Snare Management Center

Snare Management Center is available only with an appropriate license. 

See Snare Management Center page in this User Guide. 

Antivirus Administration

Snare Central is based on a custom distribution of Linux, and is therefore potentially susceptible to (significantly) less than 1% of all viruses currently in the wild. Snare Central does not provide desktop-level functionality, and the risk profile for virus infection on Snare Central is extremely low. However, Snare Central integrates the ClamAV virus checker, which is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It includes a high performance multi-threaded scanning daemon that provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats.

The antivirus scan can be run on a scheduled basis, and can be configured to:

  • perform a complete system scan,
  • exclude the Snare Data Store and results cache from the scan (recommended), or
  • scan only the home directories of Snare Central user accounts.

It is recommended that the Data Store and results cache be excluded from the scan because there is a significant risk that the virus scanner will raise false positives in those directories, due to the nature and volume of data stored there.

It is the customer's responsibility to ensure that the antivirus software is kept up to date and is scheduled to run in accordance with your corporate security policy.

Cloud Log Collection Configuration

Configure active log collection from supported cloud providers such as AWS, Azure, Oracle Cloud, etc.

See Cloud Log Collection Configuration page in this User Guide.

Configuration Wizard

The configuration wizard is covered earlier in this User Guide.

Configure Collector/Reflector

See Configure Collector/Reflector page in this User Guide. 

Configure GeoLocation for Mapping

In order to plot log data accurately on geographical maps, for example on Cyber Network Map page, it may be necessary to explicitly map internal network IP addresses and hostnames to their geographic locations.

  • Use one of the following options available in the drop-down list:
    • IP Address - enter a single IP address
    • IP Range - enter From and To IP addresses to define a range
    • IP Wildcard - enter an IP address with one of the fields as a wildcard (asterisk *), for example, 10.10.10.*
    • IP Netmask - enter an IP address and a netmask
    • CIDR Block - enter an IP address and a CIDR prefix
    • Hostname - enter a single hostname
    • Hostname Regex - enter a regular expression for hostnames to match
  • Choose the geographic location from the auto-suggestion list by entering at least the first three characters of the city/state/province/country in the location field.
  • Click to add the mapping. The new mapping will appear in the list on the same page.
  • Add as many mappings as required.
  • Click at the top of the page to restart the collection service and apply the changes.

Each mapping in the list can be edited or deleted using action buttons:
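The matching rules behind the seven drop-down options above, written out as an added example (not Snare Central's own code) so the precedence and edge cases are visible. The entry forms for IP Range ("from-to") and IP Netmask ("address/netmask"), the first-match-wins ordering, and the sample mappings are all assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    kind: str      # one of the drop-down options listed on the page
    value: str     # the operator's entry, e.g. "10.10.10.*"
    location: str  # the location chosen from the auto-suggest list


def _parse_ip(host):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # not an IP literal: treat it as a hostname


def matches(m, host):
    """True if `host` (an IP literal or a hostname) falls under mapping `m`."""
    ip = _parse_ip(host)
    if m.kind == "IP Address":
        return ip is not None and ip == ipaddress.ip_address(m.value)
    if m.kind == "IP Range":
        # assumed entry form "from-to"; the UI uses two separate fields
        lo, hi = (ipaddress.ip_address(p.strip()) for p in m.value.split("-"))
        return ip is not None and ip.version == lo.version and lo <= ip <= hi
    if m.kind == "IP Wildcard":
        # 10.10.10.* : every octet must equal the pattern octet unless it is "*"
        if ip is None or ip.version != 4:
            return False
        pattern, octets = m.value.split("."), host.split(".")
        return len(pattern) == 4 and all(p == "*" or p == o for p, o in zip(pattern, octets))
    if m.kind == "IP Netmask":
        # assumed entry form "address/netmask", e.g. 192.168.0.0/255.255.0.0
        return ip is not None and ip in ipaddress.ip_network(m.value, strict=False)
    if m.kind == "CIDR Block":
        return ip is not None and ip in ipaddress.ip_network(m.value, strict=False)
    if m.kind == "Hostname":
        return ip is None and host.lower() == m.value.lower()
    if m.kind == "Hostname Regex":
        return ip is None and re.fullmatch(m.value, host, re.IGNORECASE) is not None
    raise ValueError(f"unknown mapping type: {m.kind}")


def resolve(mappings, host):
    """First matching mapping in list order wins (an assumption; the page does not
    state precedence). Returns the location, or None for an unmapped host."""
    for m in mappings:
        if matches(m, host):
            return m.location
    return None


# Constructed sample mappings, one per drop-down option.
SAMPLE_MAPPINGS = [
    Mapping("IP Address", "10.1.1.5", "Melbourne"),
    Mapping("IP Range", "10.2.0.1-10.2.0.50", "Brisbane"),
    Mapping("IP Wildcard", "10.10.10.*", "Sydney"),
    Mapping("IP Netmask", "192.168.0.0/255.255.0.0", "Perth"),
    Mapping("CIDR Block", "172.16.0.0/12", "Adelaide"),
    Mapping("Hostname", "dc01.corp.example", "Canberra"),
    Mapping("Hostname Regex", r"^web-\d+\.corp\.example$", "Hobart"),
]


if __name__ == "__main__":
    for h in ["10.10.10.77", "DC01.corp.example", "web-12.corp.example", "8.8.8.8"]:
        print(f"{h:22} -> {resolve(SAMPLE_MAPPINGS, h)}")
```

Hosts that match nothing resolve to None, which is where the map falls back to the GeoIP database for public addresses.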
 

Display the Snare Log File

In situations where you request assistance from your Snare Central support team, you may be asked to email a copy of the Snare debug log file. This file contains generic information on what objectives run, and what scheduled tasks are currently implemented. Increasing the Snare Central debug level (see the section above on "Configuration Wizard" for more information), will significantly increase the amount of data that is written to this file.

Display the Snare Service Monitor Log File

Collection is a high priority process on Snare Central, and there are backend processes that try to ensure that collection is robust and reliable. If something causes the collection subsystem to fail, it will be restarted as soon as possible, and the server will attempt to collect as many useful statistics relating to memory usage, disk usage, and process information, as it can, in order to support debugging efforts by your Snare Central support team.

File Integrity Check Administration

This tool allows the user to schedule, monitor and administer system file integrity checks and to report on any changes to those files.

The File Integrity Check objective scans the current data store and the underlying operating system and calculates the SHA3-256 checksum for every file it detects. The objective stores the data in a database on a scheduled basis. It is important that the user understands that this objective needs to be scheduled in order to generate the FIM scans and databases.

This page will also allow the user to see the difference between any two selected databases in order to verify that data has not been tampered with since the selected runs.

This comparison can take several hours to finish, so the job will be queued to be executed in the background.

Please note that the Snare Central Health Checker will, by default, report the difference between the current day's and yesterday's databases.

It is also important to note that when two or more checksum comparisons are run simultaneously, the later one will overwrite the results of the previous one, so it is a good idea to run only one comparison task at a time.

Multiple databases can be selected and a backup file can be downloaded for safe storage. Historical database results can be deleted to free disk space as required.

All tasks performed in this objective are audited by Snare Central in real time. This means that SnareServer Log type events will be generated while interacting with this objective.

Please note that changes to the Snare system produced by a Snare Central upgrade will be detected and reported on, as this will include many system files as well as the Snare application components. If you see changes occurring in the operating system and application that were not the result of a patch or manual user intervention, then they should be investigated as part of your corporate incident management process.
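The mechanism this section describes, as an added example that is not Snare Central's own code: one scheduled run records a SHA3-256 checksum per file (with the data store and results cache pruned from the walk), each run is stored, and two stored runs are compared to report added, removed and modified files. The directory layout, snapshot file format and exclusion paths are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha3_256_file(path, chunk_size=1 << 20):
    """SHA3-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha3_256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root, exclude=()):
    """Walk `root` and return {relative_path: sha3-256 hex} for every regular file.

    Directories listed in `exclude` are pruned before os.walk descends into them,
    mirroring the recommended exclusion of the data store and results cache.
    Symlinks are skipped so a link cannot stand in for the file it points to.
    """
    root = Path(root)
    excluded = {Path(e) for e in exclude}
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        current = Path(dirpath)
        dirnames[:] = [d for d in dirnames if (current / d) not in excluded]
        for name in filenames:
            p = current / name
            if p.is_symlink() or not p.is_file():
                continue
            snapshot[p.relative_to(root).as_posix()] = sha3_256_file(p)
    return snapshot


def save_snapshot(snapshot, out_file):
    """Persist one run as sorted JSON; one such file per scheduled scan."""
    Path(out_file).write_text(json.dumps(snapshot, sort_keys=True, indent=1))


def load_snapshot(in_file):
    return json.loads(Path(in_file).read_text())


def compare_snapshots(old, new):
    """Report what changed between two stored runs (the page's database comparison)."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: two scans of a small tree with a cache directory
    excluded; between runs one file is edited, one removed, one added, and the
    excluded cache churns (which must not show up in the report)."""
    base, store = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    try:
        (base / "etc").mkdir()
        (base / "cache").mkdir()
        (base / "etc" / "snare.conf").write_bytes(b"debug=1\n")
        (base / "etc" / "stale.conf").write_bytes(b"old\n")
        (base / "empty.txt").write_bytes(b"")
        (base / "cache" / "results.bin").write_bytes(b"cached results")
        run1 = take_snapshot(base, exclude=[base / "cache"])
        save_snapshot(run1, store / "run1.json")
        # changes between the two scheduled runs
        (base / "etc" / "snare.conf").write_bytes(b"debug=2\n")
        (base / "etc" / "stale.conf").unlink()
        (base / "bin").mkdir()
        (base / "bin" / "new.sh").write_bytes(b"#!/bin/sh\n")
        (base / "cache" / "results.bin").write_bytes(b"changed, but excluded")
        run2 = take_snapshot(base, exclude=[base / "cache"])
        save_snapshot(run2, store / "run2.json")
        report = compare_snapshots(load_snapshot(store / "run1.json"),
                                   load_snapshot(store / "run2.json"))
        return {"report": report, "digest_empty": run1["empty.txt"], "scanned": sorted(run2)}
    finally:
        shutil.rmtree(base)
        shutil.rmtree(store)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A change reported against a path under the application or operating system that does not line up with a known upgrade or administrator action is the case the section says to route into incident management.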

IP Address Configuration

The Snare Central IP address, netmask, default gateway, and DNS servers can be modified using this objective. IP, netmask and default gateway values can be modified on a per-ethernet-card basis.

It should be noted that once the IP address has changed, the server will no longer be contactable via the old IP address, so if you were connecting to the old IP address with your web browser, your browser may become unresponsive after the address change.

Import Objectives

Snare Central ships with a large number of default Reports and (starting from v8.6.0) Analytics Dashboards (AKA objectives) that suit a diverse range of organisations, and meet security-related regulatory requirements.
However, there may be situations where additional specialised Reports or Dashboards are made available to users of Snare Central, or need to be transferred from one server to another.

The 'Upload a previously saved Objective(s) or Analytics Dashboards archive' section allows you to select and import objectives from a file stored on your local workstation.
In situations where you have previously used the 'Objective Export' capability by right-clicking on a container, the objectives will be exported to either a local file, or via email, to a selected destination user.

Objectives will be imported into a new container, called "Imported Objectives YYMMDDHHMMSS" (where YYMMDDHHMMSS represents the date/time of import).

The 'Import from a locally stored snapshot of the InterSect Alliance Objective Store' section allows you to import objectives from a local objective store. Click the icon beside the desired objective package to import it.

Manage Access Control

To access this area, LDAP groups should be enabled in Configuration Wizard | Security Setup | Snare Central, or Local User groups should be defined in User Administration. This objective provides an easy and flexible interface for changing Objective access controls at the group level, for both local groups and groups defined on an identified LDAP/Active Directory server.

Prior to Snare Central v7.2, in order to manage the access rights of a remote user (ie: A user defined on a LDAP or Active Directory server), the user needed to have a corresponding local Snare Central account. This still remains true when the option for remote 'LDAP Groups' support is disabled.

When LDAP Groups support is enabled:

  • All local Snare accounts will be disabled, with the exception of the ADMINISTRATOR account.
  • All access to Snare will be authenticated and authorised from the LDAP server regardless of whether the user has a local account on the Snare Central server.
  • Any access control modifications within this objective will ONLY apply to LDAP users and groups.
  • Regardless of whether LDAP Groups is enabled, alternative access control management tools (such as the “Access Control” (lock icon) in Snare’s top panel, and the “Folder Permissions” menu option in the “Reports” navigation tree) will have no effect on LDAP permissions for the same objectives.

Once LDAP user and group authentication has been enabled, any valid LDAP user can have access to Snare Central web interface but will not be able to see any objectives until the correct access rights are granted to each objective, via this objective.

Every objective on Snare Central can be individually secured so that only authorised staff have access to it. Access is granted at group level; therefore, an LDAP user must be attached to an LDAP group in order to view or change an objective. This also applies to local users and groups. The Manage Access Control objective detects whether Snare is in LDAP mode and changes objective access rights accordingly.

Please note that most objectives under "Administrative Tools" and "Data Management Tools" are restricted to the Administrator user, because of the security risks and the potential for harm to the Snare Central server involved. This means that most of these objectives cannot be accessed by LDAP users, nor by local users that do not belong to the Administrators local group. It also means that the "Manage Access Control" interface cannot be used to assign permissions to these administrative objectives. The complete list of Administrator-only objectives is the following.

Administrator Only

Administrative Tools

  • Change IP Address
  • Configuration Wizard
  • Snare Central Update
  • Snare Threat Intelligence
  • User Administration
  • Shutdown / Reboot Snare Central
  • Manage Nightly Updates
  • Manage Access Control
  • Import Objectives
  • Manage Objective Schedules
  • Manage Plugins

Data Management Tools

  • Data Backup and Restore
  • Snare Data Import


One of two access rights levels can be granted:

  • Access permissions. This provides a user with the ability to view the output of this objective, and also regenerate the objective.
  • Change permissions. This provides a user with the ability to change the configuration settings for the objective as well as view and regenerate the function. 

Manage Access Control allows you to select one, many, or all existing objectives, and add or delete “Access” permissions (Read access) and/or “Change” permissions (Write access) on those objectives for a group or set of groups.

Clicking the Objective name (or Objective directory) at the tree representation on the left (see image below) will select or deselect the objective(s). Once selected, one or more groups are required to be highlighted from the list on the right and at least one access level to be selected from Permissions list in order to apply to selected objectives.


Note that users who create, or clone an objective, are identified as the owner of the objective. Both the owner, and Snare Server Administrators have the ability to Delete the objective and Add new users to the objective.

Manage Nightly Updates

This objective allows an administrator to manage the updates of third party data files that Snare Central uses such as:

MaxMind License Key

In order for Snare Central to download the latest GeoIP2 database from MaxMind, you must first configure a MaxMind license key. Click "Configure" on the "Manage Nightly Updates" page, enter your MaxMind license key in the dialog box, then click Set.

The update tasks are disabled by default and scheduling for each task is fully configurable.

Manage Objective Schedules

This objective provides summary information on current objective scheduling, target email addresses, and access controls. A link to each objective also enables you to modify the associated configuration settings.

Manage Plugins

The team at InterSect Alliance provides development services for customers, such as creating Snare Central objectives that meet specific organisational requirements. We release these customisations as 'Snare Central Plugins', which can be installed using the normal 'Snare Central Update' capability, and can be turned on/off using the 'Manage Plugins' objective.

My Account

Your Snare Central password can be changed in this objective. Last login date/time information is also available. Note that Snare Central implements several password security policies, including:

  • 90 Day Rotation
  • Password reuse protection
  • Last password similarity checks
  • Password complexity requirements
  • Dictionary word exceptions

Shutdown / Reboot Snare Central

Users with administrative-level access to Snare Central will be able to shut down, or reboot Snare Central from this objective.

Snare Central Update

Updates will be released to:

  • Add features to Snare Central
  • Fix issues that have been reported
  • Update operating system components in response to security issues that specifically affect Snare, or tangentially affect the operating system on which Snare relies.
  • Update virus checker signatures.

The updates and patches (for example FullUpdate and PatchUpdate) are available for download from the customer portal (SLDM) for customers with a current support and maintenance agreement.

A Full update will include all updates since the last major version (eg: patching version 8.0.0 to version 8.7.0).

A Patch update will include all updates since the last minor version (eg: patching 8.1.0 to 8.1.7).

Specific hotfix updates may also be available.

The update will be made available in the form of a GPG signed compressed archive, for example SnareServer-FullUpdate-v8.0.1-41-g0e0d242.tar.gz.gpg. This objective will provide you with information on previously installed upgrades, and provide a link to a page that accepts such an update file, and allows you to apply the update to your Snare Central installation, after verifying that the cryptographic signature is valid.

Large files can also be uploaded to the Snare Server via the secure-shell 'scp' application. Instructions are available from the Snare Central Update main page.

Full Update files are likely to grow to a significant size over time, as security and functionality updates to the operating system are included within the update.



To apply an update:

  1. Select System | Administrative Tools | Snare Central Update | Upload. This invokes the Snare Central Update process.
  2. Select Choose Update to select the patch update. This will check the file. If the upload doesn't start automatically, select Upload.
  3. When progress reaches 100%, select Next to start the update.
  4. The update may take up to 15 minutes. When completed, select Return to Snare Central.

Troubleshooting Updates

Blank navigation/screen after upgrade process.

It is unlikely, but possible, that after an upgrade the navigation section, or the entire page, may end up on a blank white screen. This is caused by your web browser caching some of the old page components and preventing the server from using the upgraded components. While we have put checks in place within Snare to try and prevent this, it is possible that some browsers may bypass these checks. To resolve the issue, you can (in most browsers) hold down the Shift key while pressing Refresh on the browser. If this doesn't work, try clearing the browser cache and restarting the browser. If this still does not work, try using a different browser.

Snare Threat Intelligence

The Snare Threat Intelligence product is designed to provide real-time insight into your log data, using the proven technology found in the eMite real-time analytics dashboards. Threat Intelligence can give you actionable insights in minutes.  By breaking down traditional information silos, the Threat Intelligence tool gives you a competitive advantage: more transparency, process, and productivity improvements, more rewarding customer engagement, and faster innovation cycles.  Please visit https://www.snaresolutions.com for further information.

Note

This functionality is being retired and is superseded by Analytics Dashboards available from version 8.6.0 of Snare Central. Please refer to the Analytics Dashboards page in this User Guide.

Threat Intelligence Configuration

Snare Server 8.0+ includes an updated collection infrastructure, which is capable of interfacing with the new Snare Advanced Threat Intelligence (SATI) module. Enabling the threat intelligence capability on the Snare Central Server will facilitate delivery of selected important events, up to an infrastructure which is capable of providing enhanced dashboards and log intelligence.

Delivery of data to a non-local Elasticsearch instance is also supported. Currently all log types that Snare Central receives will be forwarded to the destination server. The list of log types is as follows:

  • Windows Failed Login
  • Windows Interactive Login and Logoffs
  • Windows Login
  • Solaris Log Data
  • Linux Log Data
  • Apple Log Data
  • Windows Account Change
  • Windows Group Change
  • Windows File Access
  • Windows Process
  • Windows User Rights
  • Windows Incidents
  • Windows Incidents Apps
  • Windows Incidents Sys
  • Windows Password Change
  • NCR ATM Data
  • FIM Log Data
  • Generic SysLog Data
  • Trend Log Data
  • ASA Firewall Denied
  • ASA Firewall Accept
  • Cisco Device Data
  • PaloAlto Firewall
  • SonicWall Firewall
  • SonicWall SSL VPN
  • Sidewinder Firewall
  • F5 Violations
  • Gauntlet Firewall
  • IIS Web Firewall
  • CyberGuard Firewall
  • Checkpoint Firewall 1
  • IP Tables Firewall
  • ISA Web Log Firewall
  • Netgear Firewall
  • Netgear Router
  • Netscaler Router
  • Netscreen Firewall
  • SNORT Intrusion Detection Events
  • SNMP Trap Log Data
  • WebLogs
  • Snare MSSQL Logs
  • Windows Security Logs
  • Windows System Logs
  • Windows Application Logs
  • Windows Custom Event Logs
  • Carbon Black
  • ACF2 Logs
  • Agent Heart Beat Logs
  • AIXAudit Logs
  • Apache Logs
  • Snare Browser Logs
  • Content Keeper Logs
  • CKEPos Logs
  • Content Keeper Syslog
  • DHCP Server Logs
  • Exchange 2008 Logs
  • Exchange 2013 Logs
  • Exchange Logs
  • Snare Central Server Logs
  • RACF Logs
  • Sophos Data Control Logs
  • Sophos Web Logs
  • Windows DHCP Logs
  • Generic Log Data
  • Malware Domains
  • MSDNSServer Logs
  • All other Logs that are classed as generic logs


Threat Intelligence Delivery disabled


Enabling SATI delivery will display an overview of the currently enabled forwarding filters.

Threat Intelligence Delivery enabled


Snare Central Elasticsearch Forwarding

The Snare Central Server Integration to Elasticsearch is designed to forward your Snare eventlog data directly into an Elasticsearch index.

Snare Central Server 8.0+ includes an updated collection infrastructure, which is capable of interfacing with your Elasticsearch index. Enabling the forwarding capability on the Snare Central Server will facilitate delivery of selected important events, up to an infrastructure which is capable of providing enhanced dashboards and log intelligence.

Delivery of data to a non-local elasticsearch instance is also supported. The Snare Server can be configured to log to a local elastic instance (which is installed and available as part of version 8.0 of the Snare Central server), or can be configured to log to a remote elastic instance. If the remote elastic instance is protected by either X-Pack or ElasticShield from InterSect Alliance, HTTPS/TLS and authentication can be activated.

For a fresh install of Elasticsearch the index is named active-snare-snare. Where the index is used in SAA/SATI, the index is named snare-snare-000001. The application manages the index and rotates it, incrementing the index name suffix to -000002 and so on, based on the system index rotation settings. External indexes must be managed by the administrators of the external Elasticsearch instance, as the index will keep growing until it is rotated out. Below is an example of a managed index environment.


More Details

The events that are forwarded to the Threat Intelligence instance, or a remote elastic server, are governed by the configuration file /data/Snare/ConfigSettings/RealTime.config on the Snare server. This file is not intended to be user-editable at this stage, since it ties directly in with the available dashboard capabilities of the Threat Intelligence server.

Event collection rates may be significantly impacted when this feature is active. Elasticsearch ingest rates are significantly lower than those supported by the Snare Central Server on similar hardware, so when this feature is activated the achievable Snare Server collection rate is governed by the Elasticsearch bulk upload capability. In general terms, there may be one or two orders of magnitude difference between Snare Central Server collection rates and Elasticsearch ingest capabilities.

Warning: Activating the Threat Intelligence configuration, without installing the corresponding Threat Intelligence module to manage the generated data, will mean that your Snare Central Server will store significantly more data per received event, without being able to remove the associated data from the file-system via the Snare Central Server user interface.


Support Data Retrieval

To aid the Snare Support team in diagnosing issues, the required information can be gathered with this tool. Selecting Generate creates a compressed, encrypted tar file containing the output of some diagnostic commands and a few Snare and system configuration files, ready for download. After several minutes the tar file is generated, and you can select the file and download it from the server, to be forwarded to support when required.

If the resulting tar file is bigger than 10MB, the file will be separated into 10MB chunks for sending purposes (via email, FTP, etc.) to be reassembled by the support team.

Once a file has been downloaded, the support file will be deleted from the server. No original data will be deleted.

Only when all files have been downloaded can another support data file be generated. This means that if you need to run Support Data again, you must first download all existing files, including any 10MB chunks.

For most calls the additional options will not be required. However, the support team may ask you to select one or more of the checkboxes depending on the nature of the support call.


User Administration

It is recommended that a number of users be created after Snare Central has been installed, so that:

  • The Administrator username and password do not have to be shared and
  • It will be possible to identify which user is accessing and configuring Snare.


This objective allows you to create users and groups.

The groups built into Snare Central are: Administrators, SuperUsers, PowerUsers and Default.

All users are automatically included in the 'Default' group. The 'Administrators' group has the same access as the 'administrator' userid, with the exception of a number of functions that are restricted to the 'administrator' (eg: changing the password of the Administrator account). The 'PowerUsers' group may access all reports, all objectives under Status, and their own account. The 'SuperUsers' group has no particular privileges, but can be used to group accounts with significant privileges to objectives, if you wish to take advantage of it.

You may define as many additional groups as you need, and assign each one of the following three access right profiles:

Default. With access to the following objectives:
  • System/Admin Tools/My Snare Central Account

PowerUsers. With access to the following objectives:
  • System/Admin Tools/My Snare Central Account
  • Everything under Reports
  • Everything under Status

SuperUsers. With access to the following objectives:
  • Everything under Reports
  • Everything under Status
  • Everything under Agent Management
  • System/Admin Tools/Antivirus Administration
  • System/Admin Tools/Snare Central Collector/Reflector
  • System/Admin Tools/Snare Log File
  • System/Admin Tools/Snare Service Monitor Log File
  • System/Admin Tools/My Snare Central Account
  • System/User Administration
  • System/Data Backup
  • System/Data Management Tools
  • System/Data Restore

After the group has been created, you may fine tune access rights for each particular group via System | Administrative Tools | Manage Access Control.

Snare Central implements several password security policies, including:

  • 90 Day Rotation
  • Password reuse protection
  • Last password similarity checks
  • Password complexity requirements
  • Account locking on multiple failed login attempts
  • Dictionary word exceptions


If a password does not meet the requirements identified above, an error message will be displayed during password definition.


In situations where an account is locked due to several failed login attempts, an additional configuration setting on the user management screen will offer the administrator the capability to unlock a Snare Central user account. If an account is not unlocked, the account will automatically unlock after 30 minutes.

If a user's account exceeds the 90 day password validity limit, Snare Central will request a password update.

Operating System Password Controls

The operating system password controls are managed by the Pluggable Authentication Modules (PAM) in Linux. The configuration files are located in the /etc/pam.d directory. The password controls for Snare Central are detailed in the /etc/pam.d/common-password file. The file can be updated to reflect your corporation's security policy.

The default settings are as follows, and enforce a password retry limit of 3 attempts before failure, a minimum length of 10 characters, a difference of three characters from the previous password, one uppercase letter, one numeric character, one special character, and one lowercase letter:

  • password requisite pam_cracklib.so retry=3 minlen=10 difok=4 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1

The configuration will enforce the password policy rules for the following operating system accounts: root, snare and snarexfer. For additional information on the values of each setting, refer to the manual pages for pam.d and pam_cracklib.
