Lock IT Down: Secure the integrity of your servers with SNARE

Use this tutorial for setting up SNARE, a host-based intrusion detection system for Linux.

When the term "intrusion detection system," or "IDS," is used in IT today, it typically refers to a network-based IDS, which can be used to spot incoming attacks. Such a system relies on a static database of signatures to watch for. Although this is good for identifying documented exploits, it can't do much against new or original methods. It's beneficial, if not essential, to have some form of network-based IDS security. But it is just as important to have the kind of system auditing offered by a host-based IDS, which scans the operating system and checks for inconsistencies. In fact, a host-based tool is actually more reliable than a network-based system because it does not depend on a database that needs to be updated.

SNARE (System iNtrusion Analysis & Reporting Environment) is an excellent host-based IDS that looks at a system and helps you determine whether an intrusion has occurred. It can also monitor and log numerous types of system events, including when a program is executed, who executed it, and what, if any, files it accessed. This differentiates it from a network-based IDS that just attempts to stop attacks from the outside using a signature-based mechanism.

We're going to look specifically at the Linux version of SNARE, but versions are also available for Windows and Solaris. All three are open source packages that can be used for free.

What SNARE does
SNARE for Linux consists of three main components:
  • A dynamically loadable kernel module
  • An audit daemon
  • A graphical user interface (GUI)

The kernel module audits system calls in real time and provides this information to the GUI. Such calls as chmod, unlink, mkdir, open, and execve are monitored. Information about the process, such as the timestamp and initiating user, are recorded. By default, the amount of data being checked is going to be fairly large, even on a moderately used system. To help with this, SNARE allows you to set filters so that you can define exactly what to look for. For instance, you can choose to monitor only certain alert levels or to look for a specific user's events.

C2 security
Note that SNARE uses C2-level auditing and event logging. C2 is a high security standard created by the National Computer Security Center (NCSC), a division of the U.S. National Security Administration.

Installing SNARE
You can download SNARE here. It's also widely available at any number of other HTTP and FTP locations. The package itself is divided into two components, the core (audit kernel module and audit daemon) and the GUI.

First, download the core package (e.g., snare-core-0.9.2.tar.gz). You will then need to unpack and compile the program with the following commands:
tar xvfz snare-core-0.9.2.tar.gz
cd snare-core-0.9.2
make install

This will install the core package onto your system. To be able to view the data pulled from the audit facilities, you will next need to install the GUI. Download the GUI package (e.g., snare-0.9.tar.gz) and run the following commands to install it:
tar xvfz snare-0.9.tar.gz
cd snare-0.9
make install

You may also need to copy some included files to their corresponding system locations using the following commands:
cp snare-icon.png /usr/share/pixmaps
cp snare.desktop /usr/share/gnome/apps/System
cp snare.desktop /usr/share/gnome/ximian/Programs/Utilities
cp Snare.kdelnk /usr/share/applnk/System

RPM installation
RPMs are also provided on the download page. If you want, you can largely bypass the steps above by downloading the RPMs and installing them (if your Linux distribution supports RPMs) with these simple commands:
rpm –Uvh snare-core-0.9.2-1.i386.rpm
rpm –Uvh snare-0.9-1.i386.rpm

Running the GUI
Once your installation is complete, the Linux X-Windows Manager should pick up the installed SNARE GUI and make it accessible through the menu system. If not, the GUI can be launched by typing "snare" from the command line.

Configuring and running SNARE
You can view and modify SNARE settings via the GUI, which in turn modifies /etc/audit/audit.conf. The daemon is controlled with /etc/init.d/audit stopand /etc/init.d/audit start. To change the configurations in the GUI, go to Setup | Audit Configuration. Here, you will be able to set how SNARE audits, either by filtered "objectives" or raw kernel events. You can also specify how you want logging to take place—via local file, network host, or both.

The objectives mentioned above are merely user-defined filters. In the Objectives tab, you will be able to edit or add filters. You can specify the alert level: Critical, Priority, Warning, Information, or Clear. These levels will be color-coded in the event display window, allowing you to quickly determine which event takes priority. You will also be able to configure matching based on users. You can list events by all users, include only specific users, or exclude certain user accounts. You should use a comma to separate multiple users. By default, all users performing a monitored event will be audited, but this may not always be what you want. Excluding the root account from everyday file accesses may help cut down on the amount of data you have to sift through.

You can also allow the filter to match an exact string, a partial string, or a regular expression. You may want to check for accesses to /etc/hosts but may not care to see events related to /etc/hosts.old. Or you might want to use a regular expression along the lines of ".*[Pp]ass(word|wd).*" to include /etc/passwdor /root/Passwords. This will be specific to each host and will depend on what you want to have monitored.

Certain events, such as open, allow you to drill down even further. Additional flags include (but are not limited to) O_WRONLY, O_RDWR, O_RDONLY, O_CREAT, and O_APPEND. This shows you how detailed you can be on what you want to watch for. I highly recommend going through the thorough documentation provided with the package, as well as some of the third-party links provided on SNARE's Web site.

Auditing the raw kernel events, as opposed to filters, results in all selected events being logged. You select the kernel events you want to be monitored in the Kernel tab. This area is further broken down into Resource Access And Security, Command Execution, and Resource Creation And Deletion. The Resource Access And Security section includes such events as open, rename, chmod, and chown. Command Execution includes execve, socketcall, and reboot. Resource CreationAndDeletion includes mkdir, rmdir, mknod, and create_module. Many other options are available, but these give you the general idea of what can be configured.

Once you have determined your configuration, events will be displayed in the Real Time Event Display. These will have a color-coded priority, timestamp, and a single line of details. You can select an event with the mouse and get more detailed information, including the User ID, process ID, and any arguments to the command.

Data from the user-space audit daemon is read from /proc/audit, converted from binary into text format, and outputted. An event in the logs will look something like this.

This data can then be processed or monitored by an in-house script or program. This allows you to extend the capabilities of SNARE and provide notification or reporting based on your particular needs.

Security auditing with a host-based IDS is an extremely valuable measure to take. SNARE allows you to track system calls and file accesses, creating a way to trace not only system issues but also exploitation attempts and security violations. Through the combined use of a signature-based network IDS and a host-based IDS for servers, you can greatly improve the level of managed security on your network.

Editor's Picks