Snare Windows Agent with Event Collection v5.6.0 was released on Xth May 2021.
Security Updates
- Removed MD5 and SHA1 hashes from the release metafiles. Only SHA512 of SHA-2 family is now used for verifying integrity of binary files.
- 3rd party libraries upgraded:
- OpenSSL upgraded to version 1.1.1m
- curl upgraded to version 7.79.1
New Features and Enhancements
Ability to control File/Folder and Registry access auditing on Windows via Snare Agent's new FAM and RAM Policies
In the previous versions customers could configure File and Registry auditing via Windows interfaces (File Properties > Security > Advanced > Auditing), or via a Group Policy.
Starting from this version, File/Folder and Registry access auditing can be controlled from Snare Agent as well, with an option to apply additional event filters by user and text.
See Audit Policies Configuration User Guide for more details.- A new checkbox setting was added on the Agent's Access Configuration page allowing to disable TLS 1.2 and use TLS 1.3 as a minimum for web UI connections
- The name of the self-signed certificate generated by the Agent by default was changed from the host name to "Snare Agent"
- File Integrity Monitoring (FIM) now supports file paths containing non-English characters such as Arabic, Chinese etc
- File Integrity Monitoring (FIM): status message for each monitor is now shown in a new column "Status", next scheduled scan time is shown in "Next Scan" column
- Registry Integrity Monitoring (RIM): status message for each monitor is now shown in a new column "Status", next scheduled scan time is shown in "Next Scan" column
- Status and State sections of registry no longer included in periodic settings change checks which caused unresponsiveness on citrix systems
- The default Audit Policies now include Windows events of type Critical
- The Snare debug log (sometimes required for troubleshooting by Snare Support) can now be generated from Web UI without stopping the Agent
Navigate to Snare Log page in Agent's Web UI, configure the output directory and the duration of debug log capturing, and click Start Debug Log.
Stop Debug Log button allows to stop logging before the configured time has elapsed Memory usage optimisation for Heartbeat logs handling when 'Agent Logging Options' is set to Trace level and 'Agent Heartbeat Frequency' is set to a longer period
- A warning will be displayed on the Destination Configuration page when sending to Snare destination using TLS_AUTH protocol, but without changing the default TLS_AUTH Authentication Key
Bug Fixes
- Fixed the bug of agent crashing when a wrong formatted audit policy/objective is set manually by editing registry
- The Agent will now attempt to reuse existing self-signed certificate instead of creating a new one every time remote configuration is pushed from Snare Central AMC
- Cached Events will now be sent as correct event types, and not as generic CachedEvent type
- Resolved an issue where File Integrity Monitoring (FIM) Policy could remain not scheduled
- Updated file path traversal to be more robust on a variety of platforms
- Fixed the issue where Registry Integrity Monitor (RIM) was incorrectly handling Binary values of size 0, and was generated NEW or DELETE events instead of CHANGE when the value was edited
- Fixed the issue where Registry Integrity Monitor (RIM) was creating change events only for changes in the first string of multi-string registry values, and was missing changes in consecutive strings
- Enhanced robustness in using the IP address in events by multiple retries when the system is yet to get a valid IP address
- Cache Path and Heartbeat Output Path are set to the installation folder by default
- Agent now properly handles paths containing \n inside the event content
- Replaced deprecated conversion methods between string and wide string
- Heartbeat event checksum option now written to heartbeat export file if enabled
- Removed duplicated warning messages on the Destination Configuration page, improved message format consistency
- Removed irrelevant warning that was shown when destination was configured with port 514 and SYSLOG JSON format
- Fixed the issue of getting an error when users accidentally enter space(s) in the Destination and/or SAM IP address
- Improved logging of SQLite error messages, logging them at an appropriate log level
- Corrected the misleading message for expired license support
- Removed misleading logging of EvtFormatMessageEvent errors, such as 15029. Snare Agent will log an appropriate warning message when event detail is not provided by a provider/publisher
- Removed the erroneous error message logged every time the collection from text file reached end of file
- Reduced severity of erroneous error "CN is not found for certfificate" to informational message
- Resolved issue where logs displayed on Snare Log page might be filtered incorrectly