Snare for Firefox Snare Agent for the Firefox Browser




Snare Agent for the Firefox Browser InterSect Alliance International Pty Ltd Page 1 of 11

Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct, or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance International Pty Ltd. This does not include those documents and software developed under the terms of the open source General Public Licence, which covers the Snare agents and some other software. The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance International Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice.

About this guide

This document introduces you to the functionality of the Snare Agent for the Firefox browser, and highlights a few example browser log investigation strategies. Other resources that may be useful to read include:

- Snare Server Installation Guide
- Snare Server Users Guide
- The Snare Toolset - A White Paper.

Table of Contents:

1. Snare Agent for Firefox
1.1 Web Requests
1.2 Cookie Changes
1.3 Snare internal messages
2. Installation & Configuration
3. Troubleshooting
4. Analysis
Appendix A: Testing without a collection server

1. Snare Agent for Firefox

Snare for Firefox is a browser add-on that monitors web requests made by your browser and cookie activity by remote web sites, and sends the results to a central server for collection and analysis.

1.1 Web Requests

When you access a web site, your browser connects to the main destination page, downloads the HTML data, and then attempts to access any additional files referenced by the page in question; these may be images, cascading style sheet files, or a range of other alternatives. Snare will log each of these access requests, and report the details of the transaction.

Note that Snare makes no distinction between normal mode and incognito mode in your browser. Browsing in incognito mode will NOT be recorded in your browsing history, but will still be picked up by Snare. Snare also makes no distinction between http and https mode; it will report on both.

Date / Time: 2013-04-18 16:31:15
Source System: INFERNO
Log Type: Browser
Browser and Version: Firefox 20.0
UserName: user
Access Type: GET
URL: http://www.google.com.au/imghp?hl=en&tab=ii
Referrer: http://www.google.com.au/
Bytes downloaded: 23
HTTP Result Code: 200

1.2 Cookie Changes

Cookie additions, deletions and modifications will be reported by Snare. Although the content of the cookies in question will not be available, the cookie name, and scope will be reported.

Date / Time: 2013-04-18 16:32:27
Source System: INFERNO
Log Type: Browser
Browser and Version: Firefox 20.0
UserName: user
EventID: COOKIE ADDED
Cookie Name: recently_watched_video_id_list
Cookie Scope: .youtube.com

1.3 Snare internal messages

Modifications to the add-on settings, and attempts to restart the agent, will be sent back to the collection server prior to the application of the changes. Although by no means is this a guaranteed/foolproof way of detecting that the agent settings have been modified by the user, it will allow security administrators to detect casual or accidental modifications.

Date / Time: 2013-04-18 16:32:27
Source System: INFERNO
Log Type: Browser
Browser and Version: Firefox 20.0
UserName: user
EventID: SNARE
Details: Snare Preference change by user value for destaddress has been changed to AnotherServer.local

2. Installation & Configuration

What You Need

- The Snare for Firefox XPI installation package, from the InterSect Alliance web site.
- A log collection server such as:
  - The Snare Server by InterSect Alliance International.
  - A TCP-capable syslog server.

Snare for Firefox is available from the InterSect Alliance web site. If you are running Firefox as your current browser, the following window will appear:

If you do not wish to install Snare for Firefox on your current browser session, it is recommended that you RIGHT CLICK on the download link, and choose the Save link as.. option, in order to download the installation package to your local workstation.

If you wish to install the package on your current browser, choose the Install button once it becomes active.

To configure the agent / add-on, select the Add-ons menu item from your Firefox Tools menu. A new tab will open, displaying the Add-ons manager. Select the Preferences button to make changes to the Snare for Firefox settings. You may also choose to Disable the add-on, or Remove the add-on.

Note that, due to the security strategy employed by most browsers, including Firefox, the user has permission to add, remove, or modify the settings of, any installed add-on. Snare will do its best to send out a log event to the original server whenever settings are changed, or when the user has requested that the add-on be disabled, but there is fundamentally no way for Snare to block manual modifications to configuration settings, or complete removal of the add-on.
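A collection-side check for the preference-change events of section 1.3 and the limitation noted above, as an added example that is not part of the original guide or the vendor's code. It flags a destaddress change to a collector that is not on an approved list, and agents that then go quiet; the dictionary keys, the approved collector name and the eight-hour silence threshold are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Matches the Details text shown in section 1.3 for a preference change.
CHANGE = re.compile(r"value for (\S+) has been changed to (\S+)")

def review_agents(events, approved, now, max_silence=timedelta(hours=8)):
    """Return (source, user, finding, detail) tuples worth a follow-up."""
    findings, last = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["source"], ev["user"])
        last[key] = ev
        m = CHANGE.search(ev.get("details", ""))
        if ev.get("event_id") != "SNARE" or not m:
            continue
        setting, value = m.groups()
        if setting == "destaddress" and value.lower() not in approved:
            findings.append(key + ("redirected", value))
        else:
            findings.append(key + ("setting-changed", setting))
    for key, ev in last.items():
        # No later event arrived: the agent may be idle, caching, disabled,
        # removed, or now reporting to another collector.
        if now - ev["time"] > max_silence:
            kind = ("silent-after-snare-event"
                    if ev.get("event_id") == "SNARE" else "silent")
            findings.append(key + (kind, str(ev["time"])))
    return findings

# Constructed sample events; only the SNARE record mirrors the one on this page.
T = datetime.fromisoformat
EVENTS = [
    {"time": T("2013-04-18 09:00:00"), "source": "HOST2", "user": "user2",
     "event_id": "COOKIE ADDED"},
    {"time": T("2013-04-18 16:31:15"), "source": "INFERNO", "user": "user"},
    {"time": T("2013-04-18 16:32:27"), "source": "INFERNO", "user": "user",
     "event_id": "SNARE",
     "details": "Snare Preference change by user value for destaddress "
                "has been changed to AnotherServer.local"},
]
APPROVED = {"snare.example.internal"}  # hypothetical approved collector name

def demo():
    return review_agents(EVENTS, APPROVED, now=T("2013-04-19 09:00:00"))
```

Silence on its own only means no events arrived, so treat those findings as prompts to check the workstation rather than as proof of tampering.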

Snare for Firefox provides the following preference settings:

- Destination Address: The IP address or domain name for the server that should receive Snare for Firefox log data.
- Destination Port: Choose from either Snare (TCP port 6161) or Syslog (TCP port 514).

If either of the settings needs to be changed, tell the add-on to close and re-open its TCP connection to the target server/port by clicking the Apply Changes button.

3. Troubleshooting

Snare operates as a background task, and there are no interactive indications that Snare is unable to forward log data to the correct destination. However, if log data cannot be sent to the remote server, Snare adds the log to an internal cache. The cache is able to hold approximately 3,000 messages. Every 60 seconds, Snare will attempt to flush the cache by reconnecting to the remote server, and pushing the data out. If, at the end of this attempt, Snare is still unable to send events, it will write a message to the Firefox console.

You can access the Firefox console from your Tools menu. Select the Web Developer submenu, and the Error Console item. A new window will appear. Choose the Messages button to filter out extraneous information. If Snare cannot send log data to the remote server, the following messages will be displayed:

You may also wish to use a network analysis tool (such as Wireshark) to inspect packets as they traverse your network.

4. Analysis

Version 6.1 of the Snare Server incorporates new objective templates relating specifically to Browser logs. The templates currently include:

- Inappropriate material (pornographic links)
- Cookie changes
- Social media access
- Snare agent related messages
- Ad hoc queries of arbitrary scope.

Output components for Browser related content include, but are not limited to:

- A pattern map, divided into 15-minute segments.
- Tabular output
- Pie, Line and Horizontal graphs of various types.
- Bandwidth analysis graphs.
- CSV/TXT output
- Random image samples

Appendix A: Testing without a collection server

If you wish to test the Snare for Firefox agent, but do not have a Snare or Syslog server available, the free tool socat is available on both Unix and Windows operating systems, and can function as a simple display system for incoming events from the Snare for Firefox agent. A sample invocation is available below:

    user@myhost ~ $ socat tcp4-listen:6161 -
    inferno Browser 2013-04-19 16:08:14 Firefox 20.0 user GET https://sb-ssl.google.com/safebrowsing/newkey?client=navclient-auto-ffox 154 200
    inferno Browser 2013-04-19 16:08:14 Firefox 20.0 user COOKIE ADDED PREF.google.com 0
    inferno Browser 2013-04-19 16:08:17 Firefox 20.0 user GET http://www.google.com.au/ -1 200
    inferno Browser 2013-04-19 16:08:17 Firefox 20.0 user COOKIE ADDED PREF.google.com.au 0
    inferno Browser 2013-04-19 16:08:17 Firefox 20.0 user COOKIE ADDED NID.google.com.au 0
    inferno Browser 2013-04-19 16:08:18 Firefox 20.0 user GET http://www.google.com.au/images/icons/product/chrome-48.png http://www.google.com.au/ 1834 200
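An added example, not part of the original guide or the vendor's code: a small Python parser for the event lines shown in the socat output above, covering the optional referrer field and the -1 byte count. It assumes the fields are whitespace-separated as they appear in this transcription and that -1 means the size was not known; `parse_record` and `summarise` are names chosen for this example.

```python
import re

# The six records from the sample socat output on this page. Assumption: fields
# are separated by whitespace, as they appear in this transcription.
SAMPLE = """\
inferno Browser 2013-04-19 16:08:14 Firefox 20.0 user GET https://sb-ssl.google.com/safebrowsing/newkey?client=navclient-auto-ffox 154 200
inferno Browser 2013-04-19 16:08:14 Firefox 20.0 user COOKIE ADDED PREF.google.com 0
inferno Browser 2013-04-19 16:08:17 Firefox 20.0 user GET http://www.google.com.au/ -1 200
inferno Browser 2013-04-19 16:08:17 Firefox 20.0 user COOKIE ADDED PREF.google.com.au 0
inferno Browser 2013-04-19 16:08:17 Firefox 20.0 user COOKIE ADDED NID.google.com.au 0
inferno Browser 2013-04-19 16:08:18 Firefox 20.0 user GET http://www.google.com.au/images/icons/product/chrome-48.png http://www.google.com.au/ 1834 200
"""

HEAD = re.compile(
    r"(?P<source>\S+)\s+(?P<log_type>\S+)\s+"
    r"(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<browser>\S+\s+\S+)\s+(?P<user>\S+)\s+(?P<rest>.+)")
NUM = re.compile(r"-?\d+")

def parse_record(line):
    """Return a dict for one event line, or None if the line does not fit."""
    m = HEAD.fullmatch(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest").split()
    if rest[0] == "COOKIE" and len(rest) >= 3:
        # Cookie name and scope are kept together, as printed in the sample.
        rec.update(kind="cookie", event=" ".join(rest[:2]), cookie=rest[2])
    elif len(rest) in (4, 5) and all(NUM.fullmatch(t) for t in rest[-2:]):
        # Layout: method, URL, optional referrer, bytes, HTTP result code.
        rec.update(kind="request", method=rest[0], url=rest[1],
                   referrer=rest[2] if len(rest) == 5 else None,
                   size=int(rest[-2]), status=int(rest[-1]))
    else:
        return None
    return rec

def summarise(text):
    recs = [r for r in map(parse_record, text.splitlines()) if r]
    reqs = [r for r in recs if r["kind"] == "request"]
    return {
        "requests": len(reqs),
        "cookie_events": len(recs) - len(reqs),
        # -1 is assumed to mean "size not known", so it is left out of totals.
        "bytes": sum(r["size"] for r in reqs if r["size"] >= 0),
        "no_referrer": [r["url"] for r in reqs if r["referrer"] is None],
        "query_strings": [r["url"] for r in reqs if "?" in r["url"]],
    }
```

The `query_strings` list shows that full URLs, including the query string of an https request, are stored by whatever collects these events, which matters when deciding who may read the collector's logs.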