News
Snare for Windows - Snare for Windows Version 3.0.0 is now available. This new version fixes some bugs noticed on some Windows OS versions.
NISPOM and PCI - An appendix to the Snare Server User's Guide now contains guidance on how to comply with NISPOM and the PCI Data Security Standard.
Snare Server Version 4.2.1 is now available. This new version includes a single CD installation for all packages and the OS.
Stats on the agent downloads and visits to our web server are available from Statistics.

The team at InterSect Alliance has experience with auditing and
intrusion detection on a wide range of platforms, such as Solaris,
Windows 2000/NT/XP/2003, Novell Netware, AIX, and even MVS (ACF2/RACF), and in
IT security for a wide range of businesses, such as National Security and Defence
Agencies, Financial Service firms, Government Departments and Service
Providers.
This background gives us an insight into how to effectively
deploy host and network intrusion detection systems that support and enhance
an organisation's business goals.
As long-term users of the Linux operating system, we believe that
one of the key missing features that can hold Linux back from deployment
in organisations with basic security requirements is
system auditing or event logging facilities.
As such, the InterSect Alliance team is trying to bring a comprehensive
C2-style logging system to Linux, ideally without impacting those users who
do not have a requirement for auditing and logging.
The project is called 'SNARE for Linux' (SNARE stands for System
iNtrusion Analysis & Reporting Environment), and like many of our
other Snare Agent tools, is available under the terms of the GNU Public License.
Snare is currently used by hundreds of thousands of individuals,
and organisations worldwide. Snare for Linux is used by many large Financial,
Insurance, Healthcare, Defence, AeroSpace, and Intelligence organisations to
meet elements of local and federal security requirements, such as:
InterSect Alliance welcome your support, comments, and contributions. Our contact details are
available from our contact page.

Main Window

Defining an objective

Gnome 2 GUI, and the Remote Management Server
NOTE: Snare 0.9.8 has now been released, and we have started the process of building easy-to-install binary kernel RPMs for some of the key distributions. If you're interested in helping out, and know your way around your distribution's kernel, please let us know!

Redhat Enterprise Linux 4 (Version 0.9.8)
Kernel: Install one of the following kernels using 'rpm -ivh':
Audit Daemon: Install one of the following snare-core packages using 'rpm -Uvh':
Source Files: The following files are optional, and are only required if you wish to rebuild Snare, or need to install custom kernel modules/drivers:

Redhat Enterprise Linux 3 (Version 0.9.8)
Kernel: Install one of the following kernels using 'rpm -ivh':
Audit Daemon: Install one of the following snare-core packages using 'rpm -Uvh':
Source Files: The following files are optional, and are only required if you wish to rebuild Snare, or need to install custom kernel modules/drivers:

Fedora Core 2 (Version 0.9.8)
Kernel: Install one of the following kernels using 'rpm -ivh':
Audit Daemon: Install one of the following snare-core packages using 'rpm -Uvh':
Source Files: The following files are optional, and are only required if you wish to rebuild Snare, or need to install custom kernel modules/drivers:

Redhat 9 (Version 0.9.8)
Kernel: Install one of the following kernels using 'rpm -ivh':
Audit Daemon: Install one of the following snare-core packages using 'rpm -Uvh':
Source Files: The following files are optional, and are only required if you wish to rebuild Snare, or need to install custom kernel modules/drivers:

Fedora Core 3 (Version 0.9.7)
Kernel: Binary kernel RPMs are available from Jonathan Abbey's UTexas site.
Audit Daemon: snare-core-0.9.7-1.i386.rpm available from UTexas.

Debian Sarge (Version 0.9.7)
Kernel: Debian Sarge kernel patch, and binary kernel packages, are available from Eric's site. Note that the Debian patch file will apply to most modern 2.4-based kernels.
2.6.12 kernel patch. Thanks to Alec Dawson and Eric Meyers from Pratt and Whitney Rocketdyne, and to Eric Malkowski, for their contributions.
Audit Daemon: snare-core-0.9.7 daemon
Audit GUI: GUI for 0.9.7 not available at this time. We recommend using the micro-web server embedded in the snare audit daemon.

