Change Log

New Features

• The Snare Agent Manager (SAM) has been integrated directly into the Snare Central Server, and provides centralized license management capabilities. The SAM may be accessed via the menu: Agent Management | Snare Agent Manager. Customers no longer need to maintain a separate standalone Windows-based SAM installation in order to manage Snare agent licensing.
  In future versions of the Snare Central, this interface will take over configuration management for the Snare agents. As a transitional capability to assist customers who are running Snare Central purely for agent management, heartbeat-style events will be sent to Snare Central server from the agent manager in order to automatically populate the "non reporting agents" list in the agent management console, to aid in configuration management activities.

• A new graphical user interface and disk manager utility has been created to make it easier for customers to manage their storage resources available via menu System | Data Management Tools | Disk Manager.  Users of this interface can shift space between disk partitions (new 7.2 installs only), add new unallocated disk space to existing partitions (new 7.2 installs only), and also take advantage of the 'overlayfs' feature of 7.2, to layer other formatted disk partitions, NAS shares, or external media, over some existing Snare Central paths. The layering capability will enable, for example, backups that have been created with the Data Backup utility that are stored on optical or USB media, to be superimposed over the existing "Snare Archive" event storage location; this means there is no need to restore a data backup to have access to archived data.
  Version 7.2 of Snare Central has switched to Logical Volume Management for disk partitions on newly installed systems, which also makes it easier to increase the disk space in virtual, cloud or physical systems when extra disk is required. Servers that have been upgraded from a previous version of Snare, can use the overlay feature of the disk manager to add up to two formatted disk partitions to any supported Snare Central path. This will reduce the need for a system rebuild to increase the disk capacity of the system when more log space is required. Newly installed servers can take advantage of both layering, and logical volume management for additional disk space management flexibility. Snare Central 7.2 now complies with the Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) recommendation from the US DoD for disk layout and minimum sizing.
  To use the new Disk Manager feature, requires a side-by-side migration from an existing Snare Server v7 to a new install of Snare Server v7.2.  See Snare Server Side-by-side Migration Guide v7 for instructions.
  There is a known incompatibility between virtual machine hypervisors, and the kernel currently used by Snare Central 7.2 when attempting to take "quiesce snapshots" or VM backups with quiesce active, when an overlay filesystem is active. In order to overcome this issue, a script has been added to the Snare Central that will automatically stop all snare processes, and unmount any overlay filesystems, when a "quiesce snapshot" is requested. After the snapshot/backup has been completed, all overlay filesystems are automatically re-mounted, and all processes will be restarted. Process restart is usually quick, but may take several minutes depending on VM activity and event collection will be suspended during this period.
  
  
• In order to comply with the Security Technical Implementation Guide (STIG) recommendations for the Unix operating system (https://www.stigviewer.com/stig/unix_srg/), Snare Central now includes the Snare Linux Agent. The agent is automatically installed when the Enable STIG Compliance for Snare Central checkbox is selected from the Snare Central Configuration Wizard (under Security Setup). Events are sent via TCP to port 6161 of the local Snare Central Server with the Log Type "LinuxAudit". If Enable STIG compliance is subsequently unchecked from the Wizard, then the Snare Linux Agent is also uninstalled from the system. When active, the Snare Linux Agent Web Interface can be accessed by allowing port 6112 on the Snare Central. Navigate to Firewall Setup in the Configuration Wizard and add the port to the Active Rules if you wish to access the Agent Web Interface directly. Note that once the Agent Web Interface has been made accessible, it is recommended you enable the remote control password on the Linux Agent Access Configuration page and supply a new password. The Agent audits the following criteria as recommended by STIG (Unix):
  • V-819 all discretionary access control permission modifications.
  • V-818 login, logout, and session initiation.
  • V-816 all administrative, privileged, and security actions.
  • V-815 file deletions.
  • V-814 failed attempts to access files and programs.
  • V-22383 the loading and unloading of dynamic kernel modules.
  • V-22382 account termination.
  • V-22378 account disabling.
  • V-22377 account modification.
  • V-22376 account creation.
• The Snare Collector/Reflector has been upgraded to version 2.0 to match the standalone Windows version. The Snare Collector/Reflector Dashboard now displays the additional statistics:
• 
  
