Specifications

Guide to Snare for Linux
File Watches
File watches are somewhat different from event filters. Rather than asking the kernel to report on all
file activity, a 'file watch' causes Snare to ask the kernel to 'tag' particular files or directories, so
that file-related events are only generated when activity touches those files or directories. This
generally results in a dramatic drop in resource usage by the Snare and audit processes, because
potentially thousands of file-related events per second no longer have to be generated and then
discarded when they do not match a Snare agent objective. A targeted file or directory does not have to
exist before Snare starts up. Where a directory is specified, Snare will also watch for the creation of
new files and directories within it.
See Figure 6 for configuring a Snare file watch.
Figure 6: Adding/Modifying a File Watch Objective
The following parameters may be set:
File watch path: Any file or directory, whether it currently exists or not, can be specified. To avoid
generating an excessive number of events, it is strongly recommended that file watches be set on the
exact directories of interest, with the smallest set of trigger permissions (see the next parameter)
that meets the monitoring requirement; for example, 'wa' is usually sufficient to detect tampering
with a configuration file, without reporting every read of it. Monitoring access to files and
directories with file watches is far preferable to using syscall/event filters for the same purpose.
Permissions to trigger an event: A file watch monitors four types of access, abbreviated rwxa: read
(r), write (w), execute (x) and attribute change (a). A file watch MUST be given at least one and at
most four of these permissions.
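The selection rule described above can be made concrete with a small model. The following Python is an added illustration for this guide, not Snare's own code: it shows how a watch with a permission mask decides which events are reported, how a watch on a directory also catches entries created beneath it, and how the 1-to-4-permission rule is enforced. The sample watches and event stream are constructed, and representing the creation of a new file as a 'w' access on the new path is a simplification of the model rather than the kernel's actual encoding.

```python
"""Added illustration of file-watch selection, not Snare's own code."""
import posixpath
from dataclasses import dataclass

# The four access types a Snare file watch can trigger on.
VALID_PERMS = frozenset("rwxa")


def is_valid_mask(perms: str) -> bool:
    """A watch needs at least one and at most four distinct letters from 'rwxa'."""
    mask = set(perms)
    return 0 < len(mask) <= 4 and mask <= VALID_PERMS


@dataclass(frozen=True)
class FileWatch:
    """One watch: a file or directory path plus the permission mask that fires it."""
    path: str
    perms: str

    def __post_init__(self):
        if not is_valid_mask(self.perms):
            raise ValueError(f"permission mask must be 1-4 of 'rwxa', got {self.perms!r}")
        # Normalise so '/etc/sudoers.d/' and '/etc/sudoers.d' denote the same watch.
        object.__setattr__(self, "path", posixpath.normpath(self.path))

    def matches(self, event_path: str, access: str) -> bool:
        """True when the access type is in the mask and the event path is the
        watched path itself or lies beneath it (a directory watch also catches
        files and directories created inside it)."""
        if access not in self.perms:
            return False
        p = posixpath.normpath(event_path)
        if p == self.path:
            return True
        prefix = self.path if self.path.endswith("/") else self.path + "/"
        return p.startswith(prefix)


@dataclass(frozen=True)
class FileEvent:
    """A file access as the kernel might report it. Creating a new file is
    modelled here as a 'w' access on the new path (a simplification)."""
    path: str
    access: str


def select_events(watches, events):
    """Return only the events that some watch would cause the kernel to report.
    Everything else is never generated, which is where the resource saving
    over a blanket syscall filter comes from."""
    return [e for e in events if any(w.matches(e.path, e.access) for w in watches)]


# Constructed sample watches and event stream, not real audit data.
WATCHES = [
    FileWatch("/etc/shadow", "wa"),        # modification or attribute change only
    FileWatch("/etc/sudoers.d/", "wa"),    # directory: new files inside are caught
]

EVENTS = [
    FileEvent("/etc/passwd", "r"),
    FileEvent("/etc/shadow", "r"),              # read: not in the 'wa' mask
    FileEvent("/etc/shadow", "w"),              # reported
    FileEvent("/var/log/messages", "w"),        # not watched at all
    FileEvent("/etc/sudoers.d/99-local", "w"),  # new file under watched dir: reported
    FileEvent("/etc/sudoers.d/99-local", "a"),  # chmod/chown on it: reported
    FileEvent("/tmp/scratch", "w"),
    FileEvent("/usr/bin/ls", "x"),
]

if __name__ == "__main__":
    hits = select_events(WATCHES, EVENTS)
    print(f"{len(hits)} of {len(EVENTS)} events reported")
    for e in hits:
        print(f"  {e.access} {e.path}")
```

With the two watches above, only three of the eight constructed events are reported: the write to /etc/shadow and the creation and attribute change of the new file under /etc/sudoers.d. The read of /etc/shadow is dropped because 'r' is not in the mask, which is the point of choosing the smallest useful permission set.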
© InterSect Alliance, September 2014 Page 18 of 30 Version 4.1