Specifications

Guide to Snare for Linux
[Remote]
This section specifies settings for the Remote Control Interface used to control Snare.

allow=[1|0]
Turn the Remote Control Interface on or off.

listen_port=6161
Set the port that the Snare for Linux agent should listen on.

accesskey_enabled=on
Require a password to be set.

accesskey=md5password
MD5 checksum of the password used to protect the embedded web server.

restrict_ip_enabled=0
Restrict the Remote Control Interface to a single IP address.

restrict_ip=1.2.3.4
IP address of the system that is used to remotely control the agent. All requests from other systems will be dropped.

[Output]
By default, if no Output section exists within the configuration file, the audit daemon will not send data anywhere. Otherwise, audit events will be sent to all valid destinations specified in the Output section. As such, events can be sent to a file, to a remote network destination, or to both.

file=/fully/qualified/file/name
The audit daemon will send data to the fully qualified filename. The directory must exist. The file will be created if it doesn't exist. E.g.
file=/var/log/filewatch.log

network=hostname:port:protocol:format
Data will be sent to the remote host and network port specified here. Audit data can be sent to a remote system using the UDP or TCP protocol. SSL may also be used to indicate an encrypted TCP connection. Format may be either SNARE or SYSLOG. E.g.
networkOutput0=10.1.1.30:6161:TCP:SNARE

[Linux]
audit_buffersize=360
Adjusts the audit buffers, if required, to avoid placing too heavy an audit load on your system. This is to be added to the Remote Control Interface as a setting in the future release of version 5.0 of the Snare for Linux agent.
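
The following is an added example, not part of the Snare guide or InterSect Alliance's code: a small checker that reads a configuration using the [Remote] and [Output] settings described above and reports an unprotected Remote Control Interface and unencrypted network outputs. It assumes an INI-style file, that "1" and "on" both mean enabled, that any [Output] key beginning with "network" is a network destination, and that SSL is written in the protocol field; the sample configuration is constructed.

```python
import configparser

# Constructed sample using the setting names documented above (not a real host's config).
SAMPLE = """\
[Remote]
allow=1
listen_port=6161
accesskey_enabled=0
restrict_ip_enabled=0
[Output]
file=/var/log/filewatch.log
networkOutput0=10.1.1.30:6161:UDP:SNARE
"""
ENABLED = {"1", "on"}  # assumption: the guide shows both spellings for "enabled"

def is_on(section, key):
    return section.get(key, "0").strip().lower() in ENABLED

def audit_snare_config(text):
    """Return findings for the [Remote] and [Output] sections of a config."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep key names such as networkOutput0 as written
    cfg.read_string(text)
    findings = []
    remote = cfg["Remote"] if cfg.has_section("Remote") else {}
    if is_on(remote, "allow"):
        if not (is_on(remote, "accesskey_enabled") and remote.get("accesskey", "").strip()):
            findings.append("remote: interface enabled without an access key")
        if not (is_on(remote, "restrict_ip_enabled") and remote.get("restrict_ip", "").strip()):
            findings.append("remote: interface not restricted to a controlling IP")
    output = cfg["Output"] if cfg.has_section("Output") else {}
    if not output:
        findings.append("output: no destinations, audit events are not sent anywhere")
    for name, value in output.items():
        if not name.lower().startswith("network"):
            continue  # file= destinations are not checked here
        parts = value.rsplit(":", 3)  # hostname:port:protocol:format
        if len(parts) != 4:
            findings.append(f"output: {name} is not hostname:port:protocol:format")
            continue
        proto, fmt = parts[2].upper(), parts[3].upper()
        if proto != "SSL":
            findings.append(f"output: {name} sends events unencrypted over {proto}")
        if fmt not in {"SNARE", "SYSLOG"}:
            findings.append(f"output: {name} has unknown format {fmt}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_snare_config(SAMPLE)))
```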
© InterSect Alliance, September 2014 Page 27 of 30 Version 4.1