InterSect
News
Solutionary

IAI is very proud to announce that Solutionary has selected Snare as their technology partner for the ActiveGUARD managed service platform.
InterSect Alliance International

As some are already aware, InterSect Alliance was recently purchased by Prophecy International, and is now InterSect Alliance International Pty Ltd. More good news to come.
"Network 'signature-based' intrusion detection is a little like posting a guard outside the bank, and giving them pictures of all the known crooks in the world. He scans the faces of the people walking past, and if he sees a known crook, he signals an alarm.

Host-based intrusion detection is like someone watching the gold bars in the vault to make sure they're still there."
- Leigh Purdie on NewsForge.

The team at InterSect Alliance have experience with auditing and intrusion detection on a wide range of platforms (Solaris, Windows NT, Windows 2000, Novell Netware, AIX, even MVS with ACF2/RACF), and across a wide range of IT security environments: national security and defence agencies, financial services firms, government departments and service providers.

This background gives us a unique insight into how to effectively deploy host and network intrusion detection systems that support and enhance an organisation's business goals.

As long-term users of the Linux operating system, we believe that one of the key missing features holding Linux back from deployment in large organisations, particularly those with significant security requirements, is a host-based intrusion detection capability, i.e. system auditing and event logging facilities.

As such, the InterSect Alliance team are working to bring a comprehensive C2-style audit logging system to Linux, ideally without impacting those users who have no requirement for auditing and logging.
The overall project is called 'SNARE for Linux' (SNARE stands for System iNtrusion Analysis & Reporting Environment). The team at InterSect Alliance are releasing Snare for Linux under the terms of the GNU General Public License (GPL).

InterSect Alliance welcome your support, comments, and contributions. Our contact details are available from our contact page.

Screen Shots

  • Main Window
  • Defining an objective

Download

SNARE is divided into two components, the snare-core package and the snare GUI.
Both components are open source, and are licensed under the GNU General Public License (GPL).
The snare-core package includes the SNARE audit kernel module and the audit daemon.
The snare package provides the SNARE graphical user interface.

Due to the nature of Linux modules, the binary versions of the snare-core package are kernel version specific. Binary packages are provided for recent Redhat kernels. Users with different kernel versions will need to recompile snare-core from either the source RPM, or the supplied tar.gz file.

Users of very recent kernels, particularly 2.4.20 and above (e.g. Redhat 9), will not be able to use the Snare kernel module: these kernels no longer export the system call table, so the module has no supported way to intercept system calls. These users may wish to try the Snare kernel patch (see below), which is currently in development.

Files available for download:

SNARE development is hosted on SourceForge, which also provides the Snare support forums.



Post-Release Notes

SMP/Multiprocessor Users:

    Although the latest snare module release has brought reports of significantly improved stability on SMP machines, the loadable module is still likely to cause problems on multi-processor hosts, because of the way system-call interception and locking have been implemented.

    Reports from users so far indicate that the newer kernel-based version (as opposed to the loadable module) is stable on SMP machines.

Redhat 9 / 2.4.20+ users:

    The 'trick' we used to get Snare running on Redhat 8 is no longer available in kernel 2.4.20. As such, users of Redhat 9, or of other distributions that use kernel 2.4.19 or above (except SuSE, which still exports sys_call_table), may wish to modify and recompile their kernel to re-export the system call table.
    Not for the faint-hearted, but you can add the following lines to /usr/src/linux*/kernel/ksyms.c:
      #ifndef __mips__
      EXPORT_SYMBOL(sys_call_table);
      #endif
    - Then comment out the #define HIDDEN_SYS_CALL_TABLE line within Snare's auditmodule.c, so that the module uses the exported symbol instead of searching for the table itself.
    Bear in mind that an exported sys_call_table is visible to every module the kernel loads, not only to Snare; any module loaded by root can hook system calls through it in exactly the same way.

    An easier option would be to grab the latest redhat 9 kernel RPMs from the University of Texas, discussed above.
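The two source edits in the note above can be scripted so they are checked and applied only once. The following POSIX sh helpers are an added example, not part of Snare or of the kernel tree. They take file paths as arguments so they can be exercised on copies; the /proc/ksyms line format (address, then symbol name, optionally with a CONFIG_MODVERSIONS _R<checksum> suffix) and the choice to append the export lines at the end of ksyms.c are assumptions stated in the comments; the page does not say where in ksyms.c the lines belong.

```shell
#!/bin/sh
# Added example (not Snare's own code): helpers for the sys_call_table
# re-export procedure. Every path is an argument so the functions can be
# tried on copies before a real kernel tree is touched.
#
# Usage (hypothetical paths):
#   . ./snare_sct.sh
#   syscall_table_exported /proc/ksyms && echo "table already exported"
#   export_syscall_table /usr/src/linux-2.4/kernel/ksyms.c
#   unhide_syscall_table /path/to/snare-core/auditmodule.c

# Does a /proc/ksyms-style listing ("address symbol") export sys_call_table?
# Assumption: with CONFIG_MODVERSIONS the name carries an _R<checksum> suffix,
# so the prefix is matched rather than the whole word. Exit 0 = exported.
syscall_table_exported() {
    grep -q 'sys_call_table' "$1"
}

# Append the three lines from the note above to kernel/ksyms.c, unless an
# EXPORT_SYMBOL(sys_call_table) is already present (safe to re-run).
# Assumption: end-of-file is an acceptable position; sys_call_table must be
# declared in scope there, otherwise place the lines beside the existing
# EXPORT_SYMBOL entries by hand.
export_syscall_table() {
    ks="$1"
    if grep -q 'EXPORT_SYMBOL(sys_call_table)' "$ks"; then
        return 0
    fi
    cat >> "$ks" <<'EOF'
#ifndef __mips__
EXPORT_SYMBOL(sys_call_table);
#endif
EOF
}

# Comment out the HIDDEN_SYS_CALL_TABLE define in auditmodule.c so the module
# relies on the exported symbol. Only an active "#define ..." line at column 0
# is rewritten, so a line already wrapped in /* */ is left alone (idempotent).
unhide_syscall_table() {
    mod="$1"
    modtmp="$mod.tmp"
    sed 's|^\(#define[[:space:]]\{1,\}HIDDEN_SYS_CALL_TABLE.*\)$|/* \1 */|' \
        "$mod" > "$modtmp" && mv "$modtmp" "$mod"
}

# Number of still-active HIDDEN_SYS_CALL_TABLE defines; 0 means the edit is done.
# (grep -c exits 1 when the count is 0, hence the "|| true".)
hidden_defines_active() {
    grep -c '^#define[[:space:]]\{1,\}HIDDEN_SYS_CALL_TABLE' "$1" || true
}
```

After running the helpers, rebuild the kernel as the note describes, reboot into it, confirm with `syscall_table_exported /proc/ksyms`, and only then rebuild snare-core against the new tree.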

Redhat 7.x / Kernel 2.4.18+ users:

    Users of 7.1, 7.2 and 7.3 who have updated to the latest Redhat kernel can install snare-core 0.9.2. We recommend the following process:

      1) rpm --rebuild snare-core-0.9.2-1.src.rpm
      2) install the resulting i386 rpm with the 'nodeps' flag: rpm -Uvh snare-core-0.9.2-1.i386.rpm --nodeps
        Ignore the warning about GLIBC2_3 - this seems to be a small bug with the RPM dependency checker.
      3) download snare-core-0.9.2.tar.gz, and run 'make clean', then 'make'
      4) copy the new 'auditd' over /usr/sbin/auditd

Documentation

Documentation on SNARE is incorporated within the packages above, and is also available from our Resources page.

SuSE users:
A quick Snare installation 'HOWTO' has been provided by Kylene Smith of IBM US.

Like some more information on Snare? Here are a few links:

  • Ryan Barnett, a SANS instructor and security engineer for RS Information Systems, presented on SNARE at a recent SANS conference (Recommended reading):
    http://www.sans.org/rr/audittech/Ryan_Barnett_AT.pdf

  • The 4N6 (Forensics) project.
    Mike Shea (Canada) has been extending the core functionality to cover a number of additional system calls, including read/write, dup/dup2, kill, clone, fork/vfork and sendfile. He has also optimised and enhanced some of the code inside the daemon.
    The Forensix Project aims to allow a system to be monitored so that, in the event of a security compromise, it is easy to track the compromise back to its source. To facilitate this, the system requires two machines: a potentially insecure "front-line" machine, and a known secure back-end. Information about system calls is stored in a MySQL database on the back-end. 4N6 is built on top of SNARE.
    http://www.cse.ogi.edu/sysl/projects/4N6/

  • InfoWorld: Free, dependable IDS: January 24, 2002
    http://www.infoworld.com/articles/tc/xml/02/01/28/020128tcsnare.xml

InterSect provides commercial support for Snare Agents and the Snare Server, but assistance is also available from the Snare Sourceforge Forum.

Major Contributors

Jonathan Abbey, of Applied Research Laboratories, University of Texas, Austin.
  • Jonathan has been working hard on optimising the Snare audit daemon, and has achieved an order-of-magnitude speedup in audit objective matching and reporting. Jonathan's changes will appear in Snare 0.9.6.

Mark Westerman, of Westcam, Inc.
  • Mark has been doing some great things with the in-kernel components of Snare, adding code to make better use of kernel memory and ferreting out SMP problems, among other significant improvements.

Snare Server

With its origins in open source software, the Snare Server from InterSect Alliance provides a central collection, analysis, reporting and archival tool for a very wide variety of log formats.

    Copyright (c) 1999-2011 InterSect Alliance Pty Ltd