...
Warning: This page is not released to the customer. The individual version releases are added here so that it is easier to see all release notes for a version, and easier to create the SLDM release notes by going to the Source for this page and copying the required HTML content.
V5.2.0
New Features
- Introducing the Registry Integrity Monitoring (RIM) module, which periodically scans the registry for changes. The RIM module scans the Windows registry and compares it against a known baseline of registry value details, including attributes and hash (sha512) details. Events are generated upon changes to registry keys, values or attributes. The new screen in the agent allows the user to select a root key and registry path and recursively scan multiple sub-keys, including or excluding values as needed. This feature generates a new Snare log type called FIMLog. For reporting in Snare Central, the system must be patched to 7.3.0 to understand the new log type; prior to this version it will show up as GenericLog. As part of this feature, the Latest Events page in the agent has a new tab, "Registry Integrity", to show the RIM events.
- The Windows Agent now has the functionality of Snare's Epilog application built into it, removing the need to install two programs on your host operating system. The new Log Auditing module contains 100% of the functionality found in the Epilog agent, with events remaining in the same format, thus maintaining backwards compatibility with the Snare Server and other third-party SIEM systems. Not only have new menu items been supplied in the Windows Agent to allow the configuration of your log file auditing, the installation process will also automatically detect and import any local configuration that may already exist from a current Epilog installation. Note: installation will not uninstall the Epilog application, so this must be done manually.
Security Updates
- Updated OpenSSL to OpenSSL-1.0.2p.
V5.1.3
Security Updates
- Updated OpenSSL to OpenSSL-1.0.2p.
...
- Addressed performance issues, giving up to a 4x improvement in event log processing.
- Updated the Desktop version to allow the MSI builder to function properly.
V5.1.1
Security Updates
- Maintenance update: OpenSSL patched to OpenSSL-1.0.2o.
- Resolved an issue where agents using TLS syslog did not negotiate correctly with servers using TLS 1.1 and 1.2. The agent will now correctly negotiate up to TLS 1.2.
...
- Fixed the 'Use Host IP' installer option. Previously, this option was ignored when selected during installation, so all events were associated with the hostname instead of the host IP. The option now works correctly. Please note that if this option is selected during installation, the first available static IP of the machine is used as the host IP; if there is no static IP, the first available IP is used as the host IP for syslog messages.
- Fixed an issue where UTC was being appended to local time when displaying events in the latest events page.
- Updated the license support expiry warning that can appear in the top right corner of the agent web UI: the message "No further events will be logged to the specified destination." is no longer displayed when license support expires.
- The Latest Events Web UI page now shows the time the event was generated. Previously it reported the sent date/time.
- The FIM configuration page now leaves the custom text field empty (instead of 'Midnight') when the user selects the Custom value from the Schedule drop-down list.
- Modified the message from the FIM driver when network destinations are down. Previously the message stated that the FIM driver was not running, when in fact the driver is running but is not receiving any events because the destinations are down. The message is now a more meaningful description.
- Modified the licensing status shown on the Agent page when there are multiple licenses and a license or its support has expired. The best license with active support is now selected for display in the agent Web UI.
V5.1.0
New Features
- Introducing the File Integrity Monitoring (FIM) module to provide file or directory hash details. The FIM module scans files and directories and compares them against a known baseline of file details, including file attributes and hash (sha512) details. Events are generated upon changes to file contents or attributes. The new screen in the agent allows the user to select a file or directory and recursively scan multiple directories, including or excluding files or directory locations as needed. This feature generates a new Snare log type called FIMLog. For reporting in Snare Central, the system must be patched to 7.3.0 to understand the new log type; prior to this version it will show up as GenericLog. As part of this feature, the Latest Events page in the agent has a new tab, "File Integrity", to show the FIM events. This FIM feature is designed to complement the other FIM/FAM file activity event log reporting the agent currently has.
- As of <INSERT DATE> the Snare Windows agent has achieved Veracode VerAfied security compliance to VL4 status. The 5.1.0 version of the Snare Windows agent now meets the Veracode VL4 certification policy criteria. Veracode's independent static analysis of the source code found no very high, high, or medium rated security vulnerabilities based on the OWASP Top 10 and SANS Top 25 coding vulnerabilities. See the following for more information: https://www.veracode.com/get-verafied-and-listed
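The RIM (V5.2.0) and FIM (V5.1.0) entries above both describe the same mechanism: record a baseline of attributes plus a sha512 hash for each monitored object, rescan later, and raise an event for anything created, deleted, or changed, honouring include/exclude rules. The following is an added illustration of that baseline-and-compare logic for a file tree; it is not Snare's own code, and the glob-based include/exclude rules, the tracked attributes, and the constructed sample tree are all assumptions. The same compare step applies to registry values if the scan function is swapped for one that walks registry keys.

```python
"""Added example (not Snare's code): baseline a directory tree with sha512 hashes
and attributes, rescan, and emit change events the way a FIM module would."""
import fnmatch
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha512_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-512 so large files need not fit in memory."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_record(path: Path) -> dict:
    """Attributes tracked alongside the content hash (assumed set, not Snare's)."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": int(st.st_mtime),
        "sha512": sha512_file(path),
    }


def scan(root: Path, include=("*",), exclude=()) -> dict:
    """Recursively scan root; keep files matching an include glob and no exclude glob."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if not any(fnmatch.fnmatch(rel, g) for g in include):
                continue
            if any(fnmatch.fnmatch(rel, g) for g in exclude):
                continue
            baseline[rel] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return change events as (event, relative_path, detail) tuples."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append(("created", rel, new["sha512"]))
        elif new is None:
            events.append(("deleted", rel, old["sha512"]))
        elif old["sha512"] != new["sha512"]:
            events.append(("content_changed", rel, new["sha512"]))
        else:
            changed = [k for k in ("size", "mode", "mtime") if old[k] != new[k]]
            if changed:
                events.append(("attributes_changed", rel, ",".join(changed)))
    return events


def demo() -> list:
    """Constructed scenario: baseline a temp tree, mutate it, report the events."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=6161\n")
        (root / "etc" / "hosts.txt").write_text("127.0.0.1 localhost\n")
        (root / "cache.tmp").write_text("scratch\n")
        base = scan(root, exclude=("*.tmp",))

        (root / "etc" / "app.conf").write_text("listen=6161\nlog=all\n")  # content change
        (root / "etc" / "hosts.txt").unlink()                           # deletion
        (root / "etc" / "new.dll").write_bytes(b"\x4d\x5a")             # creation
        (root / "cache.tmp").write_text("ignored change\n")             # excluded path
        return compare(base, scan(root, exclude=("*.tmp",)))


if __name__ == "__main__":
    for event, rel, detail in demo():
        print(f"{event:<18} {rel}  {detail[:16]}")
```

Hash comparison is checked before attribute comparison so a content change is reported once rather than as both a hash and an mtime event; a baseline stored on the monitored host itself should be protected (or signed), since an attacker who can rewrite both the file and its baseline entry defeats the check.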
...
- A new command line switch, /license, is introduced for the agent setup configuration file (.INF). This switch points to the license file to be used during installation. A license file selected through the /license switch has higher priority than the license options selected through the installer UI. For example: /license="20180206-SnareAgent-Evaluation-AZP-CYT.sl"
- Previously, when the 'Host IP As Source' option was selected, the first IP address of the machine's network adapters was used as the source address for events reported to the syslog destination. The user is now shown all the IP addresses of the machine in a drop-down list and can select the specific IP address to be used as the source IP of reported events. If the network adapter is not available, the override hostname defaults to the server name. Enabling Host IP As Source will use the first network adapter listed in the network configuration as the source of the IP address. The agent periodically (approximately every ten minutes) checks this setting and picks up any changes that occur on the host via a manual change of IP or DHCP reassignment. Once selected, the value of the IP address is displayed in the Override detected DNS Name field. If the host does not have a valid IP address, i.e. DHCP has not responded, the syslog message defaults to the system's hostname, which is the default setting for the agent. If the host does not have a valid network IP address it cannot send events regardless of any network override setting; at least one network interface must be operational for the agent to send events.
- The Latest Events page now shows the file actually opened on disk for a file destination. As a result, the file name set in the file destination configuration is no longer shown, as it is not the file opened on disk; instead the real file on disk is shown, with the date appended to the name. For example, C:\file_destination.txt will be shown as C:\file_destination_YYYYMMDD.txt
- User Interface (UI) update affecting the "IP Address allowed to remote control SNARE" field. This field is disabled if "Restrict remote control of SNARE agent to certain hosts" is selected on the Access Configuration page.
- Updated usability on the Destination Configuration page, with a Hostname Options section.
- Trace level logging now displays the bytes and events sent per second (EPS) for each configured destination after 5 seconds. This aids in correlating and debugging the EPS rates when sending logs.
- The event filtering subsystem now collects and audits File Event ID 4670 when the General Configuration option "Allow Snare to automatically set file audit configuration?" is selected and an objective is created.
Security Updates
- Maintenance update: OpenSSL patched to OpenSSL-1.0.2n.
...
Security Updates
- Maintenance update: OpenSSL patched to OpenSSL-1.0.2m.
...
- Changed the validation of the SAM IP field in 'Access Configuration'. Previously, hostname validation only accepted numeric values; it now accepts fully qualified domain names. As a result, fields that depend on IP/hostname validation accept a wider range of inputs, including FQDNs in addition to IPs.
- References to Evaluation Licenses have been changed to Temporary Licenses.
- Added text on the License page in the UI to aid users using SAM or standalone licensing.
Security Updates
- Updated the hash algorithm used for the certificate in the Windows and Unix agents. Newer versions of the Windows and Linux agents now use SHA-2, providing a higher level of security.
- The Snare Agent web UI functionality has been modified to avoid a potential cross-site scripting attack.
...
- Updated the CEF format so that messages can be parsed by ArcSight and other platforms using CEF. Only basic message fields are used at this time, but they allow for message truncation and for sorting by message class, source and destination.
- Key IDs on the Agent /license pages are now styled to show alpha characters in black and numeric characters in a red tone, to make them easier to read for those who have trouble distinguishing shades of grey.
- Licenses may now list a KeyID of 0 (zero).
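The CEF entry above concerns the format that ArcSight and similar SIEMs consume: a pipe-delimited header (`CEF:Version|Vendor|Product|Version|EventClassID|Name|Severity|`) followed by space-separated `key=value` extensions, where `|` and `\` must be escaped in the header and `=` and `\` in the extension. The following added example, which is not Snare's or ArcSight's code, encodes a constructed Windows logon event as a CEF line and parses CEF lines back into fields while honouring those escapes; the vendor/product strings and the sample event values are assumptions.

```python
"""Added example (not Snare's code): encode events as CEF and parse CEF back."""
import re

CEF_VERSION = "0"
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # extension key at start or after whitespace


def _escape_header(value) -> str:
    # In the pipe-delimited header, backslash and pipe are the reserved characters.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(value) -> str:
    # In the extension, backslash and '=' are reserved; line breaks are written as \r / \n.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, event_id, name, severity, extension: dict) -> str:
    """Build one CEF line; extension keys are emitted in the order given."""
    header = "|".join(_escape_header(v) for v in (vendor, product, version, event_id, name, severity))
    ext = " ".join(f"{k}={_escape_ext(v)}" for k, v in extension.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def _split_header(line: str):
    """Split the first seven fields on unescaped pipes; return them plus the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped char: keep it literally
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":                           # unescaped pipe ends a header field
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must contain seven pipe-delimited fields")
    return fields, line[i:]


def _unescape(value: str) -> str:
    # \n and \r become line breaks; any other escaped character stands for itself.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_ext(ext: str) -> dict:
    """Values run from after 'key=' up to the next unescaped 'key=' token."""
    out = {}
    matches = list(_KEY.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> dict:
    fields, raw_ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    keys = ("cef_version", "vendor", "product", "version", "event_id", "name", "severity")
    rec = dict(zip(keys, [fields[0][4:], *fields[1:]]))
    rec["extension"] = _parse_ext(raw_ext)
    return rec


# Constructed sample: a logon event whose fields deliberately contain '|', '\' and '='.
SAMPLE_EXT = {"src": "10.0.0.5", "dst": "10.0.0.9",
              "suser": "DOMAIN\\alice", "msg": "Logon type=2; status OK"}


def demo():
    """Round-trip the sample event and return (cef_line, parsed_record)."""
    line = to_cef("Snare", "Windows Agent", "5.1.0", "4624", "Logon | success", 3, SAMPLE_EXT)
    return line, parse_cef(line)


if __name__ == "__main__":
    line, rec = demo()
    print(line)
    print(rec)
```

The parser keeps the extension raw until after the header split, because unescaping `\=` before the key/value scan would let a value containing `=` masquerade as a new key; that is exactly the kind of field confusion a forwarder must avoid when an attacker controls message text.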
Security Updates
- Maintenance update: OpenSSL patched to OpenSSL-1.0.2j.
...