InterSect [InterSect Swish]
Search Our Site
  Enter Search Terms
News
Solutionary

IAI is very proud to announce that Solutionary has selected Snare as their technology partner for the ActiveGUARD managed service platform.
InterSect Alliance International

As some are already aware, InterSect Alliance was recently purchased by Prophecy International, and is now InterSect Alliance International Pty Ltd. More good news to come.
[Snare Logo]

The team at InterSect Alliance has experience with auditing and intrusion detection on a wide range of platforms such as - Solaris, Windows 2000/NT/XP/2003, Novell Netware, AIX, even MVS (ACF2/RACF); and within a wide range of IT security in businesses such as - National Security and Defence Agencies, Financial Service firms, Government Departments and Service Providers.

This background gives us an insight into how to effectively deploy host and network intrusion detection systems that support and enhance an organisation's business goals.

As long term users of the Linux operating system, we believe that one of the key missing features that can hold Linux back from deployment in organisations with basic security requirements, is the availability of system auditing or event logging facilities.

As such, the InterSect Alliance team is trying to bring a comprehensive C2-style logging system to Linux, ideally without impacting those users who do not have a requirement for auditing and logging.

The project is called 'SNARE for Linux' (SNARE stands for System iNtrusion Analysis & Reporting Environment), and like many of our other Snare Agent tools, is available under the terms of the GNU Public License.

Snare is currently used by hundreds of thousands of individuals, and organisations worldwide. Snare for Linux is used by many large Financial, Insurance, Healthcare, Defence, AeroSpace, and Intelligence organisations to meet elements of local and federal security requirements, such as:

InterSect Alliance welcome your support, comments, and contributions. Our contact details are available from our contact page.


Screen Shots


Main Window


Defining an objective


Gnome 2 GUI, and the Remote Management Server


Download
NOTE: Snare 0.9.8 has now been released, and we have started the process of building easy-to-install binary kernel RPMs for some of the key distributions. If you're interested in helping out, and know your way around your distributions' kernel, please let us know!

Redhat Enterprise Linux 4

(Version 0.9.8)		 Kernel Install one of the following kernels using 'rpm -ivh':
Audit Daemon Install one of the following snare-core packages using 'rpm -Uvh':
Source Files The following files are optional, and are only required if you wish to rebuild Snare, or need to install custom kernel modules/drivers:
Redhat Enterprise Linux 3

(Version 0.9.8)		 Kernel Install one of the following kernels using 'rpm -ivh':
Audit Daemon Install one of the following snare-core packages using 'rpm -Uvh':
Source Files The following files are optional, and are only required if you wish to rebuild Snare, or need to install custom kernel modules/drivers:
Fedora Core 2

(Version 0.9.8)		 Kernel Install one of the following kernels using 'rpm -ivh':
Audit Daemon Install one of the following snare-core packages using 'rpm -Uvh':
Source Files The following files are optional, and are only required if you wish to rebuild Snare, or need to install custom kernel modules/drivers:
Redhat 9

(Version 0.9.8)		 Kernel Install one of the following kernels using 'rpm -ivh':
Audit Daemon Install one of the following snare-core packages using 'rpm -Uvh':
Source Files The following files are optional, and are only required if you wish to rebuild Snare, or need to install custom kernel modules/drivers:
Fedora Core 3

(Version 0.9.7)		 Kernel Binary kernel RPMs are available from Jonathan Abbey's UTexas site.
Audit Daemon snare-core-0.9.7-1.i386.rpm available from UTexas.
Debian Sarge

(Version 0.9.7)		 Kernel Debian Sarge kernel patch, and binary kernel packages, are available from Erics' site
Note that the debian patch file will apply to most modern 2.4-based kernels.
2.6.12 kernel patch
Thanks to Alec Dawson and Eric Meyers, from Pratt and Whitney Rocketdyne and Eric Malkowski for their contributions
Audit Daemon snare-core-0.9.7 daemon
Audit GUI GUI for 0.9.7 not available at this time. We recommend using the micro-web server embedded in the snare audit daemon.
Ubuntu

(Version 0.9.7)		 Kernel Ubuntu 5.10 (Breezy) kernel packages, are available from the web site of Doug Henry.
Audit Daemon snare-core-0.9.7-1 daemon

Source

Source Code Kernel Version 0.9.7 patch against linux-2.6.11.7
Thanks to Mike Fecina @ PSU

Version 0.9.6 patch against SuSE 9.1 - 2.4.21 (Thanks to Fred Beck @ NGC)
Instructions for getting SuSE 9.1 and SNARE to play nicely together have been provided by Clif Flynt of Noumena Corp. Click here for more information.
Audit Daemon snare-core-0.9.8.tar.gz
snare-core-0.9.8-1.src.rpm

Older versions of Snare are available from our Download Archive section.
More information on these files is available from our old snare page.