  1. Disk Cache % Full - indicates how full the disk event cache file is as a percentage.
  2. Events on disk - indicates the number of events stored on the disk cache.
  3. Disk Reads EPS - indicates the number of events being read from the disk cache.
  4. Recent dropped EPS - indicates the number of events that have recently been discarded due to the disk cache being full. Each Destination Queue has its own disk queue file.
  5. Disk Queue % Full - indicates how full each disk queue file is as a percentage.
• Additional enhancements include:

• *  A new disk cache which defaults to 2Gb in size, and enhances the existing memory cache to facilitate a significantly higher storage capability for logs that need to be forwarded to remote servers that are currently offline due to system or network outages, or are temporarily unable to process the volume of data being sent from the reflector. The size of the disk cache can be configured both at install time and during operation, from the Web user interface. The Snare Central Health Checker now reports on the status of the disk cache and displays a warning message if the disk cache is reaching capacity. The Snare Reflector Disk Cache persists between restarts of the Reflector service. Please note though, that if a Destination queue is modified or the Disk Cache or Event Cache sizes are modified then Reflector will discard any stored events.
• *  Destination chart timestamps are displayed in system time by default, and configurable to be altered to UTC via the configuration screen.

• A historical record of Snare Central reports in PDF format are able to be saved. When PDF Output is added to your objective output components, a new configuration item, PDF Archive Days will be displayed. The number of PDF reports to archive can be configured in this area by adjusting the "Number of days" and "Number of PDF files per day" settings. PDFs are stored on the Snare Central, and are made available via a SMB share. Note that the configuration setting under Configuration Wizard | Network Services | Share PDF Archive directory must be enabled to gain access to the historical archive of PDF files.

• Snare Central now provides an updated access control management interface, which supports both user and group authentication and access control from locally defined users/groups and also users/groups from an LDAP/AD server.  An LDAP 'Test' button has also been added, to confirm configuration settings and network/service availability prior to operational use.  Customize System | Administrative Tools | Configuration Wizard | Snare Central LDAP Authentication, to access new objective System | Administrative Tools | Manage Access Controls.

• A support information gathering tool accessible from System | Administrative Tools | Snare Central Support Data Retrieval, aims to collect a range of support-related data to help the Snare Central team diagnose and solve issues that arise within your environment.

• A new agent information objective in Status | Collection Status-Agent Information, provides a simple overview of the systems that have sent event data to the Snare Central over the course of a configurable number of days.

• 17 new objectives have been added to the Snare Central server specifically to detect security incidents on Windows servers and workstations discussed in the SANS white paper at https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262. Objectives are accessible via menu Reports | Operating Systems | Windows Incidents. The new objectives cover administrative activity, file and resource access and process monitoring.
  
  
• Addition of various new objectives:
  
  1. Reports | User and Group Snapshots | Account Groups Displays users and their groups and provides visibility of which groups users they are a member of.
  2. Reports | User and Group Snapshots | Account Last Login Displays users last login details. This module collects domain/local users from all domain controllers and reports on the most recent last login age (excluding those with a value of 0) from all domains the username is collected. The intent is to find the last login age regardless of replication delays. Also includes the option to find the accounts which do not have a last login timestamp recorded and which have therefore never been used.
  3. Reports | User and Group Snapshot | Monitor Administrators Monitoring members of sensitive groups can now monitor on both group and domain.
  4. Reports | Operating Systems | Administrative Activity | Windows | Group Member Changes. This objective shows changes to the members of sensitive Windows groups. New tokens - ACTIONEDBY - GROUPNAME - MEMBERID
  5. Reports | Operating Systems | Login Activity | Windows | User Interactive Login Logoff. This objective is used to monitor interactive account login and logoff events. This includes workstation locked/unlocked events and screen saver invoked/dismissed events.
  6. Reports | Snare Central | Device Audit By System Report the last date a device sent a log to the Snare Central.
  7. Reports | Snare Central | Log Counts By System Report a summary of log counts by system or log type per day.
  8. Agent Management | Snare Agents | Query Active Directory Extract | User and Group Query UserGroupQuery now provides an option to query the AuthUserDetails table on specific Active Directory fields for Users with SOURCE belonging to 'WindowsAD'. Queries support sorting in ascending and descending but not 'GROUP BY'.
  9. System | Data Backup | Data Backup Scheduling an ISO archive now provides a greater range of configuration options including the ability to specify a date range, a backup order (most recent data first or oldest data first), and options to control what extras are included with ISO generation. Additionally it will create multiple ISOs until the backup is completed rather than stop once the first ISO is full.

Enhancements

• The Snare Central ISO image can now be written to a USB stick in order to install physical or virtual hardware, rather than generating a physical DVD. It is recommended that customers use a tool such as "Rufus" on Windows, or the "USB Image Writer" on Linux to migrate the ISO image to USB media.
• The format, and time-zone definition for dates and times recorded in the Snare Central debug log (as seen in System | Display the Snare Log File) have been harmonized.
• Configurable setting available in Status | Snare Health Checker 'Email only on exception basis' to report only when problems are detected in the system.
• For every database that is stored in the Snare Central archive, a checksum is generated daily to provide assurance that the logs have not been tampered with. This functionality has been security improved by providing 256 bit Secure Hash Algorithm 3 (sha3) instead of the old MD5 from previous versions. Snare Central also alerts in the "Snare Health Checker" if any files has been tampered with.
• The apache web server self-signed certificate can be regenerated from the Snare Central 'snare' console administration menu if required. A new "Certificate Administration" menu, offers an administrator the option to "Regenerate Self Signed Web Server Certificate". Please note that this will overwrite any customised server certificates that have been installed on Snare Central.
• Fix to Snare Central to preserve certificate configuration after an Snare Central update.
• The Snare Central upgrade wizard has been updated significantly to provide better feedback, to add an extra level of backup, and to allow critical changes that affect the actual update wizard, to be integrated earlier in the update process.
• The maximum file size limit when uploading a Snare Central Update via the Web Upload form has been increased from 500M to 1.5G.
• Added a new close button (x button) to Pattern Map at dialog's right-top corner as you need to scroll down to end to click Close if you have lots of information.
• Previously the snare log that is captured contains the support@intersectalliance email alias. The email field now allows the sending of the snare log to any email address. Any logs that require review by Intersect Alliance should be forwarded via Snare Support, or your Snare partner representative.
• The colors for KeyIDs in the License Page have been changed to provide a higher contrast between alpha and numeric characters.
• The Reports | User and Group Snapshots | Account Groups objective now supports queries on the Windows Active Directory table.
• Additional screen real estate has been allocated to large login banner messages, on the login screen, configurable in the Configuration Wizard.
• The Reports | Operating Systems | Administrative Activity | Windows | Audit Log Cleared objective now includes EventID 104 which is raised when system or application logs are cleared.
• Snare Central is installed under a new disk layout for better performance, STIG security compliance and flexible disk administration.
• The Microsoft DNS Malware detection objective (Reports | Application Audit | Windows Log Data | MSDNS Server | Malware Domains) has been updated to cater for situations where multiple domain names are provided per event.
• The IIS Weblog collection module can cope with additional fields appended to an event, after the normal range of w3c fields. The extra information will appear in the 'strings' section of the event.
• Windows does not always include the Object Name (filename) in the data that accompanies file-related events. Instead, it may include a Handle-ID, which needs to be correlated with past events. A new objective has been added to the File-events area of the Windows Security log objective section, that tracks HandleIDs and associated Object Names, for events that provide both. If a Handle ID is provided by a future event in the same result set, the previously saved Object Name is injected into the token "HandleFilename", and is available to use in the objective match settings, or as part of an output component.
• Objectives can now send a customised message via email, when they have 'no data to report' but the email configuration still specifies that email should be sent regardless.
• The User Interface for the configuration component of sensitive group membership objectives, has been redesigned. Domain restrictions have been removed, to make way for enhanced recursive enumeration of groups.
• Windows sensitive groups objective now supports the enumeration of standard Windows groups, when they are included in a Windows Active Directory group.
• Windows active directory user name information is now grabbed from the displayName field exclusively.
• The Snare Central configuration database now uses a journaling mode that allows faster responses in multi-threaded applications. Although the change will not generally be noticeable in interactive use, the Snare Central log file will have fewer "data access retry" notifications.

