Specifications
Guide to Snare for Linux
• Select the REGEX Match Type: Choose whether the objective includes events that match the regex set below, or excludes them.
• Regex String Match: A filter term the objective must match. For example, .*root.* causes the objective to match any event whose whole string contains 'root'. The regex format is the same basic format discussed in the objective section above.
• Select the Alert Level: The criticality levels are Critical, Priority, Warning, Information and Clear. These security levels let the Snare user map audit events to their most pressing business security objectives.
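The include/exclude match type and alert level described above, as an added Python illustration (not code from the Snare guide or product). It assumes the pattern is tested against the whole event string, which is why .*root.* is needed rather than plain root, and it uses constructed sample events:

```python
import re
from typing import List, Optional

# Constructed audit event strings (not real Snare output). Each one is the
# "whole string" an objective's regex is applied to.
SAMPLE_EVENTS = [
    "uid=0 auid=1001 comm=su exe=/bin/su msg=session opened for user root",
    "uid=1002 auid=1002 comm=vi exe=/usr/bin/vi name=/etc/passwd",
    "uid=0 auid=1003 comm=chroot exe=/usr/sbin/chroot dir=/srv/jail",
]

ALERT_LEVELS = ("Critical", "Priority", "Warning", "Information", "Clear")


def evaluate_objective(event: str, regex: str, match_type: str,
                       alert_level: str) -> Optional[str]:
    """Return the alert level if the objective fires for this event, else None.

    Assumption: the regex must match the entire event string (re.fullmatch),
    so '.*root.*' is required to find 'root' anywhere in the line.
    """
    if match_type not in ("include", "exclude"):
        raise ValueError("match_type must be 'include' or 'exclude'")
    if alert_level not in ALERT_LEVELS:
        raise ValueError("unknown alert level: %s" % alert_level)
    matched = re.fullmatch(regex, event) is not None
    # 'include' fires on a match; 'exclude' fires on everything that does not match.
    fires = matched if match_type == "include" else not matched
    return alert_level if fires else None


def run_objective(events: List[str], regex: str, match_type: str,
                  alert_level: str) -> List[Optional[str]]:
    """Apply one objective to a batch of events, one result per event."""
    return [evaluate_objective(e, regex, match_type, alert_level) for e in events]


if __name__ == "__main__":
    # A loose pattern also fires on 'chroot'; \b word boundaries narrow it to
    # the standalone word 'root'.
    for pattern in (r".*root.*", r".*\broot\b.*"):
        print(pattern, run_objective(SAMPLE_EVENTS, pattern, "include", "Critical"))
```

Note that .*root.* also fires on the chroot event; anchoring the term with word boundaries, as in the second pattern, avoids that false positive.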
Note: Depending on your Linux kernel, there may be an issue with the creation and deletion of file watches. This kernel bug occurs if you create a file watch, do not apply the audit configuration, and then delete the file watch; the result is that the operating system locks up. To prevent this issue, ensure you set the audit configuration immediately after creating a file watch.
© InterSect Alliance, September 2014 Page 19 of 30 Version 4.1