Release Notes for Snare Linux Agent v5.4.0

Snare Linux Agent v5.4.0 was released on 16th September 2020.

Security Updates

  • OpenSSL upgraded to version 1.1.1g.
  • SQLite upgraded.
  • The password for Agent Web access is now hashed using a FIPS-compliant hashing algorithm (PBKDF2 with HMAC SHA3 512).
  • Replaced the pop up Login form with a Login page for authentication to access Agent Web GUI.
  • To improve security, only the HTTPS protocol is used to access the Agent Web GUI.
    The following steps might be needed to access the Web GUI in the Firefox browser: https://support.mozilla.org/en-US/kb/Certificate-contains-the-same-serial-number-as-another-certificate.
  • The Web Server Protocol setting (HTTP/HTTPS selector) was removed from Access Configuration. The WebHttps key was removed from the Snare configuration file.
  • Updated the Agent to support TLS 1.2 as a minimum and added support for TLS 1.3, as per the recommendations in the OWASP Broad compatibility list. The CHACHA20_POLY1305 cipher is not supported at this stage.

Enhancements 

  • For each Objective, the user can now set a criticality level for each event format: Snare, Syslog (incl. SYSLOG (RFC3164), SYSLOG Alt (RFC5424 Compatible), SYSLOG (RFC5424)), CEF, LEEF.
    This applies to Audit, FIM, and Log Filter objectives.
  • The SYSLOG (RFC3164) IETF standard treats all alphanumeric characters as part of the TAG. Previously, a fixed TAB was used as the TAG terminator. Now, to fully comply with the SYSLOG (RFC3164) IETF standard, any non-alphanumeric character can be specified as the TAG terminator. To enable this functionality, define a custom delimiter and uncheck the "Use TAB as SYSLOG (RFC3164) TAG Terminator" checkbox in the Destination Configuration.
  • Updated snare logo in the installer and in the Agent Web GUI.
  • Updated links in the readme files to point to snaresolutions.com website. Updated links to Knowledge Base.
  • Port 6514 can now be used to send events in Syslog format using TLS protocol to Snare Central 8.3+ or Snare Reflector 2.4+. Warning messages were updated accordingly.
  • The Agent inside Snare Central imports auditd settings from pre-specified baseline files, better supporting STIG/CIS compliance.
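
The TAG terminator change above affects any receiver that splits RFC3164 messages on a fixed TAB. The following Python sketch is an added example, not Snare code: it splits TAG from CONTENT at the first non-alphanumeric character, as RFC 3164 section 4.1.3 describes, next to an older TAB-only splitter for comparison. The function names, hostname, TAG and payloads are constructed for illustration and do not reflect the Agent's actual output.

```python
import re

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME MSG, where MSG = TAG + CONTENT.
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)",
    re.DOTALL,
)
MAX_TAG = 32  # RFC 3164 section 4.1.3 limits TAG to 32 characters
ALNUM = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def split_tag(msg):
    """Split MSG into (tag, terminator, content) at the first non-alphanumeric."""
    end = 0
    while end < len(msg) and end < MAX_TAG and msg[end] in ALNUM:
        end += 1
    # Per the RFC the terminating character is the first character of CONTENT.
    return msg[:end], msg[end:end + 1], msg[end:]


def split_tag_tab_only(msg):
    """Older receiver logic that assumes TAB always ends the TAG."""
    tag, sep, rest = msg.partition("\t")
    return (tag, sep, sep + rest) if sep else ("", "", msg)


def parse(line, splitter=split_tag):
    m = HEADER.fullmatch(line)
    if m is None or int(m.group("pri")) > 191:
        raise ValueError("not a valid RFC 3164 message: %r" % line)
    pri = int(m.group("pri"))
    tag, term, content = splitter(m.group("msg"))
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m.group("host"), "tag": tag,
            "terminator": term, "content": content}


# Constructed sample messages (hostname, TAG and payload are made up).
SAMPLES = [
    "<13>Sep 16 10:15:02 web01 SampleAgent\tevent=execve uid=0",
    "<13>Sep 16 10:15:02 web01 SampleAgent|event=execve uid=0",
    "<13>Sep 16 10:15:02 web01 SampleAgent: event=execve uid=0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse(s)["tag"], "|", repr(parse(s, split_tag_tab_only)["tag"]))
```

The TAB-only splitter returns an empty TAG for the second and third samples, which is the symptom to look for in downstream parsing rules after a custom delimiter is configured.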

Bug Fixes

  • The Audit Filter Term 'path' can now be specified in an Objective.
  • Fixed an issue where audit rules were not configured according to the modified objectives.
  • Increased default audit event buffer and altered restart process to prevent freezing on startup.
  • Fixed functionality of filters in Objectives and File Watches.
  • Various bug fixes.

User Guide

The following is an offline version of the User Guide related to this release.


For an up-to-date version refer to the online version here.