Release Notes for Snare Windows Agent v5.5.0

Snare Windows Agent v5.5.0 was released on 13th April 2021.


Security Updates

  • Security hardening of Agent to SAM communication: Digest Authentication was replaced with Basic Auth over HTTPS

    After this change, the v5.5.0 agent will only be able to communicate with SAM v1.5.0 or newer. 
    SAM v1.5.0 is backward compatible, and supports communication with pre-v5.5.0 agents.

  • Security hardening of encryption keys storage, usage, export, and import
  • 3rd party libraries upgraded:
    • OpenSSL upgraded to version 1.1.1i
    • Curl upgraded to version 7.72.0
    • Boost upgraded to version 1.74

New Features and Enhancements

  • Added two new event output formats:

    • SNARE v2 
      This format allows sending more detailed events to Snare Central. 
      The events will include time zone context, event time up to milliseconds, additional fields for Windows Audit and other event types.

      Using truncation feature will not be required, as Windows events in this format do not contain verbose event descriptions.
      The format is JSON-based and can be ingested by Snare Central v8.4.0 or newer. 
      All the events, including Windows Audit, FIM, RIM, Log Audit, and Heart Beat, can be sent in SNARE v2 format. 
      A new Format option was added under the Destination Configuration.
    • SYSLOG JSON
      This format allows sending more detailed events to 3rd party SIEMS or event collectors. 
      The format consists of a SYSLOG RFC 5424 header, followed by the data payload in JSON format
      Using truncation feature will not be required, as Windows events in this format do not contain verbose event descriptions.
      All the events, including Windows Audit, FIM, RIM, Log Audit, and Heart Beat can be sent in SYSLOG JSON format. 
      A new Format option was added under the Destination Configuration.
  • In the Agents Web UI the term "Objective" was replaced with "Audit Policy," i.e. the "Objective Configuration" page used for configuring Windows audit policies, is renamed to "Audit Policy Configuration."
  • A new default Audit Policy has been added, for monitoring user rights usage. 
  • Agent will show a warning to remove default network loopback destination when a valid network destination is present.

Bug Fixes

  • Improved Snare directory cleanup on agent uninstallation
  • Resolved issue where FIM scan did not recover from "Paused - maximum scan limit reached" status
  • Agent Web UI now prunes log messages on the Snare Log page appropriately
  • Syslog 5424 header now conformant with RFC, as APP-NAME does not contain spaces
  • Improved browser compatibility when updating custom delimiter on the Destination Configuration page
  • Fixed port/protocol/format mismatch warnings on the Network Destination configuration page

User Guide

The following is an offline version of the User Guide related to this release.

For an up-to-date version refer to the online version here.