Snare Central v8.4.0 was released on 26th August 2021.
...
...
| Tip |
|---|
Snare Central v8.4.0 was released on 25th August 2021. Snare Central incorporates the Agent Management Console (AMC), Reflector v3.0.0, Snare Agent Manager (SAM) v1.5.0, and Snare Enterprise Agent for Linux v5.5.0. If the threat intelligence component is active, version 6.8.7 of ElasticSearch is activated. |
...
| Tip |
|---|
Customers that use Snare Central for licensing Snare Agents v5.5.0 or above need to upgrade to Snare Central v8.4.0 |
Overview
Snare Central version 8.4.0 introduces several new capabilities including Snare Central configuration backup and restore, consuming events in Snare v2 format, forwarding events in JSON and Syslog RFC5424 JSON formats, ingesting FortiGate and Cisco FTD logs, linking multiple Snare Central servers in a high availability cluster, over 200 additional reports and a number of other enhancements and bug fixes.
Features and Enhancements
- Ability to configure Snare Central servers to run in a high availability cluster to achieve collection and reflection redundancy.
For details please refer to the User Guide > Appendix B - Configuring High Availability in Snare Central. - The backup and restore has a new revamped UI for more granular backup and restore control. Ability to perform full or partial backup and restore of the Snare Central configuration and archive with easier selection box for components and process flow.
The supported media includes network storage (NAS), ISO images and USB devices.
For details please refer to the User Guide > Data Backup and Restore.
This functionality replaces the previous Data Backup and Snare Data Import pages with all components now under Data Management Tools. - Updated SAM 1.5.0. This version contains SAM 1.5.0 to allow the usage of Snare Agents 5.5.0+ where Snare Central is used for Agent licensing and binary updates.
- Ingest events sent by Snare Agents for Windows, MS SQL, Linux and macOS in the new Snare v2 format from 5.5.0+ agents. Snare v2 format allows sending more detailed events from Snare Enterprise Agents to Snare Central. The events will include time zone context, event time to the millisecond, and a number of additional fields for more granular audit event details.
- Integrated next generation Snare Collector/Reflector v3.0.0 offering better flexibility and scalability of the Snare Central events collection and processing.
The updated collector/reflector includes the following capabilities:Integrated full Snare Reflector User Interface (UI)
in Snare Central, allowing more granular control over the Reflector configuration.
Navigating to System > Administrative Tools > Configure Collector/Reflector in the menu, will result in Reflector UI opening in a new browser tab. This replaces old Reflector configuration page.in Snare Central, allowing more granular control over the Reflector configuration.
Navigating to System > Administrative Tools > Configure Collector/Reflector in the menu, will result in Reflector UI opening in a new browser tab. This replaces old Reflector configuration page.
For details, please refer to the User Guide > /wiki/spaces/SCV8/pages/1596719105Note Starting from Snare Central 8.4.0, Destination regular expressions are using RE2 syntax. Earlier versions used PCRE syntax.
Customers who use regular expressions for Destination filtering or search-and-replace functionality may need to update the regular expressions syntax to RE2.
Incompatible features include usage of back-references, look ahead and look behind statements.Ability to ingest events sent by Snare Agents for Windows, MS SQL, Linux and macOS in the new Snare v2 format.
Snare v2 format allows sending more detailed events from Snare Enterprise Agents to Snare Central.
The events will include time zone context, event time to the millisecond, and more granular audit event details.
- Ability to forward events in Generic JSON format.
Events that are received by Snare Central can be forwarded to an external destination in Generic JSON format(ie JSON raw format). For those formats that can be recognized by the ingest module, and broken up into key/value pairs, JSON key/values will be enhanced accordingly.
Example:Code Block title Generic JSON Format Example {"DATE":"2021-01-02","EVENT":"sudo: myuser1 : TTY=unknown ; PWD=/home/myuser1 ; USER=root ; COMMAND=/bin/ls","SYSLOGROUTING":"23","SYSTEM":"MYSYSTEM","TIME":"13:14:15","SOURCEUSERTOKEN":"myuser1","DESTUSERTOKEN":"root","COMMAND":"/bin/ls"} - Ability to forward logs to batch-mode HTTP post destinations; in particular, OpenSearch(Amazon fork of ElasticSearch) and ElasticSearch bulk upload destinations.
