Release Notes for Snare Central v8.6.1

Snare Central v8.6.1 is to be released on 14th August 2024.

Snare Central incorporates Reflector v3.2.1, Snare Agent Manager (SAM) v2.0.3, and Snare Enterprise Agent for Linux v5.8.1.

If the threat intelligence component is active, version 6.8.7 of ElasticSearch is activated.

The following licensed components are available: 

  • Snare Management Center (SMC)
  • Snare Management Center Client (SMC)
  • Agent Management Console (AMC)
  • Snare Advanced Analytics (SAA)
  • Cloud Logs Collection:
    • Office 365 Logs Collection
    • Amazon Web Services Log Collection
    • Oracle Cloud Log Collection

After upgrading to Snare Central v8.6.1, please reboot the server to apply kernel changes, as advised by Ubuntu.

Overview

Snare Central version 8.6.1 is a patch release that includes updated system packages, security patches, enhancements and bug fixes.

Please refer also to Release Notes for Snare Agent Manager (SAM) v2.0.1, v2.0.2 and v2.0.3 included in this release.

Compatibility Note

Snare Agent Management v2.0.3 included in this version of Snare Central is compatible with the following versions of Snare Agent. 

SAM v2 Feature                          Supported Snare Agent Versions
Agent Configuration Management (New)    5.8.0 or newer
Agent License Management                5.5.0 or newer
Remote Agent Upgrade                    5.5.0 or newer
Agents Discovery using Network Scan     5.4.0 or newer

If you are using these features of SAM, please upgrade the Snare Agents to the latest version BEFORE upgrading Snare Central.

Features and Enhancements

  • Cloud Log Collection
    • Snare Central is now able to collect AzureFirewallThreatIntelLog and AzureAZFWThreatIntel logs from Azure Firewall using the Azure Monitor API.
      This can be configured on the Cloud Log Collection Configuration page, by selecting these log types under Supported Logs in the Azure Cloud collector configuration interface.
  • User Interface Modernisation 
    The following pages were redesigned and have a new look-and-feel:
    • Administrative Tools > My Account
    • Administrative Tools > User Administration
    • Administrative Tools > Shutdown/Reboot Snare Central. Added the ability to restart Snare services from the User Interface.
    • Administrative Tools > IP Address Configuration
    • Administrative Tools > Display Snare Log File
    • Administrative Tools > Manage Nightly Updates
    • Administrative Tools > Import Objectives
    • Data Management Tools > Autoremove Data. Remove Data and Autoremove Data pages were consolidated into one.
  • Snare Analytics Dashboards

    • Legend on charts now lists the data ordered by highest count of logs received by the group
  • Snare Management Center
    • Added notification in the managing server if the managed server does not have a valid license for this feature
  • Reflector
    • Search and replace filters can be applied on either incoming OR outgoing format
    • Log delivery using Elastic Bulk Delivery format is now compatible with newer OpenSearch and ElasticSearch versions. Added option for Elastic v5 Compatibility Mode in SATI Configuration
    • Removed legacy Reflector destination formats that are no longer in use: Snare Server Historical and Snare Legacy Delivery
  • Health Checker
    • Improved Agent Reporting section. Users can adjust the non-reporting period to see Agents that did not send events within a period of time.
  • Reports Configuration
    • New attachment type selector added to the Collection Status - Agent Information report configuration
    • Device Audit By System report configuration now allows a longer list of systems to include and exclude to be entered
    • Operating Systems > Login Activity > MacOS Snare V2 > Login Failures report was updated to capture a wider range of login-related events, such as AUE_auth_user
  • Events Search
    • Improved loading of the Event Search Systems drop-down when there are tens of thousands of reporting systems
  • Other 
    • Reinstated "Discard old events" functionality in the Configuration Wizard > Performance and Hardware tab. This functionality was removed in v8.6.0
    • Support data improvements
    • Upgrade process improvements: clean up of backup files from previous upgrade; consistent time stamping and SnareUpdate labelling of log written during the upgrade
    • Removed snareAM.conf.BASELINE from Snare Central as it is out of date and is not in use anymore
    • Disable nmbd when smbd is disabled
    • Improved reports storage for easier maintenance

Security

  • System packages updated to mitigate security vulnerabilities.

    After upgrading to Snare Central v8.6.1, please reboot the server to apply kernel changes, as advised by Ubuntu.

  • Angular upgraded to version 16
  • STIG Compliance control of “Enforce account blocking after only 3 login failures” is now applied to all accounts including Administrator.
    Account lockout after consecutive failed password attempts is enhanced to meet the following criteria:
    1. Lock after exactly 3 consecutive failed login attempts, with STIG enabled.
    2. Lock after exactly N consecutive failed login attempts, with STIG disabled, where N is the "Max Login Consecutive Fails" configuration under "Enhanced Password Security". N=5 by default.
    3. Notify about the account lock-out state on a subsequent login attempt within the lock-out period, only when the input credential passes authentication.
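
The three lock-out criteria above, modelled in Python as an added example (this is not Snare Central's own code). The lock-out period, the class and function names, the return strings and the behaviour after the lock expires are assumptions, since the release notes do not state them.

```python
import hmac
import time
from dataclasses import dataclass

STIG_MAX_FAILS = 3       # criterion 1: fixed threshold when STIG is enabled
DEFAULT_MAX_FAILS = 5    # criterion 2: default "Max Login Consecutive Fails"
LOCKOUT_SECONDS = 900    # assumption: the release notes do not state the period

@dataclass
class Account:
    password: str        # constructed sample; a real system stores a salted hash
    fails: int = 0
    locked_until: float = 0.0   # 0.0 means "not locked"

class LockoutPolicy:
    """Applies to every account alike; there is no Administrator exemption."""

    def __init__(self, stig_enabled, max_fails=DEFAULT_MAX_FAILS, clock=time.monotonic):
        self.threshold = STIG_MAX_FAILS if stig_enabled else max_fails
        self.clock = clock

    def login(self, account, supplied):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self.clock()
        valid = hmac.compare_digest(account.password.encode(), supplied.encode())
        if now < account.locked_until:
            # Criterion 3: only a caller who presents the right credential is told
            # about the lock; a wrong guess gets the usual generic denial.
            return "locked" if valid else "denied"
        if account.locked_until:
            account.locked_until, account.fails = 0.0, 0   # lock-out has expired
        if valid:
            account.fails = 0    # "consecutive": a success resets the count
            return "ok"
        account.fails += 1
        if account.fails >= self.threshold:
            account.locked_until = now + LOCKOUT_SECONDS
        return "denied"

if __name__ == "__main__":
    policy = LockoutPolicy(stig_enabled=True)
    admin = Account(password="constructed-sample-pw")
    attempts = ["bad1", "bad2", "bad3", "bad4", "constructed-sample-pw"]
    print([policy.login(admin, a) for a in attempts])
```

Returning the same generic denial for wrong guesses against a locked account keeps the lock state from being used to confirm which account names exist or are under attack.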

Bug Fixes

  • Services limits optimisation to prevent running out of maximum open file handles on machines with a high number of clients
  • Fixed possible Reflector crash if invalid destination format was configured
  • Fixed Real Time Alerts functionality
  • Fixed Email Test in Email Setup section in Config Wizard
  • Regularly restart vmtoolsd to prevent memory leak in open-vm-tools on certain configurations
  • Fixed an issue with new license not being applied to the Snare Agent on Snare Central, when STIG is enabled
  • Fixed Agent Count in Health Checker > Snare Central License section
  • Updated Snare Central Upgrade process to disable Snare Cron job schedule during upgrade that could cause database corruption
  • Updated Snare Central Upgrade process to update databases earlier, to prevent database corruption
  • Improved LDAP Groups Distinguished Names field validation
  • Fixed an issue where Autoremove attempted to write a non-existent file which caused an error to be logged
  • Fixed AMC that was causing warnings in the log file
  • Improved handling of SnareTransition files under high load that could cause SnareStore crash due to exceeding maximum number of open files
  • Fixed the issue where configuring Data Backup using custom picks of snare archive date range took too long to save
  • Fixed filtering in Criticality column of the 'Events details' table, when drilling down from the Executive Dashboard heatmap
  • Fixed alignment of long Query names in the Saved Queries tab on the Events Search page
  • Fixed text alignment in the Report Export pop-up dialog
  • Prevent some warnings from being sent as emails