Administrative Tools
Antivirus Administration
Snare Central is based on a custom distribution of Linux, and is therefore potentially susceptible to (significantly) less than 1% of all viruses currently in the wild. Snare Central does not provide desktop-level functionality, and the risk profile for virus infection on Snare Central is extremely low. However, Snare Central integrates the ClamAV virus checker, which is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It includes a high performance multi-threaded scanning daemon that provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats.
The anti-virus scan can be run on a scheduled basis, and can be configured to perform:
- a complete system scan,
- a complete system scan that excludes the Snare Data Store and results cache (recommended), or
- a scan of only the home directories of Snare Central user accounts.
The reason that it is recommended that the Data Store and results cache be excluded from the scan, is that there is a significant risk that the virus scanner will pick up false-positives in those directories, due to the nature and volume of data stored therein.
It is the customer's responsibility to ensure the antivirus software is kept up to date and is scheduled to run in accordance with your corporate security policy.
Change IP address
Snare Central IP address, netmask, default gateway, and DNS servers can be modified using this objective. IP, netmask and default gateway values can be modified on a per-ethernet-card basis.
It should be noted that once the IP address has changed, the server will no longer be contactable via the old IP address, so if you were connecting to the old IP address with your web browser, your browser may become unresponsive after the address change.
Configuration Wizard
The configuration wizard is covered earlier in this documentation.
Configure Collector/Reflector
The Snare Central reflector is capable of 'reflecting' events that arrive at the server, to another Snare Central, or to a third party SIEM server or collector. The reflector supports a range of target server formats, including, but not limited to, "Snare", "Syslog RFC 3164", "Syslog RFC 5424", "QRadar", and "Envision". TLS encryption is available, if the destination server supports it.
The front page will display a snapshot of the state of the reflector. It will update every few seconds with new data, as long as the Snare Central collection/reflection service is active.
The first two 'destinations' in the configuration interface are reserved for use by Snare Central internally. They send incoming syslog events to the Snare Central syslog interpreter, and all other events to the normal Snare Central log interpreter. The destinations do this by utilising the regular expression filter capabilities of the reflector. All 'listeners' are currently locked by the Snare Central collection server. Configuration options present in the dialog include:
Address
IP Address, or DNS Name of the destination server to which Snare Central should send events.
Port
Destination port number.
Protocol
TCP, UDP or TLS. Note that TLS is not really a 'protocol' as such, it is merely an encrypted TCP session.
Destination Format
- Snare Central 7.1+: The destination server is a Snare Central, and is running at least version 7.1 of the software.
- Snare Central Historical: The destination server is a Snare Central, and is running a version of the software prior to 7.1. The reflector will fall back to a slightly less optimised version of an event transfer format.
- Syslog RFC 5424: The newer version of the Syslog protocol. Amongst other positives, RFC 5424 includes 'year' information in the date, which is excluded from the RFC3164 format.
- Syslog RFC 3164: The older version of the Syslog protocol.
- QRadar: A customised version of Syslog RFC 3164 protocol that works around a bug in the QRadar log parser. It detects Snare agent logs, and specifically removes the first 'hostname' entry supplied by the agent, in the eventlog data.
- RSA Envision: A customised version of Syslog RFC 3164 that prefixes the event with "[][][IPAddress][unixDate][] " (where 'IPAddress' is the IP address of the source system that reported the event to Snare Central, and 'unixDate' is the date/time in unix format, i.e. seconds since the epoch).
- Raw - No conversion - Snare Central will push the event out in exactly the same format in which it arrives.
Regular Expression, and Search/Replace Filters
Regular expressions match complex patterns in text. They are a powerful tool for finding a wide variety of content, and when coupled with replacement filters, can transform your event significantly, as it passes through the snare server, to your next destination.
The snare reflector uses perl-compatible regular expressions, and also supports 'dollar sign back-references' as an alias for the traditional 'backslash' back-reference format. Regular expressions can be spectacularly confusing, particularly at first.
It is highly recommended that you test your regular expressions for errors prior to enabling them in the Snare server - as of version 7.1, regular expression syntax checks are not enforced in the reflector configuration user interface. Snares'
The replace filter can utilise backreferences to replace certain text with the contents of an expression match term.
If for example, in a log entry from a Linux application, you needed any unix userID less than or equal to 500 to be appended with the word " (ADMINISTRATOR)" prior to the event being forwarded to the remote collection server, the following search/replace terms could be of assistance:
Search: "UserID:\s*([1-5][0-9][0-9]|[1-9][0-9]|[1-9])\s"
Replace: "UserID: \1 (ADMINISTRATOR) "
If your event looks like this:
2016-01-23 12:23:34 UserID: 345 Accessed the resource "TestMachine"
The search/replace filter would turn it into:
2016-01-23 12:23:34 UserID: 345 (ADMINISTRATOR) Accessed the resource "TestMachine"
Whereas, if your event looks like this:
2016-01-23 12:23:34 UserID: 600 Accessed the resource "TestMachine"
The search/replace filter would ignore it, since the "UserID: 600" does not match the expression supplied.
As highlighted above, the Snare Central reflector uses "$" as an alias for the replacement backreference. The replacement term above could therefore be written as:
Replace: "UserID: $1 (ADMINISTRATOR) "
Explanation of the search regular expression:
- Search for the text "UserID:"
- Followed by zero or more whitespace characters
- Followed by EITHER:
  - A digit between 1 and 5, followed by two other digits between 0 and 9 inclusive, OR
  - A digit between 1 and 9, followed by a digit between 0 and 9 inclusive, OR
  - A digit between 1 and 9.
- Followed by a whitespace character
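The search/replace pair above, run against the two example events plus two constructed boundary cases (UserID 500, which is the last value the expression should match, and UserID 1000, which it must not), as an added Python example that is not part of the Snare documentation. It also shows the syntax pre-check the text recommends, since the reflector's configuration interface does not enforce one. Python's re module is used as a stand-in for the reflector's perl-compatible engine (an assumption; the two dialects agree for this pattern), and the `$1` alias is translated to Python's `\1` before substitution.

```python
import re

# Search/replace terms from the documentation above.
SEARCH = r"UserID:\s*([1-5][0-9][0-9]|[1-9][0-9]|[1-9])\s"
REPLACE_BACKSLASH = r"UserID: \1 (ADMINISTRATOR) "
REPLACE_DOLLAR = "UserID: $1 (ADMINISTRATOR) "   # same term using the reflector's '$' alias

# The two events from the documentation, plus two constructed edge cases.
EVENT_ADMIN = '2016-01-23 12:23:34 UserID: 345 Accessed the resource "TestMachine"'
EVENT_USER = '2016-01-23 12:23:34 UserID: 600 Accessed the resource "TestMachine"'
EVENT_BOUNDARY = '2016-01-23 12:23:34 UserID: 500 Accessed the resource "TestMachine"'   # constructed
EVENT_LARGE = '2016-01-23 12:23:34 UserID: 1000 Accessed the resource "TestMachine"'     # constructed

EXPECTED_ADMIN = '2016-01-23 12:23:34 UserID: 345 (ADMINISTRATOR) Accessed the resource "TestMachine"'


def to_python_replacement(replacement):
    """Translate the reflector's '$N' back-reference alias into Python's '\\N' form.

    A '$' followed by digits becomes a backslash followed by the same digits;
    replacement terms that already use '\\N' pass through unchanged.
    """
    return re.sub(r"\$(\d+)", r"\\\1", replacement)


def check_regex(pattern):
    """Return None when the search expression compiles, otherwise the error text.

    Stand-in for the syntax check the documentation asks you to perform
    before enabling a filter in the reflector (Python re, not PCRE).
    """
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def apply_filter(event, search, replace):
    """Apply one search/replace filter to a single event line."""
    return re.sub(search, to_python_replacement(replace), event)


if __name__ == "__main__":
    # Reject a broken expression before it reaches the reflector configuration.
    print("syntax check:", check_regex(SEARCH) or "ok")
    for event in (EVENT_ADMIN, EVENT_USER, EVENT_BOUNDARY, EVENT_LARGE):
        print(apply_filter(event, SEARCH, REPLACE_DOLLAR))
```

Running the block shows UserID 345 and 500 gaining the " (ADMINISTRATOR)" suffix while 600 and 1000 pass through untouched: the trailing `\s` in the search term is what stops `[1-9][0-9]` from matching the "10" in "1000" or the "60" in "600".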
Other options in configuration mode include:
- Disk Cache - Size in GB.
- UTC Charts - Turn this on to display UTC (Coordinated Universal Time) times on destination charts instead of local machine times. By default the times are displayed in local time.
Configure Server Time Zones
Snare Central has the ability, on a per-source basis, to time-shift the data at query time. In general, agents will report data back to Snare Central using their local time and time-zone. For objectives such as "Tell me whenever someone logs in before business hours", this strategy works perfectly well. However, if you have a reporting agent in Paris, another in London, and your Snare server was based in New York, and your reports predominantly needed to be based around the time in New York (EST), then you may wish to turn time zone manipulation on.
This will allow you to construct a report such as "Tell me any events that occurred between 08:30 and 09:30 US Eastern Standard Time, regardless of what the local time on the destination server was reporting".
Please note that enabling time zone manipulation will slow down Snare Central queries by an appreciable amount, and whilst enabled, will affect all data from the configured source system. Note also that the original data will not be modified - turning off time zone manipulation will return reporting to normal.
Display the Snare Log File
In situations where you request assistance from your Snare Central support team, you may be asked to email a copy of the Snare debug log file. This file contains generic information on what objectives run, and what scheduled tasks are currently implemented. Increasing the Snare Central debug level (see the section above on "Configuration Wizard" for more information), will significantly increase the amount of data that is written to this file.
Display the Snare Service Monitor Log File
Collection is the process that Snare Central is most anxious to ensure is robust and reliable. If something causes the collection subsystem to fail, it will be restarted as soon as possible, and the server will attempt to collect as many useful statistics relating to memory usage, disk usage, and process information, as it can, in order to support debugging efforts by your Snare Central support team.
Import Objectives
The team at InterSect Alliance have come up with a number of default objectives that suit a diverse range of organisations, and security-related regulatory requirements. However, there may be situations where additional specialised objectives are made available to users of Snare Central. The 'Import from the InterSect Alliance Objective Store' button will allow you to select, and import, objectives.
Objectives will be imported into a new container, called "Imported Objectives YYMMDDHHMMSS" (where YYMMDDHHMMSS represents the date/time of import).
In addition to importing objectives from the InterSect Alliance web site, there is also an option to upload objectives from a file stored on your local workstation. The 'Objective Export' capability, available by right-clicking on a container, exports objectives to either a local file or, via email, to a selected destination user; a file produced this way can be uploaded here.
Manage Access Control
To access this area, LDAP groups must be enabled in Configuration Wizard | Security Setup | Snare Central, or local user groups must be defined in User Administration. This objective provides an easy and flexible interface for changing objective access rights at the group level, for both local groups and LDAP-defined groups. It can authenticate remote users and authorise remote groups defined in an LDAP or Active Directory server.
Prior to Snare Server v7.2, only remote user authentication was available, with the constraint that the remote user had to correspond to a local Snare account. This remains true when the option for remote LDAP Groups support is disabled.
When LDAP Groups support is enabled in Configuration Wizard | Security Setup:
- all local Snare accounts will be temporarily disabled with the exception of the ADMINISTRATOR account, and all access to Snare will be authenticated and authorised by the LDAP server, regardless of whether the user name exists as a Snare account or not.
- this objective will affect only LDAP users and groups and will have no effect on local Snare users or groups whatsoever. Hence all legacy options for access control, such as the “Access Control” (lock icon) in Snare’s top panel and the “Folder Permissions” menu option in the “Reports” navigation tree, will have no effect on LDAP permissions for the same objectives.
Once LDAP user and group authentication has been enabled, any valid LDAP user can access the Snare Central web interface, but will not be able to see any objectives until the correct access rights are granted to each objective via this objective.
Every objective on Snare Central can be individually secured so that only authorised staff have access to it. Access is granted at group level; therefore, an LDAP user must be attached to an LDAP group in order to view or change an objective. This also applies to local users and groups. The Manage Access Control objective detects whether Snare is in LDAP mode, and changes objective access rights accordingly.
Please note that most objectives under "Administrative Tools" and "Data Restore" are restricted to the Administrator user exclusively, because of the security risks and potential for harm to the Snare Central server involved. This means that most of these objectives cannot be accessed by LDAP users, nor by local users that do not belong to the Administrators local group. It also means that the "Manage Access Control" interface cannot be used to assign permissions to these administrative objectives. The complete list of Administrator-only objectives is the following.
Administrator Only
Administrative Tools
- Change IP Address
- Configuration Wizard
- Snare Central Update
- Snare Threat Intelligence
- User Administration
- Shutdown / Reboot Snare Central
- Manage Nightly Updates
- Manage Access Control
- Import Objectives
- Manage Objective Schedules
- Manage Plugins
Data Restore
- Snare Data Import
One of two access rights levels can be granted:
- Control or Write access. This provides a user with the ability to change the configuration settings for the objective.
- Read access. This provides a user with access to view the output of this objective, and also regenerate the objective.
Manage Access Control allows you to select one, many or complete tree structures of existing objectives and add or delete “Access” permissions (Read access) and/or “Control” permissions (Write access) to those objectives for a group or set of groups.
Clicking the Objective name (or Objective directory) in the tree representation on the left (see image above) selects or deselects the objective(s). Once selected, one or more groups must be highlighted from the list provided, and at least one access level checked, in order to apply the change to the selected objectives.
In the image above, for example, a single objective named “Flag Changes” is selected and “Access Control” (Read access) for the “Snare_Server_Default” group is about to be granted.
In addition, users who create, or clone an objective, are identified as the owner of the objective. Both the owner, and Snare Server ADMINISTRATOR have the ability to Delete the objective and Add new users to the objective.
Manage Nightly Updates
Allows an administrator to manage the updates of third party data files that Snare Central uses such as:
- The GeoIP2 database from MaxMind
- The MAC address database from standards.ieee.org
- The Malware database from malwaredomainlist.com
- The OpenVAS Network Vulnerability Tests (NVTs)
The update tasks are disabled by default and scheduling for each task is fully configurable.
Manage Objective Schedules
This objective provides summary information on current objective scheduling, target email addresses, and access controls. A link to each objective also enables you to modify the associated configuration settings.
Manage Plugins
The team at InterSect Alliance provide development services for customers, such as creating Snare Central objectives that meet specific organisational requirements. We release these customisations as 'Snare Central Plugins', which can be installed using the normal 'Snare Central Update' capability, and can be turned on/off using the 'Manage Plugins' objective.
My Account
Your Snare Central password can be changed in this objective. Last login date/time information is also available. Note that Snare Central implements several password security policies, including:
- 90 Day Rotation
- Password reuse protection
- Last password similarity checks
- Password complexity requirements
- Dictionary word exceptions
Prepare Server for Upgrade
This objective runs a number of checks on your Snare Central to ensure it is ready to be upgraded to the next major version using the 'over-the-top' upgrade method.
Note that until a new major version of Snare Central is available, this objective will not provide any significant functionality.
Shutdown / Reboot Snare Central
Users with administrative-level access to Snare Central will be able to shut down, or reboot Snare Central from this objective.
Snare Central Update
The team at InterSect Alliance will release updates to:
- Add features to Snare Central
- Fix issues that have been reported
- Update operating system components in response to security issues that specifically affect Snare, or tangentially affect the operating system on which Snare relies.
- Update virus checker signatures.
The updates and patches (for example FullUpdate, PatchUpdate and PreUpdate) are available for download from the customer portal, SLDM, for customers with a current support and maintenance agreement.
The update will be made available in the form of a GPG signed compressed archive, for example SnareServer-FullUpdate-v7.3.0-41-g0e0d242.tar.gz.gpg. This objective will provide you with information on previously installed upgrades, and provide a link to a page that accepts such an update file, and allows you to apply the update to your Snare Central installation, after verifying that the cryptographic signature is valid.
Large files can also be uploaded to the Snare Server via the secure-shell 'scp' application. Instructions are available from the Snare Central Update main page.
To apply an update:
- Select System | Administrative Tools | Snare Central Update | Upload. This invokes the Snare Central Update process.
- Select Choose Update to select the patch update. This will check the file. If it doesn't start automatically, then select Upload.
- When progress reaches 100%, select Next to start the update.
- The update may take up to 15 minutes. When completed, select Return to Snare Central.
Troubleshooting Updates
Blank navigation/screen after upgrade process.
It is unlikely, but possible, that after an upgrade the navigation section, or the entire page, may end up on a blank white screen. This is caused by your web browser caching some of the old page components and preventing the server from using the upgraded components. While we have put checks in place within Snare to try and prevent this, it is possible that some browsers may bypass these checks. To resolve the issue, you can (in most browsers) hold down the Shift key while pressing Refresh on the browser. If this doesn't work, try clearing the browser cache and restarting the browser. If this still does not work, try using a different browser.
Snare Threat Intelligence
The upcoming Snare Threat Intelligence product is designed to provide real-time insight into your eventlog data, using the proven technology found in the eMite real-time analytics dashboards. Threat Intelligence can give you actionable insights in minutes. By breaking down traditional information silos, the Threat Intelligence tool gives you a competitive advantage: more transparency, process, and productivity improvements, more rewarding customer engagement, and faster innovation cycles. Please visit https://www.snaresolutions.com for further information.
Threat Intelligence Configuration
Snare Server 7.4+ includes an updated collection infrastructure, which is capable of interfacing with the new Snare Advanced Threat Intelligence (SATI) module. Enabling the threat intelligence capability on the Snare Central Server will facilitate delivery of selected important events, up to an infrastructure which is capable of providing enhanced dashboards and log intelligence.
Delivery of data to a non-local elasticsearch instance is also supported. Note that only a limited high value subset of the data received by the Snare Central Server, will be forwarded to the destination server.
Enabling SATI delivery will display an overview of the currently enabled forwarding filters.
The Snare Server can be configured to log to a local elastic instance (which is installed and available as part of version 7.4 of the Snare Central server), or can be configured to log to a remote elastic instance. If the remote elastic instance is protected by either X-Pack or ElasticShield from InterSect Alliance, HTTPS/TLS and authentication can be activated.
More Details
The events that are forwarded to the Threat Intelligence instance, or a remote elastic server, are governed by the configuration file /data/Snare/ConfigSettings/RealTime.config on the Snare server. This file is not intended to be user-editable at this stage, since it ties directly in with the available dashboard capabilities of the Threat Intelligence server.
Event collection rates may be significantly impacted, when this feature is active. ElasticSearch ingest rates are significantly lower than those supported by the Snare Central Server, on similar hardware. When this feature is activated, the potential Snare Server collection rates, will be governed by the elasticsearch bulk upload capabilities. In general terms, there may be one or two orders of magnitude difference between Snare Central Server collection rates, and elasticsearch ingest capabilities.
Warning: Activating the Threat Intelligence configuration, without installing the corresponding Threat Intelligence module to manage the generated data, will mean that your Snare Central Server will store significantly more data per received event, without being able to remove the associated data from the file-system via the Snare Central Server user interface.
Support Data Retrieval
To aid the Snare Support team in diagnosing any issues, the relevant information can be gathered with this tool. Selecting Generate will create a compressed, encrypted tar file containing the output of some diagnostic commands and a few Snare and system configuration files, ready for download. After several minutes the tar file will be generated, and you can then select the file and download it from the server, to be forwarded to support when required.
If the resulting tar file is bigger than 10MB, the file will be separated into 10MB chunks for sending purposes (via email, FTP, etc.) to be reassembled by the support team.
Once a file has been downloaded, the support file will be deleted from the server. No original data will be deleted.
Only when all files have been downloaded will it be possible to generate another support data file. This means that if you need to run Support Data again, you must first download all existing files, including any 10MB chunks.
User Administration
It is recommended that a number of users be created after Snare Central has been installed, so that:
- The Administrator username and password do not have to be shared and
- It will be possible to identify which user is accessing and configuring Snare.
This objective allows you to create users and groups.
The groups built into Snare Central are: Administrators, SuperUsers, PowerUsers and Default.
All users are automatically included in the 'Default' group. The 'Administrators' group has the same access as the 'administrator' userid, with the exception of a number of functions that are restricted to the 'administrator' (eg: changing the password of the Administrator account). The 'PowerUsers' group may access all reports, all objectives under Status, and their own account. The 'SuperUsers' group has no particular privileges, but can be used to group accounts with significant privileges to objectives, if you wish to take advantage of it.
You may define as many additional Groups as you wish and assign to each one one of three access right profiles:
- First profile:
  - System/Admin Tools/My Snare Central Account
- Second profile:
  - System/Admin Tools/My Snare Central Account
  - Everything under Reports
  - Everything under Status
- Third profile:
  - Everything under Reports
  - Everything under Status
  - Everything under Agent Management
  - System/Admin Tools/Antivirus Administration
  - System/Admin Tools/Configure Server Time Zones
  - System/Admin Tools/Snare Central Collector/Reflector
  - System/Admin Tools/Snare Log File
  - System/Admin Tools/Snare Service Monitor Log File
  - System/Admin Tools/My Snare Central Account
  - System/User Administration
  - System/Data Backup
  - System/Data Management Tools
  - System/Data Restore
After the group has been created, you may fine tune access rights for each particular group via System | Administrative Tools | Manage Access Control.
Snare Central implements several password security policies, including:
- 90 Day Rotation
- Password reuse protection
- Last password similarity checks
- Password complexity requirements
- Account locking on multiple failed login attempts
- Dictionary word exceptions
If a password does not meet the requirements identified above, an error message will be displayed during password definition.
In situations where an account is locked due to several failed login attempts, an additional configuration setting on the user management screen will offer the administrator the capability to unlock a Snare Central user account. If an account is not unlocked, the account will automatically unlock after 30 minutes.
If a user's account exceeds the 90 day password validity limit, Snare Central will request a password update.
Operating System Password Controls
The operating system password controls are managed by the Pluggable Authentication Modules (PAM) in Linux. The configuration files are located in the /etc/pam.d directory. The password controls for Snare Central are detailed in the /etc/pam.d/common-password file. The file can be updated to reflect your corporation's security policy.
The default settings are as follows. They enforce a password retry limit of 3 attempts before failure, a minimum length of 10 characters, a difference of three characters from the previous password, and at least one uppercase letter, one digit, one special character and one lowercase letter:
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1
The configuration will enforce the password policy rules for the following operating system accounts: root, snare and snarexfer. For additional information on the values of each setting, refer to the manual pages for pam.d and pam_cracklib.
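To make the meaning of the default pam_cracklib line concrete, here is an added Python example (not part of the Snare documentation or of pam_cracklib itself) that parses the key=value options out of that line and checks a candidate password against them. It is a simplified approximation of the module's semantics: only negative credit values are handled (where -N means "at least N characters of that class", so minlen is a plain length requirement), and difok is treated as the number of characters in the new password that do not appear in the old one. The sample passwords are constructed.

```python
# Default pam_cracklib line quoted in the documentation (/etc/pam.d/common-password).
DEFAULT_LINE = ("password requisite pam_cracklib.so retry=3 minlen=10 difok=3 "
                "ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1")


def parse_cracklib_line(line):
    """Return the key=value options of a pam_cracklib line as a dict of ints."""
    opts = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            opts[key] = int(value)
    return opts


# Character classes behind the four credit options.
CLASSES = {
    "ucredit": ("uppercase letter", str.isupper),
    "lcredit": ("lowercase letter", str.islower),
    "dcredit": ("digit", str.isdigit),
    "ocredit": ("special character", lambda c: not c.isalnum()),
}


def check_password(candidate, old_password, opts):
    """Return a list of policy violations; an empty list means the password passes.

    Simplified, hypothetical re-implementation of the settings on the default
    line: negative credits only (-N = at least N of that class) and difok as
    'characters of the new password not present in the old one'.
    """
    problems = []
    if len(candidate) < opts.get("minlen", 0):
        problems.append(f"shorter than minlen={opts['minlen']}")
    for key, (label, predicate) in CLASSES.items():
        credit = opts.get(key, 0)
        if credit < 0:
            needed = -credit
            have = sum(1 for c in candidate if predicate(c))
            if have < needed:
                problems.append(f"needs at least {needed} {label}(s), has {have}")
    difok = opts.get("difok", 0)
    if difok and old_password:
        new_chars = sum(1 for c in candidate if c not in old_password)
        if new_chars < difok:
            problems.append(f"fewer than difok={difok} characters differ from the previous password")
    return problems


if __name__ == "__main__":
    opts = parse_cracklib_line(DEFAULT_LINE)
    # Constructed sample passwords, not real credentials.
    for new, old in (("Tr0ub4dor&3x", "password1"), ("short1A!", "x"), ("alllowercase1!", "")):
        print(repr(new), "->", check_password(new, old, opts) or "ok")
```

The retry option is deliberately not modelled: it controls how many times PAM re-prompts before returning failure, not a property of the password itself.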