Bug Fixes

• Corrected issue with being able to download the checksum file listing when the Snare Central was configured to use HTTPS.
• If a server is reporting to the Snare Central using both its IP address, and a hostname, the Snare Central health checker will attempt to consolidate both, when counting reporting agents. Snare Central Log sources are ignored, and systems that report as both AgentHeartBeat and another category of logs, will not be counted twice.
• The Snare Collector will allow collection of events even if Snare Central is unlicensed. However no new destinations can be added for reflection until a valid Snare Central license is loaded.
• The CA-ACF2 Log import script can now import multi-line RPTEL logs, and will also cope with changes to the positions of column data.
• The CA-ACF2 log interpreter is now less sensitive to blank lines included within the file.
• The Windows User Flags objective can now display users who have an account expiry set.
• Fixed issue with WindowsAD user queries that return no results.
• User queries via the "User and Group Query" tool, can provide extra details on a per-user basis, including a recursive list of group memberships.
• A bug in the Windows User/Group membership code incorrectly indicated that user accounts were also valid groups. This did not result in any false positives within actual objectives, but it did mean that some objectives took significantly longer to run.
• An additional Bandwidth-By-Host output component has been added to Proxy Log objectives.
• Email messages from objectives that contain accented characters such as umlauts, are now displayed correctly in tabular output.
• A bug that prevented Agent Remote Management Objectives from displaying "Agents with a configuration that is different to the master configuration" and "Agents matching the master configuration" sections under the "Snare Agents" tab is now fixed.  This occurred when the field in Configuration Wizard | Agents Default | The Port on which to contact Snare Agents, was set to the same port in Manage Agents | Configure Objective | Alternate listening port. This bug only happened when the Manage Agents | Snare Agent Type | Snare Enterprise Agent for Windows (5.0.x < 6.x.x) was selected.
• The Snare Configuration Wizard could not be used from the Internet Explorer 11 and Microsoft Edge browsers. This has now been fixed and the Snare Configuration Wizard can be accessed from Chrome, Firefox, IE11 and Edge browsers.
• Events in the "WebLog" table with a destination site name that includes an ISO country code, will now enumerate the country name and flag when displayed.
• The Snare Central "Objective Store" was not correctly displaying the list of valid downloadable objectives. Updates to both the Snare Central, and to the support.intersectalliance.com site have re-enabled this functionality.
• The 'flags' section of the Windows file access objective configuration panel has been updated to work with windows 2003+ file events. A new Windows Security permission-changes objective is available under the Windows Security | Windows File Objectives category. This objective will provide interpreted information for Original / New Security Descriptors associated with each event.
• AMC can filter IP information from agents with more than 10 IP addresses.
• Threshold capabilities within Dynamic Query would return inconsistent results. This fix solves that error.
• The GUI interface for the Snare Central that allows the left pane to be expanded now remembers the expanded settings between logins.
• A bug in the "Account Flags" objective associated with the "AccountDisable" flag has been fixed.

Security

• Snare Central 7.2 uses STIG compliant settings by default. Some settings still require the user to enable or perform manual actions to fully cover all STIG requirements. This includes making changes to the system manually for the STIG requirements for V-4249 V-4247 V-1013 V-24624
• As part of Security Technical Implementation Guide (STIG) V-22506, Snare Central now performs a nightly verification using the system package management tool to determine that system software has not been tampered with. The nightly results are reported in the Health Checker.
• Please note that even though Snare Central use ext4 file systems; it does not make use of file extended attributes nor file Access Control Lists at all. And because of this and the fact that V-22507 and V-22508 STIG recommendations are both marked as LOW Severity, the sha3 hash integrity database is generated without taking into account any changes on xattrs (including ACLs). This means that any change in any file ACL will not be detected by this tool and won't be reported either.
• NT PIPE support has been disabled in the Snare Central Samba configuration. Although the Snare Central is not vulnerable to CVE-2017-7494 due to the lack of writeable shares, the removal of NT pipe support does not negatively impact the functionality of Samba, and has therefore been actioned.

Operating System Updates