Release Notes for Snare macOS Agent v5.6.0

Snare macOS Agent v5.6.0 was released on 25th May 2022.

Security Updates

  • Removed MD5 and SHA1 hashes from the release metafiles. Only SHA-512 (from the SHA-2 family) is now used to verify the integrity of binary files.
  • Third-party libraries upgraded:
    • OpenSSL upgraded to version 1.1.1m
    • curl upgraded to version 7.79.1

New Features and Enhancements

  • Improved support for the CEF format for macOS audit events
  • A new checkbox setting was added on the Agent's Access Configuration page that disables TLS 1.2 and requires TLS 1.3 as the minimum version for web UI connections
  • The name of the self-signed certificate generated by the Agent by default was changed from the host name to "Snare Agent"
  • File Integrity Monitoring (FIM) now supports file paths containing non-English characters (for example Arabic or Chinese)
  • File Integrity Monitoring (FIM): the status message for each monitor is now shown in a new "Status" column, and the next scheduled scan time is shown in a "Next Scan" column
  • The Snare Agent installer will preserve the existing configuration if a snare.config file already exists
  • The Snare debug log (sometimes required for troubleshooting by Snare Support) can now be generated from the Web UI without stopping the Agent.
    Navigate to the Snare Log page in the Agent's Web UI, configure the output directory and the duration of debug log capture, and click Start Debug Log.
    The Stop Debug Log button stops logging before the configured time has elapsed.
  • Memory usage optimisation for Heartbeat log handling when 'Agent Logging Options' is set to Trace level and 'Agent Heartbeat Frequency' is set to a longer period
  • A warning will be displayed on the Destination Configuration page when sending to a Snare destination using the TLS_AUTH protocol without changing the default TLS_AUTH Authentication Key

Bug Fixes

  • The Agent will now attempt to reuse the existing self-signed certificate instead of creating a new one every time a remote configuration is pushed from Snare Central AMC
  • Cached events are now sent with their correct event types rather than the generic CachedEvent type
  • Resolved an issue where a File Integrity Monitoring (FIM) Policy could remain unscheduled
  • Updated file path traversal to be more robust across a variety of platforms
  • Improved robustness of IP address use in events by retrying multiple times when the system does not yet have a valid IP address
  • Cache Path and Heartbeat Output Path are set to the installation folder by default
  • The Agent now properly handles paths containing \n inside the event content
  • The heartbeat event checksum option is now written to the heartbeat export file when enabled
  • Removed duplicated warning messages on the Destination Configuration page and improved message format consistency
  • Removed an irrelevant warning that was shown when a destination was configured with port 514 and the SYSLOG JSON format
  • Fixed an error that occurred when users accidentally entered space(s) in the Destination and/or SAM IP address
  • Improved logging of SQLite error messages, logging them at an appropriate log level
  • Corrected the misleading message shown for expired license support
  • Removed the erroneous error message logged every time collection from a text file reached end of file
  • Reduced the severity of the erroneous "CN is not found for certificate" error to an informational message
  • Resolved issue where logs displayed on Snare Log page might be filtered incorrectly

User Guide

The following is an offline version of the User Guide related to this release.

For an up-to-date version refer to the online version here.