Snare Management Center
See Snare Management Center page in this User Guide.
Antivirus Administration
Snare Central is based on a custom distribution of Linux, and is therefore potentially susceptible to (significantly) less than 1% of all viruses currently in the wild. Snare Central does not provide desktop-level functionality, and the risk profile for virus infection on Snare Central is extremely low. However, Snare Central integrates the ClamAV virus checker, which is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It includes a high performance multi-threaded scanning daemon that provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats.
The anti-virus scan can be run on a scheduled basis, and can be configured to perform:
- a complete system scan,
- exclude the Snare Data Store, and results cache from the scan (recommended), or
- only scan the home directories of Snare Central user accounts.
The Data Store and results cache are recommended for exclusion because the nature and volume of the data stored there carries a significant risk of the virus scanner reporting false positives.
It is the customer's responsibility to ensure the antivirus software is kept up to date and is scheduled to run in accordance with your corporate security policy.
Cloud Log Collection Configuration
Configure active log collection from supported cloud providers such as AWS, Azure, Oracle Cloud, etc.
See Cloud Log Collection Configuration page in this User Guide.
Configuration Wizard
The configuration wizard is covered earlier in this User Guide.
Configure Collector/Reflector
See Configure Collector/Reflector page in this User Guide.
Configure GeoLocation for Mapping
In order to plot log data accurately on geographical maps, for example on Cyber Network Map page, it may be necessary to explicitly map internal network IP addresses and hostnames to their geographic locations.
- Use one of the following options available in the drop-down list:
- IP Address - enter a single IP address
- IP Range - enter From and To IP addresses to define a range
- IP Wildcard - enter IP address with one of the fields as a wildcard (asterisk *), for example, 10.10.10.*
- IP Netmask - enter IP Address and a Netmask
- CIDR Block - enter IP address and a CIDR
- Hostname - enter a single hostname
- Hostname Regex - enter a regular expression for hostnames to match
- Choose geographic location from auto suggestion list by entering at least first three characters of city/state/province/country in the location field.
- Click to add the mapping. The new mapping will appear in the list on the same page.
- Add as many mappings as required
- Click at the top of the page to restart the collection service and apply the changes.
Each mapping in the list can be edited or deleted using the action buttons.
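The following is an added example, not Snare Central's own code, showing how the seven mapping types above can be evaluated against an IP address or hostname. The mapping entries, locations and the text formats used for the two-field options are constructed assumptions: "IP Range" is written as "from - to" and "IP Netmask" as "address/dotted-mask"; the product's actual storage format is not described on this page. The first matching entry wins, which is also an assumption.

```python
"""Added example (not Snare Central code): resolve an address or hostname to a
location using the mapping types listed in Configure GeoLocation for Mapping.
All mappings and locations below are constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Mapping:
    kind: str       # one of the drop-down options, e.g. "CIDR Block"
    value: str      # what a user would enter for that option
    location: str   # constructed location label


def _matches(m: Mapping, target: str) -> bool:
    if m.kind == "Hostname":
        return target.lower() == m.value.lower()
    if m.kind == "Hostname Regex":
        return re.fullmatch(m.value, target, re.IGNORECASE) is not None
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False            # a hostname never matches an IP-style rule
    if m.kind == "IP Address":
        return ip == ipaddress.ip_address(m.value)
    if m.kind == "IP Range":    # assumed "from - to" text form
        lo_s, hi_s = (p.strip() for p in m.value.split("-"))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        return lo.version == ip.version and lo <= ip <= hi
    if m.kind == "IP Wildcard":  # e.g. 10.10.10.* ; each * stands for one octet
        pattern = re.escape(m.value).replace(r"\*", r"\d{1,3}")
        return re.fullmatch(pattern, str(ip)) is not None
    if m.kind == "IP Netmask":  # assumed "address/dotted-mask" text form
        addr, mask = m.value.split("/")
        return ip in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if m.kind == "CIDR Block":
        return ip in ipaddress.ip_network(m.value, strict=False)
    raise ValueError(f"unknown mapping kind: {m.kind}")


def resolve(mappings, target):
    """Return the location of the first mapping that matches, else None."""
    for m in mappings:
        if _matches(m, target):
            return m.location
    return None


# Constructed sample mappings, one per drop-down option.
SAMPLE_MAPPINGS = [
    Mapping("IP Address", "10.1.1.5", "Sydney, NSW, Australia"),
    Mapping("IP Range", "10.1.2.1 - 10.1.2.50", "Melbourne, VIC, Australia"),
    Mapping("IP Wildcard", "10.10.10.*", "Brisbane, QLD, Australia"),
    Mapping("IP Netmask", "10.20.0.0/255.255.0.0", "Perth, WA, Australia"),
    Mapping("CIDR Block", "192.168.100.0/24", "Adelaide, SA, Australia"),
    Mapping("Hostname", "dc01.corp.example", "Canberra, ACT, Australia"),
    Mapping("Hostname Regex", r"web\d+\.syd\.corp\.example", "Sydney, NSW, Australia"),
]

if __name__ == "__main__":
    for t in ("10.1.2.25", "10.10.10.200", "WEB12.syd.corp.example", "10.1.2.51"):
        print(t, "->", resolve(SAMPLE_MAPPINGS, t))
```

Hostname and regex comparisons are case-insensitive, and an IPv6 address is never matched by an IPv4 rule; both behaviours are choices made here, not documented product behaviour.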
Display the Snare Central Log Files
This tool lets you access and view the Snare Central log files available on your system, and share or email a copy of a log file when you request assistance from your Snare Central support team and are asked for a specific log file to aid the investigation. Examples include the Snare debug log file, which contains generic information on which objectives were run and which scheduled tasks are currently implemented, and Snare ServiceMonitor.log, which shows whether each Snare Central core service is running or down and when it was last restarted.
- View Log File
- Snare Central log files can be accessed and viewed by clicking the drop-down menu and selecting from the list of log files available on your Snare Central.
- Share or Email a Copy of Log File
- To share or email a copy of log file, first select the target log file from the drop-down menu.
- Then input the email address of the recipient in the provided input box.
- Then click the "SEND EMAIL" button to email the log file directly.
Note:
- Increasing the Snare Central debug level (see the section above on "Configuration Wizard" for more information), will significantly increase the amount of data that is written to log files.
- To use the email feature, make sure that the "Email Setup" in the Configuration Wizard is properly configured (see the section above on "Configuration Wizard" for more information).
File Integrity Check Administration
This tool allows the user to schedule, monitor and administer system files integrity checks and report on any changes on such files.
The File Integrity Check objective scans the current data store and the underlying operating system and calculates the SHA3-256 checksum for every file it detects. The objective stores the data in a database on a scheduled basis. It is important that the user understands that this objective needs to be scheduled in order to generate the FIM scans and databases.
This page will also allow the user to see the difference between any two selected databases in order to verify that data has not been tampered with since the selected runs.
This comparison can take several hours to finish, so the job will be queued to be executed in the background.
Please note that the Snare Central Health Checker will, by default, report the difference between the current day's and yesterday's databases.
It is also important to note that when two or more checksum comparisons run simultaneously, the later one overrides the results of the previous one, so it is a good idea to run only one comparison task at a time.
Multiple databases can be selected and a backup file can be downloaded for safe storage. Historical database results can be deleted to free disk space as required.
All tasks performed in this objective are audited by Snare Central in real time. This means that SnareServer Log type events will be generated while interacting with this objective.
Please note that changes to the Snare system produced by a Snare Central upgrade will be detected and reported on, as this will include many system files as well as the Snare application components. If you see changes occurring in the operating system and application that were not the result of a patch or manual user intervention, then they should be investigated as part of your corporate incident management process.
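As an added example, not the product's own File Integrity Check objective, the following Python builds the kind of SHA3-256 checksum database the section describes, saves it, and reports the difference between two runs as added, removed and changed files. The directory tree, file names and contents are constructed in a temporary directory; the real scan covers the data store and operating system.

```python
"""Added example (not Snare Central code): SHA3-256 file snapshot and two-run
comparison, modelled on the File Integrity Check description above.
The sample tree is constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha3_256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha3_256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA3-256 digest.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            db[str(p.relative_to(root))] = sha3_256_file(p)
    return db


def compare(old: dict, new: dict) -> dict:
    """Differences between two snapshot databases."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save(db: dict, path: Path) -> None:
    path.write_text(json.dumps(db, indent=1, sort_keys=True))


def load(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline run, then one file modified, one added,
    one removed, and a second run compared against the saved baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "snare").mkdir(parents=True)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "snare" / "snare.conf").write_text("port=6161\n")
        (root / "snare" / "old.conf").write_text("obsolete\n")
        save(snapshot(root), Path(tmp) / "fim-day1.json")

        (root / "snare" / "snare.conf").write_text("port=6161\ndebug=1\n")
        (root / "snare" / "old.conf").unlink()
        (root / "snare" / "new.conf").write_text("added\n")
        return compare(load(Path(tmp) / "fim-day1.json"), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison only records paths whose digest differs, which is what makes an unexpected entry under "changed" (one not explained by a patch or a known administrative action) the signal worth routing into the incident process mentioned above.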
IP Address Configuration
Snare Central allows modification of its IP address, netmask, default gateway and DNS server settings. These values can be adjusted individually for each Network Interface Card (NIC), providing flexibility in the network management of your Snare Central.
- To change the settings value, click the "Edit" icon located in the upper right corner of the Ethernet card you want to modify.
- Then, in the Update Interface pop-up, modify the values and click the "EDIT" button to save the changes, or the "CLOSE" button to exit the Update Interface without saving or applying them.
Note:
- IP Address Change : Once the IP address is modified, the server will no longer be reachable via the old IP address.
- Impact on Connectivity : If your browser was connected to the old IP address, it may become unresponsive after the IP address change.
Import Objectives
Snare Central ships with a large number of default Reports and (starting from v8.6.0) Analytics Dashboards (AKA objectives) that suit a diverse range of organisations, and meet security-related regulatory requirements.
However, there may be situations where additional specialised Reports or Dashboards are made available to users of Snare Central, or need to be transferred from one server to another.
The 'Upload a previously saved Objective(s) or Analytics Dashboards archive' section allows you to select and import objectives from a file stored on your local workstation.
In situations where you have previously used the 'Objective Export' capability by right-clicking on a container, the objectives will be exported to either a local file, or via email, to a selected destination user.
Objectives will be imported into a new container, called "Imported Objectives YYMMDDHHMMSS" (where YYMMDDHHMMSS represents the date/time of import).
The 'Import from a locally stored snapshot of the InterSect Alliance Objective Store' section allows you to import objectives from a local objective store. Click the icon beside the desired objective package to import it.
Manage Access Control
To access this area, LDAP groups should be enabled in Configuration Wizard | Security Setup | Snare Central, or Local User groups should be defined in User Administration. This objective provides an easy and flexible interface for changing Objectives access controls at the group level for both local groups or groups defined on an identified LDAP/Active directory server.
Prior to Snare Central v7.2, in order to manage the access rights of a remote user (ie: A user defined on a LDAP or Active Directory server), the user needed to have a corresponding local Snare Central account. This still remains true when the option for remote 'LDAP Groups' support is disabled.
When LDAP Groups support is enabled:
- All local Snare accounts will be disabled, with the exception of the ADMINISTRATOR account.
- All access to Snare will be authenticated and authorised from the LDAP server regardless of whether the user has a local account on the Snare Central server.
- Any access control modifications within this objective will ONLY apply to LDAP users and groups.
- Regardless of whether LDAP Groups is enabled, alternative access control management tools (such as the “Access Control” (lock icon) in Snare’s top panel, and the “Folder Permissions” menu option in the “Reports” navigation tree) will have no effect on LDAP permissions for the same objectives.
Once LDAP user and group authentication has been enabled, any valid LDAP user can have access to Snare Central web interface but will not be able to see any objectives until the correct access rights are granted to each objective, via this objective.
Every objective on Snare Central can be individually secured so that only authorised staff have access to it. Access is granted at group level; therefore, an LDAP user must be attached to an LDAP group in order to view or change an objective. This also applies to local users and groups. The Manage Access Control objective detects if Snare is in LDAP mode or not and objectives will change access rights accordingly.
Please note that most objectives under the "Administrative Tools" and "Data Management Tools" are restricted for only the Administrator user exclusively. This is because of the security risks and potential of harm to the Snare Central server involved. This means that most of such objectives cannot be accessed by LDAP users nor by local users that do not belong to the Administrators local group. This also means that the "Manage Access Control" interface cannot be used to assign permissions to these administrative objectives either. The complete list of the Administrator only objectives is the following.
Administrator Only
Administrative Tools
- Change IP Address
- Configuration Wizard
- Snare Central Update
- Snare Threat Intelligence
- User Administration
- Shutdown / Reboot Snare Central
- Manage Nightly Updates
- Manage Access Control
- Import Objectives
- Manage Objective Schedules
- Manage Plugins
Data Management Tools
- Data Backup and Restore
- Snare Data Import
One of two access rights levels can be granted:
- Access permissions. This provides a user with the ability to view the output of this objective, and also regenerate the objective.
- Change permissions. This provides a user with the ability to change the configuration settings for the objective as well as view and regenerate the function.
Manage Access Control allows you to select one, many, or all existing objectives, and add or delete "Access" permissions (Read access) and/or "Change" permissions (Write access) on those objectives for a group or set of groups.
Clicking the Objective name (or Objective directory) at the tree representation on the left (see image below) will select or deselect the objective(s). Once selected, one or more groups are required to be highlighted from the list on the right and at least one access level to be selected from Permissions list in order to apply to selected objectives.
Note that users who create, or clone an objective, are identified as the owner of the objective. Both the owner, and Snare Server Administrators have the ability to Delete the objective and Add new users to the objective.
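The following is an added example, not Snare Central's own implementation, that models the rules this section states: permissions are held by groups, "Change" includes everything "Access" allows, Administrator-only objectives cannot be assigned through Manage Access Control, and in LDAP mode local accounts other than the administrator are disabled. Two points are assumptions rather than page statements: a remote user without a local account outside LDAP mode is treated as having no access, and members of the local "Administrators" group are treated as sharing the administrator's access to Administrator-only objectives (following the Group Management description later on this page). User, group and objective names in the demo are constructed.

```python
"""Added example (not Snare Central code): a model of group-level
Access/Change permissions as described under Manage Access Control.
Users, groups and most objective names are constructed sample data."""
from dataclasses import dataclass, field

ACCESS, CHANGE = "Access", "Change"

# Objectives the page lists as restricted to the Administrator.
ADMIN_ONLY = {
    "Change IP Address", "Configuration Wizard", "Snare Central Update",
    "Snare Threat Intelligence", "User Administration",
    "Shutdown / Reboot Snare Central", "Manage Nightly Updates",
    "Manage Access Control", "Import Objectives", "Manage Objective Schedules",
    "Manage Plugins", "Data Backup and Restore", "Snare Data Import",
}


@dataclass
class User:
    name: str
    source: str                     # "local" or "ldap"
    groups: set = field(default_factory=set)


class AccessControl:
    def __init__(self, ldap_mode: bool):
        self.ldap_mode = ldap_mode
        self.acl: dict = {}         # objective -> {group -> {ACCESS, CHANGE}}

    def grant(self, objectives, groups, levels):
        """Add permission levels for a set of groups on a set of objectives."""
        for obj in objectives:
            if obj in ADMIN_ONLY:
                raise PermissionError(f"{obj!r} is Administrator only and cannot be assigned")
            for grp in groups:
                self.acl.setdefault(obj, {}).setdefault(grp, set()).update(levels)

    def revoke(self, objectives, groups, levels):
        for obj in objectives:
            for grp in groups:
                self.acl.get(obj, {}).get(grp, set()).difference_update(levels)

    def effective(self, user: User, objective: str) -> set:
        """Permission levels the user holds on one objective."""
        if user.source == "local" and user.name == "administrator":
            return {ACCESS, CHANGE}
        # LDAP mode disables every other local account.
        if self.ldap_mode and user.source == "local":
            return set()
        # Assumption: outside LDAP mode a remote user needs a local account.
        if not self.ldap_mode and user.source == "ldap":
            return set()
        if objective in ADMIN_ONLY:
            # Assumption: local Administrators group members share admin access.
            if not self.ldap_mode and "Administrators" in user.groups:
                return {ACCESS, CHANGE}
            return set()
        levels = set()
        for grp in user.groups:
            levels |= self.acl.get(objective, {}).get(grp, set())
        if CHANGE in levels:        # Change includes view and regenerate
            levels.add(ACCESS)
        return levels


def demo():
    """Constructed LDAP-mode scenario with two groups and three users."""
    ac = AccessControl(ldap_mode=True)
    ac.grant({"Windows Failed Login", "Windows Login"}, {"SOC-Analysts"}, {ACCESS})
    ac.grant({"Windows Failed Login"}, {"SOC-Engineers"}, {CHANGE})
    analyst = User("jdoe", "ldap", {"SOC-Analysts"})
    engineer = User("asmith", "ldap", {"SOC-Engineers"})
    local_user = User("bob", "local", {"PowerUsers"})
    return {
        "analyst": ac.effective(analyst, "Windows Failed Login"),
        "engineer": ac.effective(engineer, "Windows Failed Login"),
        "engineer_other": ac.effective(engineer, "Windows Login"),
        "local_user": ac.effective(local_user, "Windows Login"),
        "admin_only": ac.effective(engineer, "User Administration"),
    }


if __name__ == "__main__":
    print(demo())
```

Trying to grant a group rights on an Administrator-only objective raises rather than silently succeeding, which mirrors the interface's refusal to assign those objectives.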
Manage Nightly Updates
This objective allows an administrator to manage the updates of third party data files that Snare Central uses such as:
- The GeoIP2 database from MaxMind
- The MAC address database from standards.ieee.org
- The Malware database from malwaredomainlist.com
MaxMind License Key
In order for Snare Central to download the latest GeoIP2 database from MaxMind, you must first configure a MaxMind license key. Click "Configure" in the "Manage Nightly Updates" page, enter your MaxMind license key in the dialog box then click set.
The update tasks are disabled by default and scheduling for each task is fully configurable.
Manage Objective Schedules
This objective provides summary information on current objective scheduling, target email addresses, and access controls. A link to each objective also enables you to modify the associated configuration settings.
Manage Plugins
The team at InterSect Alliance provide development services for customers, such as creating Snare Central objectives that meet specific organisational requirements. We release these customisations as 'Snare Central Plugins', which can be installed using the normal 'Snare Central Update' capability, and can be turned on/off using the 'Manage Plugins' objective.
My Account
Your Snare Central password can be changed in this objective. Last login date/time information is also available.
Note that Snare Central implements several password security policies, including:
- 90 Day Rotation
- Password reuse protection
- Last password similarity checks
- Password complexity requirements
- Dictionary word exceptions
Shutdown / Reboot Snare Central
Users with administrative-level access to Snare Central will have the capability to execute various Snare Central system commands for managing and maintaining the Snare Central server and services.
- Server Commands
- REBOOT SERVER : Administrators can use this to restart the Snare Central server. This process may take several minutes, during which time the Snare web interface will be unavailable.
- SHUTDOWN SERVER : Administrators can use this to safely shut down the Snare Central server. This process may take several minutes after which the Snare Central will turn itself off.
- Service Commands
- RESTART SNARE SERVICES : Administrators can use this to restart the Snare services, to refresh their operation or apply configuration changes.
- STOP SNARE SERVICES : Administrators can use this to stop snare services for troubleshooting or maintenance.
- START SNARE SERVICES : Administrators can use this to start stopped Snare services and resume their operation.
Snare Central Update
Updates will be released to:
- Add features to Snare Central
- Fix issues that have been reported
- Update operating system components in response to security issues that specifically affect Snare, or tangentially affect the operating system on which Snare relies.
- Update virus checker signatures.
The updates and patches, for example FullUpdate and PatchUpdate are available for download from the customer portal, SLDM for customers with a current support and maintenance agreement.
A Full update will include all updates since the last major version (eg: patching version 8.0.0 to version 8.7.0)
A Patch update will include all updates since the last minor version (eg: patching 8.1.0 to 8.1.7)
Specific hotfix updates may also be available.
The update will be made available in the form of a GPG signed compressed archive, for example SnareServer-FullUpdate-v8.0.1-41-g0e0d242.tar.gz.gpg. This objective will provide you with information on previously installed upgrades, and provide a link to a page that accepts such an update file, and allows you to apply the update to your Snare Central installation, after verifying that the cryptographic signature is valid.
Large files can also be uploaded to the Snare Server via the secure-shell 'scp' application. Instructions are available from the Snare Central Update main page.
Full Update files are likely to grow to a significant size over time, as security and functionality updates to the operating system are included within the update.
To apply an update:
- Select System | Administrative Tools | Snare Central Update | Upload. This invokes the Snare Central Update process.
- Select Choose Update to select the patch update. This will check the file. If it doesn't start automatically, then select Upload.
- When progress reaches 100% select Next to start the update.
- The update may take up to 15 minutes. When completed, select Return to Snare Central.
Troubleshooting Updates
Blank navigation/screen after upgrade process.
It is unlikely, but possible, that after an upgrade the navigation section, or the entire page, may end up on a blank white screen. This is caused by your web browser caching some of the old page components and preventing the server from using the upgraded components. While we have put checks in place within Snare to try and prevent this, it is possible that some browsers may bypass these checks. To resolve the issue, you can (in most browsers) hold down the Shift key while pressing Refresh on the browser. If this doesn't work, try clearing the browser cache and restarting the browser. If this still does not work, try using a different browser.
Snare Threat Intelligence
The Snare Threat Intelligence product is designed to provide real-time insight into your log data, using the proven technology found in the eMite real-time analytics dashboards. Threat Intelligence can give you actionable insights in minutes. By breaking down traditional information silos, the Threat Intelligence tool gives you a competitive advantage: more transparency, process, and productivity improvements, more rewarding customer engagement, and faster innovation cycles. Please visit https://www.snaresolutions.com for further information.
Note
This functionality is being retired and is superseded by Analytics Dashboards available from version 8.6.0 of Snare Central. Please refer to the Analytics Dashboards page in this User Guide.
Threat Intelligence Configuration
Snare Server 8.0+ includes an updated collection infrastructure, which is capable of interfacing with the new Snare Advanced Threat Intelligence (SATI) module. Enabling the threat intelligence capability on the Snare Central Server will facilitate delivery of selected important events, up to an infrastructure which is capable of providing enhanced dashboards and log intelligence.
Delivery of data to a non-local elasticsearch instance is also supported. Currently all log types that Snare Central receives will be forwarded to the destination server. The list of log types is as follows:
- Windows Failed Login
- Windows Interactive Login and Logoffs
- Windows Login
- Solaris Log Data
- Linux Log Data
- Apple Log Data
- Windows Account Change
- Windows Group Change
- Windows File Access
- Windows Process
- Windows User Rights
- Windows Incidents
- Windows Incidents Apps
- Windows Incidents Sys
- Windows Password Change
- NCR ATM Data
- FIM Log Data
- Generic SysLog Data
- Trend Log Data
- ASA Firewall Denied
- ASA Firewall Accept
- Cisco Device Data
- PaloAlto Firewall
- SonicWall Firewall
- SonicWall SSL VPN
- Sidewinder Firewall
- F5 Violations
- Gauntlet Firewall
- IIS Web Firewall
- CyberGuard Firewall
- Checkpoint Firewall 1
- IP Tables Firewall
- ISA Web Log Firewall
- Netgear Firewall
- Netgear Router
- Netscaler Router
- Netscreen Firewall
- SNORT Intrusion Detection Events
- SNMP Trap Log Data
- WebLogs
- Snare MSSQL Logs
- Windows Security Logs
- Windows System Logs
- Windows Application Logs
- Windows Custom Event Logs
- Carbon Black
- ACF2 Logs
- Agent Heart Beat Logs
- AIXAudit Logs
- Apache Logs
- Snare Browser Logs
- Content Keeper Logs
- CKEPos Logs
- Content Keeper Syslog
- DHCP Server Logs
- Exchange 2008 Logs
- Exchange 2013 Logs
- Exchange Logs
- Snare Central Server Logs
- RACF Logs
- Sophos Data Control Logs
- Sophos Web Logs
- Windows DHCP Logs
- Generic Log Data
- Malware Domains
- MSDNSServer Logs
- All other Logs that are classed as generic logs
Enabling SATI delivery will display an overview of the currently enabled forwarding filters.
Snare Central Elasticsearch Forwarding
The Snare Central Server Integration to Elasticsearch is designed to forward your Snare eventlog data directly into an Elasticsearch index.
Snare Central Server 8.0+ includes an updated collection infrastructure, which is capable of interfacing with your Elasticsearch index. Enabling the forwarding capability on the Snare Central Server will facilitate delivery of selected important events, up to an infrastructure which is capable of providing enhanced dashboards and log intelligence.
Delivery of data to a non-local elasticsearch instance is also supported. The Snare Server can be configured to log to a local elastic instance (which is installed and available as part of version 8.0 of the Snare Central server), or can be configured to log to a remote elastic instance. If the remote elastic instance is protected by either X-Pack or ElasticShield from InterSect Alliance, HTTPS/TLS and authentication can be activated.
For a fresh install of elastic the index name will be called active-snare-snare. Where the index is used in SAA/SATI then the index name is called snare-snare-000001. The application will manage the index and rotate it around and increment the index name with -000002 etc based on the system index rotate settings. For external indexes the index will have to be managed by the admins managing the external elasticsearch index as it will keep growing until its rotated out. Below is an example of a managed index environment.
More Details
The events that are forwarded to the Threat Intelligence instance, or a remote elastic server, are governed by the configuration file /data/Snare/ConfigSettings/RealTime.config on the Snare server. This file is not intended to be user-editable at this stage, since it ties directly in with the available dashboard capabilities of the Threat Intelligence server.
Event collection rates may be significantly impacted, when this feature is active. ElasticSearch ingest rates are significantly lower than those supported by the Snare Central Server, on similar hardware. When this feature is activated, the potential Snare Server collection rates, will be governed by the elasticsearch bulk upload capabilities. In general terms, there may be one or two orders of magnitude difference between Snare Central Server collection rates, and elasticsearch ingest capabilities.
If the destination elastic instance version is v5.x, enable (check) "Enable Elastic v5 Compatibility Mode"; otherwise leave it unchecked.
Warning: Activating the Threat Intelligence configuration, without installing the corresponding Threat Intelligence module to manage the generated data, will mean that your Snare Central Server will store significantly more data per received event, without being able to remove the associated data from the file-system via the Snare Central Server user interface.
Support Data Retrieval
To aid the Snare Support team in diagnosing any issues, the necessary information may be gathered with this tool. Selecting Generate will create a compressed, encrypted tar file containing the output of several diagnostic commands and a few Snare and system configuration files, ready for download. After several minutes the tar file will be generated, and you can then select the file and download it from the server to forward to support when required.
If the resulting tar file is bigger than 10MB, the file will be separated into 10MB chunks for sending purposes (via email, FTP, etc.) to be reassembled by the support team.
Once a file has been downloaded, the support file will be deleted from the server. No original data will be deleted.
Only when all files are downloaded will it be possible to generate another support data file. This means that if you need to run Support Data again, you must download all existing files, including any 10MB chunks, first.
For most calls the additional options will not be required. However, the support team may ask you to select one or more of the checkboxes depending on the nature of the support call.
User Administration
It is recommended that a number of users be created after Snare Central has been installed, so that:
- The Administrator username and password do not have to be shared and
- It will be possible to identify which user is accessing and configuring Snare.
This objective allows you to create users and groups.
Group Management
The groups built into Snare Central are Administrators, SuperUsers, PowerUsers and Default.
- The 'Administrators' group has the same access as the 'administrator' userid with the exception of a number of functions that are restricted to the 'administrator' (eg: Changing the password of the Administrator account).
- The 'SuperUser' group has no particular privileges but can be used to group accounts with significant privileges to objectives, if you wish to take advantage of it.
- The 'PowerUsers' group may access all reports, all objectives under Status, and their own account.
- After the group has been created, you may fine tune access rights for each particular group via System | Administrative Tools | Manage Access Control.
You may define as many additional Groups as required, and assign to each one of three access right profiles:
- Default. With access to the following objectives:
- System/Administrative Tools/My Account
- PowerUsers. With access to the following objectives:
- Executive Dashboard
- Cyber Network Map
- Event Search
- Everything under Reports
- Everything under Status
- System/Administrative Tools/My Account
- SuperUsers. With access to the following objectives:
- Executive Dashboard
- Cyber Network Map
- Event Search
- Everything under Analytics Dashboards
- Everything under Reports
- Everything under Agent Management
- Everything under Status
- Under System/Administrative Tools/
- Cloud Log Collection Configuration
- Configure Collection/Reflector
- IP Address Configuration
- Import Objectives
- Manage Nightly Updates
- My Account
- Shutdown / Reboot Snare Central
- User Administration
- Under System/Data Management Tools/
- Arbitrary Data Import
- Autoremove Data
User Management
The Administrator can create, modify and delete users.
Creating new Snare Central user
Create New User Form
- User Name should be unique.
- Password should follow Snare Central's password security policies, as indicated below:
- 90 Day Rotation
- Password reuse protection
- Last password similarity checks
- Password complexity requirements
- Account locking on multiple failed login attempts
- Dictionary word exceptions
- If a password does not meet the requirements identified above, an error message will be displayed during password definition.
- A user can be assigned to one group or multiple groups (including custom groups) depending on the desired access rights.
- All users are automatically included in the 'Default' group.
Updating an existing Snare Central user
Update User form
- Once a user is created, that user will use the global Auto LogOut settings, or the Administrator can configure customised settings for each user.
- In situations where an account was locked due to several failed login attempts, like below:
- An additional configuration setting on the Update User screen will offer the Administrator the capability to unlock a Snare Central user account.
- If an account is not unlocked, it will automatically unlock after 30 minutes.
Operating System Password Controls
The operating system password controls are managed by the Pluggable Authentication Modules (PAM) in Linux. The configuration files are located in the /etc/pam.d directory. The password controls for Snare Central are detailed in the /etc/pam.d/common-password file. The file can be updated to reflect your corporation's security policy.
The default settings are as follows and enforce a password retry of 3 attempts before failure, a length of 10 characters, a difference of three characters from the previous password, one uppercase letter, one numeric, one special character, and one lowercase letter:
password requisite pam_cracklib.so retry=3 minlen=10 difok=4 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1
The configuration will enforce the password policy rules for the following operating system accounts root, snare and snarexfer. For additional information on the values of each setting refer to the manual pages for pam.d and pam_cracklib.