In this tutorial, I will be installing and configuring snare agent on hosts for monitoring them with OSSIM Open-source SIEM.
Let’s get started…
– Download Snare Client edition from: sourceforge.net/projects/snare/
– Enable Snare Plugin on OSSIM Server by
– Select option “snare“, select OK
– Select Back
– Select “Apply Settings“, it will take some time to complete.
Installing Snare Agent on Windows Client:
– Current latest file Downloaded is “SnareForWindows-220.127.116.11-MultiArchOpenSource.exe”
– Execute downloaded “SnareForWindows-XXXX-MultiArchOpenSource.exe“.
– Select option “Yes” when setup asks about to “Takeover Control of logs” as shown below:
– Remember, Username is by default: snare and Password is what we have entered in this step.
– Access Snare Client Web interface in Web Browser at following URL:
– Web interface will be shown as below:
– Set Port to 514
– Enable Option: “Enable Syslog Header”
– Apply Settings
– Double Click “Delimeter” and enter SemiColon “;” (without quotes) and click OK.
> net start snare
Configure Snare on OSSIM Server:
– Jailbreak the System and edit “/etc/ossim/agent/plugins/snare.cfg”
– Do following changes:
– Add Line: location=/var/log/syslog
Installing Snare Agent on Linux client:
– Download Snare for linux from:
– x86: http://downloads.sourceforge.net/project/snare/Snare%20for%20Linux/2.1.0/SnareLinux-2.1.0-1.i686.rpm
– x64: http://downloads.sourceforge.net/project/snare/Snare%20for%20Linux/2.1.0/SnareLinux-2.1.0-1.x86_64.rpm
– Add OSSIM Server’s IP in Output Destination with port 514 after colon as shown below: