Specifications

Guide to Snare for Linux
Shown below is an example /etc/audit/snare.conf file. It is an example file only, and should NOT be
used for operational purposes: among other things it permits remote configuration from any address
with a trivially guessable access key, sends events unencrypted, and writes a log copy under /tmp. It
has been included to demonstrate the key concepts of formulating a snare.conf file, as discussed above.
Example Version 4.1 snare.conf file
#This is a comment line with no leading spaces
# Snare configuration file
# Note: This file may be automatically updated by the Snare agent
# This file was generated by at: Mon Sep 22 15:22:26 2014
# Agent-wide settings. Booleans in this section are written as 1/0.
[Config]
# 1 = events carry the criticality assigned in [Objectives]/[Watch] (assumed from the name; confirm)
use_criticality=1
# 0 = events leave the agent in cleartext. Together with the UDP syslog output below, nothing on
# the wire is confidentiality- or integrity-protected; set to 1 where the collector supports it.
encrypt_msg=0
# Empty: the agent presumably reports under its own hostname - confirm against the agent docs.
clientname=
# 1 = the agent takes over the kernel audit configuration itself (assumed; confirm)
set_audit=1
# Events buffered locally while no output destination is reachable (units assumed to be events)
cache_size=10000
# 1 = UTC timestamps; keep this on so events from agents in different time zones correlate.
use_utc=1
# Numeric syslog codes, presumably the RFC 3164 values (facility 1 = user, priority 5 = notice);
# confirm against the collector's expectations.
syslog_facility=1
syslog_priority=5
# Linux-specific settings.
[Linux]
# Size of the kernel audit event buffer. Units are not stated on this page - see the agent docs.
# Too small a buffer means lost events under load, which an attacker can deliberately provoke.
audit_buffersize=360
#TCP and multiple network entries only allowed by the Enterprise agent
# Event destinations. Each networkOutputN value is host:port:protocol:format; the numeric
# suffix distinguishes multiple entries.
[Output]
# UDP syslog: cleartext, no delivery guarantee, and trivially spoofable. With encrypt_msg=0 in
# [Config] this stream has no protection on the wire.
networkOutput0=10.1.1.30:514:UDP:SYSLOG
# TCP in native SNARE format - per the note above, only the Enterprise agent accepts this entry.
networkOutput1=10.1.1.46:6161:TCP:SNARE
# Local copy of the event stream. /tmp is world-writable: any local user can read, pre-create or
# symlink this file. Outside a demo, use a root-owned directory (e.g. under /var/log) with
# restrictive permissions.
fileOutput0=/tmp/41logging.txt
# Remote management of the agent. Note the mixed boolean styles here ('on' vs 1/0).
[Remote]
# 1 = accept remote connections on listen_port
allow=1
accesskey_enabled=on
# Empty source-address filter; with restrict_ip_enabled=0 below it is not applied at all.
restrict_ip=
listen_port=6161
# SECURITY: 'snare' is a default, trivially guessable key stored in cleartext, and no IP
# restriction is active, so any host that can reach TCP/6161 can presumably reconfigure this
# agent (cf. the header note that the agent may rewrite this file). Before any real deployment:
# use a strong unique key, set restrict_ip and restrict_ip_enabled=1, and make this file
# readable by root only.
accesskey=snare
restrict_ip_enabled=0
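# Syscall audit objectives. One objective per line in the form
#   criticality=N match="<regex>" event=<comma-separated syscall list>
# The entries that the printed guide wrapped onto two lines (a line holding only event=...)
# have been re-joined here - an objective split across two lines is not one objective, as the
# single-line entries in this same section show.
# An empty match="" presumably applies the objective to every occurrence of the listed events.
[Objectives]
criticality=1 match="" event=execve,fork,exit,kill,tkill,tgkill
criticality=3 match="" event=fchmod,chmod,fchmodat,chown,lchown,fchown,fchownat
criticality=2 match="" event=link,linkat,mknod,unlink,unlinkat,symlink,symlinkat
criticality=3 match="" event=mount,umount2
# NOTE(review): setresgid is listed but setresuid is not - likely an oversight, since a uid
# change is at least as security-relevant as a gid change; confirm the intended list.
criticality=3 match="" event=setfsuid,setuid,setreuid,setfsgid,setregid,setgid,setresgid
criticality=4 match="" event=reboot,settimeofday,clock_settime,setdomainname,sethostname
criticality=1 match="" event=login_start,login_auth,logout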
# File-system watches: criticality, a regex applied to the event, the watched path, and the
# access types to report (w/a/x/r - presumably write/attribute/execute/read; confirm).
[Watch]
# NOTE(review): 'usesr01' looks like a typo for 'user01'; as written the regex only matches
# events containing that exact misspelling.
criticality=1 match=".*usesr01.*" path=/etc perms=waxr
© InterSect Alliance, September 2014 Page 29 of 30 Version 4.1