...
...
...
...
| Table of Contents |
|---|
Snare Management Center
| Info |
|---|
| Snare Management Center is available only with an appropriate license. |
See Snare Management Center page in this User Guide.
Antivirus Administration
Snare Central is based on a custom distribution of Linux, and is therefore potentially susceptible to (significantly) less than 1% of all viruses currently in the wild. Snare Central does not provide desktop-level functionality, and the risk profile for virus infection on Snare Central is extremely low. However, Snare Central integrates the ClamAV virus checker, which is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It includes a high performance multi-threaded scanning daemon that provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats.
...
It is the customers responsibility to ensure the antivirus software is kept up to date and is scheduled to run in accordance with your corporate security policy.
Cloud Log Collection Configuration
Configure active log collection from supported cloud providers such as AWS, Azure, Oracle Cloud, etc.
See Cloud Log Collection Configuration page in this User Guide.
Configuration Wizard
The configuration wizard is covered earlier in this User Guide.
Configure Collector/Reflector
See Configure Collector/Reflector page in this User Guide.
Configure GeoLocation for Mapping
In order to plot log data accurately on geographical maps, for example on Cyber Network Map page, it may be necessary to explicitly map internal network IP addresses and hostnames to their geographic locations.
- Use either of the following options available in the drop-down list:
- IP Address - enter a single IP address
- IP Range - enter From and To IP addresses to define a range
- IP Wildcard - enter IP address with one of the fields as a wildcard (asterisk *), for example, 10.10.10.*
- IP Netmask - enter IP Address and a Netmask
- CIDR Block - enter IP address and a CIDR
- Hostname - enter a single hostname
- Hostname Regex - enter a regular expression for hostnames to match
- Choose geographic location from auto suggestion list by entering at least first three characters of city/state/province/country in the location field.
- Click
Click
to add the mapping. The new mapping will appear in the list on the same page. - Add as many mappings as required
- Click
at the top of the page to restart the collection service and apply the changes.
Each mapping in the list can be edited or deleted using action buttons:
Display the Snare Central Log Files
This tool lets you easily access and view different Snare Central log files that are available in your system, as well as share and email a copy of the log file in situations where you request assistance from your Snare Central support team, and get asked for specific log file to aid the investigation, e.g. Snare debug log file which contains generic information on what objectives were run, what scheduled tasks are currently implemented etc. or Snare ServiceMonitor.log which shows if any of the Snare Central core services are running or if any one is down and when it was last restarted.
...
| Note | ||
|---|---|---|
| ||
|
File Integrity Check Administration
This tool allows the user to schedule, monitor and administer system files integrity checks and report on any changes on such files.
...
Please note that changes to the Snare system produced by a Snare Central upgrade will be detected and reported on, as this will include many system files as well as the Snare application components. If you see changes occurring in the operating system and application that were not the result of a patch or manual user intervention, then they should be investigated as part of your corporate incident management process.
IP Address Configuration
The Snare Central allows modification of it's IP address, netmask, default gateway and DNS server settings, these values can be adjusted individually for each Network Interface Card (NIC), providing flexibility in network management of your Snare Central.
...
| Note | ||
|---|---|---|
| ||
|
Import Objectives
Snare Central ships with a large number of default Reports and (starting from v8.6.0) Analytics Dashboards (AKA objectives) that suit a diverse range of organisations, and meet security-related regulatory requirements.
However, there may be situations where additional specialised Reports or Dashboards are made available to users of Snare Central, or need to be transferred from one server to another.
The 'Upload a previously saved Objective(s) or Analytics Dashboards archive' section allows you to select and import objectives from a file stored on your local workstation.
In situations where you have previously used the 'Objective Export' capability by right-clicking on a container, the objectives will be exported to either a local file, or via email, to a selected destination user.
Objectives will be imported into a new container, called "Imported Objectives YYMMDDHHMMSS" (where YYMMDDHHMMSS represents the date/time of import).
