Snare Windows Desktop Agent v5.3.0 was released on 19th June 2019.
New Features
- TLS Authentication. The Snare agents now support authentication over TLS to allow sending of logs over a secured and authenticated connection to the Snare Collector/Reflector. The Agent has some new configuration settings to set an authorization key that is set on the Snare Agent and also in the Snare Collector/Reflector. The key negotiation is over TLS using Diffie-Hellman algorithm where the full key never is sent over the network. This establishes a mutual trust between the Snare agent and the Collector so it allows for secure connections over untrusted networks like the Internet for sending and receiving log data. This new feature uses a new TCP port 6164 on the Collector configuration to use this TLS AUTH feature. The Collector will refuse connections from systems that do not authenticate the connection and drop the connection. Customers can use this option when configured to receive log data from Snare Agents for mobile users when connected to the Internet rather than having to rely on the user to VPN into the corporate network to receive the log data.
- Event Source ID. The Windows agent now supports adding additional data to the windows event. This is known as Event Source ID. The current version will pull data from a specific registry key and add the key tag pair to the end of the strings field of the syslog data. All events will be tagged when this option is selected as a method adding additional meta data to the event so its known to come from a specific system. This extra data is added to the Snare and other log formats for RFC 3164 and RFC 5424.
Enhancements
- The EPS rate shown on the latest events page has been changed to show the full integer value rather than scientific notation format for when the value is larger than 999.
Bug Fixes
- Prevent the agent from crashing on FIM scan, if the modified file identified by the scan had corrupted details (i.e. file owner).
- Resolved the issue where default protocol and log format configuration values were not properly validated, potentially causing a crash while Snare service starts or restarts.
Known Issue
This Snare Windows Desktop Agent release has a known issue when upgrading to a later release using the SAM Centralized Agent Upgrades feature. This upgrade problem has been corrected in 5.3.1 however customers that need to upgrade to a later version will have to perform a manual upgrade either directly on the server or use the MSI wrapper to package up the later version and deploy using the their standard software deployment method such as GPO, MS SCCM etc. Agent versions from 5.1.1 and less than 5.3.0 can still be upgraded using the SAM Centralized Agent Upgrades feature and are unaffected from the 5.3.0 issue.