Snare. The world standard for effectively gathering and filtering IT-event data for critical security monitoring, analysis, auditing and archiving.
Snare Agents capture and immediately send the collected event logs to the Snare Server, a third party SIEM or a Syslog server for central storage and reporting.
Snare Agents will run on your server or desktop system to capture all relevant system or application audit logs. You can filter and refine the logging collection to capture all IT network security or application events that you have defined to be relevant to your business operation and to help with compliance to your security policy. The agents capture and immediately send the collected event logs to the Snare Server, ArcSight, LogLogic, LogRhythm, Splunk, RSA or other third party SIEM or a Syslog server for central storage and reporting. There are many Snare Enterprise Agents solutions which are each designed for a specific technology platform and provide you with an extensive range of crucial options.
There are extensive capabilities that can be utilised to assist businesses with internal security audits and for compliance with a wide range of security standards such as PCI DSS, HIPPA, SOX, NISPOM, California SB, US Patriot Act, Australian ISM, GLBA, DCID, DIAM, DDS, Danish Standard DS-484, ISO 27001/2 and Massachusetts 201 CMR.
There is also a limited version of this agents software, known as the Snare OpenSource Agent (OSA). As you would expect, this software does not enjoy ongoing supplier support and continuing development or feature enhancement and does not deliver many of the more advanced capabilities of its Enterprise version counterpart. It is strongly advised that the OSA should not be used in production as this version does not adhere to compliance regulations, or offer sufficient protection for your IT assets and corporate data and identity.
To view some of these principal functionality distinctions see the table that contrasts the two Snare Agent editions.
In a moment we will present some real specifics in terms of the wide array of individual Snare Agent options that are currently available for use with Windows, UNIX, Linux, Solaris, OSX and MSSQL. Snare Epilog also supports a wide variety of log formats from any text application log file as well as many well-known applications such as Apache, IIS and ISA. But just before that …
What differentiates Snare?
- As we’ve already noted, the Snare Agents can readily work with other SIEMS and Syslog servers. So if you already have Agent software, the investment in that is preserved. Plus, you can dynamically change from your present SIEM server to an alternative should future circumstances dictate such a move. So you are also ‘future proofed’.
- The agents are ultra-lightweight in terms of memory requirements (less than 20Mb of Ram) and CPU demands (less than 5% of host on an average system deployment).
- Snare gives the ability to filter and forward defined information in real time.
- You are afforded smart TCP and Smart caching (and UDP for when its needed).
- Where you require security for the transmission of the log information, the agents can use the industry standard SSL/TLS protocol to encrypt the log information to keep it safe from prying eyes
- Advanced Events per Second (EPS) rate limiting and event throttling controls. The Windows agents all support a customer event rate per second control to allow you to manage the event rates from systems over slow or low bandwidth sites.
- File Integrity Monitoring. The Snare Agents support file and directory monitoring to allow you to track all activity of your critical operating system and application files.
- USB and mounted file systems. Both the Unix and Windows Snare Agents allow desktop and servers to be monitored for any unauthorised connection of USB drives such as USB memory stick, smart phones, stand alone and powered USB hard drives as well as mounting of remote file systems.
- If necessary, you can work with military grade unidirectional data-diodes to bring data from areas of low classification/trust, up to collection systems of high classification/trust.
- Snare has a high level of granularity for parsing, filtering etc. That is, Snare Agents enable you to find and filter on specific event ids or events, across multiple platforms (e.g. 2003, 2008, 2012) at the agent level. Or at a level of abstraction e.g. (failed sign on) for ease of use. Without this, you may end up forcing your SIEM server into overtime with all the ‘noise’ you send it, bumping up license fees, slowing down performance or necessitating a stepping stone to a tiered collection model.
- Snare is easy to install with the integrated installer or you can create your own custom MSI for all Windows platforms (32 bit 64 bit, 2003, 2008, 2012 etc) for ease of deployment and include all of your own system settings.
- You can manage and administer the agents individually, local regedits, via the web GUI locally or remotely or by the Snare Agent Management Console.
- The Windows agents all support Active Directory Group policy configuration management for centralised control of all settings. This can be achieved via a Super Group Policy or by an Agent Policy for each agent type being Snare for Windows, Snare Epilog or Snare for MSSQL.
- You are given broad coverage with agents for operating systems, agents for file contents and agents for DBMS activity.
- Snare uses dynamic DNS names for 24×7 operation and allows you to provide automatic failover to an alternate Snare Server or SIEM collection system in the event of hardware or site failure.
- The Snare Agents provide ‘heartbeats’ to log details on the agent’s health and to allow the tracking that all systems are up and running.
- Provides time-zone normalization and UTC format for sites that need to collect logs from multiple time zones.
What technology does Snare work with?
Click each heading for more information
Operating System Agents
Snare for Windows provides front end filtering, remote control, and remote distribution for Windows eventlog data. Snare for Windows interfaces into the Windows EventLog / Windows auditing subsystem. It can be used as a standalone event log auditing tool, or can send data to the Snare Server, or a SYSLOG server, for analysis and storage. More Details
As regular users of the Linux operating system, the team at InterSect Alliance believe that one of the key missing features that is holding Linux back from deployment in large organisations, particularly those with significant security requirements, is the availability of host based intrusion detection systems – ie: system auditing or event logging facilities. Snare for Linux provides a ‘C2′ or ‘CAPP’ style audit subsystem for the Linux operating system. It can be used as a standalone auditing tool for Linux, or can send data to the Snare Server for analysis and storage. More Details
Snare for Solaris provides front end filtering, remote control, and remote distribution for Solaris audit data, interfacing with the underlying C2/ CAPP-style Sun “Basic Security Module”. Snare for Solaris can be used as a standalone auditing tool, or can send data to the Snare Server for analysis and storage. More Details
Snare for OSX enhances the platform by making use of the TrustedBSM auditing framework to provide remote control, and remote distribution of OSX audit data for Apple MAC products. Able to be used stand alone as an auditing tool or in conjunction with Snare Server for remote analysis and storage, Snare for OSX makes use of the latest in encryption to help provide PCI compliance for your business.More Details
File Format Agents
Epilog for Windows is a program that facilitates the central collection and processing of Windows text-based log files. Epilog for Windows also supports date stamped log files such as IIS, ISA, SMTP and Exchange message tracking logs. Log information is converted to tab delimited text format, then delivered over UDP to a remote server. More Details
Snare Epilog for UNIX text files provides a remote distribution facility for any text based log files and is currently available for the Solaris and Linux operating systems. SnareApache and SnareSquid are plugins for Epilog to specifically target Apache and Squid logs respectively. Please see the User Guide for more information. More Details
Snare for MSSQL allows events generated by Microsoft SQL Server to be forwarded to a remote audit event collection facility. Please see the User Guide for more information. More Details
The Snare Agent for the Chrome web browser (Snare for Chrome), is a browser extension that provides event logging functionality. The Snare Agent tracks browser activity, cookie modifications, and browser configuration changes. The agent pushes the log data to a central Snare Server appliance for collection, analysis, archive and reporting. More Details
Snare Agent for Firefox is a browser add-on that monitors web requests made by your browser and cookie activity by remote web sites, and sends the results to a central server for collection and analysis. More Details
The OpenSource Agent can be downloaded here.