How to Install and run Snare under Linux
• An appropriate Linux distribution.
A distribution that has the audit capability turned on in its supplied kernel. At
present, Red Hat Enterprise 4, CentOS 4, and SuSE 10.1 are known to support
• audit version 1.0.15 or newer
This provides the necessary binaries to funnel audit event information from
the Linux kernel into Snare via the “dispatcher” configuration option. This
package will generally be provided by your Linux distribution vendor.
• The SnareLinux package in RPM format, or a format appropriate for
installation on your system.
Snare for Linux provides the infrastructure required to filter, format and
distribute audit log data to one or more central log collection systems.
NOTE that the InterSect Alliance site provides binaries for several common
distributions, but if your distribution is not supported, you may need to
recompile & install Snare from either the source RPMs, or the basic ‘tar
Compile from a source RPM
To recompile and install for your own system, try the following commands as root:
1. rpm --rebuild SnareLinux-1.4-1.src.rpm
The software should compile. Near the end of the build text, a line similar to the
following will appear:
2. Use this filename to install the new SnareLinux package:
rpm -Uvh /usr/src/redhat/RPMS/i386/SnareLinux-1.4-1.i386.rpm
Install Snare and SnareCore binary RPM packages.
Installation of the Snare package is reasonably straightforward:
1. Download the required RPMs, as above.
2. Log on as the root user, i.e. enter the command /bin/su - at the command prompt, and enter the root password when prompted. Issue the command, as root:
rpm -Uvh SnareLinux-1.4-1.i386.rpm
3. Note that the audit daemon will restart after Snare has been installed.
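The prerequisite checks and the rebuild/install steps from this page, gathered into POSIX shell functions. This is an added example, not code from the Snare documentation or from InterSect Alliance. It assumes that `auditctl -v` prints `auditctl version X.Y.Z`, that rpmbuild reports each package it builds on a line beginning `Wrote: ` (rpmbuild --rebuild being the current spelling of the page's rpm --rebuild), and that the running kernel's build config is readable at /boot/config-$(uname -r). The sample rpmbuild output is constructed here around the package path the page quotes, and the `rpm --checksig` call is added as the check a practitioner would run on a downloaded source RPM before building from it.

```shell
#!/bin/sh
# Added example: prerequisite checks and the Snare rebuild/install procedure
# as shell functions. Not from the Snare documentation.
# Assumptions (not stated on the page):
#   - `auditctl -v` prints "auditctl version X.Y.Z"
#   - rpmbuild prints each package it builds on a line beginning "Wrote: "
#     (rpmbuild --rebuild is the current form of the page's rpm --rebuild)
#   - the running kernel's build config is at /boot/config-$(uname -r)

SRPM="SnareLinux-1.4-1.src.rpm"   # source RPM named on the page
MIN_AUDIT="1.0.15"                # minimum audit userspace version from the page

# version_ge A B: succeed if dotted version A >= B, comparing numerically
# component by component (a missing component counts as 0).
version_ge() {
    i=1
    while :; do
        x=$(printf '%s.\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s.\n' "$2" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # every component equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# audit_version_ok "<auditctl -v output>": succeed if the reported version
# meets MIN_AUDIT. Input that does not look like auditctl output fails.
audit_version_ok() {
    v=$(printf '%s\n' "$1" | sed -n 's/^auditctl version \([0-9.][0-9.]*\).*/\1/p')
    [ -n "$v" ] && version_ge "$v" "$MIN_AUDIT"
}

# kernel_audit_enabled [config-file]: succeed if the kernel was built with
# CONFIG_AUDIT=y; without it no events ever reach the dispatcher.
kernel_audit_enabled() {
    cfg="${1:-/boot/config-$(uname -r)}"
    grep -q '^CONFIG_AUDIT=y$' "$cfg" 2>/dev/null
}

# built_rpm_path "<rpmbuild output>": print the first binary RPM path that
# rpmbuild reported writing, which is the file to hand to rpm -Uvh.
built_rpm_path() {
    printf '%s\n' "$1" \
        | sed -n 's/^Wrote: \(.*\.rpm\)$/\1/p' \
        | grep -v '\.src\.rpm$' \
        | head -n 1
}

# Constructed sample of rpmbuild output, built around the package path the
# page quotes; real output has many more lines.
SAMPLE_RPMBUILD_OUTPUT='Installing SnareLinux-1.4-1.src.rpm
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.12345
Wrote: /usr/src/redhat/RPMS/i386/SnareLinux-1.4-1.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.12345'

# install_snare: the page's procedure end to end. Run as root with the
# source RPM in the current directory.
install_snare() {
    kernel_audit_enabled || { echo "kernel lacks CONFIG_AUDIT" >&2; return 1; }
    audit_version_ok "$(auditctl -v 2>/dev/null)" \
        || { echo "audit userspace older than $MIN_AUDIT or missing" >&2; return 1; }
    # Verify digests and signature of the downloaded source RPM before
    # building from it. --checksig fails on a corrupt or badly signed file;
    # an unsigned file still passes, so inspect its output if signing is required.
    rpm --checksig "$SRPM" || return 1
    out=$(rpmbuild --rebuild "$SRPM" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    pkg=$(built_rpm_path "$out")
    [ -n "$pkg" ] || { echo "no binary RPM found in rpmbuild output" >&2; return 1; }
    rpm -Uvh "$pkg"
    # The page notes the audit daemon restarts after installation; confirm
    # the kernel audit subsystem answers before relying on it.
    auditctl -s >/dev/null
}

# Uncomment to run the real procedure:
# install_snare
```

Only `install_snare` touches the system; the other functions are pure and can be exercised on sample strings, which is how the version and path parsing above should be checked before trusting the script on a production host.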