Specifications
Guide to Snare for Linux
• Select the REGEX Match Type: Select to either include the regex match in the search or
exclude the regex match set below.
• Regex Match: A filter term the objective should match. For example .*data.* would cause
the objective to match the word 'data' anywhere in the whole string. To use multiple matches,
separate them with the vertical bar symbol (|), which acts as the OR operator.
Complex matches are possible. For example, to include or exclude various commands from the
log output, use the following syntax:
.*/bin/grep.*|.*/bin/bash.*|.*/bin/sleep.*|.*/usr/bin/wc.*|.*/usr/bin/cut.*|.*/usr/bin/expr.*|.*/usr/bin/bc.*|.*/usr/bin/du.*|.*/usr/bin/tail.*|.*/usr/bin/head.*|.*/usr/bin/sum.*|.*/usr/bin/who.*
It is recommended to perform all the excludes for a particular high level event in one
objective. For example, to exclude events that contain either auditctl or top in the high level
event "open a file/directory for reading or writing", select Exclude and enter
.*auditctl.*|.*top.* in the Regex Match field (as shown above).
• Select the Alert Level: The criticality levels are Critical, Priority, Warning, Information and
Clear. These security levels are provided to enable the Snare user to map audit events to
their most pressing business security objectives.
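The Regex Match filter described above, exercised as an added example (written for this page, not code from Snare or InterSect Alliance): it applies the two patterns quoted in the text, the command list and .*auditctl.*|.*top.*, to a handful of constructed event strings under both Include and Exclude semantics, and reports which alternative fired. Python's re module stands in for Snare's own matcher, which is an assumption; the event string format, the function names and the sample events are likewise invented for illustration.

```python
import re
from typing import List, Optional

# Objective patterns copied as-is from the guide text above.
COMMAND_REGEX = (
    r".*/bin/grep.*|.*/bin/bash.*|.*/bin/sleep.*|.*/usr/bin/wc.*|.*/usr/bin/cut.*"
    r"|.*/usr/bin/expr.*|.*/usr/bin/bc.*|.*/usr/bin/du.*|.*/usr/bin/tail.*"
    r"|.*/usr/bin/head.*|.*/usr/bin/sum.*|.*/usr/bin/who.*"
)
EXCLUDE_REGEX = r".*auditctl.*|.*top.*"

# Constructed sample event strings (not real Snare output); the key=value
# layout is an assumption made for this example only.
SAMPLE_EVENTS = [
    "exe=/bin/grep comm=grep uid=1000",
    "exe=/usr/bin/tail comm=tail uid=1000",
    "exe=/sbin/auditctl comm=auditctl uid=0",
    "exe=/usr/bin/top comm=top uid=1000",
    "exe=/usr/bin/stop comm=stop uid=1000",
    "exe=/usr/bin/vi comm=vi uid=1000",
]


def objective_passes(regex: str, match_type: str, event: str) -> bool:
    """Return True if the event survives the objective filter.

    match_type is "include" (keep events the regex matches) or "exclude"
    (drop events the regex matches).  Assumption: the expression is applied
    to the whole event string, which is why the guide's patterns carry a
    leading and trailing '.*'; re.fullmatch models that here.
    """
    if match_type not in ("include", "exclude"):
        raise ValueError(f"match type must be include or exclude, got {match_type!r}")
    matched = re.fullmatch(regex, event) is not None
    return matched if match_type == "include" else not matched


def filter_events(regex: str, match_type: str, events: List[str]) -> List[str]:
    """Apply one objective's regex filter to a list of event strings."""
    return [e for e in events if objective_passes(regex, match_type, e)]


def which_alternative(regex: str, event: str) -> Optional[str]:
    """Return the first '|'-separated alternative that matches the event.

    Useful when tuning an objective: it shows *why* an event was kept or
    dropped.  Splitting on '|' is adequate for the flat alternations in the
    guide; it would not handle '|' nested inside groups.
    """
    for alt in regex.split("|"):
        if re.fullmatch(alt, event):
            return alt
    return None


if __name__ == "__main__":
    print("Include objective keeps:")
    for e in filter_events(COMMAND_REGEX, "include", SAMPLE_EVENTS):
        print("  ", e, "<-", which_alternative(COMMAND_REGEX, e))
    print("Exclude objective drops:")
    for e in SAMPLE_EVENTS:
        if not objective_passes(EXCLUDE_REGEX, "exclude", e):
            print("  ", e, "<-", which_alternative(EXCLUDE_REGEX, e))
```

Running the block shows that the Exclude objective drops the stop event as well as the top event, because .*top.* matches any string containing "top" as a substring. Checking an exclude pattern against sample events like this before clicking Apply the Latest Audit Configuration is a cheap way to confirm that an objective is not silently discarding audit records you meant to keep.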
To save and set changes to these settings, and to ensure the audit daemon has received the new
configuration, perform the following:
1. Click on Change Configuration to save any changes.
2. Click on the Apply the Latest Audit Configuration menu item.
© InterSect Alliance, September 2014 Page 17 of 30 Version 4.1