Release Notes for Snare Windows Agent v5.4.0

Snare Windows Agent v5.4.0 was released on 16th September 2020.

Security Updates

  • OpenSSL upgraded to version 1.1.1g
  • SQLite upgraded
  • Hashing the password for Agent Web access using FIPS compliant hashing algorithm (PBKDF2 with HMAC SHA3 512).
  • Replaced the pop up Login form with a Login page for authentication to access Agent Web GUI
  • To improve the security, only HTTPS protocol is used to access Agent Web GUI.
    The following steps might be needed to access Web GUI in Firefox browser:  https://support.mozilla.org/en-US/kb/Certificate-contains-the-same-serial-number-as-another-certificate.
  • Web Server Protocol setting (HTTP/HTTPS selector) was removed from Access Configuration.  WebHttps key was removed from Windows registry.
  • Updated the Agent to support TLS1.2 as a minimum, added support of TLS 1.3 as per recommendations in the OWASP Broad compatibility list. CHACHA20_POLY1305 cipher is not supported at this stage.

Enhancements

  • For each Objective, user will now be able to set a criticality level for each event format: Snare, Syslog (incl. SYSLOG (RFC3164), SYSLOG Alt (RFC5424 Compatible), SYSLOG (RFC5424) ), CEF, LEEF. 
    This applies to Audit , FIM, RIM, and Log Filter objectives.

  • Agent installer, uninstaller and binaries are now digitally signed with EV code signing certificate, eliminating unknown publisher warnings.
  • Improved the support for CEF format for Snare for Windows. Now Audit event reports the following CEF extensions: cat, start, act, deviceProcessName, dvchost, suser, outcome, duid, msg.
  • SYSLOG (RFC3164) IETF standard allows all alphanumeric characters considered the part of TAG. Previously, a fixed TAB was used as TAG terminator. Now to fully comply with SYSLOG (RFC3164) IETF standard, any non-alphanumeric character can be specified as TAG terminator. To enable this functionality define a custom delimiter, and uncheck "Use TAB as SYSLOG (RFC3164) TAG Terminator" checkbox in the Destination Configuration.
  • Updated snare logo in the installer and in the Agent Web GUI.
  • Updated links in the readme files to point to snaresolutions.com website. Updated links to Knowledge Base.
  • Added a default Objective to collect logs related to scheduled tasks and other object access events: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events.
  • Port 6514 can now be used to send events in Syslog format using TLS protocol to Snare Central 8.3+ or Snare Reflector 2.4+. Warning messages were updated accordingly.

Bug Fixes

  • Fixed Users and Members > Domain Group Members page to correctly handle users that belong to a single group. This issue was causing the page to crash on some domains.
  • Various bug fixes

User Guide

The following is an offline version of the User Guide related to this release.


For an up-to-date version refer to the online version here.