Specifications

Guide to Snare for Linux
Event Objectives
Select 'Add' to insert an objective or 'Modify' to edit an objective. Generally the order of objectives is not important.
Figure 5: Adding/Modifying a Syscall Objective
The following parameters may be set as displayed in Figure 5:
Identify the high level event: Each of the objectives provides a high level of control over which events are selected and reported. Events are selected from a group of high level requirements, and further refined using selected filters. Events are generally grouped into the following:

Start or stop program execution: execve, fork, exit, kill, tkill, tgkill
Open a file/dir for reading or writing: open, close
Change a file or directory attribute: fchmod, chmod, fchmodat, chown, lchown, fchown, fchownat
Remove a file or directory: rmdir, unlink
Mount a new filesystem: mount, umount2
Change user or group identity: setfsuid, setuid, setreuid, setfsgid, setregid, setgid, setresgid
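The groups above are defined by specific syscall names, so when you choose an objective it is worth checking that the syscall you actually want to see is in the group's list. The following Python script is an added example, not part of the Snare guide or Snare's own code: it takes the six groups exactly as listed above, parses a handful of constructed key=value audit-style records (a hypothetical format, not Snare's output), labels each record with the group that would cover it, and reports any syscall that none of the listed groups names. The sample records, the field layout and the `syscall=` key are all assumptions made for the example.

```python
# Added example (not from the Snare guide): map audit-style records onto the
# high-level event groups listed in the guide and flag uncovered syscalls.
import re
from typing import Dict, List, Optional

# Event groups copied from the guide; assumption: an objective matches by syscall name.
EVENT_GROUPS: Dict[str, List[str]] = {
    "Start or stop program execution": ["execve", "fork", "exit", "kill", "tkill", "tgkill"],
    "Open a file/dir for reading or writing": ["open", "close"],
    "Change a file or directory attribute": ["fchmod", "chmod", "fchmodat", "chown",
                                              "lchown", "fchown", "fchownat"],
    "Remove a file or directory": ["rmdir", "unlink"],
    "Mount a new filesystem": ["mount", "umount2"],
    "Change user or group identity": ["setfsuid", "setuid", "setreuid", "setfsgid",
                                      "setregid", "setgid", "setresgid"],
}

# Reverse index built once: syscall name -> group that lists it.
SYSCALL_TO_GROUP: Dict[str, str] = {
    name: group for group, names in EVENT_GROUPS.items() for name in names
}

# Constructed sample records in a hypothetical key=value layout (not Snare's format).
SAMPLE_RECORDS = """\
syscall=execve uid=1000 exe=/usr/bin/id success=yes
syscall=chmod uid=0 path=/etc/shadow success=yes
syscall=openat uid=1000 path=/home/alice/notes.txt success=yes
syscall=setuid uid=0 auid=1000 success=yes
syscall=umount2 uid=0 path=/mnt/usb success=no
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def classify(syscall: str) -> Optional[str]:
    """Return the guide's event group for a syscall, or None if no group lists it."""
    return SYSCALL_TO_GROUP.get(syscall)


def classify_records(text: str) -> List[Dict[str, Optional[str]]]:
    """Label every non-empty record with the group that would cover it."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        syscall = rec.get("syscall", "")
        results.append({"syscall": syscall, "uid": rec.get("uid"), "group": classify(syscall)})
    return results


def uncovered_syscalls(text: str) -> List[str]:
    """Syscalls seen in the input that none of the listed groups names."""
    return sorted({r["syscall"] for r in classify_records(text) if r["group"] is None})


if __name__ == "__main__":
    for r in classify_records(SAMPLE_RECORDS):
        print(f"{r['syscall']:<10} uid={r['uid']:<5} -> {r['group'] or 'NOT IN ANY LISTED GROUP'}")
    print("uncovered:", uncovered_syscalls(SAMPLE_RECORDS))
```

Run as-is, the script labels execve, chmod, setuid and umount2 with their groups and reports `openat` as uncovered, because the "Open a file/dir" group as listed names only open and close; that is exactly the kind of gap to confirm against your own records before relying on an objective.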
© InterSect Alliance, September 2014 Page 15 of 30 Version 4.1