination Status
A s!all rotating cache of a"dit events is %e$t by the )nare for Lin"& web server. :lic%ing on the
Latest -vents !en" ite! will dis$lay twenty of the !ost recent events as dis$layed in Aig"re 9.
Aig"re 90 <is$lay the latest events
Additionally this $age shows the stat"s for each <estination that was config"red for logging. An
e&a!$le of this destination stat"s is0
10.1.1.30:6161 (TCP), status: CONNECTED
'his infor!ation can be "sed to hel$ deb"g $otential logging iss"es. 'he stat"s can be e&$lained as
follows0
5ost63ort: e.g.0 10.1.1.6008181
'he host i$2na!e and $ort that logs will be sent too.
Log destination T/(e: e.g.0 ':P
'he $rotocol of the re!ote connection. Possible val"es are ':P I<P ))L or Aile
The current State of the connection: e.g.0 :*##=:'=<
'his field indicates what snare is c"rrently doing with the connection. Ko" will see !any
different states incl"ding0
I#I'IAL - 'he re!ote log location is abo"t to begin set"$
;=)*L/I#( - <#) resol"tion for a hostna!e is occ"rring
;=)*L/=7<=LAK@&B - <#) resol"tion failed a retry will occ"r in > seconds
:*##=:'I#( - )nare is trying to connect to the destination
:*##=:'7AAIL=< - 'he connection to the destination failed
:*##=:'7<=LAK@&B - :onnecting to the re!ote end failed it will be retried again in >
seconds
:*##=:'=< - )nare has an active connection to the destination
)=#<I#( - )nare is c"rrently sending logs to the destination
<I):*##=:'=< - 'he destination has disconnected the snare agent.. a reconnection will
occ"r a"to!atically.
HA#<)HAP= - A ))L2'L) Handsha%e is in $rogress
HA#<)HAP=7AAIL=< - 'he ))L2'L) Handsha%e failed
*P=#I#( - *$ening a a file destination is in $rogress
5;I'I#( - 5riting is occ"rring to a file
5;I'=7AAIL=< - A write to file failed
:L*)=< - A file has been closed
Additionally two other stat"ses give instant feedbac% abo"t what )nare is doing0
Availa-le
Indicates if )nare can "se the destination to send logs. A val"e of 1 indicates that logs
can be sent. A val"e of 0 indicates logs canFt be sent
Ready(oSend
Indicates if the destination is set"$ in a state where logs can be sent. Aor instance if
)nare is already sending to the destination ;eady'o)end will be 0.
/ Snare Server
'he )nare )erver is a log collection analysis re$orting forensics and storage a$$liance that hel$s
yo"r !eet de$art!ental organisational ind"stry and national sec"rity reD"ire!ents and
reg"lations. It integrates closely with the ind"stry standard )nare agents to $rovide a cohesive
end-to-end sol"tion for yo"r log-related sec"rity reD"ire!ents.
'he )nare )erver as shown in Aig"re . collects events and logs fro! a variety of o$erating syste!s
a$$lications and a$$liances incl"ding b"t not li!ited to0 5indows @#' thro"gh 2012B )olaris AI>
*)> Iri& Lin"& 'r"84 A:A2 ;A:A :I):* ;o"ters :I):* PI> Airewall :yber("ard Airewall
:hec%$oint Airewall1 (a"ntlet Airewall #etgear Airewall IP'ables Airewall ?icrosoft I)A )erver
?icrosoft II) )erver Lot"s #otes ?icrosoft Pro&y )erver A$ache )D"id )nort #etwor% Intr"sion
<etection )ensors I4? )*:P) )erver and (eneric )yslog <ata of any variety.
Aig"re . 5elco!e to the )nare )erver
)o!e of the %ey feat"res of the )nare )erver incl"de0
1 Ability to collect any arbitrary log data either via I<P or ':P
1 )ec"re encry$ted channel for log data "sing 'L)2))L
1 Proven technology that wor%s sea!lessly with the )nare agents
1 )nare reflector technology that allows for all collected events to be sent in real ti!e to a
standby2bac%"$ )nare )erver or a third $arty collection syste!
1 Ability to contin"o"sly collect large n"!bers of events. )nare )erver collection rates
e&ceed 80000 events $er !in"te "sing a low end wor%station class Intel based P: on a
100?b$s networ%.
1 Ability to drill down fro! to$ level re$orts. 'his red"ces the a!o"nt of data Mcl"tterN and