Ubuntu (Version 0.9.7)
Kernel: Ubuntu 5.10 (Breezy) kernel packages are available from the web site of Doug Henry.
Audit Daemon: snare-core-0.9.7-1 daemon

Source

Source Code
Kernel:
Version 0.9.7 patch against linux-2.6.11.7 (Thanks to Mike Fecina @ PSU)
Version 0.9.6 patch against SuSE 9.1 - 2.4.21 (Thanks to Fred Beck @ NGC)
Instructions for getting SuSE 9.1 and SNARE to play nicely together have been provided by Clif Flynt of Noumena Corp. Click here for more information.
Audit Daemon:
snare-core-0.9.8.tar.gz
snare-core-0.9.8-1.src.rpm

Older versions of Snare are available from our Download Archive section. More information on these files is available from our old snare page.
Like to keep up to date with Snare releases? Sourceforge offer an email notification service that will send you an email each time we release a new version of Snare. Click here to set this up.
SNARE is divided into three key components:
The Kernel changes
In order to collect event log data, Snare needs to add auditing support into the operating system. You can choose to either install a binary version of the kernel, with Snare already integrated, or you can apply a 'patch' to your kernel source.
Although we try hard to make Snare as easy to install as possible, there are hundreds of different distributions and kernel versions, and it would be an immense task to build Snare for each variant. We are hoping that recent efforts towards creating a native auditing subsystem for Linux will soon mean that the kernel component of the Snare for Linux agent will no longer be required.
The Snare Audit Daemon
The Snare audit daemon acts as an interface between the Linux kernel and the security administrator. It allows you to turn on events, filter the output, and potentially push audit log information back to a central location for collection, analysis and archival.
The Snare Micro-Web Server
The Snare Micro-Web Server is embedded in the audit daemon, and provides a very simple configuration capability that can be managed from your web browser.
To enable the micro-web server, please add the following to your /etc/audit/snare.conf file, and restart snare (/etc/init.d/snare restart):
[Remote]
allow=1
listen_port=6161
We recommend that you configure a password for the remote control capability the first time you connect.
The Sourceforge development website shows support for the open source development community by providing SNARE with a home away from home, and Snare support forums.
Jonathan Abbey, of Applied Research Laboratories, University of Texas, Austin has been working hard on optimising the Snare audit daemon, and has succeeded in an order-of-magnitude speedup in audit objective matching and reporting. Jonathan's changes will be making an appearance in Snare 0.9.6. The University of Texas also greatly assists the Snare project by building and distributing binary kernel RPMs for key Redhat systems.
Aaron Laffin, of Silicon Graphics Inc. has integrated Snare into the SGI Altix series of products, and in doing so, has provided a series of additions to the Snare Kernel that have contributed significantly to performance and stability.
Eric Malkowski has contributed some great work coming up with the changes required to get Snare working on Debian Sarge, including creating kernel patches, binaries for the audit daemon, and the creation of kernel binary packages.
Mark Westerman of Westcam, Inc has been doing some great things with the in-kernel components of Snare, adding the code to make better use of kernel memory, and ferreting out SMP problems, amongst other significant improvements.
Documentation on SNARE is incorporated within the packages above, and is also available from our Resources page.
If you would like to utilise the Snare PATCH file for development purposes, or to build your own kernel, basic instructions are available here.
Having trouble building third party modules (such as video drivers) with Snare? Try installing the kernel-devel RPM from your Redhat/Fedora CDs (Thanks to Bill Gressett of Lockheed).
Jonathan Abbey has written some fantastic guidelines on how to build a Redhat
kernel that includes Snare: Redhat Kernel building instructions.
InterSect provides commercial Snare Agent support for our Snare Server customers, but we're always happy to help out via the Snare Sourceforge Forum.

Snare Server
The Snare Server builds on the success of our Open Source audit & event log agents. When used in combination, our Snare agents and Server provide a robust and effective resource for event log management.
Snare Server Snort Report: This link will take you to a small report exported from our Snare Server, that shows attacks against our website.