Release Notes for Snare Central v8.4.1

Snare Central v8.4.1 was released on 26th October 2021.

Snare Central incorporates the Agent Management Console (AMC), Reflector v3.0.1, Snare Agent Manager (SAM) v1.5.1, and Snare Enterprise Agent for Linux v5.5.1.

If the threat intelligence component is enabled, Elasticsearch version 6.8.7 is used.

Customers that use Snare Central to license Snare Agents v5.5.0 or above need to upgrade to Snare Central v8.4.0 or above.

Overview

Snare Central version 8.4.1 is a patch release that includes updated system packages, security patches, minor enhancements and bug fixes.

Features and Enhancements

  • Check Point Firewall-1 logs exported by Log Exporter in syslog CEF format are now supported as Log Type Firewall1Log

  • Disk I/O has been significantly reduced for slower destinations that consistently use the Reflector cache
  • Memory usage has been reduced for customers with large numbers of agents that frequently disconnect and reconnect
  • The default client timeout for TCP and TLS listeners has been changed from 60 seconds to 5 minutes, and the timeout can now be configured on a per-listener basis. Snare Central closes a listener's TCP connection after that period of inactivity (60 seconds in versions earlier than v8.4.1). To change it, add "clientTimeout": 600 (the desired timeout in seconds) to the relevant Listener section of the Collector.conf configuration file. Stop the Snare Central services before modifying the file and restart them afterwards

  • A new option has been added to the realtime delivery capabilities - the realtime results table can be specifically excluded from outgoing email messages
  • Improved status messages displayed on the Backup and Restore page during mounting and unmounting of external storage

  • Improved AMC logging to prevent /var/log from filling too quickly

  • Added periodic cleanup of /var/log to prevent it from filling up
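
As an added example, not code from these release notes or from the Snare Central product, the following Python helper applies the per-listener clientTimeout setting described above to a Collector.conf file. It assumes the file is JSON with a top-level "Listeners" list in which each entry carries "name" and "protocol" keys; those names are assumptions, since the notes only state that "clientTimeout" goes into the relevant Listener section. The sample configuration is constructed for illustration. Run anything like this only while the Snare Central services are stopped, as the notes require.

```python
import json
import os
import tempfile

# Constructed sample Collector.conf content for this example. The "Listeners",
# "name", "protocol" and "port" keys are assumptions about the file layout; the
# release notes only say that "clientTimeout" belongs in the Listener section.
SAMPLE_CONF = """
{
  "Listeners": [
    {"name": "tcp-6161", "protocol": "tcp", "port": 6161},
    {"name": "tls-6163", "protocol": "tls", "port": 6163},
    {"name": "udp-6161", "protocol": "udp", "port": 6161}
  ]
}
"""

DEFAULT_TIMEOUT = 300                               # v8.4.1 default: 5 minutes idle
CONNECTION_ORIENTED = frozenset({"tcp", "tls"})     # UDP has no connection to time out


def load_sample() -> dict:
    """Parse the constructed sample configuration."""
    return json.loads(SAMPLE_CONF)


def set_client_timeout(conf: dict, seconds: int, protocols=CONNECTION_ORIENTED) -> list:
    """Set "clientTimeout" on every listener whose protocol is in `protocols`.

    Returns the names of the listeners that were changed. A non-positive or
    non-integer value is rejected so a typo such as 0 cannot disable the idle
    check or be misread by the collector.
    """
    if isinstance(seconds, bool) or not isinstance(seconds, int) or seconds <= 0:
        raise ValueError(f"clientTimeout must be a positive integer of seconds, got {seconds!r}")
    changed = []
    for listener in conf.get("Listeners", []):
        if listener.get("protocol", "").lower() not in protocols:
            continue
        if listener.get("clientTimeout") == seconds:
            continue                                # idempotent: already set
        listener["clientTimeout"] = seconds
        changed.append(listener.get("name", "<unnamed>"))
    return changed


def effective_timeout(listener: dict) -> int:
    """Timeout a listener will use: its explicit value, else the v8.4.1 default."""
    return int(listener.get("clientTimeout", DEFAULT_TIMEOUT))


def write_conf(path: str, conf: dict) -> None:
    """Write the JSON atomically (temp file + rename) so an interrupted write
    cannot leave a truncated Collector.conf for the collector to load."""
    dir_name = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dir_name, prefix=".Collector.conf.")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(conf, fh, indent=2)
            fh.write("\n")
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    conf = load_sample()
    print("changed:", set_client_timeout(conf, 600))
    for entry in conf["Listeners"]:
        print(entry["name"], "->", effective_timeout(entry), "s")
```

The helper only touches TCP and TLS listeners because the idle timeout has no meaning for UDP. A longer timeout keeps connections from agents that have silently gone away open for longer, so if the collector runs near its connection limit, raise the value in steps rather than to a very large number.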

Bug Fixes

  • Fixed a defect that stopped the Samba share from continuing to work after a reboot
  • Improved loading time of Log Types and Fields filters on the Events Search page for large volumes of log data
  • Fixed the issue that caused Health Checker to never finish loading if the list of discarded events was too long
  • Fixed an upgrade problem that prevented the collection of destination statistics, resulting in empty destination graphs on the dashboard
  • Fixed a defect in the LDAP form of the Configuration Wizard that prevented the sAMAccountName option from being used correctly
  • Reflector now correctly handles the $$IPADDRESS$$ alias for injecting the source IP address into events when using the event search/replace functionality
    Note: this feature was present in Reflector v2 (Snare Central v8.0 to v8.3.1) but was omitted from Reflector v3 (Snare Central v8.4.0)
  • Fixed the Desktop and Server filters for Windows agents in the AMC configuration, which were not filtering correctly
  • Delivery to remote Elastic destinations that require both TLS and password authentication now works
  • Realtime alerts fixed for the following Log Types: AgentHeartBeat2, FIMLog, MSSQLLog2, MSWinEventLog2, CiscoFTDLog*
  • Resolved an issue where real time alerts with thresholds could cause high memory usage for large log volumes
  • Fixed Monitor Live Data events table columns that were misaligned for some events in Snare v2 format. This occurred for events that contained carriage returns and embedded newlines (e.g. Windows EventID 4627). Inline newlines, tabs and carriage returns are now sanitised where appropriate.
  • Fixed the display of the Configure Objective dialog on top of the Snare Health Checker page
  • Fixed an issue where the Password Reset page did not accept passwords containing commas, full stops and other special characters
  • Fixed an issue that prevented the SAM web page from opening in a new tab if the Reflector page was already open
  • Fixed a problem that caused the support data pack to be excessively large
  • Fixed an error that could prevent AMC from detecting Snare Agents that need to be managed but do not report directly to the Snare Central server
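
As an added example, not Reflector's own code, the Python below shows the kind of search/replace rule the $$IPADDRESS$$ fix above concerns: a regex rule whose replacement template names the alias, with the alias resolved to the validated source address of the event before the rule is applied. Only the alias name comes from the release notes; the rule format, the sample event and the way the source address is supplied are assumptions. The apply_rule_literal function is one plausible form of the v8.4.0 regression (the notes say only that the alias was omitted), included so the output check has something to catch.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# The alias name is the one the release notes refer to. The rule shape below
# (regex search plus replacement template) is an assumption for this example.
IP_ALIAS = "$$IPADDRESS$$"

# Constructed sample event: a syslog line that arrived without a host field,
# received from the peer address that is passed to apply_rule().
SAMPLE_EVENT = "Oct 26 10:00:00 sshd[1234]: Failed password for root from 10.0.0.5"


@dataclass(frozen=True)
class ReplaceRule:
    search: str        # regular expression matched against the event text
    replacement: str   # template; may use \1-style backreferences and IP_ALIAS


def validated_ip(source_ip: str) -> str:
    """Return the canonical text form of source_ip, or raise ValueError.

    The value is spliced into a log line that downstream parsers trust, so only
    a literal IPv4/IPv6 address is accepted; anything else is rejected rather
    than injected into the event.
    """
    return str(ip_address(source_ip.strip()))


def apply_rule(event: str, rule: ReplaceRule, source_ip: str) -> str:
    """Apply one search/replace rule with $$IPADDRESS$$ resolved.

    The alias is substituted into the template before backreferences are
    expanded: an address never contains a backslash, so it cannot be misread
    as a template escape, and event text captured by a group that happens to
    contain the literal string "$$IPADDRESS$$" passes through untouched.
    """
    addr = validated_ip(source_ip)
    template = rule.replacement.replace(IP_ALIAS, addr)
    pattern = re.compile(rule.search)
    return pattern.sub(lambda m: m.expand(template), event)


def apply_rule_literal(event: str, rule: ReplaceRule) -> str:
    """Assumed form of the v8.4.0 regression: the rule runs with no alias
    expansion, so "$$IPADDRESS$$" lands in the event as literal text."""
    return re.sub(rule.search, rule.replacement, event)


def has_unresolved_alias(event: str) -> bool:
    """Output check: flag events that still carry an unexpanded alias."""
    return IP_ALIAS in event


if __name__ == "__main__":
    rule = ReplaceRule(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ", r"\1 " + IP_ALIAS + " ")
    print(apply_rule(SAMPLE_EVENT, rule, "192.0.2.10"))
    print("unresolved after literal rule:",
          has_unresolved_alias(apply_rule_literal(SAMPLE_EVENT, rule)))
```

After upgrading a Reflector that uses this alias, a check like has_unresolved_alias over a sample of delivered events is a cheap way to confirm the expansion is happening again, since a SIEM downstream will otherwise index the literal alias text in place of the source address.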