Release Notes for Snare Linux Agent v5.1.0

Owned by Gerard Tuguigui
Last updated: May 29, 2019
6 min read

Snare Linux Agent v5.1.0 was released on 6th June 2018.

New Features

  • New Encrypted Remote Configuration Management
    • The agent now supports HTTPS using TLS for remote configuration management either on a standalone basis or via the Snare Server Agent Management Console (AMC) that provides a central point of management of agent configuration across all Snare Enterprise Agents. The agents use a self signed generated certificate for the initial install but this certificate can be replaced to use an existing one from the certificate store by the customer if required.
  • New Agent Statistics and Active Monitoring
    • Support for Agent statistics and status monitoring information. Agent availability can be reported through the SAM and from within the agent event performance can be viewed via the web user interface.  This includes a graphical representation of the last 24 hours of event activity.
    • Summary EPS statistics details are displayed on the latest events screen as other v5 agents.
  • Different log format and protocol per destination
    • The ability to specify multiple event destinations, each with their own specific format, protocol and delimiter, and simulcast events to all destinations as soon as they are received by the Agent.
    • Available formats: Snare, Syslog(RFC3164 , ALT format which is 5242 compatible and full RFC5424), CEF and LEEF.
  • Agent Heart Beat Notifications
    • New Agent Heart Beat notification system for the Linux agent, which sends custom log messages regarding the status and health of the Snare Enterprise Agent to the event collector.
    • It can send periodic health messages, as a way of keeping track of online and offline agents which can be useful for quite systems, as well as messages triggered by specific events occurring within the Enterprise Agent. Along with the improved heartbeats are additional log levels to provide more information on the agent operation, configuration and performance activity.
    • On setting heartbeats a heartbeat is sent immediately to the destination system(s).
    • Once enabled, the agent sends a heartbeat to configured server(s) after specified minutes. The default level is info for informational events such as normal heatbeat mark events and operational events such as agent logins,restarts and configuration changes. The agent internally records all debug messages if the debug setting is selected, and the debug messages are sent once per heartbeat cycle with the number of times (xx times) being added in the end of each message; showing how many times this debug message was generated since the heartbeat was sent previously. Error and critical level messages are exceptions as they are sent as soon as they are generated.  Repetitive error and critical messages are blocked for 10 minutes, and these messages are sent to the event collector.
  • Snare Agent Manager (SAM) Support
    • The Snare Linux agent now uses the same license mechanics as the v5 Windows agents and can use the SAM for centralized software license control. 
  • Event Throttling and Notifications
    • The Snare Linux agent now has the Event Per Second (EPS) ability to throttle event transmission speeds, and send notification messages based on event throughput. 
    • This is useful for busy networks and systems, to prevent excessive bandwidth from being used in some situations. Each configured destination will dynamically load balance its Events Per Second (EPS) rate and cache when one destination is slow or not available.
  • Certificate Validation Support
    • The agents have a new option to provide public key certificate validation of the destination syslog or SIEM (Security Information and Event Management) server.  Customers will be able to install their own public/private keys on the client systems to use as part of the certificate validation of the destination SIEM.
  • Disk and Memory cache support for v5 agents
    • Added disk cache support whenever the Snare agent performs a normal shutdown down, as it will write all unsent events that are still in memory to a disk file and on next start up it will read those messages and will add them to send queue. The path of disk cache can be specified on Destination Configuration page.  The agent also has improved memory cache capability with more configuration capability with how much memory the agent can use. 
  • File Integrity Monitoring
    • The Snare Linux agent includes the File Integrity Monitoring (FIM) module to provide file or directory hash details. 
    • The FIM module can be used to scan files/directories and compare against a known baseline of file details including file attributes and hash (sha512) details. Events are generated upon changes to file contents or attributes.  The new screen in the agent allows the user to select a file, directory and recursively scan multiple directories to include or exclude files or directory locations as needed. This new FIM feature is designed to complement the other FAM (file watch) file activity the Linux audit subsystem the agent current uses.
    • This feature will generate a new Snare log type called FIMLog.
    • The Latest Events page in the agent has a new tab named File Integrity to show the FIM events.