allows a syste! ad!inistrator to fine t"ne the re$orting ob,ectives.
1 Ability to FcloneF e&isting ob,ectives in order to significantly tailor the re$orting criteria.
'hese re$orts along with all )nare )erver ob,ectives !ay be sched"led and e!ailed to
designated staff.
1 'he )nare )erver "ses e&tensive discri!inators for each ob,ective allowing syste!
ad!inistrators to finely t"ne re$orting based on incl"sion or e&cl"sion of a wide variety of
$ara!eters.
1 /ery si!$le download and installation
1 Ale&ibility when dealing with "niD"e c"sto!er reD"ire!ents
1 A strategic foc"s on low end hardware !eans that )nare can achieve o"tstanding res"lts
with !ini!al hardware cost o"tlay
1 )nare gives yo" "sef"l data o"t of the bo& with defa"lt ob,ectives t"ned for co!!on
organisational needs
1 Ability to !anage =nter$rise Agents
1 All f"t"re )nare )erver versions and "$grades incl"ded as $art of an ann"al !aintenance
fee.
'he )nare )erver is an a$$liance sol"tion that co!es $ac%aged with a hardened !ini!al version of
the Lin"& o$erating syste! to $rovide baseline co!$"ting f"nctionality which !eans yo" do not
need to $"rchase additional o$erating syste! licenses database licenses or install additional
a$$lications in order to get "$ and r"nning. Li%e yo"r android $hone or yo"r ho!e ro"ter any
o$erating-syste! level !anage!ent and !aintenance is either a"to!ated or is available within the
web-based interface.
Aor f"rther infor!ation on the )nare )erver refer to the Snare Server 8ser 9uide on the Intersect
Alliance website.
0 A&out InterSect Alliance
Intersect Alliance $art of the Pro$hecy International Holdings (ro"$ is a tea! of leading
infor!ation technology sec"rity s$ecialists. In $artic"lar Intersect Alliance are noted leaders in %ey
as$ects of I' )ec"rity incl"ding host intr"sion detection. *"r sol"tions have and contin"e to be "sed
in the !ost sensitive areas of (overn!ent and b"siness sectors.
Intersect Alliance intend to contin"e releasing tools that enable "sers ad!inistrators and clients
worldwide to achieve a greater level of $rod"ctivity and effectiveness in the area of I' )ec"rity by
si!$lifying abstracting and2or solving co!$le& sec"rity $roble!s.
Intersect Alliance welco!es and val"es yo"r s"$$ort co!!ents and contrib"tions.
Aor !ore infor!ation on the =nter$rise Agents )nare )erver and other )nare $rod"cts and licensing
o$tions $lease contact "s as follows0
The A%ericas Q1 @.00B .64 1080 'oll Aree R Q1 @606B 991 2888 <enver
Asia 3acific Q81 . .211 81.. Adelaide A"stralia
-uro(e and the 27 Q44 @999B 090 3011
-%ail intersectSintersectalliance.co!
8isit www.intersectalliance.co!
A,,endix A 1 #onfiguration )ile +escri,tion
'he $"r$ose of this section is to disc"ss the $ara!eter settings of the config"ration file. 'he )nare
config"ration file is located at /etc/audit/snare.conf and this location !ay not be changed. If the
config"ration file does not e&ist the a"dit dae!on will not actively a"dit events "ntil a correctly
for!atted config"ration file is $resent.
)nare can be config"red in several different ways na!ely0
a. /ia the e!bedded web server @recommended for novice usersB or
b. 4y !an"ally editing the config"ration file @recommended for advanced usersB.
'he for!at of the audit configuration file is disc"ssed below. Any line beginning with MTN will be
treated as a co!!ent line and ignored. Any n"!ber of tabs or s$aces can be "sed. ?a,or to%ens
s"ch as [on!ig] !"st be s"rro"nded by the sD"are brac%ets.
[on!ig]
'his section allows yo" to s$ecify settings relating to the
o$eration of the )nare agent.
clientname=o"erride
'he hostna!e of the client. If no hostna!e is set the
val"e of Mhostna!e --fDdnN will be "sed
set7a"ditUV1R0W 'his val"e deter!ines if )nare sho"ld set the a"diting
