Release Notes for Snare Central v8.5.0

Snare Central v8.5.0 was released on 24th August 2022.

Snare Central incorporates Reflector v3.1.0, Snare Agent Manager (SAM) v1.6.0, and Snare Enterprise Agent for Linux v5.6.0.

If the threat intelligence component is active, version 6.8.7 of ElasticSearch is activated.

The following licensed components are available:

  • Snare Management Center (SMC) - new
  • Snare Management Center Client (SMC) - new
  • Agent Management Console (AMC)
  • Cloud Logs Collection - new
    • Office 365 Logs Collection - new


Overview

Snare Central version 8.5.0 introduces several new capabilities including Snare Management Center, Cyber Network Map, Office365 logs collection, over 100 new reports and a number of other enhancements and bug fixes.

Features and Enhancements

  • Snare Management Center

    Licensed Feature

    Requires the license feature Snare Management Center (SMC) for the managing server, and Snare Management Center Client (SMC) for each of the managed servers.

    New capability to monitor and manage multiple remote Snare Central servers.
    This includes:

    • Viewing system health status of remote Snare Central servers and server groups
    • Viewing dashboard, alerts and history of a remote server
    • Remote Management Mode for modifying configuration of a remote server via local UI
    • Synchronising configuration of the primary server with other servers in the group

Please refer to the User Guide > System Menu > Administrative Tools > Snare Management Center for detailed documentation. 

  • Cyber Network Map

    Real-time map of activity based on live network-related events. An interactive 3-D globe and a world map provide the capability to visualize and explore the geo-located source and destination data associated with a range of firewall, router and web-related logs.
    Data tables display key event component statistics such as country of origin, source and destination IP addresses, ports, and more. Only the following log types are available for this release; other log types will be added over later releases. Supported log types: Cisco ASA (PIX), Cisco FTDLog (IPS), IIS/Apache Web Log, PanFirewall (PaloAlto), and IPtablesFirewallLog from Unix logs.
    Click on a statistic metric to review the relevant events on the Event Search page in a new browser tab.

    Some events include local internal network IP addresses (RFC 1918 addresses such as 10.1.1.1) or hostnames that have no native geolocation to plot. To place them correctly on the map, users can configure their own geo-location mapping for the physical location of these addresses on the System > Administrative Tools > Configure GeoLocation for Mapping page.
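As an added illustration (not Snare Central code; the site mapping and the events are constructed samples), the following Python triage mirrors the behaviour described above: RFC 1918 endpoints are matched against an operator-maintained site mapping, public endpoints are left to native geolocation, and the private ranges that still have no mapping are counted so they can be added on the Configure GeoLocation for Mapping page.

```python
import ipaddress
from collections import Counter

# RFC 1918 address space; the map has no native geolocation for these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed operator mapping of internal networks to sites: net -> (label, lat, lon).
SITE_MAP = {
    ipaddress.ip_network("10.1.0.0/16"): ("HQ Sydney", -33.8688, 151.2093),
    ipaddress.ip_network("192.168.50.0/24"): ("Branch Perth", -31.9505, 115.8605),
}

# Constructed sample endpoints as parsed out of firewall events.
SAMPLE_EVENTS = [
    {"src": "10.1.4.22", "dst": "203.0.113.8"},
    {"src": "192.168.50.9", "dst": "198.51.100.3"},
    {"src": "172.20.3.7", "dst": "10.1.9.1"},
    {"src": "172.20.3.99", "dst": "203.0.113.8"},
    {"src": "10.99.0.1", "dst": "10.1.0.5"},
]

def is_rfc1918(ip: str) -> bool:
    # Explicit RFC 1918 test: ip_address().is_private also matches loopback,
    # link-local and other ranges, wider than what the map treats as internal.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def site_for(ip: str):
    """Longest-prefix match of an address against SITE_MAP, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in SITE_MAP if addr in net]
    return SITE_MAP[max(matches, key=lambda n: n.prefixlen)] if matches else None

def classify(ip: str) -> str:
    """'public': native geolocation applies; 'mapped': operator mapping found;
    'unmapped': private address that cannot be plotted until mapped."""
    if not is_rfc1918(ip):
        return "public"
    return "mapped" if site_for(ip) else "unmapped"

def unmapped_ranges(events) -> Counter:
    """Count unmapped private endpoints per /24 so the operator can see which
    internal ranges still need an entry on the geolocation mapping page."""
    counts = Counter()
    for ev in events:
        for ip in (ev["src"], ev["dst"]):
            if classify(ip) == "unmapped":
                counts[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return counts
```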

  • Office 365 Log Collection module

    Licensed Feature

    Requires license feature Office 365 Logs Collection or Cloud Logs Collection bundle feature.

    For instructions on how to configure log collection from the Office 365 Management Activity API in Snare Central, please refer to /wiki/spaces/SCV8/pages/1888354321

    • There are 41 new cloud reports for Office 365 and Azure cloud logs.

      • Reports/Cloud/Azure/Office365 Audit/General/
                - Admin Related Operations
                - Application Related Operations
                - Failed Operations
                - Generic Logs
                - Regular User Related Operations
                - Successful Operations
                - System Account Related Operations

      • Reports/Cloud/Azure/Office365 Audit/Azure Active Directory/
                - Account Logon Events
                - Added Users
                - Application Audit Events
                - Azure AD Events
                - Deleted Users
                - Failed Azure AD Events
                - Successful Azure AD Events
                - Updated Users

      • Reports/Cloud/Azure/Office365 Audit/Azure Active Directory/STS Logon/
                - Failed User Logins
                - STS Logon Events
                - Successful User Logins

      • Reports/Cloud/Azure/Office365 Audit/Exchange/Mailbox Admin/
                - Admin Audit Events
                - General Configurations
                - Setting OWA Policies
                - Setting Permissions

      • Reports/Cloud/Azure/Office365 Audit/Exchange/Mailbox Item/
                - Deleted Items
                - Externally Accessed Items
                - Group Items Audit Events
                - Single Item Audit Events

      • Reports/Cloud/Azure/Office365 Audit/Exchange/Advance Mailbox Audit Items/
                - Advance Audit Events
                - Bind Events
                - Sync Events

      • Reports/Cloud/Azure/Office365 Audit/SharePoint/Files And Folders Management/
                - Accessed Items
                - All Operations
                - Deleted Items
                - Uploaded Items

      • Reports/Cloud/Azure/Office365 Audit/SharePoint/List And List Items/
                - All Operations
                - Created Items
                - Deleted Items
                - DocumentLibrary List Items
                - Generic List Items

      • Reports/Cloud/Azure/Office365 Audit/SharePoint/Web Site And Pages/
                - All Activities
                - Page Activities
                - Site Activities
  • Extended collection subsystem to support more Cisco Firepower Threat Defence (IPS) log types:
       - WebVPN and AnyConnect Client logs
       - SSL VPN Client logs
       - Command Interface logs
       - VPN Load Balancing logs
       - EIGRP Routing logs
       - Failover logs
       - IP Stack logs
       - OSPF Routing logs
       - IKE and IPSec logs
       - other Cisco FTD logs (generic CiscoFTDLog type)

    For details on the Cisco FTD log types and sub-types please refer to the User Guide: Log Types: Cisco FTD.
    50 new out-of-the-box reports were added for Cisco Firepower Threat Defence logs.

    • Reports/Network/Cisco/VPN/
              - SSL VPN Client Reports
              - SSL VPN Client Error Reports
              - SSL VPN Client User Details Reports
              - IKE IPSec Reports
              - IKE IPSec Error Reports
              - IKE IPSec User Details Reports
              - IKE IPSec - Crypto Related Reports
              - IKE IPSec - IKE Related Reports
              - IKE IPSec - IPSec Related Reports
              - IKE IPSec - Mode Configuration Reports

    • Reports/Network/Cisco/WebVPN/
              - WebVPN AnyConnect Client Reports
              - WebVPN AnyConnect Client Critical Reports
              - WebVPN AnyConnect Client Alert Reports
              - WebVPN AnyConnect Client Error Reports
              - WebVPN AnyConnect Client User Details Reports
              - WebVPN AnyConnect Client User Action Reports

    • Reports/Network/Cisco/VPN/Client/
              - VPN Load Balancing Reports
              - VPN Load Balancing Error Reports
              - VPN Load Balancing Message Processing Reports

    • Reports/Network/Cisco/Routing/
              - EIGRP Routing Reports
              - EIGRP Routing Error Reports
              - OSPF Routing Reports
              - OSPF Routing Error Reports
              - OSPF Routing - Router LSA Reports
              - OSPF Routing - Network LSA Reports
              - OSPF Routing - AS-External LSA Reports
              - OSPF Routing Invalid LSA Reports

    • Reports/Network/Cisco/IP Stack/
              - IP Stack Reports
              - IP Stack Critical Reports
              - IP Stack Error Reports
              - IP Stack Newly Added Routes Reports
              - IP Stack Updated Routes Reports

    • Reports/Network/Cisco/SSL Stack/
              - SSL Stack Reports
              - SSL Stack Error Reports
              - SSL Stack Client Peers Reports
              - SSL Stack Server Peers Reports

    • Reports/Network/Cisco/Command Interface/
              - Command Interface Reports
              - Command Interface Alert Reports
              - Command Interface Critical Reports
              - Command Interface Error Reports

    • Reports/Network/Cisco/Failover/
              - Failover Reports
              - Failover - Command Reports
              - Failover - Primary Unit Reports
              - Failover - Secondary Unit Reports
              - Failover Alert Reports
              - Failover Critical Reports
              - Failover Error Reports

    • Reports/Network/Cisco/Password Encryption/
              - Password Encryption Reports
              - Password Encryption - Decryption Related Reports
              - Password Encryption - Encryption Related Reports
  • Added 9 new out-of-the-box reports for Linux Logs received in Snare v2 format

    • Reports/Operating Systems/Administrative Activity/Linux Snare v2/
           - User Management
           - Group Management

    • Reports/Operating Systems/File and Resource Access/Linux Snare v2/
           - Sensitive Files

    • Reports/Operating Systems/Login Activity/Linux Snare v2/
           - Out of Hours Login
           - Unknown Users
           - User Login Activity
           - User Login Failures
           - User Login With Authentication

    • Reports/Operating Systems/Process Monitoring/Linux Snare v2/
           - Sensitive Applications
  • Updated 7 and added 2 new out-of-the-box reports for Linux Logs received in Snare format

    • Reports/Operating Systems/Administrative Activity/Linux/
              - Group Management
              - User Management

    • Reports/Operating Systems/File and Resource Access/Linux/
              - Sensitive Files

    • Reports/Operating Systems/Login Activity/Linux/
              - Login Failures
              - Out of Hours Login
              - User Login Activity
              - Unknown Users   (NEW)
              - User Login With Authentication  (NEW)

    • Reports/Operating Systems/Process Monitoring/Linux/
              - Sensitive Applications
  • Added handling for Centripetal logs
  • Added Enable Realtime Alerts global control under System > Administrative Tools > Configuration Wizard > Performance and Hardware.

NOTE: By default, real time alerts are disabled with this patch.
If a customer is using real time alerts, they will need to enable this check box and click the NEXT button to save, for real time alerts to continue alerting as expected.

  • Added Disable TLSv1.2 option under Configuration Wizard > Security Setup > TLS Controls so only TLS 1.3 will be used.
  • Added outgoing CEF format support to Reflector for Windows events received in Snare v2 format, and for Cisco ASA firewall logs. For other log sources, generic CEF field population is available.
  • Enhancement to Backup and Restore functionality to support persistent NAS mounts: a "Mount Permanently" checkbox was added on the Select Storage Device screen.
  • The Manage Objective Schedules objective in System Administrative Tools now includes a CSV export capability.
  • Syslog RFC 5424 logs that use milliseconds and hour-based delta time-zone offsets are now supported.
  • Increased the size of the regular expression field in the Autoremove objective from 20 to 40.
  • Added a warning in the Health Checker when the license is about to expire.
  • Access to the Dashboard can be limited via access controls. Users who have no permission to access the dashboard will be presented with a generic page after logging in.
  • Dashboard heatmap table look and feel has been updated to match other tables for consistency.
  • Clicking on a heatmap table row opens a pop-up with all event content.
  • Event Search accessibility improvement: in the drop-down selectors, the Select All checkbox can be selected/deselected by pressing ALT+ENTER. Pressing ENTER selects/deselects the active item in the drop-down. There is also a temporary change in functionality on Event Search that will not show highlighting, due to a potential security vulnerability in parsing the data. This highlighting option will be reinstated in a later update.
  • Reflector UI was restyled to match the Snare Central look and feel.
  • When disk space is below user-defined thresholds for the SnareArchive or SnareTransition partitions, the query subsystem will remain functional and will no longer be turned off along with collection.

Security

  • Security improvements to mount options
  • Removed unused lxd and lxd-client packages
  • PhpMailer library upgraded to 6.6.0 to mitigate CVE-2016-10033
  • Made login error messages generic
  • Removed "Welcome" from the login page title, and made the title text customizable via Configuration Wizard > Organization
  • Minimal fixes for CIS compliance recommendations 1.4.1, 2.3.4, 5.3.3, 5.4.1.4 and 6.2.9. Changed permission of the boot loader configuration to 400 to satisfy CIS 1.4.1 and STIG v-4250
  • Adjusted enabling and disabling of Elasticsearch for customers that have SATI enabled on their machines, due to end of life of Elasticsearch version 6.8.7. If SATI is not enabled, Elasticsearch will not be installed.
  • Metafiles used for binary verification on SLDM were updated to use SHA-512 (SHA-2 family)

After upgrading to Snare Central v8.5.0, please reboot the system to apply kernel changes, as advised by Ubuntu:
https://ubuntu.com/security/notices/USN-5466-1
https://ubuntu.com/security/notices/USN-5515-1

Bug Fixes

  • Resolved a problem in the Data Backup and Restore tool that misleadingly reported a failed backup when in fact the backup was performed correctly
  • Extended MS SQL events received from Snare Agent v5.6.0+ in Snare format will now be correctly categorised as MSSQLLog type
  • Added validation in Snare Reflector destination configuration to prevent adding duplicate destinations
  • Fixed an issue where the EPS graph in the main dashboard showed only zeros
  • Added custom field support (EventSourceId and EventChecksum) for DHCP Logs for SNARE and SNARE v2 formats
  • AMC Agent password field now supports spaces
  • Updated AMC to ignore differences in the WebCertID setting when calculating configuration differences between agents
  • Fixed an issue in AMC where "Listening Port" in "Manage Agents" did not update automatically when "Snare Agent Type" was changed
  • Fixed path verification to prevent upgrade failure if OpenVAS directory was explicitly removed
  • After upgrading Snare Central, on boot the 'Snare Central <version>' loading screen will now show the correct version
  • Corrected a problem that prevented the Auto-remove tool from correctly deleting old events
  • Report query builder was fixed to properly support backslash character usage in CONTAINS and LIKE operators
  • LDAP users who have permissions to change an objective or a report will now be able to schedule them as well
  • Disk Manager enhanced to use volume group identifiers instead of names to improve block device detection
  • Improved support of logs received from Kiwi Syslog server. In previous versions these logs could cause archive corruption
  • Fixed Event Search to return all relevant columns for sorted multi-table search
  • Improved Event Search to pick up Log Types that are only currently available in the Transition partition
  • Fixed Log Type 'Select All' selector when PIX (ASA) Log is present in the drop down on Event Search page
  • Fixed an issue causing “Multi-Table Search” to return no data
  • Increased the maximum number of fields allowed per report in Table Configuration
  • Corrected a problem where Elasticsearch defaults were not backwards compatible
  • Fixed issue where dialog box could remain on the screen after auto-logout
  • Fixed Reports "Create Container" button being clickable when disabled
  • Fixed misalignment of the raw data view of the Historical Collection graph on the Dashboard
  • Fixed typos in Snare Wizard
  • Fixed typo in default login screen message
  • Fixed typos in license upload error message, and a few other messages

User Guides

Offline version of the User Guide related to this release

Installation & Side-by-side Migration Guide for Snare Central

User Guide to the Snare Agent Management Console (AMC) in Snare Central