V5.1.0

New Features

  • Introducing the File Integrity Monitoring (FIM) module. The FIM module can be used to scan files/directories and compare against a known baseline. Events are generated upon changes to file contents or attributes.
  • Binary Distribution
  • Veracode

Enhancements

  • A new command line switch, /license, is introduced for use with the agent setup configuration file (.INF). This switch can point to the license file to be used during installation. The license file selected through the /license switch has higher priority than the license options selected through the installer UI. For example: /license="20180206-SnareAgent-Evaluation-AZP-CYT.sl"
  • Previously, when the 'Host IP As Source' option was selected, the first IP address of the machine was used as the source address for reported events. Now the user is shown all of the machine's IP addresses in a drop-down list and can select the specific IP address to report as the source IP of events. @maria - document that if the network adapter is not available, then it will default to the override hostname, and if that doesn't exist it will default to the system's hostname. User guide words need updating - please review: Host IP As Source. Enabling this setting will use the first network adaptor as listed in the network configuration as the source of the IP address. The agent will periodically (about every ten minutes) check this setting and pick up any changes that occur via a manual change of IP or DHCP reassignment. The value of the IP address will be displayed in Override detected DNS Name with once selected. If the host does not have a valid IP address, i.e. DHCP has not been responded to, then the syslog message will default to the system's hostname, which is the default setting for the agent.
  • Any file destination now shows the real file name, including any date appended to the file name for rotation, for example C:\file_events_YYYYMMDD.txt.
  • User Interface (UI) update affecting the 'IP Address allowed to remote control SNARE' field. This field is disabled if 'Restrict remote control of SNARE agent to certain hosts' is selected on the Access Configuration page.
  • Updated usability on the Destination Configuration page, with a Hostname Options section.
  • Trace level logging now displays the bytes and events sent per second (EPS) for each configured destination after 5 seconds. This aids in correlating and debugging EPS rates when sending logs.
  • The event filtering subsystem has been modified to collect and audit File Event ID 4670 when General Configuration | 'Allow Snare to automatically set file audit configuration?' is selected and an objective is created.

Security Updates

  • Maintenance update for OpenSSL to patch to OpenSSL-1.0.2n.

Bug Fixes

  • Fixed an issue with heartbeat license messages spamming the logs with a license heartbeat every 60 minutes (if heartbeats are disabled) or every heartbeat period. Also fixed an issue with SAM-issued licenses being immediately marked as expiring in 30 days, which warned the customer that the license was about to expire.
  • Heartbeat events have been added at the Information level to provide more information about the operation of the agent. These new heartbeats are sent when any setting is changed from the GUI and when the agent service status changes.
  • Agent behavior has been changed so that no heartbeat is logged if no SAM is configured to connect to. If a SAM is configured, a heartbeat is logged every 2 hours while the connection is lost.
  • Objective matching in Snare supports wildcards. In the existing release of Snare, this wildcard matching could cause a stack overflow crash in some situations. This issue is fixed in this release, and the possibility of a stack overflow during wildcard matching is removed.
  • The agent installer is capable of listing any license files it finds in the same directory as the agent executable.  This change updates the agent installer to include a "None" option, to not install any license file if present.
  • Fixed a bug where the Snare Agent would not import the SyslogPriority, SyslogFacility and CacheSizeSet values from an .INF (agent setup configuration file). Consequently, CacheSizeEventLog was not used.
  • An installation issue in the previous release of Snare could cause the installation to fail on some busy machines running a 32-bit OS. The installer now properly checks the status of service operations and retries appropriately when needed.

  • Resolved issue where an incorrectly defined destination in Super Group Policy could prevent the agent from starting.

  • Some agent settings are machine specific, i.e. Clientname, HostIP and HostGUID. An issue in the export settings command -x caused these machine-specific settings to be exported into the .inf file, from which they could subsequently be loaded with the /loadinf option during install. This issue is fixed in this release: machine-specific values are no longer exported into the .inf file, and even if the .inf file is manually edited, these values are ignored by the loadinf option.
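
The wildcard-matching fix listed above concerns a stack overflow during objective matching. As an added illustration (not Snare's code, which this page does not show), the C matcher below handles `*` and `?` iteratively, so its stack use does not grow with pattern or input length. The wildcard syntax, the case-insensitive comparison and the function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Iterative match: '*' = any run of characters (including none), '?' = exactly
 * one. Case-insensitive (assumption). No recursion, so stack use is constant
 * however long the pattern or text is. */
bool wildcard_match(const char *pattern, const char *text)
{
    const char *star = NULL;   /* pattern position just after the last '*' */
    const char *resume = NULL; /* text position the last '*' has absorbed up to */
    while (*text) {
        if (*pattern == '*') {            /* remember the backtrack point */
            star = ++pattern;
            resume = text;
        } else if (*pattern == '?' ||
                   tolower((unsigned char)*pattern) == tolower((unsigned char)*text)) {
            pattern++; text++;
        } else if (star) {                /* let the last '*' absorb one more char */
            pattern = star;
            text = ++resume;
        } else {
            return false;
        }
    }
    while (*pattern == '*')               /* trailing stars match empty text */
        pattern++;
    return *pattern == '\0';
}

/* Constructed stress input: n repetitions of "*a" against n 'a' characters.
 * Returns 1/0 for match/no match, -1 on allocation failure. */
int stress_match(size_t n)
{
    char *pattern = malloc(2 * n + 1), *text = malloc(n + 1);
    int result = -1;
    if (pattern && text) {
        for (size_t i = 0; i < n; i++) { pattern[2 * i] = '*'; pattern[2 * i + 1] = 'a'; }
        pattern[2 * n] = '\0';
        memset(text, 'a', n);
        text[n] = '\0';
        result = wildcard_match(pattern, text);
    }
    free(pattern); free(text);
    return result;
}

int main(void) { return stress_match(200000) == 1 ? 0 : 1; } /* exit 0 on match */
```

A matcher that recurses once per character or per `*` needs stack proportional to the input, which is what long patterns or long object names exhaust.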


V5.0.2

Enhancement

  • Changes were made to the validation of the SAM IP field in 'Access Configuration'. Previously, hostname validation was limited to accepting numeric values. It has been changed to accept fully qualified domain names. As a result, fields that depend on IP/hostname validation will accept a wider range of inputs, including FQDNs in addition to IPs.
  • Alters references for Evaluation Licenses to Temporary Licenses.
  • Added text on the License page in the UI to aid users using SAM or standalone licensing.

Security Updates

  • The SHA version used for certificates in the Windows and Unix agents has been changed. This enables a higher level of security by using SHA2 support for newer versions of the Windows and Linux agents.
  • Snare Agent web UI functionality has been modified to prevent cross-site scripting attacks.

Bug Fixes

  • Notifications and warnings on Snare agents have been changed to allow the syslog_5424 format on port 514. As a result of this change, notifications and warnings will no longer appear for valid syslog formats when using port 514.
  • Fixed potential memory corruption of event data being sent via TCP, TLS or UDP under very heavy loads.
  • There was an issue in the previous release of the Snare agent where objectives were not properly handled during upgrade to the latest release. Due to this issue, objectives might not be available after upgrade. This issue is fixed in this release: Snare now properly handles objectives during upgrade, and all objectives are available after upgrade.
  • Snare agent warning and notification messages have been changed to issue a warning when a non-TAB delimiter is selected for the SNARE format (Snare Server destination). As a result of this change, new warnings will be issued when a non-TAB delimiter is selected for the SNARE format (for a Snare Server destination).
  • There was a debug logging issue in the previous release of the SnareMSSQL agent. Due to this issue, SnareMSSQL was not able to properly show log messages on the console when run from the console. The fix ensures SnareMSSQL logs all messages to the console window as per the input parameter -d when run from the console (e.g. snaremssql -c -d SAM:trace > mysnare.log 2>&1).
  • There was an issue with the uninstaller of the SnareMSSQL agent. Due to this issue, the uninstaller was not properly cleaning the registry of the SnareMSSQL agent. This issue is fixed in this release, and the uninstaller now properly cleans the registry during uninstall.
  • There was an issue with the way SnareMSSQL was saving/updating objectives. Due to this issue, an objective would not save correctly when the 'Including SELECT' checkbox was checked on the objective page. This issue is fixed in this release, and SnareMSSQL now properly saves the value of the 'Including SELECT' checkbox.
  • There was an installation issue in the previous release of SnareMSSQL when installation was performed using an .inf file on machines that are part of a Windows Cluster or machines running Windows Server 2016. Due to these installation issues, SnareMSSQL installation might fail or objectives might fail to load from the .inf file. These issues are fixed in this release. SnareMSSQL now handles cluster installation and properly supports Windows Server 2016.
  • There was an issue in the previous release of SnareMSSQL where the setting 'Use plain text objective data' under General Configuration was not working. Due to this issue, objectives were not stored in plain text even when this option was checked. This issue is fixed in this release, and SnareMSSQL now properly honors the setting 'Use plain text objective data'.
  • Updated the validation of event types in objectives. An objective cannot be saved if at least one event type is not selected. This is to ensure that only a valid objective is saved.

V5.0.1

Enhancement

  • To improve error reporting, an error message is now shown below each objective when SnareMSSQL cannot access the trace file directory or cannot create the trace file in the configured location.
  • Key IDs on the Agent /license pages are now styled to show alpha characters in black and numeric characters in a red tone. This makes it easier for those who have problems seeing the different shades of grey.
  • Licenses may now list a KeyID of 0 (zero).
  • Multiple instances of the SnareMSSQL agent may be running on a cluster machine, which can be confusing in SAM network scan results when these instances are all reported from the same machine. With SAM v1.0.1, additional meta information is added for SnareMSSQL agents. Now, when a SnareMSSQL agent is expanded in the SAM network scan results, it shows two new fields: DB Cluster (only for SnareMSSQL cluster installations) and DB Instance.

Security Updates

  • Maintenance update for OpenSSL to patch to OpenSSL-1.0.2j.

Bug Fixes

  • In previous versions, SnareMSSQL service(s) could be started for all cluster SQL Server instances of an MS SQL cluster node. This version fixes this issue, and the SnareMSSQL service is started only for SQL Server instances that are currently active on a cluster node.
  • There was an issue with the SnareMSSQL installer that caused the SnareMSSQL service to be 'automatic' instead of 'manual' if SnareMSSQL was installed on cluster machines. This issue is fixed in this release, and the SnareMSSQL service type is now set to 'manual' during a fresh installation. This release also fixes the issue in existing installations and updates the service type to 'manual' even when the SnareMSSQL installer is run using the 'Keep Settings' option.
  • The Statistics page will no longer reset when the agent syncs with the SAM without any settings change. It will correctly display 24 hours' worth of data in the graph.
  • The AccessKeySet registry setting will no longer contain a valid hash if not set during the install.
  • Fixed the handling of the conversion of logging levels in Group Policy when upgrading from v4 to v5.
  • There was an issue where, if a Snare agent and SAM were running on the same machine, the Snare agent could be licensed even without the SAM details being configured in it. This issue is fixed in this release, and the SAM details must now be included in the Snare agent for it to be licensed from SAM.
  • Host validation updated for Restrict IP when a comma-separated list of hosts is used.
  • Fixed a bug where the SAM and Certificate sections of an .inf file were not imported correctly by the installer.
  • There was an issue with the way the agent handled registry keys that were missing due to a corrupt configuration or a user manually removing them. If the agent could not open a registry key, it simply ignored it, causing Snare to encounter an error. This issue is fixed in this release. Now, if Snare cannot open a registry key, it creates the key with default values so that registry values can be written to the newly created key. Snare logs an error if it cannot create the registry key because of a permission problem.

