...

Antivirus Administration

The Snare Central is based on a custom distribution of Linux, and is therefore potentially susceptible to (significantly) less than 1% of all viruses currently in the wild. The Snare Central does not provide desktop-level functionality, and the risk profile for virus infection on the Snare Central is extremely low. However, the Snare Central integrates the ClamAV virus checker, which is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It includes a high-performance multi-threaded scanning daemon that provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats.

...

It is the customer's responsibility to ensure the antivirus software is kept up to date and is scheduled to run in accordance with your corporate security policy.

Change IP address

The Snare Central IP address, netmask, default gateway, and DNS servers can be modified using this objective. IP, netmask and default gateway values can be modified on a per-ethernet-card basis.

...

The front page will display a snapshot of the state of the reflector. It will update every few seconds with new data, as long as the Snare Central collection/reflection service is active.

The first two 'destinations' in the configuration interface are reserved for use by the Snare Central internally. They send incoming syslog events to the Snare Central syslog interpreter, and all other events to the normal Snare Central log interpreter. The destinations do this by utilising the regular expression filter capabilities of the reflector. All 'listeners' are currently locked by the Snare Central collection server. Configuration options present in the dialog include:

...

IP Address, or DNS Name of the destination server to which the Snare Central should send events.

...

  • Snare Central 7.1+: The destination server is a Snare Central, and is running at least version 7.1 of the software.
  • Snare Central Historical: The destination server is a Snare Central, and is running a version of the software prior to 7.1. The reflector will fall back to a slightly less optimised version of the event transfer format.
  • Syslog RFC 5424: The newer version of the Syslog protocol. Amongst other positives, RFC 5424 includes 'year' information in the date, which is excluded from the RFC 3164 format.
  • Syslog RFC 3164: The older version of the Syslog protocol.
  • QRadar: A customised version of the Syslog RFC 3164 protocol that works around a bug in the QRadar log parser. It detects Snare agent logs, and specifically removes the first 'hostname' entry supplied by the agent in the eventlog data.
  • RSA Envision: A customised version of Syslog RFC 3164 that prefixes the event with "[][][IPAddress][unixDate][] " (where 'IPAddress' is the IP address of the source system that reported the event to the Snare Central, and 'unixDate' is the date/time in unix format, i.e. seconds since epoch).
  • Raw: No conversion. The Snare Central will push the event out in exactly the same format in which it arrives.
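To make the differences between the destination formats above concrete, here is an added illustrative model (not Snare Central's own code) of the built-in syslog/non-syslog split and of four of the output formats. Only the RSA Envision prefix and the year/no-year distinction between RFC 5424 and RFC 3164 come from the page; the sample events, the regular expression used for the split, the PRI value, the APP-NAME field, and the exact placement of the Envision prefix relative to the syslog header are assumptions.

```python
"""Illustrative model of reflector destination formats (added example, not Snare code)."""
import re
from datetime import datetime, timezone

# Constructed sample data: not captured from a real Snare agent or server.
SAMPLE_HOST = "dc01"
SAMPLE_SOURCE_IP = "192.0.2.10"
SAMPLE_TS = datetime(2023, 3, 7, 8, 15, 30, tzinfo=timezone.utc)
SAMPLE_AGENT_EVENT = "MSWinEventLog\t1\tSecurity\t4624\tAn account was successfully logged on"
SAMPLE_SYSLOG_EVENT = "<34>Mar  7 08:15:30 fw01 sshd[1234]: Accepted publickey for ops"

# Assumed regex for the two internal destinations: an event that already
# carries a syslog PRI field goes to the syslog interpreter, everything else
# to the normal log interpreter.
SYSLOG_FRAMED = re.compile(r"^<\d{1,3}>")


def builtin_destination(event: str) -> str:
    """Route an incoming event the way the two reserved destinations do."""
    return "syslog-interpreter" if SYSLOG_FRAMED.match(event) else "log-interpreter"


def rfc3164(event: str, host: str, ts: datetime, source_ip: str = "", pri: int = 13) -> str:
    """RFC 3164: <PRI>TIMESTAMP HOSTNAME MSG; TIMESTAMP is 'Mmm dd hh:mm:ss'
    with a space-padded day and, notably, no year."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {event}"


def rfc5424(event: str, host: str, ts: datetime, source_ip: str = "", pri: int = 13) -> str:
    """RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG;
    the ISO 8601 timestamp carries the year. APP-NAME 'Snare' is assumed."""
    stamp = ts.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    return f"<{pri}>1 {stamp} {host} Snare - - - {event}"


def rsa_envision(event: str, host: str, ts: datetime, source_ip: str, pri: int = 13) -> str:
    """RFC 3164 with the event prefixed by '[][][IPAddress][unixDate][] ' as the
    page describes. Placing the prefix directly before the event text (after the
    syslog header) is an assumption."""
    prefix = f"[][][{source_ip}][{int(ts.timestamp())}][] "
    return rfc3164(prefix + event, host, ts, source_ip, pri)


def raw(event: str, host: str, ts: datetime, source_ip: str = "", pri: int = 13) -> str:
    """Raw: the event leaves exactly as it arrived."""
    return event


FORMATTERS = {
    "Syslog RFC 5424": rfc5424,
    "Syslog RFC 3164": rfc3164,
    "RSA Envision": rsa_envision,
    "Raw": raw,
}


def format_for(destination: str, event: str, host: str = SAMPLE_HOST,
               ts: datetime = SAMPLE_TS, source_ip: str = SAMPLE_SOURCE_IP) -> str:
    """Render one event for the named destination type."""
    return FORMATTERS[destination](event, host, ts, source_ip)


if __name__ == "__main__":
    for name in FORMATTERS:
        print(f"{name:18} {format_for(name, SAMPLE_AGENT_EVENT)!r}")
    print(builtin_destination(SAMPLE_SYSLOG_EVENT), builtin_destination(SAMPLE_AGENT_EVENT))
```

The practical point for a defender is visible in the two syslog variants: an RFC 3164 receiver has to infer the year itself, so events replayed or delayed across a year boundary can be mis-dated, whereas RFC 5424 carries it explicitly.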

...

Configure Server Time Zones

The Snare Central has the ability, on a per-source basis, to time-shift the data at query time. In general, agents will report data back to the Snare Central using their local time and time zone. For objectives such as "Tell me whenever someone logs in before business hours", this strategy works perfectly well. However, if you have a reporting agent in Paris, another in London, and your Snare server is based in New York, and your reports predominantly need to be based around the time in New York (EST), then you may wish to turn time zone manipulation on.
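The following added example (not Snare Central code) shows what per-source time-shifting at query time means for the Paris/London/New York scenario above: the agent's naive local timestamp is interpreted in its source zone and re-expressed in the server zone only when the report asks for it. The source-to-zone table and the sample logon times are constructed; the fixed standard-time offsets are a fallback for hosts without a time zone database.

```python
"""Per-source time-shifting at query time (added example, not Snare code)."""
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo  # Python 3.9+; needs a tz database on the host
except ImportError:  # pragma: no cover
    ZoneInfo = None

# Assumed per-source zone table: IANA name plus the standard-time offset used
# when no tz database is available. Constructed, not Snare configuration.
SOURCE_ZONES = {
    "paris-dc01": ("Europe/Paris", 1),
    "london-fs02": ("Europe/London", 0),
}
SERVER_ZONE = ("America/New_York", -5)


def _zone(spec):
    """Prefer a DST-aware zone; fall back to a fixed standard-time offset."""
    name, std_offset = spec
    if ZoneInfo is not None:
        try:
            return ZoneInfo(name)
        except Exception:  # ZoneInfoNotFoundError when tzdata is absent
            pass
    return timezone(timedelta(hours=std_offset), name)


def shift_to_server_time(source: str, local_ts: datetime) -> datetime:
    """Interpret a naive agent timestamp in the source's zone and re-express it
    in the server's zone; this is the shift applied at query time."""
    src = local_ts.replace(tzinfo=_zone(SOURCE_ZONES[source]))
    return src.astimezone(_zone(SERVER_ZONE))


def before_business_hours(source: str, local_ts: datetime,
                          start_hour: int = 9, use_server_time: bool = False) -> bool:
    """'Logged in before business hours' evaluated either in the agent's local
    time (the default behaviour described on the page) or in server time."""
    ts = shift_to_server_time(source, local_ts) if use_server_time else local_ts
    return ts.hour < start_hour


# Constructed sample: a 08:30 local logon in Paris and London on 2023-03-07,
# a date on which all three zones are on standard time.
SAMPLE_EVENTS = [
    ("paris-dc01", datetime(2023, 3, 7, 8, 30)),
    ("london-fs02", datetime(2023, 3, 7, 8, 30)),
]

if __name__ == "__main__":
    for source, when in SAMPLE_EVENTS:
        shifted = shift_to_server_time(source, when)
        print(source, when.time(), "->", shifted.strftime("%H:%M %Z"),
              "early(local):", before_business_hours(source, when),
              "early(server):", before_business_hours(source, when, use_server_time=True))
```

The two flags on the last line are the whole point of the setting: a 14:00 logon in Paris is an ordinary working-hours event locally but lands at 08:00 in New York, so a New York-centred report only flags it when the shift is on.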

...

Collection is the process that the Snare Central works hardest to keep robust and reliable. If something causes the collection subsystem to fail, it will be restarted as soon as possible, and the server will attempt to collect as many useful statistics relating to memory usage, disk usage, and process information as it can, in order to support debugging efforts by your Snare Central support team.

...

The team at InterSect Alliance have come up with a set of default objectives that suit a diverse range of organisations and security-related regulatory requirements. However, there may be situations where additional specialised objectives are made available to users of the Snare Central. The 'Import from the InterSect Alliance Objective Store' button will allow you to select, and import, objectives.

...

Once LDAP user and group authentication has been enabled, any valid LDAP user can have access to the Snare Central web interface, but will not be able to see any objectives until the correct access rights are granted to each objective, which is achieved via this objective.

Every objective on the Snare Central can be individually secured so that only authorised staff have access to it. Access is granted at group level; therefore, an LDAP user must be attached to an LDAP group in order to view or change an objective. This also applies to local users and groups. The Manage Access Control objective detects whether Snare is in LDAP mode or not, and adjusts objective access rights accordingly.

...

This objective provides summary information on current objective scheduling, target email addresses, and access controls. A link to each objective also enables you to modify the associated configuration settings.

Manage Plugins

The team at InterSect Alliance provide development services for customers, such as creating Snare Central objectives that meet specific organisational requirements. We release these customisations as 'Snare Central Plugins', which can be installed using the normal 'Snare Central Update' capability, and can be turned on/off using the 'Manage Plugins' objective.

My Account

Your Snare Central password can be changed in this objective. Last login date/time information is also available. Note that the Snare Central implements several password security policies, including:

...

This objective runs a number of checks on your Snare Central to ensure it is ready to be upgraded to the next major version using the 'over-the-top' upgrade method.
Note that until a new major version of the Snare Central is available, this objective will not provide any significant functionality.

...

Users with administrative-level access to the Snare Central will be able to shut down, or reboot the Snare Central from this objective.

...

The team at InterSect Alliance will release updates to:

  • Add features to the Snare Central
  • Fix issues that have been reported
  • Update operating system components in response to security issues that specifically affect Snare, or tangentially affect the operating system on which Snare relies.
  • Update virus checker signatures.

...

Threat Intelligence Configuration

Snare Server 7.4+ includes an updated collection infrastructure, which is capable of interfacing with the new Snare Advanced Threat Intelligence (SATI) module. Enabling the threat intelligence capability on the Snare Central Server will facilitate delivery of selected important events up to an infrastructure which is capable of providing enhanced dashboards and log intelligence.

Delivery of data to a non-local elasticsearch instance is also supported. Note that only a limited, high-value subset of the data received by the Snare Central Server will be forwarded to the destination server.

...


Enabling SATI delivery will display an overview of the currently enabled forwarding filters.

...


The Snare Server can be configured to log to a local elastic instance (which is installed and available as part of version 7.4 of the Snare Central server), or can be configured to log to a remote elastic instance. If the remote elastic instance is protected by either X-Pack or ElasticShield from InterSect Alliance, HTTPS/TLS and authentication can be activated.

...


...

It is recommended that a number of users be created after the Snare Central has been installed, so that:

...

Info

The groups built into the Snare Central are: Administrators, SuperUsers, PowerUsers and Default.

...

After the group has been created, you may fine tune access rights for each particular group via System | Administrative Tools | Manage Access Control.
The Snare Central implements several password security policies, including:

...

If a user's account exceeds the 90 day password validity limit, the Snare Central will request a password update.

...

The operating system password controls are managed by the Pluggable Authentication Modules (PAM) in Linux. The configuration files are located in the /etc/pam.d directory. The password controls for the Snare Central are detailed in the /etc/pam.d/common-password file. The file can be updated to reflect your corporation's security policy.

...

The configuration will enforce the password policy rules for the following operating system accounts: root, snare and snarexfer. For additional information on the values of each setting, refer to the manual pages for pam.d and pam_cracklib.
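As an added illustration of the kind of policy that common-password can express (a constructed fragment, not the file shipped with the Snare Central; the specific values are assumptions to be replaced by your own policy), the following uses the pam_cracklib and pam_unix options documented in their manual pages:

```text
# /etc/pam.d/common-password  (constructed illustration, not the shipped file)
# pam_cracklib: allow 3 attempts, require at least 12 characters, at least 3
# characters different from the old password, and at least one digit, one
# upper-case, one lower-case and one other character (negative credits = required).
password  requisite  pam_cracklib.so retry=3 minlen=12 difok=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
# pam_unix: reuse the password already checked above, hash with SHA-512 and
# refuse the last 5 passwords.
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok sha512 remember=5
password  requisite  pam_deny.so
password  required   pam_permit.so
```

Note that this file governs password quality and history only; the 90 day validity limit referred to above is, on Linux generally, an account-ageing setting (PASS_MAX_DAYS in /etc/login.defs for new accounts, or chage for existing ones) rather than a common-password option, so check both places when aligning the system with your policy.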