V5.2.1
Bug Fixes
- Increased the maximum message size for the NCR ATM logs to 1MB to cater for large journal records.
- Fixed an issue where the Syslog Priority field in the Destination Configuration was not taking effect when set to Dynamic.
- Fixed a race condition that could occur when handling a USB device event received from the system.
V5.2.0
New Features
- Introducing the Registry Integrity Monitoring (RIM) module, which periodically scans the Windows registry and compares it against a known baseline of registry hash (SHA-512) details. Events are generated when registry keys, values or attributes change. The new screen in the agent allows the user to select a root key, a registry path and multiple sub-keys/values to include in or exclude from the scan as needed. This feature generates the Snare log type FIMLog. For reporting in Snare Central the system must be patched to 7.3.0 to understand this log type; earlier versions will show it as GenericLog. The Latest Events page in the agent has a new tab "Registry Integrity" to show the RIM events.
- The Windows Agent now includes the functionality of Snare's Epilog application, so two programs no longer need to be installed on the host operating system. The new Log Auditing module contains 100% of the functionality of the Epilog agent, and events keep the same format, maintaining backwards compatibility with Snare Central and third-party SIEM systems. New menu items in the Windows Agent allow configuration of log file auditing and, if required, the installation process automatically detects and imports any local configuration from an existing Epilog installation. Note: the installer does not uninstall the Epilog application; this must be done manually, and the agent displays a warning to the user until it has been done.
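The FIM module (5.1.0) and the RIM module above both work the same way: hash each monitored item with SHA-512 together with its attributes, store the result as a baseline, rescan later, and raise an event for every item that was added, removed, or changed in content or attributes. The following is an added example that models that approach for a file tree; it is not Snare code, and the record fields, the event layout, the glob-style include/exclude rules and the in-memory "database" are assumptions made for the example. The chunked commit in baseline() mirrors the batching described under Enhancements.

```python
"""Baseline-and-compare integrity check (added example, not Snare code)."""
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, Iterator, List, Tuple

Record = Dict[str, object]


def _sha512_file(path: str) -> str:
    """SHA-512 of a file's content, read in 64 KiB blocks."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def scan(root: str, include: List[str], exclude: List[str]) -> Iterator[Tuple[str, Record]]:
    """Yield (relative path, record) for each regular file under root whose
    path matches an include glob and no exclude glob. A record holds the
    content hash plus the attributes the comparison should consider."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(fnmatch.fnmatch(rel, g) for g in include):
                continue
            if any(fnmatch.fnmatch(rel, g) for g in exclude):
                continue
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not hashed here
            yield rel, {"sha512": _sha512_file(full),
                        "size": st.st_size,
                        "mode": stat.S_IMODE(st.st_mode)}


def baseline(root: str, include: List[str], exclude: List[str],
             chunk_size: int = 2) -> Dict[str, Record]:
    """Build the baseline, committing records in chunks so a large tree is
    never held in memory in full before anything is stored. The 'database'
    is a dict and chunk_size is tiny only to exercise the chunked path."""
    db: Dict[str, Record] = {}
    pending: Dict[str, Record] = {}
    for rel, rec in scan(root, include, exclude):
        pending[rel] = rec
        if len(pending) >= chunk_size:
            db.update(pending)
            pending.clear()
    db.update(pending)
    return db


def compare(base: Dict[str, Record], current: Dict[str, Record]) -> List[Dict[str, str]]:
    """One event per difference. 'content' means the hash changed;
    'attributes' means only size/mode changed (for example a chmod)."""
    events: List[Dict[str, str]] = []
    for rel in sorted(set(base) | set(current)):
        if rel not in base:
            events.append({"path": rel, "change": "added"})
        elif rel not in current:
            events.append({"path": rel, "change": "removed"})
        elif base[rel]["sha512"] != current[rel]["sha512"]:
            events.append({"path": rel, "change": "content"})
        elif base[rel] != current[rel]:
            events.append({"path": rel, "change": "attributes"})
    return events


def demo() -> List[Dict[str, str]]:
    """Constructed sample: baseline a temporary tree, tamper with it, rescan."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "conf"))
        os.makedirs(os.path.join(root, "logs"))
        for rel, data in [("conf/app.ini", b"debug=0\n"),
                          ("conf/keys.pem", b"-----BEGIN KEY-----\n"),
                          ("conf/old.cfg", b"legacy\n"),
                          ("logs/app.log", b"noise\n")]:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        include, exclude = ["conf/*"], ["*.log"]
        base = baseline(root, include, exclude)
        # Tamper: change content, change permissions only, remove, add.
        with open(os.path.join(root, "conf/app.ini"), "wb") as f:
            f.write(b"debug=1\n")
        os.chmod(os.path.join(root, "conf/keys.pem"), 0o400)
        os.remove(os.path.join(root, "conf/old.cfg"))
        with open(os.path.join(root, "conf/extra.cfg"), "wb") as f:
            f.write(b"injected\n")
        return compare(base, baseline(root, include, exclude))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for e in demo():
        print(e["change"], e["path"])
```

The same-size edit to app.ini (debug=0 to debug=1) is why the comparison keys on the hash rather than on size or timestamp: an attacker who preserves size and resets mtime still changes the digest. The permission-only change on keys.pem shows why attributes are stored alongside the hash, since a chmod leaves the content digest untouched.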
Security Updates
- Updated OpenSSL to 1.0.2p.
- Removed the use of insecure ciphers; the cipher list now follows the OWASP "Broad Compatibility" cipher string recommendation.
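A practitioner will want to confirm, rather than assume, that a cipher list contains none of the suites that were removed, and that the TLS floor is 1.2 (see the 5.1.1 negotiation fix). The following added example is not Snare code: it expands an OpenSSL cipher string with the local library, flags suites whose names carry a weak marker (NULL or anonymous key exchange, export grade, RC4, DES/3DES, RC2/IDEA/SEED, MD5), and includes a live probe that offers only a chosen cipher string to a host to check that the server refuses it. The HARDENED string is an assumption chosen for the example; it is neither the OWASP list nor the agent's actual configuration.

```python
"""Audit an OpenSSL cipher string for weak suites (added example, not Snare code)."""
import re
import socket
import ssl
from typing import Dict, List

# Name fragments that mark an OpenSSL suite as insecure: NULL encryption or
# anonymous key exchange (NULL, ADH, AECDH), export grade (EXP), RC4, single
# or triple DES (DES, DES-CBC3), RC2/IDEA/SEED, and MD5 MACs.
WEAK_MARKERS = re.compile(r"(^|-)(NULL|ADH|AECDH|EXP|RC4|DES|RC2|IDEA|SEED|MD5)(-|$)")

# Assumed hardened list for this example: ephemeral key exchange with AEAD
# ciphers only. It is NOT the OWASP list or the agent's real configuration.
HARDENED = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
])


def weak_suites(names: List[str]) -> List[str]:
    """Return the suite names that carry a weak marker."""
    return [n for n in names if WEAK_MARKERS.search(n)]


def resolve(cipher_string: str, min_version=ssl.TLSVersion.TLSv1_2) -> List[str]:
    """Expand an OpenSSL cipher string with the local library and return the
    suite names it would actually offer (TLS 1.3 suites are listed as well)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string: str) -> Dict[str, List[str]]:
    """Offered suites and the subset that should not be there."""
    names = resolve(cipher_string)
    return {"offered": names, "weak": weak_suites(names)}


def server_accepts(host: str, port: int, cipher_string: str, timeout: float = 5.0) -> bool:
    """Live check (not run offline): does the server at host:port complete a
    handshake when we offer only cipher_string? Offer a weak-only string such
    as "RC4" or "DES-CBC3-SHA" and expect False. Certificate verification is
    disabled because only cipher negotiation is being tested here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False  # the local OpenSSL cannot even offer these suites
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    report = audit(HARDENED)
    print("offered:", ", ".join(report["offered"]))
    print("weak:", report["weak"] or "none")
```

Note that a weak-only probe returning False can mean either that the server refused the suite or that the local OpenSSL build no longer ships it (OpenSSL 3 moves RC4 and friends into the legacy provider); server_accepts reports the second case as a refusal because in both cases the weak suite cannot be negotiated, but the distinction matters when interpreting results from a modern scanning host.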
Enhancements
- FIM/RIM now insert scanned data into the database in batches (chunks) to keep memory consumption to a minimum.
Bug Fixes
- Fixed an issue with event log sources whose names contain non-English characters. Because of this issue, Snare could omit the events of those sources. Snare now handles event log sources with non-English characters correctly.
- Changed the warning shown when a destination is configured with the TCP or TLS protocol pointing at the agent's own web UI port 6161. Such a destination can slow the agent's receipt of log messages, which the web interface ignores, and in high-volume environments the agent may appear to hang as a result. As this is not a recommended configuration, the agent now shows a warning when configured this way. Sending logs to localhost is generally only used for testing, and only with the UDP protocol, so that the logs are discarded. Any real destination should use a real hostname or IP address rather than localhost. This change does not affect any other functionality.
- During the agent uninstall process, the installer attempts to remove the FIM/RIM databases from the host filesystem. On Windows the installer may not have access to the Snare storage directory; in that case the data can be removed manually after uninstalling from the following location: C:\Windows\System32\config\systemprofile\AppData\Roaming\Snare
V5.1.3
Security Updates
- Updated OpenSSL to 1.0.2p.
Bug Fixes
- The Snare WEC agent was not starting because the service was not pointing to the right executable. This is fixed so that Snare WEC now points to the right executable.
V5.1.2
Bug Fixes
- Addressed performance issues, giving up to a 4x improvement in event log processing.
- Updated the Desktop version to allow the MSI builder to function properly.
V5.1.1
Security Updates
- Maintenance update of OpenSSL to 1.0.2o.
- Resolved issues where agents using TLS syslog did not negotiate correctly with servers using TLS 1.1 and 1.2. The agent now correctly negotiates up to TLS 1.2.
Bug Fixes
- Fixed an issue with the 'Use Host IP' installer option, which was ignored when selected during installation, so that all events were associated with the hostname instead of the host IP. The option now works correctly. Note that when it is selected during installation, the first available static IP address of the machine is used as the host IP; if there is no static IP, the first available IP address is used as the host IP for syslog messages.
- Fixed an issue where "UTC" was being appended to local times when displaying events on the Latest Events page.
- Updated the license support expiry warning that can appear in the top right corner of the agent web UI: the message "No further events will be logged to the specified destination." is no longer displayed when license support expires.
- The Latest Events web UI page now shows the time the event was generated. Previously it reported the sent date/time.
- The FIM configuration page has been changed so that when the user selects the Custom value from the Schedule drop-down list, the custom text field is empty instead of 'Midnight'.
- Modified the message from the FIM driver when network destinations are down. Previously the message stated that the FIM driver was not running; in fact the driver is running but not receiving any events because the destinations are down. The message now gives a more meaningful description.
- Modified the licensing status shown on the Agent page when multiple licenses are present and a license or its support has expired. The best license with active support is now selected for display in the agent web UI.
V5.1.0
New Features
- Introducing the File Integrity Monitoring (FIM) module, which provides file or directory hash details. The FIM module can scan files/directories and compare them against a known baseline of file details, including file attributes and hash (SHA-512) details. Events are generated upon changes to file contents or attributes. The new screen in the agent allows the user to select a file or directory, recursively scan multiple directories, and include or exclude files or directory locations as needed. This feature generates a new Snare log type called FIMLog. For reporting in Snare Central the system must be patched to 7.3.0 to understand the new log type; earlier versions will show it as GenericLog. The Latest Events page in the agent has a new tab "File Integrity" to show the FIM events. The FIM feature is designed to complement the other FIM/FAM file activity event log reporting the agent currently has.
- As of <INSERT DATE> the Snare Windows agent has achieved Veracode VerAfied security compliance at VL4 status. Version 5.1.0 of the Snare Windows agent meets the Veracode VL4 certification policy criteria: Veracode's independent static analysis of the source code found no very high, high, or medium severity vulnerabilities based on the OWASP Top 10 and SANS Top 25 coding vulnerabilities. See https://www.veracode.com/get-verafied-and-listed for more information.
Enhancements
- A new command line switch, /license, has been introduced for use with the agent setup configuration file (.INF). The switch points to the license file to be used during installation, and a license file given via /license takes priority over the license options selected through the installer UI. For example: /license="20180206-SnareAgent-Evaluation-AZP-CYT.sl"
- Previously, when the option 'Host IP As Source' was selected, the first IP address of the machine's network adapters was used as the source address for events reported to the syslog destination. Now the user is shown all the IP addresses of the machine in a drop-down list and can select the specific IP address to report as the source IP of the events. If the network adapter is not available, the override hostname defaults to the server name. Enabling Host IP As Source uses the first network adapter listed in the network configuration as the source of the IP address. The agent checks this setting periodically (approximately every ten minutes) and picks up any changes on the host, such as a manual IP change or DHCP reassignment. Once selected, the IP address is displayed in the 'Override detected DNS Name with' field. If the host does not have a valid IP address, e.g. DHCP has not responded, the syslog message defaults to the system's hostname, which is the default setting for the agent. If the host has no valid network IP address it cannot send events regardless of any network override setting; at least one network interface must be operational for the agent to send events.
- The Latest Events page has been changed to show the file actually opened on disk for a file destination. As a result, the file name set in the file destination configuration is not shown, since it is not the file opened on disk; instead the real file on disk is shown, with the date appended to the name. For example, C:\file_destination.txt is shown as C:\file_destination_YYYYMMDD.txt
- User Interface (UI) update affecting the 'IP Address allowed to remote control SNARE' field. This field is disabled if 'Restrict remote control of SNARE agent to certain hosts' is selected on the Access Configuration page.
- Updated usability on the Destination Configuration page, with a Hostname Options section.
- Trace level logging now displays the bytes and events per second (EPS) sent for each configured destination after 5 seconds. This aids in correlating and debugging EPS rates when sending logs.
- The event filtering subsystem now collects and audits File Event ID 4670 when 'General Configuration | Allow Snare to automatically set file audit configuration?' is selected and an objective is created.
Security Updates
- Maintenance update of OpenSSL to 1.0.2n.
Bug Fixes
- Fixed an issue with heartbeat license messages spamming the logs with a license heartbeat every 60 minutes (if heartbeats are disabled) or every heartbeat period. Also fixed an issue where SAM-issued licenses were immediately marked as expiring in 30 days, warning the customer that the license was about to expire.
- Heartbeat events have been added at the Information level to provide more information about the operation of the agent. These new heartbeats are sent when any setting is changed from the GUI and when the agent service status changes.
- The agent no longer logs a heartbeat if no SAM is configured. If a SAM is configured and the connection is lost, a heartbeat is logged every 2 hours.
- Objective matching in Snare now supports wildcards properly. In the previous release, wildcard matching could in some situations cause a stack overflow crash. This is fixed in this release, removing the possibility of a stack overflow during wildcard matching.
- The agent installer lists any license files it finds in the same directory as the agent executable. The installer now also includes a "None" option so that no license file is installed even if one is present.
- Fixed a bug where the Snare Agent would not import the SyslogPriority, SyslogFacility and CacheSizeSet values from an .INF (agent setup configuration file). Consequently CacheSizeEventLog was not used.
- An installation issue in the previous release could cause the installation to fail on some busy 32-bit machines. The installer now properly checks the status of service operations and retries when needed.
- Resolved an issue where an incorrectly defined destination in a Super Group Policy could prevent the agent from starting.
- Some agent settings are machine specific, i.e. Clientname, HostIP and HostGUID. The export settings command (-x) was exporting these machine-specific settings into the .inf file, from where they could subsequently be loaded with the /loadinf option during install. This is fixed: machine-specific values are no longer exported into the .inf file, and even if the .inf file is manually edited, these values are ignored by the /loadinf option.
- Fixed an issue whereby the Snare Server (via AMC) could not retrieve the master configuration from an agent using digest authentication.
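The wildcard fix above describes a classic failure mode: a matcher that recurses once for every character a '*' could absorb will, on a pattern such as "*a" against a long non-matching value, nest as deep as the input is long and in native code run off the end of the stack. The following added example is not Snare code; it shows the recursive shape that exhausts the stack next to an iterative two-pointer matcher that remembers only the most recent '*' and the text position it was tried at, so its stack depth is constant and its running time is bounded by len(pattern) * len(text). Case-insensitive matching is an assumption made here because Windows paths and account names are usually compared that way; pass case_sensitive=True to disable it.

```python
"""Stack-safe wildcard matching for '*' and '?' (added example, not Snare code)."""


def recursive_match(pattern: str, text: str) -> bool:
    """Textbook recursive matcher, shown only as the shape that can exhaust
    the stack: every '*' recurses once per remaining text character. In
    Python this surfaces as RecursionError; in native code it is a crash."""
    if not pattern:
        return not text
    if pattern[0] == "*":
        return (recursive_match(pattern[1:], text)
                or (bool(text) and recursive_match(pattern, text[1:])))
    return (bool(text)
            and (pattern[0] == "?" or pattern[0] == text[0])
            and recursive_match(pattern[1:], text[1:]))


def wildcard_match(pattern: str, text: str, case_sensitive: bool = False) -> bool:
    """Iterative matcher: '*' matches any run of characters (including none),
    '?' matches exactly one. Constant stack depth for any input."""
    if not case_sensitive:
        pattern, text = pattern.lower(), text.lower()
    p = t = 0        # current positions in pattern and text
    star = -1        # index of the most recent '*' in pattern, or -1
    backtrack = 0    # text position to resume from when that '*' must grow
    while t < len(text):
        if p < len(pattern) and (pattern[p] == "?" or pattern[p] == text[t]):
            p += 1
            t += 1
        elif p < len(pattern) and pattern[p] == "*":
            star = p
            backtrack = t
            p += 1
        elif star != -1:
            # Mismatch after a '*': let the star absorb one more character
            # and retry the remainder of the pattern from there.
            p = star + 1
            backtrack += 1
            t = backtrack
        else:
            return False
    # Text consumed; only trailing '*' may remain in the pattern.
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)


def demo_stack_exhaustion(n: int = 5000):
    """Run '*a' against n non-matching characters with both matchers and
    return (recursive_raised_RecursionError, iterative_result)."""
    pattern, text = "*a", "b" * n
    try:
        recursive_match(pattern, text)
        raised = False
    except RecursionError:
        raised = True
    return raised, wildcard_match(pattern, text)


if __name__ == "__main__":
    print(wildcard_match(r"C:\Windows\*\svchost.exe", r"c:\windows\system32\svchost.exe"))
    print(demo_stack_exhaustion())
```

The iterative form is also what protects against the related denial-of-service shape, a pattern with many stars (for example "*a*a*a*a*a*a") against a long string of near-misses, which makes the naive recursive matcher exponential in time even where it does not overflow.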
Other
- Version 5.1 is the final version to support Windows XP (32-bit and 64-bit).
V5.0.3
Security Updates
- Maintenance update of OpenSSL to 1.0.2m.
Bug Fixes
- Fix to send the fully qualified machine name in log messages and when generating SSL certificates.
- Updated the agent to correctly display the hostname when running on Windows 8.1, Windows 10 and Windows Server 2016.
V5.0.2
Enhancements
- Changed the validation of the SAM IP field in 'Access Configuration'. Previously hostname validation only accepted numeric values; it now accepts fully qualified domain names. As a result, fields depending on IP/hostname validation accept a wider range of inputs, including FQDNs in addition to IPs.
- References to Evaluation Licenses are now Temporary Licenses.
- Added text on the License page in the UI to aid users using SAM or standalone licensing.
Security Updates
- Modified the SHA version used for certificates in the Windows and Unix agents, enabling a higher level of security by using SHA-2 in newer versions of the Windows and Linux agents.
- The Snare Agent web UI has been modified to avoid a potential cross-site scripting attack.
Bug Fixes
- Notifications and warnings on Snare agents have been changed to allow the syslog_5424 format on port 514. As a result, notifications and warnings no longer appear for valid syslog formats when using port 514.
- Fix for Snare-generated events where the host name or IP address was set to "unknown" in the message body.
- Fixed a potential memory corruption of event data being sent via TCP, TLS or UDP under very heavy load.
- Updated the agent to output events in UTF-8. Some languages, such as French, have additional characters in their locale that were not correctly encoded as UTF-8 in the syslog message sent to third-party SIEM servers. This update correctly converts those characters to UTF-8 in the syslog message. The browser interface to the agent converts characters based on the regional settings of the client system and is unaffected by this update.
- Fixed an issue in the previous release where objectives were not handled properly during upgrade to the latest release, so objectives could be missing after the upgrade. Snare now handles objectives properly during upgrade and all objectives are available afterwards.
- Fixed a bug where, if the checksum for events was enabled, the checksum was not applied correctly. Checksums can only be enabled in the registry and append a checksum to the event. Note that checksums are applied to the Snare and Syslog formats only, if configured.
- Snare agent warnings and notifications now issue a warning when a non-TAB delimiter is selected for the SNARE format (Snare Server destination).
- Resolves a bug which resulted in Windows Agent Objectives not being saved with the “Identify the event logs” as requested by the user.
V5.0.1
Enhancements
- Updated the CEF format so that ArcSight and other platforms using CEF can parse messages. Only basic message fields are used at this time, but this allows for message truncation and sorting by message class, source and destination.
- Key IDs on the agent /license pages are now styled to show alphabetic characters in black and numeric characters in a red tone, to help those who have difficulty distinguishing shades of grey.
- Licenses may now list a KeyID of 0 (zero).
Security Updates
- Maintenance update of OpenSSL to 1.0.2j.
Bug Fixes
- Fix an issue where USB Device arrival and removal events were not correctly being picked up and sent.
- The Statistics page will no longer reset when the agent syncs with the SAM without any settings change. It will correctly display 24 hours worth of data in the graph.
- The AccessKeySet registry setting will no longer contain a valid hash if not set during the install.
- Fixed the handling of the conversion of logging levels in Group Policy when upgrading from v4 to v5.
- Fixed an issue where, if a Snare agent and a SAM were running on the same machine, the agent could be licensed without the SAM details being configured in it. The SAM details must now be configured in the Snare agent for it to be licensed from the SAM.
- Host validation updated for Restrict IP when a comma-separated list of hosts is used.
- Fixed a bug where the SAM and Certificate sections of an .inf file were not imported correctly by the installer.
- Corrected errors related to uninstalling the agent, where in some cases a service could be left running.
- Fixed an issue that caused some settings to be incorrectly marked as GPO-sourced, so that the local registry values were ignored. The issue specifically affected settings carried over when upgrading from v4 to v5. Snare now correctly handles the GPO source and the upgrade of settings from v4 to v5.
- Fixed the way the agent handles registry keys that are missing because of a corrupt configuration or a user manually removing them. Previously, if the agent could not open a registry key it simply ignored it, which caused an error. Now, if Snare cannot open a registry key it creates the key with default values so that registry values can be written to it. Snare logs an error if it cannot create the key because of a permission problem.
...