Release Notes for Snare Linux Agent v5.5.1

Snare Linux Agent v5.5.1 was released on 28th September 2021.

Snare Linux Agent v5.5.1 is the last version that supports RHEL 6. Future releases will not include support for this platform.

Security Updates

  • OpenSSL upgraded to version 1.1.1l 

Bug Fixes

  • Fixed the issue where Snare Agent was showing 'cache is full' warning even when network destination is not down and not very slow. Due to this issue, the overall EPS of the Snare starts dropping and in some cases EPS becomes 0.
    Snare Agent might still show this message for very slow network destination or when there is network congestion.
  • Heartbeat events sent in Syslog JSON format now have criticality (severity) in the syslog header
  • Syslog 5424 headers of events sent in Syslog (RFC 5424) and Syslog JSON formats no longer contain erroneous tab character in MSGID field
  • Fixed inconsistent Auth Keys' length validation, allowing TLS Auth Key and SAM Auth Key length to be within [8, 4096] range
  • Removed erroneous error message when the destination is configured with a combination of Snare v2 format and TLS_AUTH protocol
  • Fixed rare error that could occur during Snare Agent upgrade on Debian or Ubuntu platforms if certain path existed
  • Updated Knowledge Base link that was broken
  • Fixed the issue where cache loading for audit log events was causing the loading of incomplete events

Known Issues

  • On RHEL 6 and 7 only Snare Agent does not start automatically after upgrade from v5.4.0. 
    When upgrading Snare Enterprise Agent for RHEL 6 or RHEL 7 from version v5.4.0 to v5.5.0 or newer, please use one of the following work arounds:

    • upgrade Snare Agent to v5.4.1 and then to v5.5.1. This would ensure that the agent is automatically started after the upgrade to v5.5.1
    • alternatively, manually start the auditd service after the upgrade which would start the Snare Agent

      sudo service auditd start


User Guide

For an up-to-date version refer to the online version here.