Like to keep up to date with Snare releases? Sourceforge offer an email notification service that will send you an email each time we release a new version of Snare. Log in to sourceforge using an existing OpenID compatible account, then jump to the Snare tracker page, and hit the 'Monitor' button, to set this up.

Details

SNARE is divided into three key components:
  • The Kernel changes
    In order to collect event log data, Snare needs to add auditing support into the operating system. You can choose to either install a binary version of the kernel, with Snare already integrated, or you can apply a 'patch' to your kernel source.

    Although we try hard to make Snare as easy to install as possible, there are hundreds of different distributions and kernel versions, and it would be an immense task to build Snare for each variant. We are hoping that recent efforts towards creating a native auditing subsystem for linux will soon mean that the kernel component of the Snare for Linux agent, will no longer be required.


  • The Snare Audit Daemon
    The Snare audit daemon acts as an interface between the Linux kernel, and the security administrator. It allow you to turn on events, filter the output, and potentially push audit log information back to a central location for collection, analysis and archival.

  • The Snare Micro-Web Server
    The Snare Micro-Web Server, is embedded in the audit daemon, and provides a very simple configuration capability that can be managed from your web browser.

    To enable the micro-web server, please add the following to your /etc/audit/snare.conf file, and restart snare (/etc/init.d/snare restart): 
    [Remote]
        allow=1
        listen_port=6161
    We recommend that you configure a password for the remote control capability the first time you connect.


    The Sourceforge development website shows support for the open source development community by providing SNARE with a home away from home, and Snare support forums.

    SourceForge.net Logo
    Jonathan Abbey, of Applied Research Laboratories, University of Texas, Austin has been working hard on optimising the Snare audit daemon, and has succeeded in an order-of-magnitude speedup in audit objective matching and reporting. Jonathan's changes will be making an appearance in Snare 0.9.6. The University of Texas also greatly assist the Snare project by building and distributing binary kernel RPMs for key Redhat systems.

    University of Texas - ARLUT Logo
    Aaron Laffin, of Silicon Graphics Inc. has integrated Snare into the SGI Altix series of products, and in doing so, has provided a series of additions to the Snare Kernel that have contributed significantly to performance and stability.

    Silicon Graphics Inc.
    Eric Malkowski has contributed some great work coming up with the changes required to get Snare working on Debian Sarge, including creating kernel patches, binaries for the audit daemon, and the creation of kernel binary packages.

    Mark Westerman of Westcam, Inc has been doing some great things with the in-kernel components of Snare, adding the code to make better use of kernel memory, and ferreting out SMP problems, amongst other significant improvements.


    Documentation

    Documentation on SNARE is incorporated within the packages above, and is also available from our Resources page.

    If you would like to utilise the Snare PATCH file for development purposes, or to build your own kernel, basic instructions are available here.

    Having trouble building third party modules (such as video drivers) with Snare? Try installing the kernel-devel RPM from your Redhat/Fedora CDs (Thanks to Bill Gressett of Lockheed).

    Jonathan Abbey has written some fantastic guidelines on how to build a Redhat kernel, that includes Snare: Redhat Kernel building instructions

    InterSect provides commercial Snare Agent support for our Snare Server customers, but we're always happy to help out via the Snare Sourceforge Forum.

    • Snare Server
    With its' origins in open source software, the Snare Server from InterSect Alliance provides a central collection, analysis, reporting and archival tool for a very wide variety of log formats.

    Click here for more information
    Snare Demonstration

    Snare Introduction

    Snare Agents

    Snare Server
    Click on a video above, to find out more about Snare and to access the Snare Demonstration Server
    Copyright (c) 1999-2013 InterSect Alliance Pty Ltd