Sunday , October 21 2018

Installing and Configuring Snare Agent on Hosts

In this tutorial, I will install and configure the Snare agent on hosts so that they can be monitored with OSSIM, the open-source SIEM.

Let’s get started…

– Download the Snare client edition from: sourceforge.net/projects/snare/
– Enable the Snare plugin on the OSSIM server via:

Console Menu  >  Configure Sensor   >   Configure DataSource Plugins.
– Select the option “snare”, then select OK
– Select Back
– Select “Apply Settings”; it will take some time to complete.

Snare-1-OSSIM-1

Snare-2-OSSIM-2

Snare-3-OSSIM-3

Installing Snare Agent on Windows Client:

– The current latest file downloaded is “SnareForWindows-4.0.2.0-MultiArchOpenSource.exe”.
– Execute the downloaded “SnareForWindows-XXXX-MultiArchOpenSource.exe”.
– Select “Yes” when setup asks whether Snare should “Takeover Control of logs”, as shown below:

Snare-4-Win-1
– Select “Use System Account” as recommended, or provide any Windows account that has permission to read the event logs. Shown below is the selection of the System Account.

Snare-5-Win-2
– Select “Enable Web Access” on the next screen and provide a password for the Snare web panel, as shown below:

Snare-6-Win-3
– Remember, the username is by default “snare” and the password is the one entered in this step.
– Access the Snare client web interface in a web browser at the following URL:
– http://localhost:6161
– The web interface will be shown as below:

Snare-7-Win-4
– Change the following options in it:

Destination Address: the IP address of OSSIM’s logging interface, which in my case is 192.168.1.6
Destination Port: 514
– Enable the option “Enable Syslog Header”
– Apply Settings

Snare-8-Win-5
– Open Registry Editor and go to the following key:

> HKEY_LOCAL_MACHINE > SOFTWARE > Intersect Alliance > Audit Service > Config
– Double-click “Delimeter”, enter a semicolon “;” (without quotes) and click OK.

Snare-9-Win-6
– Execute the following commands to restart the Snare service so the new settings take effect:

> net stop snare
> net start snare

Configure Snare on OSSIM Server:

– Jailbreak the system and edit “/etc/ossim/agent/plugins/snare.cfg”.
– Make the following changes, so that the plugin reads the Windows events from the file where the OSSIM box’s syslog daemon writes them:

Comment out:  location=/var/log/snare.log
Add line:        location=/var/log/syslog
– Restart the OSSIM agent:
 # /etc/init.d/ossim-agent restart

Snare-10-OSSIM-1
– Now Snare should appear in the “Data Sources” drop-down menu under Analysis > Security Events (SIEM), as shown below:

Snare-11-OSSIM-2
– Now, when I tried to log in to the Snare-monitored host WinXP-1-21, I got Snare alerts in this menu, as shown below:

Snare-12-OSSIM-3
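As an added example (not part of this tutorial, and not code from the Snare or OSSIM projects), the Python below shows why the semicolon delimiter and the syslog header matter once the Windows agent is pointed at the OSSIM box: it parses Snare event lines as they land in /var/log/syslog and counts repeated failed logons per user, which is the kind of alert the screenshot above shows. The sample lines are constructed; the field order after the MSWinEventLog tag is an assumption modelled on the Snare Windows format rather than copied from a specification. Event ID 529 is the Windows XP/2003 failed-logon event and 4625 its Vista-and-later equivalent.

```python
import re
from collections import Counter

# Constructed sample of what lands in /var/log/syslog on the OSSIM box once the
# Windows agent sends with "Enable Syslog Header" and a ";" delimiter.  The
# field layout after the MSWinEventLog tag is an assumption modelled on the
# Snare Windows event format, not copied from a specification.
SAMPLE_SYSLOG = (
    "Oct 21 10:15:01 WINXP-1-21 MSWinEventLog;1;Security;101;Sun Oct 21 10:15:01 2018;"
    "529;Security;attique;User;Failure Audit;WINXP-1-21;Logon/Logoff;"
    "Logon Failure: Reason: Unknown user name or bad password User Name: attique\n"
    "Oct 21 10:15:03 WINXP-1-21 MSWinEventLog;1;Security;102;Sun Oct 21 10:15:03 2018;"
    "529;Security;attique;User;Failure Audit;WINXP-1-21;Logon/Logoff;"
    "Logon Failure: Reason: Unknown user name or bad password User Name: attique\n"
    "Oct 21 10:15:09 WINXP-1-21 MSWinEventLog;1;Security;103;Sun Oct 21 10:15:09 2018;"
    "528;Security;attique;User;Success Audit;WINXP-1-21;Logon/Logoff;"
    "Successful Logon: User Name: attique; Logon Type: 2\n"
    "Oct 21 10:15:10 ossim ossim-agent[1234]: plugin snare started\n"
)

# Syslog header (optional <PRI>), timestamp, host, then the Snare payload.
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<payload>MSWinEventLog.*)$"
)

# Names for the delimited fields, in order (assumed layout).  The final field
# keeps whatever remains, so delimiters inside the event text do not shift
# the earlier columns.
FIELDS = [
    "tag", "criticality", "log", "counter", "event_time", "event_id",
    "source", "user", "sid_type", "audit_type", "computer", "category", "data",
]

FAILED_LOGON_IDS = {"529", "4625"}   # XP/2003 and Vista-or-later failed logon


def parse_line(line, delimiter=";"):
    """Return a dict for one Snare event line, or None for any other syslog line."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    parts = m.group("payload").split(delimiter, len(FIELDS) - 1)
    if len(parts) < len(FIELDS):
        return None   # truncated event: skip rather than mis-assign columns
    event = dict(zip(FIELDS, parts))
    event["syslog_host"] = m.group("host")
    event["syslog_time"] = m.group("ts")
    return event


def parse_syslog(text, delimiter=";"):
    """Parse every Snare line in a syslog excerpt; other lines are ignored."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line, delimiter)
        if ev is not None:
            events.append(ev)
    return events


def failed_logons(events, threshold=2):
    """Count failed logons per (computer, user); return those at or above threshold."""
    counts = Counter(
        (ev["computer"], ev["user"])
        for ev in events
        if ev["event_id"] in FAILED_LOGON_IDS
    )
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    for ev in evs:
        print(ev["syslog_time"], ev["computer"], ev["event_id"],
              ev["audit_type"], ev["user"])
    print("repeated failures:", failed_logons(evs))
```

The delimiter parameter exists because Snare's default is a tab; passing "\t" parses agents that were never switched to the semicolon, and the OSSIM plugin's own regex likewise has to agree with whatever delimiter the agent sends.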

Installing Snare Agent on Linux Client:

– Download Snare for Linux from:
– x86:    http://downloads.sourceforge.net/project/snare/Snare%20for%20Linux/2.1.0/SnareLinux-2.1.0-1.i686.rpm
– x64:    http://downloads.sourceforge.net/project/snare/Snare%20for%20Linux/2.1.0/SnareLinux-2.1.0-1.x86_64.rpm

# rpm -Uvh SnareLinux-2.1.0-1.i686.rpm
– If rpm reports the error “perl(Time::HiRes) is needed by SnareLinux-2.1.0-1.i686”, install the dependency:
# yum install -y perl-Time-HiRes

Snare-13-Linux-1

# vim /etc/snare.conf
– Add the OSSIM server’s IP in Output Destination, with port 514 after the colon, as shown below:

Snare-14-Linux-2
– Restart the snare service after changing the configuration:

#  service auditd restart 
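The two configuration edits in this tutorial, the location= switch in /etc/ossim/agent/plugins/snare.cfg and the Output destination in /etc/snare.conf, are easy to get wrong by hand (an old line left active, a second destination line added next to the first). The Python below is an added example, not code from the tutorial or from the Snare or OSSIM projects, that makes both edits idempotently and keeps a .bak copy. The location= key and the tutorial's paths come from the page; the "network=" key under an [Output] section is an assumption about the layout of snare.conf, since the page only shows a host:port value.

```python
import ipaddress
import os
import re

# Both edit helpers take the file text and return the edited text, so they
# can be tested on constructed input; update_file() applies one to a real file.

LOCATION_RE = re.compile(r"^\s*location\s*=\s*(?P<path>\S+)\s*$")


def _active_location(line):
    """Path from an uncommented location= line, else None."""
    m = LOCATION_RE.match(line)
    return m.group("path") if m else None


def set_plugin_location(cfg_text, new_location="/var/log/syslog"):
    """Point the OSSIM snare plugin at new_location: comment out every other
    active location= line and add the new one after the first of them.
    Running it twice leaves the file unchanged."""
    lines = cfg_text.splitlines()
    done = any(_active_location(l) == new_location for l in lines)
    out = []
    for line in lines:
        path = _active_location(line)
        if path is None or path == new_location:
            out.append(line)
            continue
        out.append("#" + line)            # keep the old value, commented, as a record
        if not done:
            out.append(f"location={new_location}")
            done = True
    if not done:
        out.append(f"location={new_location}")
    return "\n".join(out) + "\n"


SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
NETWORK_RE = re.compile(r"^\s*network\s*=")


def set_output_destination(conf_text, host, port=514):
    """Set the [Output] destination of /etc/snare.conf to host:port.
    ASSUMPTION: the key is 'network=' inside an [Output] section; the
    tutorial only shows the host:port value itself."""
    ipaddress.ip_address(host)             # raises ValueError on a bad address
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    wanted = f"network={host}:{port}"
    out, section, done = [], None, False
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if section == "Output" and not done:
                out.append(wanted)         # section ended without a destination
                done = True
            section = m.group("name")
        elif section == "Output" and NETWORK_RE.match(line):
            if not done:
                out.append(wanted)
                done = True
            continue                        # drop the previous destination line
        out.append(line)
    if not done:
        if section != "Output":
            out.append("[Output]")
        out.append(wanted)
    return "\n".join(out) + "\n"


def update_file(path, transform):
    """Rewrite path through transform(); keep path.bak; replace atomically.
    Returns True when the file actually changed."""
    with open(path) as f:
        original = f.read()
    updated = transform(original)
    if updated == original:
        return False
    with open(path + ".bak", "w") as f:
        f.write(original)
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(updated)
    os.replace(tmp, path)
    return True


if __name__ == "__main__":
    # Paths from the tutorial; run as root on the OSSIM box and the Linux host.
    update_file("/etc/ossim/agent/plugins/snare.cfg", set_plugin_location)
    update_file("/etc/snare.conf",
                lambda t: set_output_destination(t, "192.168.1.6", 514))
```

After either edit the corresponding service still has to be restarted (ossim-agent on the OSSIM box, the Snare service on the host), exactly as the tutorial's restart steps say; the script only changes the files.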

About Muhammad Attique

2 comments

  1. Thank you for this tuto

  2. Perfect tutorial and great piece of work, so helpful and clear .. thank you so much
    I would seize the opportunity to ask you if the current version of the Snare open-source version has support for Windows Server 12R2?