The 'Import from a locally stored snapshot of the InterSect Alliance Objective Store' section allows to import objectives from a local objectives store. Click the 
icon besides the desired objective package to import it.
Manage Access Control
To access this area, LDAP groups should be enabled in Configuration Wizard | Security Setup | Snare Central, or Local User groups should be defined in User Administration. This objective provides an easy and flexible interface for changing Objectives access controls at the group level for both local groups or groups defined on an identified LDAP/Active directory server.
...
Please note that most objectives under the "Administrative Tools" and "Data Management Tools" are restricted for only the Administrator user Administrators group exclusively. This is because of the security risks and potential of harm to the Snare Central server involved. This means that most of such objectives cannot be accessed by LDAP users nor by local users that do not belong to the Administrators local group. This also means that the "Manage Access Control" interface cannot be used to assign permissions to these administrative objectives either. The complete list of the Administrator Administrators only objectives is the following.
| Info | ||
|---|---|---|
| ||
Administrative Tools Change
Data Management Tools
|
...
Note that users who create, or clone an objective, are identified as the owner of the objective. Both the owner, and Snare Server Administrators have the ability to Delete the objective and Add new users to the objective.
Manage Nightly Updates
This objective allows an administrator to manage the updates of third party data files that Snare Central uses such as:
...
The update tasks are disabled by default and scheduling for each task is fully configurable.
Manage Objective Schedules
This objective provides summary information on current objective scheduling, target email addresses, and access controls. A link to each objective also enables you to modify the associated configuration settings.
Manage Plugins
The team at InterSect Alliance provide development services for customers, such as creating Snare Central objectives that meet specific organisational requirements. We release these customisations as 'Snare Central Plugins', which can be installed using the normal 'Snare Central Update' capability, and can be turned on/off using the 'Manage Plugins' objective."
My Account
Your Snare Central password can be changed in this objective. Last login date/time information is also available.
...
- 90 Day Rotation
- Password reuse protection
- Last password similarity checks
- Password complexity requirements
- Dictionary word exceptions
Shutdown / Reboot Snare Central
Users with administrative-level access to Snare Central will have the capability to execute various Snare Central system commands for managing and maintaining the Snare Central server and services.
...
- Service Commands
- RESTART SNARE SERVICES : Administrators can use this to restart snare services to refresh it's operation or apply some configuration changes.
- STOP SNARE SERVICES : Administrators can use this to stop snare services for troubleshooting or maintenance.
- START SNARE SERVICES : Administrators can use this to start the stopped snare services and resume it's operation.
Snare Central Update
Updates will be released to:
...
- Select System | Administrative Tools | Snare Central Update | Upload. This invokes the Snare Central Update process.
Select Choose Update to select the patch update. This will check the file. If it doesn't start automatically, then select Upload.
Info When progress reaches 100% select Next to start the update.
Info The update may take up to 15 minutes. When completed, select Return to Snare Central.
Info
Troubleshooting Updates
| Note | ||
|---|---|---|
| ||
Blank navigation/screen after upgrade process. It is unlikely, but possible, that after an upgrade the navigation section, or the entire page, may end up on a blank white screen. This is caused by your web browser caching some of the old page components and preventing the server from using the upgraded components. While we have put checks in place within Snare to try and prevent this, it is possible that some browsers may bypass these checks. To resolve the issue, you can (in most browsers) hold down the Shift key while pressing Refresh on the browser. If this doesn't work, try clearing the browser cache and restarting the browser. If this still does not work, try using a different browser. |
Snare Threat Intelligence
The Snare Threat Intelligence product is designed to provide real-time insight into your log data, using the proven technology found in the eMite real-time analytics dashboards. Threat Intelligence can give you actionable insights in minutes. By breaking down traditional information silos, the Threat Intelligence tool gives you a competitive advantage: more transparency, process, and productivity improvements, more rewarding customer engagement, and faster innovation cycles. Please visit https://www.snaresolutions.com for further information.
