Release Notes for Snare Central v8.4.0
Snare Central v8.4.0 was released on 25th August 2021.
Snare Central incorporates the Agent Management Console (AMC), Reflector v3.0.0, Snare Agent Manager (SAM) v1.5.0, and Snare Enterprise Agent for Linux v5.5.0.
If the threat intelligence component is active, version 6.8.7 of ElasticSearch is activated.
Customers that use Snare Central for licensing Snare Agents v5.5.0 or above need to upgrade to Snare Central v8.4.0.
Overview
Snare Central version 8.4.0 introduces several new capabilities including Snare Central configuration backup and restore, consuming events in Snare v2 format, forwarding events in JSON and Syslog RFC5424 JSON formats, ingesting FortiGate and Cisco FTD logs, linking multiple Snare Central servers in a high availability cluster, over 200 additional reports and a number of other enhancements and bug fixes.
Features and Enhancements
- Ability to configure Snare Central servers to run in a high availability cluster to achieve collection and reflection redundancy.
For details please refer to the User Guide > Appendix B - Configuring High Availability in Snare Central.
- Backup and restore has a revamped UI for more granular backup and restore control, with the ability to perform a full or partial backup and restore of the Snare Central configuration and archive, and an easier selection box for components and process flow.
The supported media includes network storage (NAS), ISO images and USB devices.
For details please refer to the User Guide > Data Backup and Restore.
This functionality replaces the previous Data Backup and Snare Data Import pages, with all components now under Data Management Tools.
- Updated SAM to 1.5.0. This version contains SAM 1.5.0 to allow the usage of Snare Agents 5.5.0+ where Snare Central is used for Agent licensing and binary updates.
- Ingest events sent by Snare Agents for Windows, MS SQL, Linux and macOS in the new Snare v2 format from 5.5.0+ agents. Snare v2 format allows sending more detailed events from Snare Enterprise Agents to Snare Central. The events will include time zone context, event time to the millisecond, and a number of additional fields for more granular audit event details.
- Integrated next generation Snare Collector/Reflector v3.0.0, offering better flexibility and scalability of Snare Central event collection and processing.
The updated collector/reflector includes the following capabilities:
  - Integrated full Snare Reflector User Interface (UI) in Snare Central, allowing more granular control over the Reflector configuration.
  Navigating to System > Administrative Tools > Configure Collector/Reflector in the menu will open the Reflector UI in a new browser tab. This replaces the old Reflector configuration page.
  For details, please refer to the User Guide (/wiki/spaces/SCV8/pages/1596719105).
  - Starting from Snare Central 8.4.0, Destination regular expressions use RE2 syntax. Earlier versions used PCRE syntax.
  Customers who use regular expressions for Destination filtering or search-and-replace functionality may need to update their regular expression syntax to RE2.
  Incompatible features include back-references, lookahead and lookbehind statements.
  - Ability to ingest events sent by Snare Agents for Windows, MS SQL, Linux and macOS in the new Snare v2 format.
  Snare v2 format allows sending more detailed events from Snare Enterprise Agents to Snare Central.
  The events will include time zone context, event time to the millisecond, and more granular audit event details.
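The PCRE-to-RE2 change above is easiest to check before upgrading. The following is an added example, not Snare code: Go's regexp package implements RE2 syntax, so compiling each existing Destination filter pattern with it reports exactly the patterns that Snare Central 8.4.0 will reject. The pattern list is a constructed sample; the first two are plain syntax, the last three use back-references, lookahead and lookbehind.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample of Destination filter patterns written in the PCRE
// style that earlier releases accepted. The first two are valid RE2; the
// remaining three use constructs RE2 deliberately leaves out.
var filterPatterns = []string{
	`^sudo: \S+ : TTY=\S+ ; PWD=\S+ ; USER=root`, // plain syntax, fine in RE2
	`(?i)^(error|failed)\b`,                       // case-insensitive flag, fine in RE2
	`^(\w+) (\w+) \1`,                             // back-reference
	`USER=(?!root)\w+`,                            // negative lookahead
	`(?<=COMMAND=)\S+`,                            // positive lookbehind
}

// Result records whether a pattern compiles under RE2 (Go's regexp package
// implements RE2 syntax) and, when it does not, the parser's own reason.
type Result struct {
	Pattern string
	OK      bool
	Reason  string
}

// CheckRE2 compiles each pattern with Go's RE2 engine and reports the ones
// that would be rejected after an upgrade to 8.4.0.
func CheckRE2(patterns []string) []Result {
	results := make([]Result, 0, len(patterns))
	for _, p := range patterns {
		_, err := regexp.Compile(p)
		r := Result{Pattern: p, OK: err == nil}
		if err != nil {
			r.Reason = err.Error()
		}
		results = append(results, r)
	}
	return results
}

func main() {
	for _, r := range CheckRE2(filterPatterns) {
		if r.OK {
			fmt.Printf("OK    %s\n", r.Pattern)
		} else {
			fmt.Printf("FAIL  %s\n      %s\n", r.Pattern, r.Reason)
		}
	}
}
```

Patterns reported as FAIL need rewriting without the offending construct (for example, replacing a lookahead with a positive match on the allowed values) before they are loaded into the new Reflector UI.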
- Ability to forward events in Generic JSON format.
Events that are received by Snare Central can be forwarded to an external destination in Generic JSON format (i.e. JSON raw format). For those formats that can be recognized by the ingest module and broken up into key/value pairs, the JSON key/values will be enhanced accordingly.
Generic JSON Format Example:
{"DATE":"2021-01-02","EVENT":"sudo: myuser1 : TTY=unknown ; PWD=/home/myuser1 ; USER=root ; COMMAND=/bin/ls","SYSLOGROUTING":"23","SYSTEM":"MYSYSTEM","TIME":"13:14:15","SOURCEUSERTOKEN":"myuser1","DESTUSERTOKEN":"root","COMMAND":"/bin/ls"}
- Ability to forward logs to batch-mode HTTP POST destinations; in particular, OpenSearch (Amazon's fork of ElasticSearch) and ElasticSearch bulk upload destinations.
- Ability to forward events in Syslog RFC5424 JSON format.
Events that are received by Snare Central in any of the Snare, Snare v2 or Syslog RFC 5424 formats can be forwarded to an external destination in Syslog RFC5424 JSON format.
This format is comprised of a Syslog RFC 5424 header and a single-line JSON payload. For events that arrive in the original Snare v2 Syslog JSON format, the underlying keys/values will remain unchanged. Tokens and other enhancements will be injected into the SnareDataMap key. This format is useful for Splunk. There is a KB article describing how some Splunk parser config files need to be created: https://prophecyinternational.atlassian.net/wiki/x/AYBoZg
- The Snare Central collection subsystem includes corrections for syslog data sources that do not follow the RFC3164 or RFC5424 formats. Snare Central will correct these events to syslog RFC-compliant versions when the events are reflected out to their ultimate destination.
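A receiver for the Syslog RFC5424 JSON output described above (an RFC 5424 header followed by a single-line JSON payload), as an added example that is not Snare code. The message is a constructed sample that reuses the field names from the Generic JSON example; it assumes NILVALUE ("-") PROCID, MSGID and STRUCTURED-DATA, and rejects rather than mis-parses bracketed structured-data elements.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: RFC 5424 header with NILVALUE ("-") PROCID, MSGID and
// STRUCTURED-DATA, then a single-line JSON payload using the Generic JSON
// field names shown above. PRI 86 = facility 10 (authpriv) * 8 + severity 6.
const sampleMessage = `<86>1 2021-01-02T13:14:15.000Z MYSYSTEM snare - - - ` +
	`{"DATE":"2021-01-02","EVENT":"sudo: myuser1 : TTY=unknown ; PWD=/home/myuser1 ; USER=root ; COMMAND=/bin/ls","SYSTEM":"MYSYSTEM","SOURCEUSERTOKEN":"myuser1","DESTUSERTOKEN":"root","COMMAND":"/bin/ls"}`
// Event holds the decoded PRI, the remaining header fields and the JSON body.
type Event struct {
	Facility, Severity                          int
	Timestamp, Hostname, AppName, ProcID, MsgID string
	Payload                                     map[string]any
}

// ParseSyslogJSON splits the seven RFC 5424 header fields from MSG and decodes
// MSG as JSON; bracketed structured-data elements are rejected, not mis-parsed.
func ParseSyslogJSON(line string) (*Event, error) {
	end := strings.IndexByte(line, '>')
	if !strings.HasPrefix(line, "<") || end < 2 || end > 4 {
		return nil, fmt.Errorf("missing or malformed PRI")
	}
	pri, err := strconv.Atoi(line[1:end])
	if err != nil || pri < 0 || pri > 191 {
		return nil, fmt.Errorf("PRI %q out of range", line[1:end])
	}
	fields := strings.SplitN(line[end+1:], " ", 8) // 7 header fields + MSG
	if len(fields) != 8 || fields[0] != "1" {
		return nil, fmt.Errorf("not a version-1 RFC 5424 header")
	}
	if fields[6] != "-" {
		return nil, fmt.Errorf("structured-data elements not supported")
	}
	ev := &Event{Facility: pri / 8, Severity: pri % 8, Timestamp: fields[1],
		Hostname: fields[2], AppName: fields[3], ProcID: fields[4], MsgID: fields[5]}
	if err := json.Unmarshal([]byte(fields[7]), &ev.Payload); err != nil {
		return nil, fmt.Errorf("MSG is not single-line JSON: %w", err)
	}
	return ev, nil
}

func main() {
	ev, err := ParseSyslogJSON(sampleMessage)
	fmt.Printf("parsed: %+v (err=%v)\n", ev, err)
}
```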
- An optimised internal JSON-like communications protocol between the reflector and collector components ("SnareJSON") has been included. This format can also be used to communicate data between Snare Reflectors without information loss. Other internal communications protocols are also available, but are not recommended for customer use: SNAREOLD and SnareLegacyRealtime.
- Added support for separate LDAP Distinguished Names for users and groups. Added support for logins using the sAMAccountName LDAP attribute.
- Added support for FortiGate logs, including out-of-the-box reports.
For details on FortiGate log types and sub-types please refer to the User Guide: Log Types: FortiGate.
33 new out-of-the-box reports were added for various FortiGate log sub-types.
- Added support for Cisco Firepower Threat Defence (FTD) log types, including 54 new out-of-the-box reports.
- Added 26 new out-of-the-box reports for Windows System Monitor (Sysmon) activity.
These new reports cover the 26 event ID types that are found in Sysmon log data, and can be used to assist in forensic investigations associated with user and system actions and MITRE ATT&CK related activity. For details on the Sysmon event IDs refer to the Microsoft website at https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- Added 88 new out-of-the-box reports for events received from Snare Agents in Snare v2 format.
Linux Snare v2 reports will be updated in future versions.
- The following pages were moved from System > Data Backup (which was removed) to the System > Data Management Tools sub-menu:
- Arbitrary Data Import
- Autoremove Data
- Remove Data
- Enhanced colour coding of report criticality icons, and added character indicators to better support impaired colour vision.
- Events Search enhancements:
- Ability to export Events Search results into a CSV file
- Implemented Search History filters, enabling search by text, date range, or query status
- Implemented Saved Queries filter, enabling search by query, query name or query description
- Added highlighting the free text search string in the search results
- Improved search results pagination by allowing the user to skip to an arbitrary page
- Ability to skip to top of the search results table to avoid scrolling
- Ability to clear the selected date in the Date Picker
- Columns selection and resizing is retained when paginating through Search Results
- Added Timeout and Limit to the query details displayed on the Search History and Saved Queries tabs, when the query row is expanded
- Auto-scroll to error message if an error occurs during the pagination
- Associated query result with Saved Query if the query was saved before running search
- Improved Search Results pagination performance
Security
- Security hardening of NAS credentials storage
- Disabled Apache2 status module that was flagged as a security risk
- When Snare Central debug level is increased, a supplied LDAP password is now masked in Snare logs
- Ubuntu 18.04 latest patch updates
Bug Fixes
- Fixed the layout of the System > Administrative Tools > Antivirus Administration page
- Allowed user to upload virus signature files of up to 200MB in Antivirus Administration without errors
- Resolved an issue that prevented a full systems antivirus scan from running
- Resolved an error in real time alerts generation for some event types
- Fixed System > Launch OpenVAS page that was displaying an error
- The 'Systems' drop-down for the Snare Events Search now more accurately reflects the full range of systems that are reporting data to the Snare Central server
- Fixed functionality of Agent Management > Snare Agents > Retrieve User and Group Information from Windows Servers
- Historical collection dashboard graph now shows data in UTC time
- Dashboard is now using a browser default scroll bar style instead of a narrow style
- Improved handling of missing or corrupt dates in Exchange 2008/2013 events.
This issue could cause the collection module to terminate and restart, leading to a temporary slow down in event collection.
- Fixed an issue with Snare Agent Heartbeat events storage that led to Heartbeat events not being found when searching by dates
- Fixed an issue that prevented mounting a NAS as the primary data store via Disk Manager
- Resolved an issue with usage of second password field in AMC config page when retrieving Snare Agent master configuration
- Fixed the criticality value not showing in the Generic Log reports
- Syslog application names are now correctly showing in the SOURCE field in the Generic Log reports
User Guides
Offline version of the User Guide related to this release
Installation & Side-by-side Migration Guide for Snare Central
User Guide to the Snare Agent Management Console (AMC) in Snare Central