Snare Central v8.6.0 was released on 16th May 2024.
Snare Central incorporates Reflector v3.2.0, Snare Agent Manager (SAM) v2.0.0, and Snare Enterprise Agent for Linux v5.8.0.
If the threat intelligence component is active, version 6.8.7 of ElasticSearch is activated.
The following licensed components are available:
- Snare Management Center (SMC)
- Snare Management Center Client (SMC)
- Agent Management Console (AMC)
- Snare Advanced Analytics (SAA) - new
- Cloud Logs Collection:
- Office 365 Logs Collection
- Amazon Web Services Log Collection - new
- Oracle Cloud Log Collection - new
Overview
Snare Central version 8.6.0 introduces several new capabilities including Snare Analytics Dashboards (pre-built and custom), logs collection from Azure, AWS and Oracle Cloud Infrastructure, integration with Okta, over 180 new reports and a number of other enhancements and bug fixes.
Compatibility Note
Snare Agent Management v2.0.0 included in this version of Snare Central is compatible with the following versions of Snare Agent.
SAM v2 Feature | Supported Snare Agent Versions |
---|---|
Agent Configuration Management (New) | 5.8.0 or newer |
Agent License Management | 5.5.0 or newer |
Remote Agent Upgrade | 5.5.0 or newer |
Agents Discovery using Network Scan | 5.4.0 or newer |
If you use any of these SAM features, upgrade the Snare Agents to the latest version BEFORE upgrading Snare Central.
After upgrading to Snare Central v8.6.0, please reboot the server to apply kernel changes, as advised by Ubuntu.
This version of Snare Central removes OpenVAS from the system. If you currently use this software you will need to seek an alternative. The version we had installed has become too hard to maintain and update. Similar functions will be considered in the future, given the new analytics features in Snare Central.
Features and Enhancements
Snare Analytics Dashboards
Licensed Feature
This requires the Snare Advanced Analytics (SAA) or Snare Advanced Threat Intelligence (SATI) license features
Visualise the data you collect to gain security insights and discover issues early!
This new capability combines the power of Events Search, where you can construct, test and save log data queries, with the visual components you can use to visualise the results.
Create pie charts, bar charts, line charts, tables and cards to build your own dashboard, or use one of the 26 pre-built Analytics Dashboards that are available out of the box.
Dashboard components can be arranged in a grid-style pattern, and resized to highlight the importance of the information.
Components can be linked to visualise different perspectives on the same data query.
Please refer to the User Guide > Analytics Dashboards for detailed documentation. The 26 pre-built dashboards are listed under Analytics Dashboards.
- Log collection from Cloud Providers
Snare Central can now actively collect logs from the following supported cloud providers:
- Amazon Web Services (AWS)
- Azure Cloud
- Microsoft 365
- Oracle Cloud Infrastructure
A new user interface is provided for configuring and monitoring event log collection: System > Administrative Tools > Cloud Log Collection Configuration
Reports and dashboards for the new log types are available out-of-the-box. Details are provided below.
Microsoft 365
Licensed Feature
This capability requires either Office 365 Logs Collection (IA_CLOUD_O365) or Cloud Logs Collection (IA_CLOUD) license features
Snare Central can collect activity logs from the Office 365 Management Activity API, including user, admin, system, and policy actions and events from Office 365 (rebranded to Microsoft 365) activity logs.
This capability was first introduced in Snare Central v8.5.0.
In this release, scalability and stability of the collection process were significantly improved.
A new user interface is now available to configure log collection from the Office 365 Management Activity API.
For instructions on how to configure log collection from the Office 365 Management Activity API, please refer to the User Guide > Microsoft 365 - Cloud Log Collection Configuration
Azure Cloud
Licensed Feature
This capability requires either Office 365 Logs Collection (IA_CLOUD_O365) or Cloud Logs Collection (IA_CLOUD) license features.
Snare Central can be configured to collect activity logs from the Azure Log Analytics Workspace API.
For instructions on how to configure log collection from Azure Cloud in Snare Central, please refer to the User Guide > Microsoft Azure - Cloud Log Collection Configuration
Azure logs will be classified in Snare Central as documented here: User Guide > Log Types: Azure
There are 59 new reports available out-of-the box for Azure cloud logs.
Amazon Web Services
Licensed Feature
This capability requires either Amazon Web Services Log Collection (IA_CLOUD_AWS) or Cloud Logs Collection (IA_CLOUD) license features.
Snare Central can collect logs from AWS Kinesis Data Streams via the Kinesis Data Streams API.
For instructions on how to configure log collection from AWS Kinesis Data Stream, please refer to the User Guide > Amazon Web Services (AWS) - Cloud Log Collection Configuration
AWS logs will be classified in Snare Central as documented here: User Guide > Log Types: AWS
There are 13 new reports available for AWS logs.
Oracle Cloud Infrastructure
Licensed Feature
This capability requires either the Oracle Cloud Log Collection (IA_CLOUD_ORACLE) or Cloud Logs Collection (IA_CLOUD) license features.
Snare Central can be configured to collect audit logs from the Oracle Cloud Infrastructure (OCI).
For instructions on how to configure log collection from Oracle Cloud Infrastructure, please refer to the User Guide > Oracle - Cloud Log Collection Configuration
Oracle Cloud logs will be classified in Snare Central as documented here: User Guide > Log Types: Oracle Cloud Infrastructure
There are 25 new reports available for Oracle Cloud logs.
- Cyber Network Map now displays additional AWS, Azure, Snort, SonicWall, CiscoRouterLog and Fortigate log types, enriched with geolocation data.
- Executive Dashboard
- Main Dashboard was renamed to Executive Dashboard
- Historical Collection graph now displays an additional column for Compressed Bytes, and shows a summary of received data volume vs stored compressed data volume, highlighting the storage saving.
- Live Events chart now shows EPS (events per second) instead of BPS (bytes per second).
- Monitor Live Data page was redesigned for faster performance.
Please refer to the User Guide > Status > Monitor Live Data for details.
- Integration with Okta: Single Sign-on (SSO) and Multi-Factor Authentication (MFA) are now available in Snare Central for customers using Okta, and can be enabled by the Administrator via Configuration Wizard > Identity and Access Management Setup.
When enabled, users will be able to log in to Snare Central with their Okta account.
The local Administrator account can still log in directly to manage the Okta integration settings.
Please refer to the User Guide Appendix C - Creating a SSO and MFA OpenID Connect Integration with Okta for details.
- Snare Agents Configuration Management via SAM
Snare Central v8.6.0 includes Snare Agent Manager (SAM) v2.0.0, introducing capability to remotely manage Snare Agents configuration and policies.
The new capabilities of SAM will replace the legacy AMC (Agent Management Console) component. AMC will be removed in future releases.
SAM, in combination with Agents v5.8.0 or newer, uses a firewall-friendly 'pull style' configuration management model, in which agents fetch their configuration from SAM, rather than AMC's push-style model.
Please refer to the SAM documentation for details.
- Improved performance and functionality of the Real-time alert components. Migrated to a new Real-time subsystem, removing the reliance on the legacy IPDB data access layer.
- Improved Real-time alerts to report on every match, not only on the highest-priority one.
- Additional options are available for Email, SMS and SMTP notifications, configurable via Configuration Wizard > Alert Manager Setup
Please refer to the User Guide > Configuration Wizard > Alert Manager Setup for details.
- Events Search enhancements:
- Event Search now returns the exact number of matching events, rather than an indicative "at least this number" of events.
- Event Search results now display the accurate number of extracted events, rather than an estimate.
- Case-insensitive Basic Event Search queries that search in specific fields now use exact match (INCLUDES) rather than partial match (REGEXI). This significantly speeds up the queries; note that a query which previously relied on a partial match within a field will now return only exact matches.
- Improved speed of pagination and sorting for event search results.
- Improved display of error messages to be more descriptive.
- Reflector improvements:
- Improved Reflector collection performance, by introducing geolocation caching and other performance optimisations.
- Improved the CiscoFTDLogSecurityEvent log processing speed.
- Added event truncation for very large incoming events. Events arriving at the Snare Central server are truncated at 5 megabytes per event (configurable, and can be disabled). This provides increased protection against massive-event denial of service attacks on the audit collection infrastructure in situations where untrusted third parties can generate event data.
- Batch destinations, such as the Elastic bulk upload facility, now report a 'connected' state to the health checker once the first connection attempt succeeds, until a connection attempt fails.
- Updated "Snare Server 7.1+" format description on Help page to reduce confusion.
- AMC performance improvements
- Added a warning on the AMC page to recommend managing Agents v5.8.0 configurations via SAM
- Added Email Alerts/Reports customisation options:
  - A new "Override Email Subject" option was added to the Email Setup section of the Configuration Wizard.
  - A new "Customise Email Header" section was added to the Dynamic Query configuration section to tailor the header of report emails.
- Introduced a new Data Migration Manager tool, replacing the Side by Side Migration menu.
Please refer to the User Guide > Appendix D - Data Migration Guide for Snare Server for details.
- Improved support for LDAP nested groups.
Please refer to the User Guide > Appendix A - LDAP and LDAP Groups for Snare Central - User Information for details.
- SNMP can now be configured in the Snare Central user interface. A new snmpd subsection was added to the Configuration Wizard > SNMP Setup section.
Please refer to the User Guide > Configuration Wizard > SNMP Setup for details.
- The unused "Enable Date-Based Event Discard" checkbox was removed from the Configuration Wizard > Performance and Hardware section.
- Unused systemd-timesyncd service is now disabled by default.
- In the "System Software Check" section of the Health Checker, removed the mention of md5sum. MD5 is deprecated and newer hashing algorithms are now used.
- Improvements to Support Data Retrieval:
- Allow the same file(s) to be downloaded multiple times.
- Allow generation of support data after previous execution was interrupted by reboot.
- Improved TLS issues logging
- Added support for CISCO ISE logs
- PIX/ASA CEF output now uses dhost rather than dst if the ASA source reports a hostname rather than an IP address. Extraneous details are also stripped from that field.
- Added 84 new reports, available out-of-the-box:
  - 10 new reports for Windows Certificate changes on systems, and for changes from a Windows Certificate Authority
  - 30 new reports for logs collected via Windows Advanced Auditing policies in Snare v2 format
  - 5 new reports covering MSSQL Server admin activity for events in Snare v2 format
  - 8 new reports covering the new Sysmon events 26, 27, 28 and 29
  - 3 new reports for Trend Micro malware activity events
  - 2 new reports for Windows Registry and RIM events
  - 24 new reports for ApacheLog, IISWebLog, ISAWebLog and MSProxySvr logs received in Snare v2 format
  - 2 new AppleBSM (macOS) reports for events in Snare v2 format
- For events arriving in Syslog RFC5424 format, syslog MSGID, PROCID and APPNAME are preserved for GenericLog events, if supplied.
- Set default SSH LogLevel value to VERBOSE instead of INFO for improved auditing.
- Adjusted the firewall rules save/restore process to align with the UFW state. Previously, if a firewall rule had been removed in the Snare Configuration Wizard while the Snare collection service was stopped, there was a risk that a 'ghost' copy of the rule would be resurrected when the collection service restarted. The saved firewall rules now correctly map to the rules specified in the wizard.
- Added clean-up of a temporary folder after successful upgrade.
- Improvements to the daily log vacuum task to also include mail drop directory.
- Improvements to the services monitor to restart only required services.
- Change made to the Networking and IP Configuration options of the Snare Central Administration Menu to support DHCP.
- Added "6-monthly" scheduling option for Reports.
- Modified some report names to use consistent capitalisation for new installations.
- New packages added:
- Added rclone package to the base install for interaction with cloud storage
- Other code refactoring and minor enhancements.
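Three of the Reflector behaviours above (truncating oversized events, preserving the RFC 5424 APP-NAME/PROCID/MSGID header fields, and choosing the CEF dhost key over dst when the reported destination is a hostname) shown together in one minimal ingest path. This is illustrative code added for these notes, not Snare Central's or the Reflector's implementation: the function names, the rule used to strip "extraneous details" from a hostname (a trailing "/port" or parenthesised annotation) and the sample lines are assumptions constructed for the example; the 5 MB constant mirrors the stated default.

```python
# Added illustration, not Snare Central's own code: a minimal ingest path for a
# syslog collector showing per-event size truncation, RFC 5424 header parsing
# that keeps APP-NAME/PROCID/MSGID, and CEF dhost-vs-dst selection.
# Function names, the hostname stripping rule and the sample lines are
# assumptions/constructed; the 5 MB cap mirrors the default described.
import ipaddress
import re
from typing import Optional, Tuple

MAX_EVENT_BYTES = 5 * 1024 * 1024  # assumed default; None disables the limit


def truncate_event(raw: bytes, max_bytes: Optional[int] = MAX_EVENT_BYTES) -> Tuple[bytes, bool]:
    """Cap a single event at max_bytes so one hostile sender cannot make the
    collector buffer an arbitrarily large message. Returns (event, truncated)."""
    if max_bytes is None or len(raw) <= max_bytes:
        return raw, False
    return raw[:max_bytes], True


# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# Structured-data matching is simplified: an escaped "]" inside an SD-PARAM
# value is not handled.
_RFC5424 = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    rb"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    rb"(?P<procid>\S+) (?P<msgid>\S+) "
    rb"(?P<sd>-|(?:\[[^\]]*\])+)"
    rb"(?: (?P<msg>.*))?$",
    re.DOTALL,
)


def parse_rfc5424(event: bytes) -> Optional[dict]:
    """Parse an RFC 5424 line; return None if it is not RFC 5424 (e.g. BSD syslog).
    APP-NAME, PROCID and MSGID are preserved; the NILVALUE "-" becomes None."""
    m = _RFC5424.match(event)
    if not m:
        return None
    fields = {k: (v.decode("utf-8", "replace") if v is not None else None)
              for k, v in m.groupdict().items()}
    pri = int(fields.pop("pri"))
    fields["facility"], fields["severity"] = pri >> 3, pri & 7
    for key in ("appname", "procid", "msgid"):
        if fields[key] == "-":
            fields[key] = None
    return fields


def cef_destination(reported: str) -> Tuple[str, str]:
    """Pick the CEF key for a destination: an IP literal goes in 'dst', a
    hostname in 'dhost'. For hostnames, a trailing '/port' or parenthesised
    annotation (assumed formats, e.g. 'web01.example.com/443') is stripped."""
    try:
        ipaddress.ip_address(reported)
        return "dst", reported
    except ValueError:
        host = re.split(r"[/( ]", reported, maxsplit=1)[0]
        return "dhost", host


def ingest(raw: bytes, max_bytes: Optional[int] = MAX_EVENT_BYTES) -> dict:
    """Truncate first, then parse; non-RFC 5424 input is kept as a generic message."""
    event, truncated = truncate_event(raw, max_bytes)
    parsed = parse_rfc5424(event)
    if parsed is None:
        parsed = {"appname": None, "procid": None, "msgid": None,
                  "msg": event.decode("utf-8", "replace")}
    parsed["truncated"] = truncated
    return parsed


if __name__ == "__main__":
    # Constructed sample input, not captured from a real system.
    samples = [
        b"<34>1 2024-05-16T10:00:00Z host1 sshd 4242 ID47 - Accepted publickey for ops",
        b'<165>1 2024-05-16T10:00:01Z host1 app - - [exampleSDID@32473 iut="3"]',
        b"<13>May 16 10:00:02 host1 legacy: BSD-style line",
        b"<14>1 2024-05-16T10:00:03Z host1 flood 1 - - " + b"A" * 64,
    ]
    for line in samples:
        print(ingest(line))
    # A deliberately small cap stands in for the 5 MB default to show truncation.
    print(ingest(samples[-1], max_bytes=48))
    print(cef_destination("10.0.0.5"), cef_destination("web01.example.com/443"))
```

Truncation runs before parsing, so the parser never sees more than max_bytes of attacker-controlled input; cutting at a byte boundary can split a multi-byte UTF-8 sequence, which the lenient decode tolerates. The header fields survive truncation as long as the cap is larger than the header, which is why the flood line above still yields its APP-NAME and PROCID.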
Security
- System packages updated to mitigate security vulnerabilities
- Added LDAP/TLS support for the Agent Management > Snare Agents > Retrieve User and Group information from Windows Servers functionality
- Included Canonical FIPS-certified libraries in Snare Central
- Removed deprecated OpenVAS packages and functionality
- Upgraded jQuery from version 1.11.3 to 3.6.1
- Upgraded the Bootstrap CSS framework from version 3.2.0 to 5.3.0
- Upgraded Angular.js in Reflector UI to version 1.8.2
- Restricted permissions on a sensitive file
- Users with read-only access are now prevented from cloning reports owned by other users
- Improved permissions handling for cloning, creating containers, and creating reports and objectives
- Fixed potential information leak in Ubuntu’s default MOTD (Message of the Day) command
- Improved fresh installation and upgrade processes to ensure that ElasticSearch is not installed if SATI is not enabled
- Improved secure handling of encryption keys in Snare Central
- Removed interactive, password-protected access to generated PDF files via the web interface
- Security hardening of the internal listeners
Bug Fixes
- Fixed a problem in the backup and restore tool that blocked the restore functionality when an invalid filename or path was present in the backup
- Fixed an issue in Event Search results that include events from disparate log types, where field names and data could sometimes be missing
- Fixed an issue in Event Search results where clicking the last page in the pagination bar resulted in an error
- Fixed an issue where adding a new destination on the primary server was not replicated to the secondary server in a High Availability (HA) cluster
- Removing data using 'Any Log Type' now works correctly
- Fixed an issue where Snare Reflector could stop collecting events if very large events were received, and the disk is very slow. Timeout adjusted to better accommodate slow disks
- Updated Documentation External link and Configuration Wizard Documentation link to the latest User Guide for Snare Central
- Updated the minimum disk space warning shown during installation to 400GB
- Self-signed certificates generated by the Snare Central server can now include fully qualified domain names
- Japanese characters now work in real-time alerts
- Resolved issue with the console administration menu not disabling a network interface as expected
- Resolved a login problem when LDAP is enabled and configured to use SAMAccountName
- Non-standard mount points can now have warning and problem thresholds configured in the Snare Central Health Checker
- Missing Bytes per Second graph is now displayed correctly on the Reflector Dashboard
- Fixed Expand functionality of the Reflector Dashboard graphs to respond immediately
- Fixed issues with display and colouration of the Event Data pop-up window of the Pattern Map
- Fixed parsing of Windows Apache Logs. The XAMPP default log format is now supported for Apache
- Fixed broken layout of schedule data backup dialog
- Fixed browser errors in Configuration Wizard > Alert Manager Setup > IAM Setup section
- Fixed issue with proxy password handling when updating proxy details
- Fixed automatic Wizard walkthrough using "Next" button
- Other minor internal fixes