Historically, any enterprise searching for a host-based IDS (intrusion-detection system) to protect its Linux environment has found itself stymied by a lack of available solutions.
Network-based IDSes such as Snort have been available for some time, but the host-based approach offers certain advantages, such as the capability to detect attacks that network-based solutions sometimes miss and greater flexibility for fine-tuning which activities should be monitored.
Thankfully, the market opened up last November when an Australian security company called InterSect Alliance released SNARE (System iNtrusion Analysis and Reporting Environment), an open-source, host-based intrusion-detection tool for Linux. SNARE consists of three main components: a dynamic kernel audit module, an audit daemon, and a front-end GUI. The kernel audit module wraps critical system calls such as mkdir, open, and execve and gathers information about the process and the user that executed the call. This information is then stored in a temporary buffer. The user-space audit daemon reads the event data from the temporary buffer via the /proc/audit device and converts it from binary format to a delimited text format. Meanwhile, SNARE's GUI displays these events in a colourful, easy-to-read window, and also provides configuration screens to define which events should be logged.
We tested SNARE on a default Red Hat 7.1 distribution and were impressed with the solution's performance. Using the GUI, you can configure SNARE to monitor either raw kernel events or defined filtered objects. If you choose the former, SNARE will log every instance of a given process, which can lead to very large log files. By defining filtered objects, you can achieve more granular control, allowing you to monitor different kinds of alerts or specific users.
And there's more good news: significant enhancements are already in the works for future versions of SNARE. InterSect is planning features such as a user-exclusion list, open-flag filtering (to log events only when files are opened in write mode), and a tool to connect the GUI to remote SNARE installations via a network.
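As an added illustration of the filtered-object approach (this is not SNARE's own code; the tab-delimited record layout, field names and sample records are constructed assumptions), the following Python parses delimited audit-daemon style records and applies the kinds of filters described above, including a user-exclusion list and write-mode open-flag filtering:

```python
"""Filtered-object selection over audit daemon records (added example).
Constructed: the tab-delimited layout is assumed, not SNARE's real format."""
from dataclasses import dataclass
O_WRONLY, O_RDWR = 0x1, 0x2  # Linux open(2) access-mode bits

@dataclass
class AuditEvent:
    syscall: str  # wrapped call: execve, open, mkdir ...
    user: str     # user that issued the call
    pid: int
    path: str
    flags: int    # open(2) flags for open events, 0 otherwise

def parse_events(text):
    """Turn delimited daemon output into AuditEvent objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            syscall, user, pid, path, flags = line.split("\t")
            events.append(AuditEvent(syscall, user, int(pid), path, int(flags, 0)))
    return events

def is_write_open(ev):
    """Open-flag filter: true only when a file was opened for writing."""
    return ev.syscall == "open" and bool(ev.flags & (O_WRONLY | O_RDWR))

def filter_events(events, syscalls=None, users=None, exclude_users=(),
                  write_opens_only=False):
    """Keep events matching one filtered object; None means 'any'."""
    keep = []
    for ev in events:
        if ev.user in exclude_users:  # user-exclusion list
            continue
        if syscalls is not None and ev.syscall not in syscalls:
            continue
        if users is not None and ev.user not in users:
            continue
        if write_opens_only and ev.syscall == "open" and not is_write_open(ev):
            continue
        keep.append(ev)
    return keep

# Constructed sample records: syscall, user, pid, path, open flags.
SAMPLE = ("execve\troot\t1203\t/bin/ls\t0\n"
          "open\talice\t1410\t/etc/passwd\t0x0\n"
          "open\talice\t1412\t/home/alice/.bashrc\t0x241\n"
          "mkdir\tbob\t1500\t/tmp/build\t0\n"
          "open\tbackup\t1601\t/var/backups/db.tar\t0x241\n")
```

Raw monitoring corresponds to calling `filter_events` with no arguments; each extra argument narrows the output the way a filtered object would.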
While they're at it, InterSect might want to consider other enhancements such as centralised logging and more granular filtering capabilities. We also uncovered one error in the documentation, which states that the audit daemon auditd file is located in /etc/init.d. In our installation, the file was found in /usr/sbin.
Those shortcomings aside, SNARE performed admirably in our tests, proving itself a remarkably easy-to-use and potent security solution. Any organisation running Linux servers would be well-advised to evaluate what SNARE has to offer.
InterSect Alliance is currently putting the finishing touches on SNARE 0.9, which will include a few extra features such as user exclusion, file open-flag filtering, network connect/accept auditing and remote audit distribution.
System iNtrusion Analysis and Reporting Environment 0.8 can be downloaded for free at www.intersectalliance.com.
- Ease of Use: 10
- Implementation: 10
- Innovation: 8
- Interoperability: 8
- Scalability: 5
- Security: 8
- Suitability: 8
- Support: 9
- Training: 7
- Value: 10
- Overall: 8