    • For reporting in Snare Central the system will need to be patched to 7.3.0 or later to understand the new log type, prior to this version it will show up as GenericLog. 
  • New look and feel for the Web User Interface
    • Gone are the reds and yellows from the agent, replaced with greys
    • Product consistency across Snare agents and the new SAM interface
    • Audit Service Status page includes extra system information
    • Latest Events page changes include:
      • displays details, status and the events per second of events sent to your destination(s)
      • an alarm bell notation signifies when new events are displayed
      • events are colour coded based on the criticality level set on your objective
    • Network Configuration page now referred to as Destination Configuration and changes include:
      • ability to set multiple server destinations per protocol (UDP,TCP,TLS) per format (Snare,Syslog,Syslog Alt,CEF,LEEF)
      • new setting for Event Cache Size which is event number based
    • New General Configuration page with general settings from Network Configuration page in legacy has moved here.
    • Remote Control Configuration page in legacy updated to Access Configuration page.  Includes Web Server Protocol and configuration for SAM
    • Each objective on the Objectives Configuration page reflects the criticality level given to the objective. The Latest Events page will highlight the event in the selected colour assigned to your objective so it's easier to identify the important events.
    • Heartbeat & Agent Log page updated to set a number of agent logging options, heartbeat frequency (including custom format) and ability to export the heartbeats file.
    • New Audit Service Statistics page displays the statistics for each destination server including any file output logs defined in Destination Configuration including a daily bytes graph which is a graphical representation of the bytes transmitted from 5 minute intervals and up to 24 hours.
    • New Security Certificates page allows the generation of self signed certificates or selection of the certificate you would like to use to secure the events you are sending to the destination SIEM.
    • New sub menu for Users and Members page to link to local users, Linux users and group users.
    • New License page displaying the KeyIDs for the host, the license token from the Snare Agent Manager and the ability to add stand alone licenses to your version 5 agent.
    • The old Apply Latest Audit Configuration button has been replaced with a dynamic button that will show if settings have not yet been applied and have a tick icon, this will now be called Apply Configuration & Restart Service.  If the agent is does not have any outstanding changes this will just display Restart Service with a recycle icon. The UI also displays some additional information near the headings if the agent configuration needs to be saved and if the agent needs a restart to use the configuration changes. 
  • Configuration file changes
    • The audit configuration file is significantly altered in this version and upgrades from legacy Linux agents are not permitted.
  • Changes to agent operation
    • The agent no longer saves the settings to the file when the change configuration button is selected. The changes are only saved in memory.  The changes will only be written out to the snare.conf file once the Apply Configuration button is selected or the agent is shut down.
  • Other Operational Changes
    • One click to apply configuration. After saving your individual settings per page, just click Apply Audit Configuration & Restart Service button to apply the new configuration to the agent.  
    • Implemented PCRE Regular Expression filtering for Event Objectives.
    • Uses the same mechanics for Dynamic DNS Checking for destination lookups.
    • Improved error checking in the UI.
    • Improved session handling along with the new HTTPS features
    • Enhanced debug log options when run in command line debug mode (/usr/sbin/SnareDispatchHelper -c -d9) and when using the Heartbeat option. 
    • The agent validates its configuration fully, and revert to defaults if invalid settings are found in the snare.conf file.
    • Improved multi threading and UI speed improvements so the agent can operate faster on large highly loaded systems.
    • Various security improvements and hardening including: Address Space Layout Randomization (ASLR), Stack buffer overrun detection and Heap Corruption detection
    • Added functionality to the RPM package and the agent on initial load to detect instances where SELinux is set to enforcing and warn the user that the agent may not behave correctly.
    • Objective filters can now support negative values. This is useful when you are only interested in events from system calls with specific return values. For example, an objective to collect unauthorised file accesses for all users and root could set the Audit Filter term to "exit=-EPERM,auid>=500,auid!=4294967295".
    • Support added for RedHat's Kickstart system to allow installation before the audit.rules file is generated.

Known Issues

  • If SAM is used for centralized license management, the Snare Enterprise Agent for Linux RedHat version 7 will display as 'Unknown' in the Agents list in the SAM UI.  This will be resolved in SAM v1.1.1. 
  • The agent report sent date/time rather than event date/time in the Latest Events page.  This will be resolved in the next release of the Linux agent.