InterSect Alliance - Open Source

The team at InterSect Alliance has experience with auditing and intrusion detection on a wide range of platforms such as - Solaris, Windows 2000/NT/XP/2003, Novell Netware, AIX, even MVS (ACF2/RACF); and within a wide range of IT security in businesses such as - National Security and Defence Agencies, Financial Service firms, Government Departments and Service Providers.

This background gives us an insight into how to effectively deploy host and network intrusion detection systems that support and enhance an organisation's business goals.

As long term users of the Linux operating system, we believe that an effective auditing and event logging subsystem is a key prerequisite for many large organisations; particularly those that need to meet national, or international security-related legislative requirements.

As such, the InterSect Alliance team is building on the existing audit subsystem in later generations of the Linux kernel, to try and bring a simple and effective audit subsystem to the linux operating system.

The project is called 'SNARE for Linux' (SNARE stands for System iNtrusion Analysis & Reporting Environment), and like many of our other Snare Agent tools, is available under the terms of the GNU Public License.

Snare is currently used by hundreds of thousands of individuals, and organisations worldwide. Snare for Linux is used by many large Financial, Insurance, Healthcare, Defence, AeroSpace, and Intelligence organisations to meet elements of local and federal security requirements, such as:

ACSI 33 / PSM
GLBA (Gramm-Leach-Bliley Act)
Sarbanes Oxley (SOX)
C2 / CAPP
DCID 6/3
DIAM 50-4
DDS-2600-5502-87 Chapter 4
NISPOM Chapter 8
HIPAA
PCIDSS
California Senate Bill 1386/AB 1950
USA Patriot Act
CISP
Danish Standard DS-484:2005

British Standard BS7799/ISO 17799

InterSect Alliance welcome your support, comments, and contributions. Our contact details are available from our contact page.

Screen Shots

Setting an objective using the tiny browser-compatible control system.

Viewing recent events using the internal event browser.

Download

There are some important updates in this version of the agent that you should be aware of:

There are now two release versions of the agent:

1.x series of the agent is now for RHEL5 and below only (auditd versions less than 2.0)
2.x series of the agent is for RHEL6 and above (auditd versions greater than or equal to 2.0)

A number of security enhancements have been made to the micro web interface that will eventually make their way into the other agents

Cookies are now required to commit configuration changes
The authentication method has been updated to protect passwords in transit
The Remote Configuration web page has been updated to protect password updates in transit
Configuration changes cannot be made via the address bar only

It will work on SuSE 10.1+. Download the service script here thanks to Ryan Landis.

The native audit subsystem is a prerequisite for the installation of the 1.x version of Snare. This may be available on distributions that run kernel 2.6.13 and above.

We also recommend turning on Snare's tiny web-browser compatible configuration interface by modifying /etc/snare.conf, uncommenting "allow=1" from the [Remote] section of the configuration file, and restarting the audit subsystem (/etc/init.d/auditd restart). Once this is done, you will be able to point a web browser at port 6161 on the local machine to configure objectives and otherwise manage your agent. We recommend setting a password to restrict access, and you may also want to take advantage of the application-level firewall capability.

Your feedback is important to us. Please let us know if you encounter any problems, or have a suggested base objective setup for the final release.

Version 1.7.0	Source Files (optional)	Download, and install using 'make install' SnareLinux-1.7.0.tar.gz (Aug 2011) SnareLinux-1.7.0-0.src.rpm (Aug 2011)
Version 1.7.0	RPMS	Download the following files: SnareLinux-1.7.0-0.i386.rpm 64 bit RPMS: SnareLinux-1.7.0-0.x86_64.rpm Install by running the command: `rpm -Uvh SnareLinux-1.7.0-0.i386.rpm`
Version 2.0.0	Source Files (optional)	Download, and install using 'make install' SnareLinux-2.0.0.tar.gz (Aug 2011) SnareLinux-2.0.0-0.src.rpm (Aug 2011)
Version 2.0.0	RPMS	Download the following files: SnareLinux-2.0.0-0.i686.rpm 64 bit RPMS: SnareLinux-2.0.0-0.x86_64.rpm Install by running the command: `rpm -Uvh SnareLinux-2.0.0-0.i686.rpm`

Older versions of Snare for Linux (which require kernel-level changes to your system) are available from this page.

The Sourceforge development website shows support for the open source development community by providing SNARE with a home away from home, and Snare support forums.

InterSect provides commercial Snare Agent support for our Snare Server customers, but we're always happy to help out via the Snare Sourceforge Forum.