- Ability to forward events in Syslog RFC5424 JSON format.
Events that are received by Snare Central in any of the Snare, Snare v2, Syslog RFC 5424 formats, can be forwarded to an external destination in Syslog RFC5424 JSON format.
This format is comprised of Syslog RFC 5424 header and single-line JSON payload. For events that arrive in the original Snare v2 Syslog JSON format, the underlying keys/values will remain unchanged. Tokens and other enhancements will be injected into the SnareDataMap key. This format is useful for Splunk. There is KB article for how some Splunk parser config files need to be created. (https://prophecyinternational.atlassian.net/wiki/x/AYBoZg) - The Snare Central collection subsystem includes corrections for syslog data sources that do not follow RFC3164 or RFC5424 formats. Snare Central will correct these events to syslog RFC-compliant versions when the events are reflected out to their ultimate destination.
- An optimised internal JSON-like communications protocol between reflector and collector components has been included ("SnareJSON"). This format can also be used to communicate data between Snare Reflectors without information loss. Other internal communications protocols are also available, but not recommended for customer use: SNAREOLD, SnareLegacyRealtime.
- Ability to forward events in Generic JSON format.
- Added support for separate LDAP Distinguished Names for users and groups. Added support for logins using sAMAccountName LDAP attribute.
Added support for FortiGate logs, including out-of-the-box reports.
For details on FortiGate log types and sub-types please refer to the User Guide: Log Types: FortiGate
33 new out-of-the-box reports were added for various Fortigate log sub-types:Expand title Click here to expand the list of Reports... - Reports/Network/FortiGate/Event/
- FortiGateEventConnector
- FortiGateEventEndpoint
- FortiGateEventFortiExtender
- FortiGateEventHA
- FortiGateEventRouter
- FortiGateEventSDWAN
- FortiGateEventSecurityRating
- FortiGateEventSystem
- FortiGateEventUser
- FortiGateEventVPN
- FortiGateEventWAD
- FortiGateEventWireless - Reports/Network/FortiGate/Traffic/
- FortiGateTrafficForward
- FortiGateTrafficLocal
- FortiGateTrafficMulticast
- FortiGateTrafficSniffer - Reports/Network/FortiGate/UTM/
- FortiGateAnomaly
- FortiGateAntivirus
- FortiGateAppCtrl
- FortiGateCIFS
- FortiGateDLP
- FortiGateDNS
- FortiGateEmailFilter
- FortiGateFileFilter
- FortiGateGTP
- FortiGateICAP
- FortiGateIPS
- FortiGateSSH
- FortiGateSSL
- FortiGateVoIP
- FortiGateWAF
- FortiGateWebFilter - Reports/Network/FortiGate/
- Unclassified FortiGate
- Reports/Network/FortiGate/Event/
Added support for Cisco Firepower Threat Defence (FTD) log types, including 54 new out-of-the-box reports:
Expand title Click here to expand the list of Reports... - Reports/Network/Cisco/Security/
- ConnectionOperations
- FailedFileOperations
- FileOperations
- HighPriorityIntrusionAttacks
- IntrusionAttacks
- IPSShunAddition
- IPSShunDeletion
- IPSShunFailures
- LowPriorityIntrusionAttacks
- MalwareFileOperations
- MediumPriorityIntrusionAttacks
- RegularFileOperations
- ThreatDetectionDevicesUnderAttack
- ThreatDetectionHostAttacks
- ThreatDetectionShunAddition
- ThreatDetectionShunDeletion - Reports/Network/Cisco/Firewall/
- ApplicationFirewallReports
- DroppedConnectionsReports
- InterfaceUpdatesReports
- LocatingInterfaceFailureReports
- ResetConnectionReports
- RoutingFailureReports
- TransparentFirewallReports - Reports/Network/Cisco/Access/
- Access Lists Reports
- Access Lists Alert Reports
- Access Lists Critical Reports
- Access Lists Error Reports
- Access Lists Deny Operation Reports
- PKI Certification Authority Reports
- PKI Certification Authority Alert Reports
- PKI Certification Authority Critical Reports
- PKI Certification Authority Error Reports
- PKI Certification Authority Fail Operation Reports
- User Authentication Reports
- User Authentication Critical Reports
- User Authentication Error Reports
- User Authentication Failure Reports
- User Authentication CoA Reports - Reports/Network/Cisco/VPN/
- VPN Client Reports
- VPN Client Error Reports
- VPN Client Fail Operation Reports
- VPN Failover Reports
- VPN Failover Fail Operation Reports
- VPN Failover Primary Unit Reports
- VPN Failover Secondary Unit Reports
- WebVPN Failover Reports
- WebVPN Failover Fail Operation Reports
- WebVPN Failover Access List Reports
- WebVPN Failover HighAvailability Reports
- WebVPN Failover Session Reports - Reports/Network/Cisco/SNMP
- SNMP Reports
- SNMP Error Reports
- SNMP Dropped Request Reports
- SNMP Config Error Reports
- Reports/Network/Cisco/Security/
Added 26 new out-of-the-box reports for Windows System Monitor (Sysmon) activity.
