Release Notes for Snare Windows Desktop Agent v5.2.0

Snare Windows Desktop Agent was released on 6th November 2018.

New Features

  • Introduced the Registry Integrity Monitoring (RIM) module, which periodically scans the Windows registry and compares it against a known baseline of SHA-512 hashes. Events are generated when registry keys, values or attributes change. A new screen in the agent lets the user select a root key, a registry path and multiple sub-keys/values to include in or exclude from the scan. RIM events use a new Snare log type, FIMLog; for reporting in Snare Central, the system must be patched to 7.3.0 to recognise the new log type, otherwise the events appear as GenericLog. The Latest Events page in the agent also has a new "Registry Integrity" tab that shows RIM events.
  • The Windows Agent now includes the functionality of Snare's Epilog application, so two programs no longer need to be installed on the host operating system. The new Log Auditing module contains 100% of the functionality of the Epilog agent, and events keep the same format, maintaining backwards compatibility with Snare Central and third-party SIEM systems. New menu items in the Windows Agent allow log file auditing to be configured, and the installer automatically detects and imports any local configuration left by an existing Epilog installation. Note: the installer does not uninstall the Epilog application; this must be done manually, and the agent displays a warning until it has been done.
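The RIM item above describes a baseline-and-compare scan: hash the registry content once, then raise an event whenever a later scan produces a different hash. The PowerShell script below is an added illustration of that approach and is not Snare's own code; the registry path, baseline file location and exclusion list are illustrative assumptions, and the script hashes value types and data only (it does not cover key permissions, which the agent's "attributes" change detection would).

```powershell
# Added example (not part of the Snare agent): SHA-512 baseline of a registry
# subtree, with added/modified/removed value detection on subsequent runs.
# Assumptions: the default path, baseline file and exclusion patterns are
# illustrative; run elevated to read all of HKLM.
param(
    [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    [string]$BaselineFile = "$env:ProgramData\rim-baseline.json",
    [string[]]$Exclude = @()   # wildcard patterns matched against full key names
)

function Get-RegistrySnapshot {
    param([string]$Path, [string[]]$Exclude)
    $snapshot = @{}
    $sha = [System.Security.Cryptography.SHA512]::Create()
    # The root key plus every sub-key beneath it.
    $keys = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $keyName = $key.Name   # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
        if ($Exclude | Where-Object { $keyName -like $_ }) { continue }
        foreach ($valueName in $key.GetValueNames()) {
            $kind = $key.GetValueKind($valueName)
            # Do not expand %VARS% so the hash reflects what is stored, not the
            # current environment of the scanning account.
            $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
            # Serialize type and data together so a change to either alters the hash.
            $serialized = "$kind|$(ConvertTo-Json -InputObject $data -Compress)"
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($serialized)
            $hash = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
            $snapshot["$keyName\$valueName"] = $hash
        }
    }
    $sha.Dispose()
    return $snapshot
}

function Compare-RegistrySnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $events = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $events += [pscustomobject]@{ Change = 'Added';    Value = $k }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $events += [pscustomobject]@{ Change = 'Modified'; Value = $k }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $events += [pscustomobject]@{ Change = 'Removed';  Value = $k }
        }
    }
    return $events
}

$current = Get-RegistrySnapshot -Path $Path -Exclude $Exclude

if (-not (Test-Path -Path $BaselineFile)) {
    # First run: record the baseline. Protect this file; an attacker who can
    # rewrite it can silently re-baseline their own changes.
    $current | ConvertTo-Json | Set-Content -Path $BaselineFile -Encoding UTF8
    Write-Host "Baseline written to $BaselineFile ($($current.Count) values)"
} else {
    $baseline = @{}
    (Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $events = @(Compare-RegistrySnapshot -Baseline $baseline -Current $current)
    if ($events.Count -eq 0) {
        Write-Host 'No registry changes detected'
    } else {
        # Each row corresponds to one change event a RIM-style scanner would emit.
        $events | Format-Table -AutoSize
    }
}
```

Run the script once to write the baseline, then again after a change (for example adding a value under the Run key) to see an `Added` or `Modified` row. Two points matter in practice: the scan must run as an account that can read the whole subtree, or unreadable keys will be silently absent from both baseline and comparison; and the baseline itself must live somewhere the monitored users cannot write, or the comparison can be defeated by re-baselining.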

Security Updates

  • Updated OpenSSL to 1.0.2p.
  • Removed the use of insecure cipher suites; the cipher list now follows the OWASP broad compatibility list.

Enhancements

  • FIM/RIM now inserts scanned data into the database in batches (chunks) to keep memory consumption to a minimum.

Bug Fixes

  • Fixed an issue with event log sources whose names contain non-English characters. Previously, Snare could omit tracking of such event logs; Snare now handles these sources correctly.
  • The agent now displays a warning when a log destination is configured to send to the web UI port (6161) over TCP or TLS. Messages sent to the web interface are ignored, and in high-volume environments this configuration can slow the agent down to the point where it appears to hang, so it is not a recommended configuration. Sending logs to localhost is in general only used for testing, and then only over UDP, where the discarded logs cause no harm. Any real destination should use a real hostname or IP address rather than localhost. This change does not affect any other functionality.
  • During the agent uninstall process, the installer attempts to remove the FIM/RIM databases from the host filesystem. On Windows the installer may not have access to the Snare storage directory, in which case the data can be removed manually after uninstalling from the following location: C:\Windows\System32\config\systemprofile\AppData\Roaming\Snare