config"ration for the local !achine.
s#slog$!acilit#=!acilit#
'he )K)L*( facility "sed when sending to a )K)L*(
server.
s#slog$priorit#=priorit#
'he )K)L*( $riority "sed when sending to a )K)L*(
server.
cac%e$si&e='0 - 100000(
'his val"e deter!ines the siEe of the event cacheieC the
n"!ber of events that )nare sho"ld %ee$ if it cannot
reach at least one of the hosts. 'he val"e !"st be
between 0 and 100000. 'his feat"re only a$$ears in
=nter$rise Agents only.
use$utc=1
=nable I': @Iniversal :oordinated 'i!eB. 'his feat"re
only a$$ears in =nter$rise Agents only.
versionU4 A"t"re incl"sion0 )nare version for infor!ational
$"r$oses.
[Remote]
'his section allows yo" to s$ecify settings relating to the
;e!ote :ontrol Interface "sed to control )nare.
allow=[1)0]
'"rn the ;e!ote :ontrol Interface on or off.
listen$port=*1*1
)et a $ort that the )nare for Lin"& agent sho"ld listen on.
accesske#$enabled=on
Password is reD"ired to be set
accesske#=md+password
?d3 chec%s"! of the $assword "sed to $rotect the
e!bedded web server
restrict$ip$enabled=0
;estrict the ;e!ote :ontrol Interface to an IP.
restrict$ip=1.,.-..
IP address of a syste! that is "sed to re!otely control
the agent. All reD"ests fro! other syste!s will be
dro$$ed.
[/utput]
4y defa"lt if no o"t$"t section e&ists within the
config"ration file the a"dit dae!on will not send any
data to anywhere. *therwise a"dit events will be sent to
all valid destinations s$ecified in the *"t$"t section. As
s"ch events can be sent to one or all of a file or to a
re!ote networ% destination
!ile=/!ull#/0uali!ied/!ile/name
'he a"dit dae!on will send data to the f"lly D"alified
filena!e. 'he director( !"st e&ist. 'he fi"e will be
created if it doesnFt e&ist. =.g
!ile=/"ar/log/!ilewatc%.log
network=%ostname1port1protocol1
!ormat
<ata will be sent to the re!ote host and networ% $ort
s$ecified here. A"dit data can be sent to a re!ote
syste! "sing the 234 or 54 $rotocol. ))L !ay also be
"sed to indicate an encry$ted ':P connection. Aor!at
!ay be either 678R9 or 6:6;/<. =.g
network/utput0=10.1.1.-01*1*11541678R9
[;inux]
audit$bu!!ersi&e=-*0 8d=ustment o! audit bu!!ers i! re0uired to
a"oid causing a too %ea"# audit load on
#our s#stem. 5o be added to t%e Remote
ontrol >nter!ace as a setting in t%e
!uture release o! "ersion +.0 o! t%e 6nare
!or ;inux agent.
[/b=ecti"es]
'his section describes the for!at of the ob,ectives.
*b,ectives are co!$osed of0
1. :riticality - an integer between 0 and 4 that
indicates the severity of the event. 0 is
FclearF 4 is XcriticalN. Any integer less than 0
will ca"se the line to be re,ected.
2. 'he event - this !"st either corres$ond to
a valid syscall event or a series of events
se$arated by co!!as and !ay be
s"rro"nded with ro"nd brac%ets @B. #ote
that the e!bedded web server will convert
the generic Xgro"$sX in the A"dit
:onfig"ration window to the reD"ired
events. Aor e&a!$le the abstracted gro"$
FAd!inistrative =ventsF will res"lt in the
event entry0
FeventU@re1oot,settimeofda(,c"oc54settime,
setdomainname,sethostnameBF
being written.
6. ;et"rn L either )"ccess Aail"re or O to
indicate both )"ccess and Aail"re
4. Iser L 'he "sers@sB to watch. 'his can be a
single "ser a list of "sers se$arated with
co!!as or O to indicate all "sers
3. !atch L An o$tional string to !atch. 'his
can be either a string literal a reg"lar
e&$ression or .O to indicate all events
#ote that whites$ace will be tri!!ed fro! the start and
end of ite!s.
criticalit#=1 e"ent=exec"e
return=6uccess user=maria
matc%=/sbin
;e$ort at criticality level 1 whenever the "ser F!ariaF
atte!$ts to e&ec"te a binary within 2sbin
criticalityU0 for :lear @ordinary sec"rity levelB 1
for Infor!ation , for 5arning - for Priority . for
:ritical.
)hown below is an e&a!$le /etc/audit/snare.conf file. It is an e&a!$le file only and sho"ld #*' be
