How To

Install a SNARE agent on AD

Warren Caron
Warren Caron • 9 September 2024
0 comments

Installing SNARE Agent on Active Directory

 

Download and Install SNARE

For each machine:

  1. a) Navigate to https://www.snaresolutions.com
  2. b) Register, download the installer and run as administrator.
  3. c) The default SNARE port is 6161.
  4. d) Ensure that that the SNARE service is running.
  5. e) There is no login after installing SNARE; the user login is “snare”. You can set a new password.

Configure SNARE

For each machine:

  1. a) Using SNARE’s Network Configuration Option, instruct SNARE to send messages to the GigaFlow server IP address.
  2. b) Navigate to SNARE Filtering Objective Configuration and select the messages that you are interested in, e.g. Logon or Logoff events.
  3. c) Remove all other Objectives.
  4. d) Click Apply latest Audit Configuration.

Configure GigaFlow

  1. a) In GigaFlowa syslog parser is required to parse the username and IP into the database. Navigate to System > Syslog Parsers.
  2. b) The parser type must be set to User.

Verifying the Installation

  1. a) Navigate to System > Syslog Parsersclick to edit the syslog parser just created. If the system is working correctly, matched syslog entries will be displayed in the Matches table.

Configuration on GigaFlow Syslog Parser

Use the following Regex expression to parse out logon events and the user information

  1. User
  2. Domain
  3. Logon IP

4624.*Logon Type:  3.*Account Name:(.+?)\s+Account Domain:(.+?)\s+Logon ID.*Source Network Address: (.+?)\s

Snare Open Source is free to download and can be utilized at free of cost but for the advanced features and support, you will need to purchase SNARE Enterprise Tool.  Following is recommendation from Snare itself.

  1. Snare Open Source and Enterprise Agents

Snare recommends upgrading from its Open Source Agents to its Enterprise Agents solution. From Snare’s website:

We know that there are still plenty of users around the world who lean on our open source agents so we still make them available to download. We would like to reiterate that they have been out of date for years and we highly recommend that you use Snare Enterprise Agents.

  1. Installation Locations

Snare Open Source Agents must be installed on each Microsoft Active Directory (AD) server that is in use and on the device that stores the Windows logs.

Be the first one to comment

Please log in or sign up to comment.