How to Install Snare on Windows Server and configure it to log to Cisco MARS or any other logging server.
Install the SNARE Agent on the Microsoft Windows Host
To install the SNARE agent, follow these steps:
- Step 1 Log in to the target host using a username with proper administrative privileges. The username must have the permission to publish audit data as well as to install new programs.
- Step 2 Download the SNARE Agent for Windows that corresponds to the operating system type installed on the target host from the following URL: http://sourceforge.net/projects/snare/
- Step 3 Double-click the SnareSetup<version>.exe file to start the install program.
- Step 4 Click Next.
- Step 5 Select the target install folder and click Next.
- Step 6 Select Normal Installation in the Components list and click Next.
- Step 7 Select the target Start menu location and click Next.
- Step 8 Verify the selection options and click Install.
SNARE is installed and started on the local host. A dialog box appears, prompting you to specify whether to allow SNARE to control the EventLog configuration for the Microsoft Windows host.
- Step 9 Select Yes to enable SNARE to control the EventLog configuration for this Microsoft Windows host. The SNARE – Remote Event Logging for Windows user interface appears.
- Step 10 To configure the SNARE agent, continue with Enable SNARE on the Microsoft Windows Host.
Enable SNARE on the Microsoft Windows Host
Once you have downloaded and installed the SNARE agent on the target Microsoft Windows host, you must configure the agent to forward the correct event data in the correct format to the MARS Appliance.
To configure the SNARE agent, follow these steps:
- Step 1 Click All Programs > InterSect Alliance > Snare for Windows to run the SNARE – Remote Event Logging for Windows user interface.
- Step 2 Click Setup > Network Configuration….
  The Network Configuration page appears.
- Step 3 Specify values for the following fields:
  - Override detected DNS Name with—Specify the IP address or DNS name of the local host in the field.
  - Destination Snare Server address—Specify the IP address or the DNS name of the MARS Appliance.
- Step 4 Verify that the following options are selected:
  - Allow SNARE to automatically set audit configuration
  - Allow SNARE to automatically set file audit configuration
  - Enable SYSLOG Header
- Step 5 Click Apply the Latest Audit Configuration on the Network Configuration page.
- Step 6 Click File > Close to close the SNARE – Remote Event Logging for Windows user interface. The SNARE agent is stopped and restarted to pick up the configuration changes.
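To confirm on the logging server that the settings above took effect, a received line can be checked for the syslog header and for the host name entered in Override detected DNS Name with. This is an added example, not part of the original procedure or of SNARE itself; the RFC 3164-style header layout, the tab-separated MSWinEventLog tag, the host names and the sample lines are assumptions constructed for illustration.

```python
import re

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss HOST payload (assumed layout)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample datagrams (not captured from a real agent).
WITH_HEADER = (b"<13>Jan  5 10:15:02 web01.example.test "
               b"MSWinEventLog\t1\tSecurity\t42\tsample event text")
WITHOUT_HEADER = (b"web01.example.test\t"
                  b"MSWinEventLog\t1\tSecurity\t42\tsample event text")


def check_forwarded_event(datagram: bytes, expected_host: str) -> list:
    """Return the problems found in one received datagram (empty list = OK)."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = HEADER.match(text)
    if m is None:
        # Nothing else can be checked reliably without the header.
        return ["no syslog header: is 'Enable SYSLOG Header' selected?"]
    problems = []
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility * 8 + severity, so the maximum is 23*8+7
        problems.append(f"invalid PRI value {pri}")
    if m["host"].lower() != expected_host.lower():
        problems.append(f"host is {m['host']!r}, expected {expected_host!r}")
    # Assumption: the agent tags Windows events with MSWinEventLog
    # as the first tab-separated field of the payload.
    if m["msg"].split("\t", 1)[0] != "MSWinEventLog":
        problems.append("payload is not tagged MSWinEventLog")
    return problems


if __name__ == "__main__":
    for name, sample in (("with header", WITH_HEADER),
                         ("without header", WITHOUT_HEADER)):
        print(name, "->", check_forwarded_event(sample, "web01.example.test") or "OK")
```
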