"sed for o$erational $"r$oses. It has been incl"ded to de!onstrate the %ey conce$ts of for!"lating
a snare.conf file as disc"ssed above.
(xa",le 2ersion 4.0 snare.conf file
?5%is is a comment line wit% no leading spaces
[on!ig]
clientname=
set$audit=1
cac%e$si&e=10000
use$utc=0
s#slog$!acilit#=1
s#slog$priorit#=+
[;inux]
audit$bu!!ersi&e=-*0
? 54 and multiple network entries onl# allowed b# t%e 9nterprise agent
[/utput]
network/utput0=10.1.1.-01*1*11541678R9
network/utput1=10.1.1..*1+1.123416:6;/<
!ile=/"ar/log/!ilewatc%.log
[Remote]
allow=1
accesske#$enabled=on
restrict$ip= 1,@.0.0.1
listen$port=*1*1
accesske# = +-*+1+bA@1,1.c*1,1@ae.,!a!+*+ed,
restrict$ip$enabled=0
[/b=ecti"es]
criticalit#=0 matc%=BB e"ent=exec"eC!orkCexitCkillCtkillCtgkill
criticalit#=. e"ent=execCexec"e return=6uccess user=.* matc%=.*
criticalit#=.
e"ent=open$rcCopen$rtCopen$rtcCopen$wCopen$wcCopen$wtCopen$wtcCopen$rwCopen
$rwcCopen$rwtCopen$rwtcCcreatCmkdirCmknodCxmknodClinkCs#mlinkCrmdirCunlinkC
renameCtruncateC!truncate return=6uccess user=.* matc%=.*
criticalit#=. e"ent=connectCs%utdownCsetsockopt return=6uccess
user=.* matc%=.*
criticalit#=.
e"ent=setgroupsCsetpgrpCsetuidCsetgidCseteuidCsetegidCsetauidCsetreuidCsetr
egidCsetuidCosetpgrp return=6uccess user=.* matc%=.*
criticalit#=.
e"ent=c%modC!c%modCc%ownC!c%ownCmctlC!cntlClc%ownCaclsetC!aclset
return=6uccess user=.* matc%=.*
criticalit#=.
e"ent=loginClogoutCtelnetCrloginCsuCrexecdCpasswdCrexdC!tpdCadmin$aut%entic
ateCss% return=6uccess user=.* matc%=.*
[Datc%]
criticalit#=1 matc%=B.*user01.*B pat%=/etc/test perms=waxr
A,,endix 3 1 (vent Out,ut )or"at
'he )nare dis$atcher receives data fro! the native Lin"& a"dit s"bsyste!.
'he native a"dit dae!on re$orts data in s"ch a way that0
It is F$rogra!!aticallyF diffic"lt to deter!ine how !any FlinesF !a%e "$ an a"dit event. )o!e
lines can be re$eated with slightly different val"es.
Ko" can have !"lti$le identical to%ens for an event @e.g. two M$athUN to%ensB
=vent lines !ay be interleaved @i.e. yo" !ight get two lines fro! event T 1000 then one line
fro! event T 1001 then another line fro! event T 1000B.
)o!e filena!e characters are translated into their H=> eD"ivalents which will !a%e
!atching filena!es diffic"lt.
)nare for Lin"& "ses an internal cache to a!alga!ate all lines relating to an individ"al event into
Mone line $er eventN for!at once a$$ro$riate filtering2event selection has ta%en $lace. An event
will loo% li%e this once $rocessed by )nare0
localhost.localdomain LinuxKAudit 2 event,execve,Jun 20 06:10:03
sequence,34"1 uid,4246!2",un#no$n euid,0,%oot &id,0,%oot
e&id,0,%oot p%ocess,,'s-in'auditctl %etu%n,0,/es name,null
exe,'s-in'auditctl success,/es %etu%n,0 s/scall,11,execve uid,un#no$n
euid,%oot &id,%oot e&id,%oot a%ch, name,null a0,,0ca!0, a1,,0ca,0
a2,,0ca,a, a3,0 items,2 ppid,2404! pid,240"1 uid,0 suid,0 0suid,0
s&id,0 0s&id,0 tt/,none comm,auditctl #e/,o-1+0+0 a0,'s-in'auditctl
a1,+v c$d,' item,0 inode,3!!"1 dev,03:02 mode,0100!"0 ouid,0 o&id,0
%dev,00:00 item,1 inode,1!644 dev,03:02 mode,0100!"" ouid,0 o&id,0
%dev,00:00
)nare for Lin"& $resents the infor!ation in a series of to%en2data gro"$s. 'hree different field
se$arators are "sed in order to facilitate follow-on $rocessing - 'A4) se$arate Fto%ensF :*??A)
se$arate data within each to%en. A Fto%enF is a gro"$ of related data co!$rising a FheaderF and a
series of co!!a se$arated fields which !a%e "$ data that relates to the header. =&a!$les of
to%ens fro! the above event incl"de0
s/scall,11,execve
's-in'auditctl
Inter)ect Alliance -"ne 2014 Page 2. of 2. /ersion 4.0

Guide To Snare For Linux-4.0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Guide To Snare For Linux-4.0

Uploaded by

Copyright:

Available Formats

Guide to

Snare for Linux

You might also like