The team at InterSect Alliance has experience with auditing and intrusion detection on a wide range of platforms (Solaris, Windows 2000/NT/XP/2003, Novell Netware, AIX, even MVS with ACF2/RACF) and across a wide range of IT security environments, including National Security and Defence Agencies, Financial Service firms, Government Departments and Service Providers.
This background gives us an insight into how to effectively deploy host and network intrusion detection systems that support and enhance an organisation's business goals.
As long-term users of the Linux operating system, we believe that one of the key missing features holding Linux back from deployment in organisations with basic security requirements is the availability of system auditing and event logging facilities.
As such, the InterSect Alliance team is trying to bring a comprehensive C2-style logging system to Linux, ideally without impacting those users who do not have a requirement for auditing and logging.
The project is called 'SNARE for Linux' (SNARE stands for System iNtrusion Analysis & Reporting Environment), and like many of our other Snare Agent tools, is available under the terms of the GNU Public License.
InterSect Alliance welcome your support, comments, and contributions. Our contact details are available from our contact page.
More information on these files is available from our old snare page.
Like to keep up to date with Snare releases? SourceForge offers an email notification service that will send you an email each time we release a new version of Snare. Log in to SourceForge using an existing OpenID-compatible account, then jump to the Snare tracker page and hit the 'Monitor' button to set this up.
SNARE is divided into three key components:
In order to collect event log data, Snare needs to add auditing support into the operating system. You can choose to either install a binary version of the kernel, with Snare already integrated, or you can apply a 'patch' to your kernel source.
Although we try hard to make Snare as easy to install as possible, there are hundreds of different distributions and kernel versions, and it would be an immense task to build Snare for each variant. We are hoping that recent efforts towards creating a native auditing subsystem for Linux will soon mean that the kernel component of the Snare for Linux agent will no longer be required.
The Snare audit daemon acts as an interface between the Linux kernel and the security administrator. It allows you to turn on events, filter the output, and optionally push audit log information to a central location for collection, analysis and archival.
The Snare Micro-Web Server is embedded in the audit daemon, and provides a very simple configuration capability that can be managed from your web browser.
To enable the micro-web server, please add the following to your /etc/audit/snare.conf file, and restart snare (/etc/init.d/snare restart):
[Remote]
allow=1
listen_port=6161

We recommend that you configure a password for the remote control capability the first time you connect.
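As an added example (not code from the Snare project), the following Python check parses the INI-style snare.conf shown above and flags a [Remote] section that enables the micro-web server without a password, which is the state the recommendation above warns about. The two configuration fragments are constructed samples; the name of the password key (here `accesskey`) is an assumption and should be replaced with whatever your Snare version documents.

```python
import configparser

# Constructed sample snare.conf fragments (not taken from the Snare project).
# WEAK_CONF enables the micro-web server exactly as in the snippet above,
# but sets no password; HARDENED_CONF adds one.
WEAK_CONF = """
[Remote]
allow=1
listen_port=6161
"""

HARDENED_CONF = """
[Remote]
allow=1
listen_port=6161
accesskey=REPLACE_WITH_A_STRONG_PASSWORD
"""

def parse_snare_conf(text):
    """snare.conf is INI-like ([Section] headers, key=value lines)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_remote(text, password_key="accesskey"):
    """Return the remote-control state plus a list of findings.

    password_key is an assumed name for the password setting; adjust it to
    match the key your Snare release actually uses.
    """
    cp = parse_snare_conf(text)
    if not cp.has_section("Remote"):
        # No [Remote] section: the micro-web server is not enabled at all.
        return {"enabled": False, "port": None, "findings": []}

    remote = cp["Remote"]
    enabled = remote.get("allow", "0").strip() == "1"
    port = int(remote.get("listen_port", "6161"))
    findings = []

    if enabled and not remote.get(password_key, "").strip():
        findings.append(
            f"[Remote] allow=1 on port {port} but no {password_key} is set: "
            "the configuration interface is reachable without a password"
        )
    return {"enabled": enabled, "port": port, "findings": findings}

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = check_remote(conf)
        print(label, result)
```

Run it against the real file with `check_remote(open("/etc/audit/snare.conf").read())` after enabling the section; an empty findings list means the remote interface is either disabled or protected by a password under the assumed key name.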
Documentation on SNARE is incorporated within the packages above, and is also available from our Resources page.
If you would like to utilise the Snare PATCH file for development purposes, or to build your own kernel, basic instructions are available here.
Having trouble building third party modules (such as video drivers) with Snare? Try installing the kernel-devel RPM from your Redhat/Fedora CDs (Thanks to Bill Gressett of Lockheed).
Jonathan Abbey has written some fantastic guidelines on how to build a Redhat kernel that includes Snare: Redhat Kernel building instructions
InterSect provides commercial Snare Agent support for our Snare Server customers, but we're always happy to help out via the Snare Sourceforge Forum.
Copyright (c) 1999-2013 InterSect Alliance Pty Ltd