Each mapping in the list can be edited or deleted using action buttons:
Display the Snare Central Log Files
...
This tool lets you easily access and view the different Snare Central log files available on your system, and share or email a copy of a log file. When you request assistance from your Snare Central support team, you may be asked to email a specific log file to aid the investigation, e.g. the Snare debug log file, which contains generic information on what objectives were run, what scheduled tasks are currently implemented, etc. Increasing the Snare Central debug level (see the section above on "Configuration Wizard" for more information) will significantly increase the amount of data that is written to this file.
Display the Snare Service Monitor Log File
The Snare service monitor log file records the activity of the collection subsystem. Collection is a high priority process on Snare Central, and there are backend processes that try to ensure that collection is robust and reliable. If something causes the collection subsystem to fail, it will be restarted as soon as possible, and the server will attempt to collect as many useful statistics relating to memory usage, disk usage and process information as it can, in order to support debugging efforts by your Snare Central support team.
- View Log File
...
IP Address Configuration
The Snare Central IP address, netmask, default gateway, and DNS servers can be modified using this objective. IP, netmask and default gateway values can be modified on a per-ethernet-card basis.
It should be noted that once the IP address has changed, the server will no longer be contactable via the old IP address, so if you were connecting to the old IP address with your web browser, your browser may become unresponsive after the address change.
- Accessing and viewing Snare Central log files can now be done by clicking the drop-down menu and selecting from the list of log files available in your Snare Central.
- Share or Email a Copy of Log File
- To share or email a copy of a log file, first select the target log file from the drop-down menu.
- Then enter the email address of the recipient into the provided input box.
- After that, click the "SEND EMAIL" button to email the log file directly.
Display the Snare Service Monitor Log File
Warning: The separate tool for displaying the Snare Service Monitor log file is deprecated. It is now part of the more robust Display the Snare Central Log Files tool, which lets you access, view and email a copy of not only the Snare Monitor log file but also the other log files available in your Snare Central (see the Display the Snare Central Log Files section on this page).
File Integrity Check Administration
This tool allows the user to schedule, monitor and administer system files integrity checks and report on any changes on such files.
The File Integrity Check objective scans the current data store and the underlying operating system and calculates the SHA3-256 checksum for every file it detects. The objective stores the data in a database on a scheduled basis. It is important that the user understands that this objective needs to be scheduled in order to generate the FIM scans and databases.
This page will also allow the user to see the difference between any two selected databases in order to verify that data has not been tampered with since the selected runs.
This comparison can take several hours to finish, so the job will be queued to be executed in the background.
Please note that the Snare Central Health Checker will, by default, report the difference between the current day's and yesterday's databases.
It is also important to note that when two or more checksum comparisons run simultaneously, the later one overrides the results of the previous one, so it is a good idea to run only one comparison task at a time.
Multiple databases can be selected and a backup file can be downloaded for safe storage. Historical database results can be deleted to free disk space as required.
All tasks performed in this objective are audited by Snare Central in real time. This means that SnareServer Log type events will be generated while interacting with this objective.
Please note that changes to the Snare system produced by a Snare Central upgrade will be detected and reported on, as this will include many system files as well as the Snare application components. If you see changes occurring in the operating system and application that were not the result of a patch or manual user intervention, then they should be investigated as part of your corporate incident management process.
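As an illustration of the scan-and-compare workflow described above, here is a small added Python example (not Snare Central's own code) that hashes every regular file under a root with SHA3-256, stores each run as a JSON database, picks the two newest databases the way the Health Checker default pairs yesterday's and today's runs, and reports the added, removed and modified files. The directory layout, file names, `fim-YYYYMMDD.json` naming and JSON format are constructed for the example.

```python
"""Minimal file-integrity scan and comparison in the style of the Snare Central
File Integrity Check objective (added example, not Snare Central code): SHA3-256
every regular file under a root, keep each run as a database (a JSON file here),
and diff two runs."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # hash in chunks so large binaries need not fit in memory


def sha3_256_file(path):
    """Return the SHA3-256 hex digest of one file."""
    h = hashlib.sha3_256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Walk root and return {relative posix path: sha3-256 hex} for every regular
    file. Symlinks are skipped so one file is not recorded twice via a link."""
    root = Path(root)
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            db[p.relative_to(root).as_posix()] = sha3_256_file(p)
    return db


def save_db(db, path):
    """Persist one scan as a JSON database (stand-in for the objective's store)."""
    Path(path).write_text(json.dumps(db, sort_keys=True, indent=1))


def load_db(path):
    return json.loads(Path(path).read_text())


def compare(old, new):
    """Diff two scan databases: files added, removed, or whose checksum changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def newest_pair(db_dir):
    """Pick the two most recent databases by date-stamped file name (assumed
    fim-YYYYMMDD.json), mirroring the default of comparing yesterday with today."""
    names = sorted(Path(db_dir).glob("fim-*.json"))
    if len(names) < 2:
        raise ValueError("need at least two scan databases to compare")
    return names[-2], names[-1]


def demo():
    """Build a constructed sample tree, take a baseline, change it, rescan, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "snare.conf").write_text("debug_level=1\n")
        (root / "bin" / "collector").write_bytes(b"\x7fELF-constructed-binary")
        (root / "bin" / "unchanged").write_bytes(b"same content both runs")

        db_dir = Path(tmp) / "fim-db"
        db_dir.mkdir()
        save_db(scan(root), db_dir / "fim-20240101.json")  # "yesterday"

        # Changes between runs: an edited config, a deleted binary, a new file.
        (root / "etc" / "snare.conf").write_text("debug_level=5\n")
        (root / "bin" / "collector").unlink()
        (root / "etc" / "cron.sh").write_text("#!/bin/sh\n")
        save_db(scan(root), db_dir / "fim-20240102.json")  # "today"

        old_path, new_path = newest_pair(db_dir)
        return compare(load_db(old_path), load_db(new_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the block prints the three change lists for the constructed tree. As the page notes, a scan taken right after an upgrade or patch will list many legitimate changes; keeping a fresh baseline after each approved change is what makes the next comparison's "modified" list worth reviewing.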
IP Address Configuration
Snare Central allows modification of its IP address, netmask, default gateway and DNS server settings. These values can be adjusted individually for each Ethernet card, providing flexibility in the network management of your Snare Central.
- To change a setting, click the "Edit" icon located in the upper right corner of the Ethernet card you want to modify.
- Then, in the Update Interface pop-up, modify the values and click the "EDIT" button to save the changes.
Import Objectives
Snare Central ships with a large number of default Reports and (starting from v8.6.0) Analytics Dashboards (AKA objectives) that suit a diverse range of organisations, and meet security-related regulatory requirements.
However, there may be situations where additional specialised Reports or Dashboards are made available to users of Snare Central, or need to be transferred from one server to another.
The 'Upload a previously saved Objective(s) or Analytics Dashboards archive' section allows you to select and import objectives from a file stored on your local workstation.
In situations where you have previously used the 'Objective Export' capability by right-clicking on a container, the objectives will be exported to either a local file, or via email, to a selected destination user.
Objectives will be imported into a new container, called "Imported Objectives YYMMDDHHMMSS" (where YYMMDDHHMMSS represents the date/time of import).
The 'Import from a locally stored snapshot of the InterSect Alliance Objective Store' section allows you to import objectives from a local objective store. Click the icon beside the desired objective package to import it.
Manage Access Control
To access this area, LDAP groups should be enabled in Configuration Wizard | Security Setup | Snare Central, or Local User groups should be defined in User Administration. This objective provides an easy and flexible interface for changing Objective access controls at the group level, for both local groups and groups defined on an identified LDAP/Active Directory server.
...
Manage Access Control allows you to select one, many, or all existing objectives, and add or delete "Access" permissions (Read access) and/or "Change" permissions (Write access) to those objectives for a group or set of groups.
Clicking the Objective name (or Objective directory) in the tree representation on the left (see image below) will select or deselect the objective(s). Once selected, one or more groups must be highlighted in the list on the right and at least one access level must be selected from the Permissions list in order to apply them to the selected objectives.
Note that users who create, or clone an objective, are identified as the owner of the objective. Both the owner, and Snare Server Administrators have the ability to Delete the objective and Add new users to the objective.
Manage Nightly Updates
This objective allows an administrator to manage the updates of third party data files that Snare Central uses such as:
- The GeoIP2 database from MaxMind
- The MAC address database from standards.ieee.org
- The Malware database from malwaredomainlist.com
Info: In order for Snare Central to download the latest GeoIP2 database from MaxMind, you must first configure a MaxMind license key. Click "Configure" in the "Manage Nightly Updates" page, enter your MaxMind license key in the dialog box, then click Set.
The update tasks are disabled by default and scheduling for each task is fully configurable.
Manage Objective Schedules
This objective provides summary information on current objective scheduling, target email addresses, and access controls. A link to each objective also enables you to modify the associated configuration settings.
Manage Plugins
The team at InterSect Alliance provide development services for customers, such as creating Snare Central objectives that meet specific organisational requirements. We release these customisations as 'Snare Central Plugins', which can be installed using the normal 'Snare Central Update' capability, and can be turned on/off using the 'Manage Plugins' objective.
My Account
Your Snare Central password can be changed in this objective. Last login date/time information is also available.
Note that Snare Central implements several password security policies, including:
- 90 Day Rotation
- Password reuse protection
- Last password similarity checks
- Password complexity requirements
- Dictionary word exceptions
Shutdown / Reboot Snare Central
Users with administrative-level access to Snare Central will have the capability to execute various Snare Central system commands for managing and maintaining the Snare Central server and services.
- Server Commands
- REBOOT SERVER : Administrators can use this to restart the Snare Central server. This process may take several minutes, during which time the Snare web interface will be unavailable.
- SHUTDOWN SERVER : Administrators can use this to safely shut down the Snare Central server. This process may take several minutes after which the Snare Central will turn itself off.
- Service Commands
- RESTART SNARE SERVICES : Administrators can use this to restart the Snare services to refresh their operation or apply configuration changes.
- STOP SNARE SERVICES : Administrators can use this to stop the Snare services for troubleshooting or maintenance.
- START SNARE SERVICES : Administrators can use this to start the stopped Snare services and resume their operation.
Snare Central Update
Updates will be released to:
...
Threat Intelligence Configuration
Snare Server 8.0+ includes an updated collection infrastructure, which is capable of interfacing with the new Snare Advanced Threat Intelligence (SATI) module. Enabling the threat intelligence capability on the Snare Central Server will facilitate delivery of selected important events, up to an infrastructure which is capable of providing enhanced dashboards and log intelligence.
Delivery of data to a non-local elasticsearch instance is also supported. Currently all log types that Snare Central receives will be forwarded to the destination server. The list of log types is as follows:
...
Enabling SATI delivery will display an overview of the currently enabled forwarding filters.
...
...
Delivery of data to a non-local elasticsearch instance is also supported. The Snare Server can be configured to log to a local elastic instance (which is installed and available as part of version 8.0 of the Snare Central server), or can be configured to log to a remote elastic instance. If the remote elastic instance is protected by either X-Pack or ElasticShield from InterSect Alliance, HTTPS/TLS and authentication can be activated.
...