Release Notes for Snare Central v8.6.0

Snare Central v8.6.0 was released on 16th May 2024.

Snare Central incorporates Reflector v3.2.0, Snare Agent Manager (SAM) v2.0.0, and Snare Enterprise Agent for Linux v5.8.0.

If the threat intelligence component is active, version 6.8.7 of ElasticSearch is activated.

The following licensed components are available: 

  • Snare Management Center (SMC)
  • Snare Management Center Client (SMC)
  • Agent Management Console (AMC)
  • Snare Advanced Analytics (SAA) - new
  • Cloud Logs Collection:
    • Office 365 Logs Collection
    • Amazon Web Services Log Collection - new
    • Oracle Cloud Log Collection - new

Overview

Snare Central version 8.6.0 introduces several new capabilities including Snare Analytics Dashboards (pre-built and custom), logs collection from Azure, AWS and Oracle Cloud Infrastructure, integration with Okta, over 180 new reports and a number of other enhancements and bug fixes.

Compatibility Note

Snare Agent Manager (SAM) v2.0.0, included in this version of Snare Central, is compatible with the following versions of the Snare Agent:

SAM v2 Feature                         Supported Snare Agent Versions
Agent Configuration Management (New)   5.8.0 or newer
Agent License Management               5.5.0 or newer
Remote Agent Upgrade                   5.5.0 or newer
Agents Discovery using Network Scan    5.4.0 or newer

If you use these SAM features, upgrade the Snare Agents to the latest version BEFORE upgrading Snare Central.

After upgrading to Snare Central v8.6.0, please reboot the server to apply kernel changes, as advised by Ubuntu.

This version of Snare Central removes OpenVAS from the system. If you currently use this software, you will need to seek alternatives. The version we had installed has become too hard to maintain and update. Similar functions will be considered in the future, given the new analytics features in Snare Central.

Features and Enhancements

  • Snare Analytics Dashboards

    Licensed Feature

    This requires the Snare Advanced Analytics (SAA) or Snare Advanced Threat Intelligence (SATI) license features

    Visualise the data you collect to gain security insights and discover issues early!
    This new capability combines the power of Events Search, where you can construct, test and save log data queries, with the visual components you can use to visualise the results.
    Create pie charts, bar charts, line charts, tables and cards to build your own dashboard, or use one of the 26 pre-built Analytics Dashboards that are available out of the box.
    Dashboard components can be arranged in a grid-style pattern, and resized to highlight the importance of the information.
    Components can be linked to visualise different perspectives on the same data query.

    Please refer to the User Guide > Analytics Dashboards for detailed documentation. 

    26 pre-built dashboards are available under Analytics Dashboards:

    • Analytics Dashboards/Builtin Dashboards/Cloud Dashboards/
              - Amazon AWS Cloud Trail Log Activity
              - Amazon FlowLogs Activity
              - Amazon WAF Log Activity
              - Office 365 Audit Azure Log Activity
              - Office 365 Exchange Log Activity
              - Office 365 Sharepoint Activity
              - Oracle Audit Log Activity

    • Analytics Dashboards/Builtin Dashboards/Databases Dashboard/
              - MS SQL Database Activity

    • Analytics Dashboards/Builtin Dashboards/File and Registry Activity Dashboards/
              - Linux File Activity
              - Snare File FIM Activity
              - Snare REGISTRY RIM Activity
              - Windows File Activity
              - Windows Registry Activity

    • Analytics Dashboards/Builtin Dashboards/Linux Dashboards/
              - Linux User Activity

    • Analytics Dashboards/Builtin Dashboards/Malware XDR Dashboards/
              - Trend Log Activity

    • Analytics Dashboards/Builtin Dashboards/Network Dashboards/
              - Cisco ASA Activity
              - Fortigate Firewall Activity
              - Palo Alto Firewall Log Activity

    • Analytics Dashboards/Builtin Dashboards/Web Servers Dashboards/
              - Web Server Activity

    • Analytics Dashboards/Builtin Dashboards/Windows Dashboards/
              - Windows Administrative Activity
              - Windows DNS Server Log Activity
              - Windows Event Counts
              - Windows Group Change Activity
              - Windows Insider Threat Activity
              - Windows Login Activity
              - Windows Process Monitoring



  • Log collection from Cloud Providers
    Snare Central can now actively collect logs from the following supported cloud providers:
     - Amazon Web Services (AWS)
     - Azure Cloud
     - Microsoft 365
     - Oracle Cloud Infrastructure

    A new user interface is provided for configuring and monitoring event log collection:  System > Administrative Tools > Cloud Log Collection Configuration

    Reports and dashboards for the new log types are available out-of-the-box. Details are provided below. 



    Supported cloud providers: 
    • Microsoft 365

      Licensed Feature

      This capability requires either Office 365 Logs Collection (IA_CLOUD_O365) or Cloud Logs Collection (IA_CLOUD) license features

      Snare Central can collect activity logs from the Office 365 Management Activity API, including user, admin, system, and policy actions and events from Office 365 (rebranded to Microsoft 365) activity logs.
      This capability was first introduced in Snare Central v8.5.0.
      In this release, scalability and stability of the collection process were significantly improved. 
      A new user interface is now available to configure log collection from the Office 365 Management Activity API.

      For instructions on how to configure log collection from Office 365 Management Activity API, please refer to the User Guide > Microsoft 365 - Cloud Log Collection Configuration

    • Azure Cloud

      Licensed Feature

      This capability requires either Office 365 Logs Collection (IA_CLOUD_O365) or Cloud Logs Collection (IA_CLOUD) license features.

      Snare Central can be configured to collect activity logs from the Azure Log Analytics Workspace API.

      For instructions on how to configure log collection from Azure Cloud in Snare Central, please refer to the User Guide > Microsoft Azure - Cloud Log Collection Configuration

      Azure logs will be classified in Snare Central as documented here: User Guide > Log Types: Azure

      There are 59 new reports available out of the box for Azure cloud logs.

      • Reports/Cloud/Azure/SignIn Activities:
                - All SignIn Activities
                - External User SignIns
                - Guest SignIns
                - SignIns with Multi-Factor Authentication
                - SignIns with Single-Factor Authentication
                - Successful SignIn Activities
                - Unsuccessful SignIn Activities

      • Reports/Cloud/Azure/Azure Active Directory Audit:
                - All Azure AD Operations
                - Application Management Operations
                - Authorization Related Operations
                - Group Management Related Operations
                - Policy Related Operations
                - User Management Related Operations
                - Successful Operations
                - Unsuccessful Operations

      • Reports/Cloud/Azure/Platform Logs/Activity Logs:
                - Administrative Activities
                - All Activities with Errors
                - All Activities with Warnings
                - All Activity Logs
                - All Critical Activities
                - Network Resource Related Activities
                - Policy Related Activities
                - Security Related Activities
                - Successful Activities
                - Unsuccessful Activities
            
      • Reports/Cloud/Azure/Platform Logs/Resource Logs/NSG Logs/NSG Event logs:
                - All Event Logs
                - Event Logs from Default Rules
                - Event Logs from User-define Rules
                - Incoming Event Logs
                - Incoming Event Logs

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/NSG Logs/NSG Rule Counter Logs:
                - All Rule Counter Logs
                - Incoming Rule Counter Logs
                - Outgoing Rule Counter Logs
                - Rule Counter Logs from Default Rules
                - Rule Counter Logs from User-define Rules

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/Application Gateway logs/Access Logs:
                - All Access Requests
                - HTTP GET Requests
                - HTTP POST Requests
                - Successful Requests
                - Unsuccessful Requests

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/Application Gateway logs/Firewall Logs:
                - All Requests Processed by WAF
                - Requests Allowed by WAF
                - Requests Blocked by WAF
                - Requests Matched WAF Rules
                - Requests Captured by WAF Custom Rules
                - Requests Captured by WAF Pre-defined Rules
                - Requests under Global Policy
                - Requests under Listener Policy

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/Application Gateway logs/Performance Logs:
                - All Performance Logs
                - Logs with Unhealthy Host Count

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/Firewall logs/Application Rule logs:
                - All Application Rule logs

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/Firewall logs/DNAT Rule logs:
                - All DNAT Rule logs

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/Firewall logs/DNS Proxy logs:
                - All DNS Proxy logs

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/Firewall logs/Network Rule logs:
                - All Network Rule logs

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/Firewall logs/Legacy logs/Application Rule logs:
                - All Application Rule logs

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/Firewall logs/Legacy logs/DNS Proxy logs:
                - All DNS Proxy logs

      • Reports/Cloud/Azure/Platform Logs/Resource Logs/Firewall logs/Legacy logs/Network Rule logs
                - All logs
                - DNA Rule logs
                - Network Rule log


    • Amazon Web Services

      Licensed Feature

      This capability requires either Amazon Web Services Log Collection (IA_CLOUD_AWS) or Cloud Logs Collection (IA_CLOUD) license features.

      Snare Central can collect logs from AWS Kinesis Data Streams via the Kinesis Data Streams API.

      For instructions on how to configure log collection from AWS Kinesis Data Stream, please refer to the User Guide > Amazon Web Services (AWS) - Cloud Log Collection Configuration

      AWS logs will be classified in Snare Central as documented here: User Guide > Log Types: AWS

      There are 13 new reports available for AWS logs.

      • Reports/Cloud/AWS/Cloud Trail/Console Sign:
                - Console Login
                - Failed Console Login
                - Successful Console Login

      • Reports/Cloud/AWS/Cloud Trail/Detecting Stolen AWS Lambda Credentials:
                - AWS Lambda Cold Start Event
                - Customer Allocated IP Address
                - Events Using Stolen Lambda Credentials

      • Reports/Cloud/AWS/VPC Flow Log/Action:
                - Accept Traffic
                - Reject Traffic

      • Reports/Cloud/AWS/WAF/WAF Action:
                - WAF Allow Web Request
                - WAF Block Web Request
                - WAF CAPTCHA Web Request
                - WAF Challenge Web Request
                - WAF Count Web Request


    • Oracle Cloud Infrastructure

      Licensed Feature

      This capability requires either the Oracle Cloud Log Collection (IA_CLOUD_ORACLE) or Cloud Logs Collection (IA_CLOUD) license features.

      Snare Central can be configured to collect audit logs from the Oracle Cloud Infrastructure (OCI).

      For instructions on how to configure log collection from Oracle Cloud Infrastructure, please refer to the User Guide > Oracle - Cloud Log Collection Configuration

      Oracle Cloud logs will be classified in Snare Central as documented here: User Guide > Log Types: Oracle Cloud Infrastructure

      There are 25 new reports available for Oracle Cloud logs.

      • Reports/Cloud/Oracle Cloud Infrastructure/Admin Events/Admin Account Events:
             - Admin Account Create Events
             - Admin Account Delete Events

      • Reports/Cloud/Oracle Cloud Infrastructure/Admin Events/Admin Application Events:
             - Admin Application Create Events
             - Admin Application Delete Events
             - Admin Application Update Events

      • Reports/Cloud/Oracle Cloud Infrastructure/Admin Events/Admin Group Events:
             - Admin Group Add Member Events
             - Admin Group Create Events
             - Admin Group Delete Events
             - Admin Group Remove Member Events
             - Admin Group Update Events

      • Reports/Cloud/Oracle Cloud Infrastructure/Admin Events/Admin User Events:
             - Admin User Activated Events
             - Admin User Create Events
             - Admin User Delete Events
             - Admin User Password Reset Events
             - Admin User Update Events

      • Reports/Cloud/Oracle Cloud Infrastructure/Admin Events/Admin Me Events:
             - Admin Me Password Change Events
             - Admin Me Password Reset Events

      • Reports/Cloud/Oracle Cloud Infrastructure/Admin Events/Other Admin Events:
             - Admin Device Update Events
             - Admin Notification Settings Update Events

      • Reports/Cloud/Oracle Cloud Infrastructure/Admin Events/SSO Bypasscode Events:
             - SSO Bypasscode Create Events
             - SSO Bypasscode Delete Events

      • Reports/Cloud/Oracle Cloud Infrastructure/SSO Events:
             - SSO App Access Events
             - SSO Authentication Factor Initiated Events
             - SSO Authentication Failure Events
             - SSO Session Create Events


  • Cyber Network Map now displays additional AWS, Azure, Snort, SonicWall, CiscoRouterLog and Fortigate Log Types, enriched with geolocation data:

    • AWSVPCFlowLog
    • AzureAZFWNatRule
    • AzureAZFWNetworkRule
    • AzureFirewallNetworkRule
    • Snort
    • SonicWall
    • CiscoRouterLog
    • Fortigate
      • FortiGateEventWAD
      • FortiGateIPS
      • FortiGateEventHA
      • FortiGateAnomaly
      • FortiGateICAP
      • FortiGateGTP
      • FortiGateEventSystem
      • FortiGate
      • FortiGateDLP
      • FortiGateEventUser
      • FortiGateAppCtrl
      • FortiGateEventSecurityRating
      • FortiGateDNS
      • FortiGateWAF
      • FortiGateWebFilter
      • FortiGateEventSDWAN
      • FortiGateTraffic
      • FortiGateCIFS
      • FortiGateEventRouter
      • FortiGateEmailFilter
      • FortiGateEventFortiExtender
      • FortiGateEventWireless
      • FortiGateFileFilter
      • FortiGateSSL
      • FortiGateEventConnector
      • FortiGateEventEndpoint
      • FortiGateAntivirus
      • FortiGateSSH
      • FortiGateVoIP
  • Executive Dashboard
    • Main Dashboard was renamed to Executive Dashboard
    • The Historical Collection graph now displays an additional column for Compressed Bytes, and shows a summary of received data volume versus stored compressed data volume, highlighting the storage saving.

    • Live Events chart now shows EPS (events per second) instead of BPS (bytes per second).

  • The Monitor Live Data page was redesigned for faster performance.
    Please refer to the User Guide > Status > Monitor Live Data for details.

  • Integration with Okta: Single Sign-on (SSO) and Multi-Factor Authentication (MFA) are now available in Snare Central for customers using Okta, and can be enabled by the Administrator via Configuration Wizard > Identity and Access Management Setup.
    When enabled, users can log in to Snare Central with their Okta account.
    The local Administrator account can still log in directly to manage the Okta integration settings.
    Please refer to the User Guide Appendix C - Creating an SSO and MFA OpenID Connect Integration with Okta for details.


  • Snare Agents Configuration Management via SAM
    Snare Central v8.6.0 includes Snare Agent Manager (SAM) v2.0.0, introducing the capability to remotely manage Snare Agent configuration and policies.
    The new capabilities of SAM will replace the legacy AMC (Agent Management Console) component. AMC will be removed in future releases.
    SAM, in combination with Agents v5.8.0 or newer, has the capability to use a firewall friendly 'pull style' configuration management capability, rather than AMC's push-style capability.
    Please refer to SAM documentation for details: 
  • Improved performance and functionality of the Real-time alert components. Migrated to a new Real-time subsystem, deprecating reliance on a legacy IPDB data access layer.

  • Improved Real-time alerts to report on every match and not only on a highest priority one.

  • Additional options are available for Email, SMS and SMTP notifications, configurable via Configuration Wizard > Alert Manager Setup.
    Please refer to the User Guide > Configuration Wizard > Alert Manager Setup for details. 

  • Events Search enhancements: 
    • Event Search now returns the exact number of returned events, rather than an indicative "at least this number" of events.
    • Event Search results now display accurate number of extracted events, rather than an estimated number.
    • Case-insensitive Basic Event Search queries that search in specific fields now use exact match (INCLUDES) rather than partial match (REGEXI). This significantly speeds up these queries.
    • Improved speed of pagination and sorting for event search results.
    • Improved display of error messages to be more descriptive.

  • Reflector improvements:
    • Improved Reflector collection performance, by introducing geolocation caching and other performance optimisations.
    • Improved the CiscoFTDLogSecurityEvent log processing speed.
    • Added event truncation for very large incoming events. Events arriving at the Snare Central server will be truncated at 5 megabytes in size per event (configurable, and can be disabled). This provides increased protection against potential massive-event denial of service attacks against the audit collection infrastructure in situations where untrusted third parties can potentially generate event data.
    • Batch destinations, such as the Elastic bulk upload facility, now report a 'connected' state to the health checker once the first connection attempt succeeds, and keep reporting it until a connection attempt fails.
    • Updated "Snare Server 7.1+" format description on Help page to reduce confusion.
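The per-event size cap described under "Reflector improvements" above, as an added example that is not Reflector's code: a bounded reader for newline-delimited events that discards bytes beyond the cap as they arrive (so one oversized event cannot force unbounded buffering), records the original size so oversized senders can be alerted on, and can be disabled with `max_bytes=None`. The constant, function and class names, the 5 MB default taken from the note above, and the sample stream are this example's own assumptions.

```python
"""Per-event size cap for a newline-delimited event stream (added example)."""
import io
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed default: the release notes state a 5 MB per-event limit that is
# configurable and can be disabled. Names here are this example's own.
DEFAULT_MAX_EVENT_BYTES = 5 * 1024 * 1024


@dataclass
class Event:
    data: bytes           # event payload, cut at the cap if it was oversized
    truncated: bool       # True when bytes were discarded
    original_size: int    # size on the wire, useful for alerting on abuse


def iter_events(stream: io.BufferedIOBase,
                max_bytes: Optional[int] = DEFAULT_MAX_EVENT_BYTES,
                chunk_size: int = 64 * 1024) -> Iterator[Event]:
    """Yield newline-delimited events from `stream`.

    Bytes beyond `max_bytes` for a single event are dropped as they arrive,
    so memory stays bounded by the cap even if a sender never terminates
    the event. max_bytes=None disables the cap entirely.
    """
    buf = bytearray()
    dropped = 0  # bytes discarded from the event currently being assembled

    def flush() -> Event:
        return Event(bytes(buf), dropped > 0, len(buf) + dropped)

    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            if buf or dropped:      # unterminated final event
                yield flush()
            return
        start = 0
        while True:
            nl = chunk.find(b"\n", start)
            piece = chunk[start:] if nl < 0 else chunk[start:nl]
            if max_bytes is None:
                buf += piece
            else:
                room = max(max_bytes - len(buf), 0)
                buf += piece[:room]                      # keep what fits
                dropped += len(piece) - min(room, len(piece))  # count the rest
            if nl < 0:
                break               # event continues in the next chunk
            yield flush()
            buf = bytearray()
            dropped = 0
            start = nl + 1


def events_from_bytes(data: bytes,
                      max_bytes: Optional[int] = DEFAULT_MAX_EVENT_BYTES,
                      chunk_size: int = 64 * 1024) -> List[Event]:
    """Convenience wrapper: parse an in-memory byte string."""
    return list(iter_events(io.BytesIO(data), max_bytes, chunk_size))


if __name__ == "__main__":
    # Constructed sample: a normal event, a 100-byte oversized event, a normal event.
    sample = b"short event\n" + b"A" * 100 + b"\ntail\n"
    for ev in events_from_bytes(sample, max_bytes=32, chunk_size=7):
        print(f"{ev.original_size:>4} bytes on wire, truncated={ev.truncated}: "
              f"{ev.data[:40]!r}")
```

The small `chunk_size` in the usage block only exercises the cross-chunk path; in practice the chunk size is a socket read size and the cap is the operational limit. Alerting on `truncated` events (rather than silently dropping bytes) is what turns the cap from a crash guard into a detection signal.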

  • AMC performance improvements

  • Added a warning on the AMC page to recommend managing Agents v5.8.0 configurations via SAM

  • Added Email Alerts/Reports customisation options:
    • A new "Override Email Subject" option was added to the Email Setup section of the Configuration Wizard.
    • A new "Customise Email Header" section was added to the Dynamic Query configuration section to tailor the header of report emails.

  • Introduced a new Data Migration Manager tool, replacing the Side by Side Migration menu.
    Please refer to the User Guide > Appendix D - Data Migration Guide for Snare Server for details. 

  • Improved support for LDAP nested groups.
    Please refer to the User Guide > Appendix A - LDAP and LDAP Groups for Snare Central - User Information for details. 


  • SNMP can now be configured in the Snare Central user interface. A new snmpd subsection was added to the Configuration Wizard > SNMP Setup section.
    Please refer to the User Guide > Configuration Wizard > SNMP Setup for details. 

  • The unused "Enable Date-Based Event Discard" checkbox was removed from the Configuration Wizard > Performance and Hardware section.

  • Unused systemd-timesyncd service is now disabled by default.

  • In the "System Software Check" section of the Health Checker, removed mentioning of md5sum. MD5 is deprecated and newer hashing algorithms are now used.

  • Improvements to Support Data Retrieval:
    • Allow the same file(s) to be downloaded multiple times.
    • Allow generation of support data after previous execution was interrupted by reboot.
    • Improved logging of TLS issues.

  • Added support for CISCO ISE logs

  • PIX/ASA CEF output will now use dhost rather than dst, if the ASA source reports a hostname rather than an IP address. Extraneous details will also be stripped from that field.

  • Added 84 new reports available out of the box:
    • 10 new reports for Windows Certificate changes on systems, and also changes from a Windows Certificate authority

      • Reports/Operating Systems/Administrative Activity/Microsoft Certificates:
             - Certificate is expiring
             - Certificate Security Events
             - Certificate was Deleted
             - Certification Authority High Risk Events
             - Microsoft Certificate Activity

      • Reports/Operating Systems/Administrative Activity/Microsoft Certificates Snare V2:
             - Certificate is expiring
             - Certificate Security Events
             - Certificate was Deleted
             - Certification Authority High Risk Events
             - Microsoft Certificate Activity
    • 30 new reports for logs collected via Windows Advanced Auditing policies in snare V2 format

      • Reports/Operating Systems/Windows Incidents Snare V2/Windows Advanced Auditing Snare V2:
             - Windows ADV Audit Pattern events
             - Windows ADV Audit Replay Attack
             - Windows ADV Audit SID History
             - Windows ADV Audit Directory Services Restore
             - Windows ADV Audit Role Separation
             - Windows ADV Audit Special Groups Assigned new logon
             - Windows ADV Audit Security Updated on the OCSP Responder
             - Windows ADV Audit Administrator Crash on Audit Fail
             - Windows ADV Audit SIDs Filtered
             - Windows ADV Audit Backup and Recovery of Data protection master key
             - Windows ADV Audit New Trust created on domain or changed
             - Windows ADV Audit Kerberos Policy was changed
             - Windows ADV Audit Encrypted data recovery policy was changed
             - Windows ADV Audit policy on object was changed
             - Windows ADV Audit Password reset attempt
             - Windows ADV Audit Local and global group changes
             - Windows ADV Audit Domain Policy Changed
             - Windows ADV Audit ACL on account members of administrators group
             - Windows ADV Audit RPC Detected Integrity violation
             - Windows ADV Audit Trusted forest information
             - Windows ADV Audit Certificate Change activity
             - Windows ADV Audit Crash on audit fail
             - Windows ADV Audit Settings on object changed or Policy changed
             - Windows ADV Audit Special groups login table modified
             - Windows ADV Audit IPSec Changes
             - Windows ADV Audit Windows Firewall changes
             - Windows ADV Audit File hash is not valid or corrupt
             - Windows ADV Audit OCSP Responder changes
             - Windows ADV Audit Credential Manager backup or restore
             - Windows ADV Audit Network Policy changes


    • 5 new Reports to cover MSSQL Server admin activity for events in snare V2 format

      • Reports/Application Audit/MSSQL Server Snare v2:
             - MS SQL Account Admin
             - MS SQL EventID Summary
             - MS SQL Logins
             - MS SQL Logouts
             - MS SQL Privilege Usage
    • 8 new Reports to cover Sysmon new events 26,27,28,29

      • Reports/Operating Systems/Windows Incidents/Sysmon Activity:
             - 26 File Delete Detected
             - 27 File Block Executable
             - 28 File Block Shredding
             - 29 File Executable Detected

      • Reports/Operating Systems/Windows Incidents Snare v2/Sysmon Activity Snare v2:
             - 26 File Delete Detected
             - 27 File Block Executable
             - 28 File Block Shredding
             - 29 File Executable Detected


    • 3 new Reports for Trend Micro events for malware activity

      • Reports/Application Audit/Malware Tools/Trend Micro:
             - Trend Log Activity by System
             - Trend Log Activity by Eventtype
             - Trend Reports
    • 2 new Reports for Windows Registry and RIM events

      • Reports/Operating Systems/File And Resource Access/Windows Registry And RAM/Windows Registry Snare V2:
             - Windows RAM Activity
             - Windows RIM Activity


    • 24 new reports for ApacheLog, IISWebLog, ISAWebLog and MSProxySvr logs received in snare v2 format

      • Reports/Application Audit/Apache Web Server Logs v2:
             - Error Codes
             - Protocols
             - Suspicious URLs
             - Top Sources
             - URL Scanner
             - Web Server Return Code Exceptions

      • Reports/Application Audit/IIS Web Server Logs v2:
             - Error Codes
             - Protocols
             - Suspicious URLs
             - Top Sources
             - URL Scanner
             - Web Server Return Code Exceptions

      • Reports/Application Audit/ISA Web Server Logs v2:
             - Error Codes
             - Protocols
             - Suspicious URLs
             - Top Sources
             - URL Scanner
             - Web Server Return Code Exceptions

      • Reports/Application Audit/MS Proxy Server Logs v2:
             - Error Codes
             - Protocols
             - Suspicious URLs
             - Top Sources
             - URL Scanner
             - Web Server Return Code Exceptions


    • 2 new AppleBSM (macOS) reports for events in snare v2 format

      • Reports/Operating Systems/File and Resource Access/MacOS Snare v2:
             - File Access

      • Reports/Operating Systems/Process Monitoring/MacOS Snare v2:
             - Sensitive Applications


  • For events arriving in Syslog RFC5424 format, syslog MSGID, PROCID and APPNAME are preserved for GenericLog events, if supplied.
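The RFC 5424 field handling described in the item above, as an added example that is not Snare Central's parser: a header parser that extracts APP-NAME, PROCID and MSGID, treats the NILVALUE "-" as "not supplied", parses STRUCTURED-DATA, and flattens the result into a record where those three fields are only present when the sender supplied them. The `SyslogMessage` and `to_generic_log` names are this example's own; the sample lines in the usage block are the public examples from RFC 5424 section 6.5.

```python
"""RFC 5424 syslog parser preserving APP-NAME, PROCID and MSGID (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# RFC 5424 section 6: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID,
# separated by single spaces. "-" is the NILVALUE for an absent field.
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)
_PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]
    hostname: Optional[str]
    appname: Optional[str]      # None when the sender supplied NILVALUE
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: Dict[str, Dict[str, str]] = field(default_factory=dict)
    msg: Optional[str] = None


def _nil(value: str) -> Optional[str]:
    return None if value == "-" else value


def _unescape(value: str) -> str:
    # RFC 5424 6.3.3: only '"', '\' and ']' are escaped inside a PARAM-VALUE.
    return re.sub(r'\\([\\"\]])', r"\1", value)


def _parse_structured_data(text: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Return (elements, remainder); `text` starts at STRUCTURED-DATA."""
    if text.startswith("-"):
        return {}, text[1:]
    elements: Dict[str, Dict[str, str]] = {}
    pos = 0
    while pos < len(text) and text[pos] == "[":
        end = pos + 1
        while True:  # find the closing bracket that is not escaped
            end = text.find("]", end)
            if end < 0:
                raise ValueError("unterminated SD-ELEMENT")
            if text[end - 1] != "\\":
                break
            end += 1
        sd_id, _, params = text[pos + 1:end].partition(" ")
        elements[sd_id] = {k: _unescape(v) for k, v in _PARAM_RE.findall(params)}
        pos = end + 1
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more SD-ELEMENTs")
    return elements, text[pos:]


def parse_rfc5424(line: str) -> SyslogMessage:
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility * 8 + severity; 23 facilities max
        raise ValueError("PRI out of range")
    elements, rest = _parse_structured_data(line[m.end():])
    msg: Optional[str] = None
    if rest.startswith(" "):
        msg = rest[1:]
        if msg.startswith("\ufeff"):  # optional UTF-8 BOM before MSG
            msg = msg[1:]
    elif rest:
        raise ValueError("unexpected data after STRUCTURED-DATA")
    return SyslogMessage(
        facility=pri >> 3, severity=pri & 7,
        timestamp=_nil(m["timestamp"]), hostname=_nil(m["hostname"]),
        appname=_nil(m["appname"]), procid=_nil(m["procid"]), msgid=_nil(m["msgid"]),
        structured_data=elements, msg=msg,
    )


def to_generic_log(sm: SyslogMessage) -> Dict[str, object]:
    """Flatten to a record; APPNAME/PROCID/MSGID appear only when supplied,
    so a NILVALUE never becomes a literal '-' field in search results."""
    record: Dict[str, object] = {
        "facility": sm.facility, "severity": sm.severity,
        "timestamp": sm.timestamp, "hostname": sm.hostname, "msg": sm.msg,
    }
    for key, value in (("APPNAME", sm.appname), ("PROCID", sm.procid), ("MSGID", sm.msgid)):
        if value is not None:
            record[key] = value
    for sd_id, params in sm.structured_data.items():
        for name, value in params.items():
            record[f"sd.{sd_id}.{name}"] = value
    return record


if __name__ == "__main__":
    # Sample lines taken from RFC 5424 section 6.5 (BOM omitted).
    for line in (
        "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed for lonvick on /dev/pts/8",
        '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] An application event log entry...',
    ):
        print(to_generic_log(parse_rfc5424(line)))
```

Keeping MSGID and APP-NAME as first-class fields matters for detection content: a rule such as "APPNAME is sshd and MSGID identifies an authentication failure" is far cheaper and more reliable than a regex over the free-text MSG, and PROCID lets events from the same daemon instance be correlated.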

  • Set default SSH LogLevel value to VERBOSE instead of INFO for improved auditing.

  • Adjusted the firewall rules save/restore process to align with UFW state. In situations where a firewall rule has been removed in the Snare Configuration wizard, but the Snare collection service has been terminated, there was a risk that a 'ghost' version of the firewall rule would be resurrected when the Snare collection service restarts. This update will force the saved firewall rules to correctly map to the rules specified in the wizard.

  • Added clean-up of a temporary folder after successful upgrade.

  • Improvements to the daily log vacuum task to also include mail drop directory.

  • Improvements to the services monitor to restart only required services.

  • Change made to the Networking and IP Configuration options of the Snare Central Administration Menu to support DHCP.

  • Added "6-monthly" scheduling option for Reports.

  • Modified some report names to use consistent capitalisation for new installations.

  • New packages added:
    • Added rclone package to the base install for interaction with cloud storage

  • Other code refactoring and minor enhancements.

Security

  • System packages updated to mitigate security vulnerabilities
  • Added LDAP/TLS support for the Agent Management > Snare Agents > Retrieve User and Group information from Windows Servers functionality
  • Included Canonical FIPS-certified libraries in Snare Central
  • Removed deprecated OpenVAS packages and functionality
  • Upgraded JQuery version from 1.11.3 to the latest version 3.6.1
  • Upgraded Bootstrap css framework from 3.2.0 to the latest version 5.3.0
  • Upgraded Angular.js in Reflector UI to version 1.8.2
  • Restricted permissions on a sensitive file
  • User with read only access will now be restricted from cloning reports owned by other users

  • Improved permissions handling for cloning, creating container and creating reports and objectives
  • Fixed potential information leak in Ubuntu’s default MOTD (Message of the Day) command
  • Improved fresh installation and upgrade processes to ensure that ElasticSearch is not installed if SATI is not enabled
  • Improved secure handling of encryption keys in Snare Central
  • Removed interactive, password-protected access to generated PDF files via the web interface
  • Security hardening of the internal listeners

Bug Fixes

  • Fixed a problem in the backup and restore tool that blocked the restore functionality when an invalid filename or path was present in the backup
  • Fixed an issue in Event Search results that include events from disparate log types, where field names and data could sometimes be missing
  • Fixed an issue in Event Search results where clicking on the last results page in pagination bar results in error
  • Fixed issue where adding a new destination in primary server does not get updated in secondary in High Availability (HA) cluster
  • Removing data using 'Any Log Type' now works correctly
  • Fixed an issue where Snare Reflector could stop collecting events if very large events were received, and the disk is very slow. Timeout adjusted to better accommodate slow disks
  • Updated Documentation External link and Configuration Wizard Documentation link to the latest User Guide for Snare Central
  • Updated minimum disk space required warning to 400GB during installation
  • Self-signed certificates generated by the Snare Central server can now include fully qualified domain names
  • Japanese characters now work in real-time alerts
  • Resolved issue with the console administration menu not disabling a network interface as expected
  • Resolved a login problem when LDAP is enabled and configured to use SAMAccountName
  • Non-standard mount points can now have warning and problem thresholds configured in the Snare Central Health Checker
  • Missing Bytes per Second graph is now displayed correctly on the Reflector Dashboard
  • Fixed Expand functionality of the Reflector Dashboard graphs to respond immediately
  • Fixed issues with display and colouration of the Event Data pop-up window of the Pattern Map
  • Fixed parsing of Windows Apache Logs. The XAMPP default log format is now supported for Apache
  • Fixed broken layout of schedule data backup dialog
  • Fixed browser errors in Configuration Wizard > Alert Manager Setup > IAM Setup section
  • Fixed issue with proxy password handling when updating proxy details
  • Fixed automatic Wizard walkthrough using "Next" button
  • Other minor internal fixes

User Guides

Offline version of the User Guide related to this release

Installation Guide for Snare Central