Snare MSSQL Agent v5.6.0 was released on Xth May 2022.

Security Updates

  • Removed MD5 and SHA1 hashes from the release metafiles. Only SHA512, from the SHA-2 family, is now used to verify the integrity of binary files.
  • Third-party libraries upgraded: 
    • OpenSSL upgraded to version 1.1.1m
    • curl upgraded to version 7.79.1

New Features and Enhancements

  • Snare Agent for Microsoft SQL Server can now be configured to collect Extended Events, and not only Trace events. 
    This adds the ability to exercise granular control over the logs collected from the MS SQL server, with over 1,800 event types available for collection (depending on the version of MS SQL server).
    • Use the new View Extended Events page to explore the tree of categories and events available on the current server. Use Filter to find events of interest by name.
    • On the Audit Policies Configuration page, use the new Add Extended Event button to add a new Extended Event Policy. 
    • Adding a Trace policy is still supported, but is not recommended, as this auditing method was deprecated by Microsoft. 

    For details, please refer to the User Guide for Snare MSSQL Agent.

  • A new checkbox setting was added on the Agent's Access Configuration page that allows TLS 1.2 to be disabled, so that TLS 1.3 is the minimum version for web UI connections
  • The name of the self-signed certificate generated by the Agent by default was changed from the host name to "Snare Agent"
  • The Snare debug log (sometimes required for troubleshooting by Snare Support) can now be generated from the Web UI without stopping the Agent.
    Navigate to the Snare Log page in the Agent's Web UI, configure the output directory and the duration of debug log capturing, and click Start Debug Log.
    The Stop Debug Log button stops logging before the configured time has elapsed.
  • Optimised memory usage in Heartbeat log handling when 'Agent Logging Options' is set to Trace level and 'Agent Heartbeat Frequency' is set to a longer period
  • A warning will be displayed on the Destination Configuration page when sending to a Snare destination using the TLS_AUTH protocol without changing the default TLS_AUTH Authentication Key

Bug Fixes

  • Fixed a defect where Snare Agent for MSSQL failed to restart after an empty or incorrectly formatted audit policy (aka objective) was set manually by editing the registry
  • The Agent will now attempt to reuse the existing self-signed certificate instead of creating a new one every time remote configuration is pushed from Snare Central AMC
  • Cached Events will now be sent as their correct event types, and not as the generic CachedEvent type
  • Updated file path traversal to be more robust on a variety of platforms
  • Improved robustness when using the IP address in events: the Agent now retries multiple times when the system has yet to get a valid IP address
  • Cache Path and Heartbeat Output Path are set to the installation folder by default
  • Agent now properly handles paths containing \n inside the event content
  • Fixed the issue where HeartBeat events had empty JSON content, when sent to a destination in SNARE V2 or SYSLOG JSON format
  • The Heartbeat event checksum option is now written to the heartbeat export file if enabled
  • Replaced deprecated conversion methods between string and wide string
  • Fixed an issue in cluster installation that caused "Internal Server Error" on the Destination Configuration page in some cluster environments
  • Fixed handling of comma-separated user search term filtering. A warning will be displayed when the given input search term reaches the maximum acceptable length
  • Removed duplicated warning messages on the Destination Configuration page, improved message format consistency
  • Removed irrelevant warning that was shown when destination was configured with port 514 and SYSLOG JSON format
  • Fixed an error that occurred when users accidentally entered space(s) in the Destination and/or SAM IP address
  • Corrected the misleading message for expired license support
  • Reduced the severity of the erroneous error "CN is not found for certificate" to an informational message
  • Resolved an issue where logs displayed on the Snare Log page might be filtered incorrectly

User Guide

The following is an offline version of the User Guide related to this release.


For an up-to-date version refer to the online version here.
