Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

This objective provides summary information on current objective scheduling, target email addresses, and access controls. A link to each objective also enables you to modify the associated configuration settings.

Manage Plugins

The team at InterSect Alliance provide development services for customers, such as creating Snare Central objectives that meet specific organisational requirements.  We release these customisations as 'Snare Central Plugins', which can be installed using the normal 'Snare Central Update' capability, and can be turned on/off using the 'Manage Plugins' objective."

My Account

Your Snare Central password can be changed in this objective. Last login date/time information is also available.

...

Threat Intelligence Configuration

Snare Server 8.0+ includes an updated collection infrastructure, which is capable of interfacing with the new Snare Advanced Threat Intelligence (SATI) module. Enabling the threat intelligence capability on the Snare Central Server will facilitate delivery of selected important events, up to an infrastructure which is capable of providing enhanced dashboards and log intelligence.

Delivery of data to a non-local elasticsearch instance is also supported. Currently all log types that Snare Central receives will be forwarded to the destination server.the list of log types are as follows:


...


Enabling SATI delivery will display an overview of the currently enabled forwarding filters.

...


...

Delivery of data to a non-local elasticsearch instance is also supported. The Snare Server can be configured to log to a local elastic instance (which is installed and available as part of version 8.0 of the Snare Central server), or can be configured to log to a remote elastic instance. If the remote elastic instance is protected by either X-Pack or ElasticShield from InterSect Alliance, HTTPS/TLS and authentication can be activated.

Info

Image RemovedImage RemovedImage AddedImage Added

For a fresh install of elastic the index name will be called active-snare-snare. Where the index is used in SAA/SATI then the index name is called snare-snare-000001. The application will manage the index and rotate it around and increment the index name with -000002 etc based on the system index rotate settings. For external indexes the index will have to be managed by the admins managing the external elasticsearch index as it will keep growing until its rotated out. Below is an example of a managed index environment.

...

Note
titleMore Details

The events that are forwarded to the Threat Intelligence instance, or a remote elastic server, are governed by the configuration file /data/Snare/ConfigSettings/RealTime.config on the Snare server. This file is not intended to be user-editable at this stage, since it ties directly in with the available dashboard capabilities of the Threat Intelligence server.

Event collection rates may be significantly impacted, when this feature is active. ElasticSearch ingest rates are significantly lower than those supported by the Snare Central Server, on similar hardware. When this feature is activated, the potential Snare Server collection rates, will be governed by the elasticsearch bulk upload capabilities. In general terms, there may be one or two orders of magnitude difference between Snare Central Server collection rates, and elasticsearch ingest capabilities.

If the destination elastic instance version is v5.x you need to enable/checked the "Enable Elastic v5 Compatibility Mode" otherwise leave it unchecked.

Warning: Activating the Threat Intelligence configuration, without installing the corresponding Threat Intelligence module to manage the generated data, will mean that your Snare Central Server will store significantly more data per received event, without being able to remove the associated data from the file-system via the Snare Central Server user interface.

...