| Info | ||
|---|---|---|
| ||
This functionality is being retired and is superseded by Analytics Dashboards available from version 8.6.0 of Snare Central. Please refer to the Analytics Dashboards page in this User Guide. |
Threat Intelligence Configuration
Snare Server 8.0+ includes an updated collection infrastructure, which is capable of interfacing with the new Snare Advanced Threat Intelligence (SATI) module. Enabling the threat intelligence capability on the Snare Central Server will facilitate delivery of selected important events, up to an infrastructure which is capable of providing enhanced dashboards and log intelligence.
Delivery of data to a non-local elasticsearch instance is also supported. Currently all log types that Snare Central receives will be forwarded to the destination server.the list of log types are as follows:
...
Enabling SATI delivery will display an overview of the currently enabled forwarding filters.
| Info |
|---|
Snare Central Elasticsearch Forwarding
The Snare Central Server Integration to Elasticsearch is designed to forward your Snare eventlog data directly into an Elasticsearch index.
...
Delivery of data to a non-local elasticsearch instance is also supported. The Snare Server can be configured to log to a local elastic instance (which is installed and available as part of version 8.0 of the Snare Central server), or can be configured to log to a remote elastic instance. If the remote elastic instance is protected by either X-Pack or ElasticShield from InterSect Alliance, HTTPS/TLS and authentication can be activated.
...
| Note | ||
|---|---|---|
| ||
The events that are forwarded to the Threat Intelligence instance, or a remote elastic server, are governed by the configuration file /data/Snare/ConfigSettings/RealTime.config on the Snare server. This file is not intended to be user-editable at this stage, since it ties directly in with the available dashboard capabilities of the Threat Intelligence server. Event collection rates may be significantly impacted, when this feature is active. ElasticSearch ingest rates are significantly lower than those supported by the Snare Central Server, on similar hardware. When this feature is activated, the potential Snare Server collection rates, will be governed by the elasticsearch bulk upload capabilities. In general terms, there may be one or two orders of magnitude difference between Snare Central Server collection rates, and elasticsearch ingest capabilities. If the destination elastic instance version is v5.x you need to enable/checked the "Enable Elastic v5 Compatibility Mode" otherwise leave it unchecked. Warning: Activating the Threat Intelligence configuration, without installing the corresponding Threat Intelligence module to manage the generated data, will mean that your Snare Central Server will store significantly more data per received event, without being able to remove the associated data from the file-system via the Snare Central Server user interface. |
Support Data Retrieval
To aid the Snare Support team in diagnosing any issues, the information may be gathered with this tool. Selecting Generate will create a compressed-encrypted tar file with the output of some diagnose commands and a few Snare and system configuration files ready for download. After several minutes the tar file will generate, where you have the ability to select the file and download it from the server to be forwarded to support when required.
...
For most calls the additional options will not be required. However the support team may request to select one or more of the checkbox's depending on the nature of the support call.
| Info |
|---|
User Administration
It is recommended that a number of users be created after Snare Central has been installed, so that:
...
- Once a user is created, the created user will use the global Auto LogOut settings, or the Administrator can configure a customized settings per each user.
- In situations where an account was locked due to several failed login attempts, like below:
- An additional configuration setting on the Update User screen will offer the Administrator the capability to unlock a Snare Central user account.
- If an account is not unlocked, it will automatically unlock after 30 minutes.
Operating System Password Controls
The operating system password controls are managed by the Pluggable Authentication Modules (PAM) in Linux. The configuration files are located in /etc/pam.d directory. The password controls for Snare Central are detailed in the /etc/pam.d/common-password file. The file can be updated to reflect your corporations security policy.
...
The configuration will enforce the password policy rules for the following operating system accounts root, snare and snarexfer. For additional information on the values of each setting refer to the manual pages for pam.d and pam_cracklib.
