Release Notes for Snare Windows Agent v5.1.0
Snare Windows Agent v5.1.0 was released on 11th April 2018.
New Features
- Introducing the File Integrity Monitoring (FIM) module to provide file or directory hash details . The FIM module can be used to scan files/directories and compare against a known baseline of file details including file attributes and hash (sha512) details. Events are generated upon changes to file contents or attributes. The new screen in the agent allows the user to select a file, directory and recursively scan multiple directories to include or exclude files or directory locations as needed. This new feature will generate a new Snare log type called FIMLog. For reporting in Snare Central the system will need to be patched to 7.3.0 to understand the new log type, prior to this version it will show up as GenericLog. As part of this new feature in the agent the Latest Events page in the agent has a new tab " File Integrity" to show the FIM events. This new FIM feature is designed to complement the other FIM/FAM file activity event log reporting the agent current has.Â
- As of 5th May 2018 the Snare windows agent has achieved Veracode VerAfied security compliance to VL4 status. The 5.1.0 version of the Snare Windows agent now meets the Veracode VL4 certification policy criteria. By using Veracode independent source code static analysis methods there are no very high, high, or medium security rated vulnerabilities present based on OWASP top 10 and SANS top 25 coding vulnerabilities. See the following for more information https://www.veracode.com/get-verafied-and-listed
Enhancements
- New command line switch /license is introduced for the agent setup configuration file (.INF). This switch can point to the license file to be used during installation. This license file selected through /license switch has the higher priority than the license options selected though installer UI. For example /license="20180206-SnareAgent-Evaluation-AZP-CYT.sl"
- Previously, when option 'Host IP As Source' was selected the first IP address of machine network adapters was used as the source address with reported events to the syslog destination. Now the user is shown all the IP addresses of the machine through a drop-down list. User can now select the specific IP address to be used to report the source IP of the events. If the network adapter is not available, then it will default the override hostname to that of the server name. The Host IP As Source, enabling this setting will use the first network adaptor as listed in the network configuration as the source of the IP address. The agent will periodically (approximately ten minutes) check this setting and pick up any changes that occur on the host via a manual change of IP or DHCP reassignment. The value of the IP address will be displayed in the Override detected DNS Name with once selected. If the host does not have a valid IP address, i.e. DHCP has not been responded to, then the syslog message will default to the system's hostname which is the default setting for the agent. If the host does not have a valid network IP address then it can not send events regardless of any network override setting. At least one network interface must be operational for the agent to send events.Â
- The Latest Events page has been changed to show the file opened on disk for a file destination .Â
As a result of this change, the file name set on file destination configuration is not shown as it is the wrong file opened on disk but will show the real file on disk with the name appended with date. For example. C:\file_destination.txt will be shown as C:\file_destination_YYYYMMDD.txt - User Interface (UI) update that affects the IP Address allowed to remote control SNARE field. This field is disabled if Restrict remote control of SNARE agent to certain hosts is selected in Access Configuration page.
- Updated usability on the Destination Configuration page, with a Hostname Options section.
- Trace level logging now displays the bytes and events sent per second (EPS) for each configured destination after 5 secs. This will aid in correlating and debugging the EPS rates when sending logs.
- The events filtering subsystem is modified to collect and audit File Event ID 4670 when the General Configuration | Allow Snare to automatically set file audit configuration? is selected and objective is created.
Security Updates
- Maintenance update for OpenSSL to patch to OpenSSL-1.0.2n.
Bug Fixes
- Fix issue with heartbeat license messages spamming the logs with a license heatbeat every 60 minutes (if heartbeats are disabled) or every heartbeat period. Also fixed an issue with SAM issued licenses being immediately marked as expiring in 30 days and thus warning the customer that it was about to expire.
- Heartbeats events are added for the Information level to provide more information regarding the working of agent. These new heartbeats are sent when any setting is changed from GUI and when the agent service status is changed.
- This change modifies Agent behavior to not log any heartbeat if there is no SAM configured to connect. If there is a SAM configured, then to log a heartbeat if the connection is lost for every 2 hours.
- Objective matching in Snare now supports wildcards properly. In existing release of Snare in some situations this wildcard matching can cause stack overflow crash. This issue is fixed in this release and stack overflow possibility is removed during wildcard matching.
- The agent installer is capable of listing any license files it finds in the same directory as the agent executable. This change updates the agent installer to include a "None" option, to not install any license file if present.
- Fixed a bug where the Snare Agent would not import the SyslogPriority, SyslogFacility, CacheSizeSet values from an .INF (agent setup configuration file). Consequently CacheSizeEventLog was not used due to this bug.
An installation issue in the previous release of Snare may cause the installation to fail on some busy machines for 32-bit OS. Now installer properly checks the status of service operations and retries appropriately when needed.
Resolved issue where an incorrectly defined destination in Super Group Policy could prevent the agent from starting.
Some agent settings are machine specific i.e. Clientname, HostIP and HostGUID. There was an issue in the export settings command -x that was causing these machine specific settings to be exported into the .inf file and then can subsequently be loaded with /loadinf option during install. This issue is fixed in this release and now machine specific values are not exported into .inf file and even if .inf file is manually edited; these values are ignored during loadinf option.
- Fixed an issue whereby the Snare Server (via AMC) could not retrieve the master configuration from an agent using digest authentication.
Other
Version v5.1.0 is the final version to officially support operating system Windows XP for 32-bit and 64-bit.