V5.1.0

Enhancements

  • New command line switch /license is introduced for the agent setup configuration file (.INF). This switch can point to the license file to be used during installation. The license file selected through the /license switch has higher priority than the license options selected through the installer UI. For example /license="20180206-SnareAgent-Evaluation-AZP-CYT.sl"
  • Previously, when the 'Host IP As Source' option was selected, the first IP address of the machine was used as the source address for reported events. Now the user is shown all the IP addresses of the machine in a drop-down list and can select the specific IP address to be used as the source IP of the events. @maria - document that if the network adapter is not available, then it will default to the override hostname, and if that doesn't exist it will default to the system's hostname. User guide words need updating - please review: Host IP As Source. Enabling this setting will use the first network adaptor as listed in the network configuration as the source of the IP address. The agent will periodically (about ten minutes) check this setting and pick up any changes that occur via a manual change of IP or DHCP reassignment. The value of the IP address will be displayed in 'Override detected DNS Name with' once selected. If the host does not have a valid IP address, i.e. DHCP has not been responded to, then the syslog message will default to the system's hostname, which is the default setting for the agent.
  • Any file destination now shows the real file name along with any date appended to file name for rotation, for example C:\file_events_YYYYMMDD.txt.
  • User Interface (UI) update that affects the 'IP Address allowed to remote control SNARE' field on the Access Configuration page. This data entry field is disabled if the 'Restrict remote control of SNARE agent to certain hosts' check box is not selected. Host IP address or hostname details can only be entered if the check box has been selected.
  • Updated usability on the Destination Configuration page, with a Hostname Options section.
  • Trace level logging now displays the bytes and events sent per second (EPS) for each configured destination after 5 secs.  This will aid in correlating and debugging the EPS rates when sending logs.

...

  • In previous releases of SnareMSSQL, when the 'Use HostIP' option was selected, SnareMSSQL used to select the IP address of the physical machine on which it was running. This was the same in cluster mode, although in cluster mode it should select the IP address of the virtual server on which SQL Server is installed. This issue is fixed in this release: when the 'Use HostIP' option is selected, SnareMSSQL now selects the IP address of the virtual server on which the cluster instance of SQL Server is installed.
  • There was a bug that could cause the installation of SnareMSSQL in a clustered environment to fail when the SQL Server instance name is the default, i.e. MSSQLSERVER, on a cluster machine. This issue is fixed in this release and the SnareMSSQL installer now properly handles the default SQL Server instance name.
  • There was an issue with the agent running on a SQL Server cluster machine when the 'Use Host IP' option is selected. Due to this issue, SnareMSSQL failed to determine the correct IP address of the SQL cluster in some cases. This issue is fixed and SnareMSSQL now properly computes the IP address of SQL Server cluster systems.
  • There was an issue in the previous release of SnareMSSQL where installation for some local instances of SQL Server could be omitted in a hybrid installation environment, i.e. where cluster instances and standalone instances of SQL Server are installed on the same machine. This issue is fixed and the SnareMSSQL installer now properly handles the installation of local and cluster instances of SQL Server on the same machine.
  • There was an issue in the previous release in the way SnareMSSQL determined the hostname of the generated SQL event. Due to this issue, the hostname of the SQL event may be determined as the hostname of the machine on which the SnareMSSQL agent is running. This issue is fixed and SnareMSSQL now properly determines the machine hostname as per user preferences.
  • Fix for failed installations that occurred on busy machines. The installer now properly checks the status of service operations and retries appropriately when needed.
  • There was a minor issue in the existing release of the SQL agent when installed on SQL Server cluster installations. Due to this issue, the web GUI ports were not sequentially allocated to the different instances of the Snare SQL agent on the same cluster node. In this release the agent correctly allocates the web ports sequentially. To use this sequential installation, the existing installation of the agent should be removed (uninstalled) or the agent installer should be rerun with the reinstall option.
  • There was an issue in the previous release of SnareMSSQL where the installer did not work correctly if local SQL Server instances were in a failed state in a cluster environment. This problem was specifically prevalent in mixed installation scenarios where local and cluster instances of SQL Server are installed on the same cluster node.
  • There was an issue in the way SnareMSSQL was handling the username for the Latest Events page. Due to this issue, username was shown on Latest Events page for some events. This issue is fixed in this release and SnareMSSQL now properly handles the username for the Latest Events page. Note that if the username is not reported by the underlying SQL Server trace, it will still not be shown and the username column will show '-'.
  • There was an issue in the previous release where the agent could not detect 32-bit instances of SQL Server installed on a 64-bit machine. Due to this issue, SnareMSSQL was unable to create objectives for such 32-bit SQL Server instances on a 64-bit machine. This is fixed and SnareMSSQL is now able to detect 32-bit instances on 64-bit machines and to generate trace logs from such instances.
  • Fixed an issue with the CEF message format having missing/incorrect information, as well as possible special characters causing the message to not display correctly in ArcSight.
  • The agent installer is capable of listing any license files it finds in the same directory as the agent executable.  This change updates the agent installer to include a "None" option, to not install any license file if present.
  • Fixed a bug where the Snare Agent would not import the SyslogPriority, SyslogFacility, CacheSizeSet values from an .INF (agent setup configuration file). Consequently CacheSizeEventLog was not used due to this bug.
  • Objective matching in Snare supports wildcards. In the existing release of Snare, this wildcard matching can cause a stack overflow crash in some situations. This issue is fixed in this release and the possibility of a stack overflow during wildcard matching is removed.
  • In the previous release there was a bug in user matching with wildcards. Due to this issue, expected user names can be filtered in or out. This is fixed and the wildcard filter for user matching now works correctly. A wildcard pattern for user matching should now be enclosed in (), i.e. (*sa*), and a filter on a specific user should be given by its name, i.e. sa. For example, the include user pattern {sysadmin:^sa},(!dummy*),*tom*,micky means: include all SQL Server sysadmin users, do not include users starting with dummy, include user names having tom in them, and include user micky.

