Release Notes for Snare Linux Agent v5.5.0

Snare Linux Agent v5.5.0 was released on 13th April 2021.

Security Updates

  • Security hardening of Agent to SAM communication: Digest Authentication was replaced with Basic Auth over HTTPS

    After this change, the v5.5.0 agent will only be able to communicate with SAM v1.5.0 or newer. 
    SAM v1.5.0 is backward compatible, and supports communication with pre-v5.5.0 agents.

  • Security hardening of encryption key storage, usage, export, and import
  • 3rd party libraries upgraded:
    • OpenSSL upgraded to version 1.1.1i
    • Curl upgraded to version 7.72.0
    • Boost upgraded to version 1.74

New Features and Enhancements

  • Snare Enterprise Agent now supports the following additional Linux platforms: 
    • Ubuntu 20.04
    • Oracle 8
    • Debian 10

Debian 10 only: Due to a known bug in the audit subsystem of Debian 10 (auditd version 2.8.4-3), users may notice a segmentation fault in auditd when the Snare Agent is restarted or uninstalled, or when auditd is restarted or stopped from the command line.
On Snare Agent restart, auditd will be started automatically, and the Agent will continue functioning as normal.

  • Added two new event output formats:

    • SNARE v2 
      This format allows sending more detailed events to Snare Central. 
      The events will include time zone context, event time up to milliseconds, additional fields for Linux Audit, and other event types. 
      The format is JSON-based and can be ingested by Snare Central v8.4.0 or newer. 
      All the events, including Linux Audit, FIM, Log Audit and Heart Beat, can be sent in SNARE v2 format. 
      A new Format selector option was added under the Destination Configuration.
    • SYSLOG JSON
      This format allows sending more detailed events to 3rd party SIEMs or event collectors.
      The format consists of a SYSLOG RFC 5424 header, followed by the data payload in JSON format.
      All the events, including Linux Audit, FIM, Log Audit, and Heart Beat, can be sent in SYSLOG JSON format. 
      A new Format selector option was added under the Destination Configuration.
  • In the Agent Web UI, the term "Objective" was replaced with "Audit Policy", i.e. the "Objective Configuration" page, used for configuring Linux audit policies, is renamed to "Audit Policy Configuration"
  • Performance optimizations to the way the agent reads and processes events on Linux
  • Agent will show a warning to remove default network loopback destination when a valid network destination is present

Bug Fixes

  • Resolved issue where FIM scan did not recover from "Paused - maximum scan limit reached" status
  • Agent Web UI now prunes log messages on the Snare Log page appropriately
  • Syslog 5424 header is now conformant with the RFC, as APP-NAME does not contain spaces
  • Improved browser compatibility when updating custom delimiter on the Destination Configuration page
  • Fixed port/protocol/format mismatch warnings on the Network Destination configuration page
  • Fixed an issue where "Apply Configuration and Restart" message was not shown after moving or deleting an Audit Policy (formerly known as Objective) in Linux Agent
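
For collectors that ingest the SYSLOG JSON format described under New Features, and that need to cope with a space in APP-NAME as mentioned in the Bug Fixes, the following added example (not Snare's own code) splits a record into its RFC 5424 header fields and the decoded JSON payload. The sample lines, the APP-NAME values, the JSON field names, and the assumption that STRUCTURED-DATA is the nil value "-" are constructed for illustration.

```python
import json
import re

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app_name>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)

# Constructed sample records (not captured from a real agent).
GOOD_LINE = ('<13>1 2021-04-13T10:15:30.123+10:00 host1 SnareLinuxAgent 4321 - - '
             '{"event_type": "LinuxAudit", "user": "root"}')
# Same record with spaces in APP-NAME, which RFC 5424 does not allow.
SPACED_LINE = GOOD_LINE.replace("SnareLinuxAgent", "Snare Linux Agent")


def parse_syslog_json(line):
    """Return (header_fields, payload) for one record; raise ValueError if malformed."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 header")
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    fields["facility"], fields["severity"] = divmod(pri, 8)
    rest = fields.pop("rest")
    # Assumption: STRUCTURED-DATA is the nil value "-" and MSG is the JSON document.
    # A space inside APP-NAME shifts every later field, so this check fails for it.
    if not rest.startswith("- "):
        raise ValueError("header fields misaligned or structured data present")
    try:
        payload = json.loads(rest[2:].lstrip("\ufeff"))  # MSG may start with a BOM
    except json.JSONDecodeError as exc:
        raise ValueError(f"payload is not valid JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return fields, payload


if __name__ == "__main__":
    print(parse_syslog_json(GOOD_LINE))
    try:
        parse_syslog_json(SPACED_LINE)
    except ValueError as err:
        print("rejected:", err)
```
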

Known Issues

  • On RHEL 6 and 7 only: Snare Agent does not start automatically after upgrade from v5.4.0.
    When upgrading Snare Enterprise Agent for RHEL 6 or RHEL 7 from version v5.4.0 to v5.5.0 or newer, please use one of the following workarounds:

    • Upgrade Snare Agent to v5.4.1 and then to v5.5.0. This ensures that the agent is automatically started after the upgrade to v5.5.0.
    • Alternatively, manually start the auditd service after the upgrade, which starts the Snare Agent:

      sudo service auditd start