These new reports cover the 26 eventid types that are found in Sysmon log data, and can be used to assist in forensic investigations associated with user and system actions, and Mitre Att&ck related activity. For details on the sysmon event IDs refer to the Microsoft website athttps://docs.microsoft.com/en-us/sysinternals/downloads/sysmonExpand title Click here to expand the list of Reports... - Reports/Operating Systems/Windows Incidents/
- 1 Process Creation
- 10 Process Access
- 11 File Create
- 12 Registry Event - object create and delete
- 13 Registry Event - Value Set
- 14 Registry Event - key and value rename
- 15 File Create Stream Hash
- 16 Service Configuration Change
- 17 Pipe Event - pipe created
- 18 Pipe Event - pipe connected
- 19 WmiEvent - WmiEventFilter activity detected
- 2 Process Changed
- 20 WmiEvent - WmiEventConsumer activity detected
- 21 WmiEvent - WmiEventConsumerToFilter activity detected
- 22 DNSEvent - DNSquery
- 23 File Delete - a file delete was detected
- 24 ClipboardChange - new content to clipboard
- 25 Process Tampering - process image change
- 255 Error
- 3 Network Connection
- 4 Sysmon service state change
- 5 Process terminated
- 6 Driver loaded
- 7 Image loaded
- 8 Create Remote Thread
- 9 Raw Access Read
- Reports/Operating Systems/Windows Incidents/
Added 88 new out-of-the-box reports for events received from Snare Agents in snare v2 format.
Expand title Click here to expand the list of Reports... Linux snare v2 reports will be updated in the future versions
- The following pages were moved from System> Data Backup (that was removed) to System > Data Management Tools sub-menu:
- Arbitrary Data Import
- Autoremove Data
- Remove Data
- Enhanced colour coding of report criticality icons, and added character indicators to better support impaired colour vision.
- Events Search enhancements:
- Ability to export Events Search results into a CSV file
- Implemented Search History filters, enabling search by text, date range, or query status
- Implemented Saved Queries filter, enabling search by query, query name or query description
- Added highlighting the free text search string in the search results
- Improved search results pagination by allowing the user to skip to an arbitrary page
- Ability to skip to top of the search results table to avoid scrolling
- Ability to clear the selected date in the Date Picker
- Columns selection and resizing is retained when paginating through Search Results
- Added Timeout and Limit to the query details displayed on the Search History and Saved Queries tabs, when the query row is expanded
- Auto-scroll to error message if an error occurs during the pagination
- Associated query result with Saved Query if the query was saved before running search
- Improved Search Results pagination performance
...
Offline version of the User Guide related to this release
| View file | ||||
|---|---|---|---|---|
|
Installation & Side-by-side Migration Guide for Snare Central
| View file | ||||
|---|---|---|---|---|
|
User Guide to the Snare Agent Management Console (AMC) in Snare Central
| View file | ||||
|---|---|---|---|---|
|