  • Some agent settings are machine specific, i.e. Clientname, HostIP and HostGUID. There was an issue in the export settings command -x that caused these machine-specific settings to be exported into the .inf file, from which they could subsequently be loaded with the /loadinf option during install. This issue is fixed in this release: machine-specific values are no longer exported into the .inf file, and even if the .inf file is manually edited, these values are ignored by the /loadinf option.

  • Fixed an issue with heartbeat license messages spamming the logs with a license heartbeat every 60 minutes (if heartbeats are disabled) or every heartbeat period. Also fixed an issue with SAM-issued licenses being immediately marked as expiring in 30 days and thus warning the customer that the license was about to expire.
  • Heartbeat events are added for the Information level to provide more information regarding the working of the agent. These new heartbeats are sent when any setting is changed from the GUI and when the agent service status is changed.
  • This change modifies agent behavior to not log any heartbeat if there is no SAM configured to connect to. If a SAM is configured, the agent logs a heartbeat every 2 hours if the connection is lost.
  • There was an issue with the internal restart of the agent. Due to this issue, the agent might keep holding a token handle during an internal restart. This issue is fixed in this release and the agent now properly releases all token handles.

...

  • Notifications and warnings on Snare agents have been changed to allow syslog_5424 format on port 514. As a result of this change, notifications and warnings will no longer appear for valid syslog formats when using port 514.
  • Fixed a potential for memory corruption of event data being sent via TCP, TLS or UDP when under very heavy loads.
  • There was an issue in the previous release of the Snare agent where it was not properly handling the objectives during upgrade to the latest release. Due to this issue, objectives may not be available after upgrade. This issue is fixed in this release: Snare now properly handles the objectives during upgrade and all objectives are available after upgrade.
  • Snare agent warning and notification messages have been changed to issue a warning when a non-TAB delimiter is selected for SNARE format (Snare Server destination). As a result of this change, new warnings will be issued when a non-TAB delimiter is selected for SNARE format (for Snare Server destination).
  • There was a debug logging issue in the previous release of the SnareMSSQL agent. Due to this issue, SnareMSSQL was not able to properly show the log messages on the console if run from the console. The fix ensures SnareMSSQL logs all the messages to the console window as per the input parameter -d when run from the console (e.g. snaremssql -c -d SAM:trace > mysnare.log 2>&1).
  • There was an issue with the uninstaller of the SnareMSSQL agent. Due to this issue, the uninstaller was not properly cleaning the registry of the SnareMSSQL agent. This issue is fixed in this release and the uninstaller now properly cleans the registry during uninstall.
  • There was an issue in the way SnareMSSQL was saving/updating the objective. Due to this issue, an objective would not save correctly when the 'Including SELECT' check box was checked on the objective page. This issue is fixed in this release and SnareMSSQL now properly saves the value of the 'Including SELECT' check box.
  • There was an installation issue in the previous release of SnareMSSQL where installation was made using an .inf file on machines that are part of a Windows Cluster or machines running Windows Server 2016. Due to these installation issues, SnareMSSQL installation might fail or objectives might fail to load from the .inf file. These issues are fixed in this release. SnareMSSQL now handles cluster installation and properly supports Windows Server 2016.
  • There was an issue in the previous release of SnareMSSQL where the setting 'Use plain text objective data' under General Configuration was not working. Due to this issue, objectives were not stored in plain text even when this option was checked. This issue is fixed in this release and SnareMSSQL now properly honors the setting 'Use plain text objective data'.
  • Updated the validation of event types in objectives. An objective cannot be saved if at least one event type is not selected. This is to ensure that only a valid objective is saved.

...