Version 7.2 of Snare Server is available and includes the product name change from Snare Server to Snare Central, and the following features:

  • The Snare Agent Manager (SAM) has been integrated directly into the Snare Central Server, and provides centralized license management capabilities. The SAM may be accessed via the menu: Agent Management | Snare Agent Manager. Customers no longer need to maintain a separate standalone Windows-based SAM installation in order to manage Snare agent licensing. Review User Information
  • In order to comply with the Security Technical Implementation Guide (STIG) recommendations for the Unix operating system (https://www.stigviewer.com/stig/unix_srg/), Snare Central now includes the Snare Linux Agent. Review User Information
  • A new graphical user interface and disk manager utility, called Disk Manager, makes it easier for customers to manage their storage resources. Users of this interface can shift space between disk partitions (new 7.2 installs only), add new unallocated disk space to existing partitions (new 7.2 installs only), and take advantage of the ‘overlayfs’ feature of 7.2 to layer other formatted disk partitions, NAS shares, or external media over some existing Snare Central paths. The layering capability enables, for example, backups created with the Data Backup utility and stored on optical or USB media to be superimposed over the existing “Snare Archive” event storage location, so there is no need to restore a data backup to have access to archived data. Review User Information
  • Snare Central reports can be saved as a historical record in PDF format and made available via an SMB share. Review User Information
  • Snare Central now provides an updated access control management interface, which supports both user and group authentication and access control from locally defined users/groups and also users/groups from an LDAP/AD server. Review User Information
  • The Snare Collector/Reflector dashboard includes additional statistics regarding cache and events. Review User Information
  • Additional objectives have been added to the Snare Central server specifically to detect security incidents on Windows servers and workstations discussed in the SANS white paper at https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262. The new objectives cover administrative activity, file and resource access and process monitoring.
  • A new agent information objective in Status | Collection Status-Agent Information provides a simple overview of the systems that have sent event data to the Snare Central over the course of a configurable number of days.
  • The Snare Central ISO image can now be written to a USB stick in order to install on physical or virtual hardware.

Further Information

This video provides an outline of the new features in version 7.2.
Version 7.2 Feature Overview
Presented by Steve Challans
Time: 12.27 minutes

Review the Release Notes.

Interested in an agent capable of processing the Windows Forwarded Events log and formatting the logs so they appear to come from the original host? Look no further!

The Snare Enterprise Agent for Windows for WEC is a new agent with the same features and functions as the Snare Enterprise Agent for Windows. In addition, it allows event logs collected by the Windows operating system on Microsoft WEC-configured systems to be forwarded to a remote audit event collection facility or SIEM, such as Snare Central. It is only licensed to run on server versions of the Microsoft Windows platforms.

The Snare WEC agent has a modified objective that includes an additional checkbox to collect from the Windows ‘Forwarded Events’ custom event log. This log is populated by the Microsoft event log subscription process, which uses WinRM to poll the remote hosts and collect their event logs.

Further Information

  • A short video on Snare WEC agent and Windows Event Forwarding.

Available from version 5.0.2. For further information, contact your Snare Sales representative for an evaluation license.

Released in September 2016, the version 5 agents have been re-architected to handle all your logging needs. The new features and enhancements in the version 5.0.0 agents for Snare Enterprise Agent for Windows, Snare Enterprise Epilog for Windows and Snare Enterprise Agent for MSSQL are detailed below. Note: ‘Legacy’ agents refers to pre-5.0 agents.

  • New Encrypted Remote Configuration Management
    • Support for TLS for remote configuration management, through the Snare Server Agent Management Console (AMC), to provide a central point of management of agent configuration across all Snare Enterprise Agents.
  • New Agent Statistics and Active Monitoring
    • Support for broadcasting Agent statistics and status monitoring information, so it can be reported through the SAM and from within the agent web user interface.  The SAM will be enhanced to display and report on the agent statistics.
    • Includes graphical representation
    • EPS statistics details on latest events screen.
  • Different log format and protocol per destination
    • The ability to specify multiple event destinations, each with their own specific format, protocol and delimiter, and simulcast events to all destinations as soon as they are received by the Agent.
    • Available formats: Snare, Syslog (RFC3164, the ALT format which is 5242 compatible, and RFC5424), CEF and LEEF.
  • Agent Heart Beat Notifications
    • The Agent Heart Beat notification system, which sends custom log messages regarding the status and health of the Snare Enterprise Agent to the event collector.
    • It can send periodic health messages, as a way of keeping track of online and offline agents, as well as messages triggered by specific events occurring within the Enterprise Agent. Along with the improved heartbeats are additional log levels to provide more information on the agent operation, configuration and performance activity.
    • On setting heartbeats a heartbeat is sent immediately.
    • If enabled, the agent sends a heartbeat to the configured server(s) after the specified number of minutes. The agent internally records all debug messages, and all debug messages are sent once per heartbeat cycle with the number of times (xx times) appended to the end of each message, showing how many times that debug message was generated since the previous heartbeat was sent. Error and critical messages are exceptions: they are sent as soon as they are generated. Repeated error and critical messages are suppressed for 10 minutes before being sent to the event collector again.
  • New Snare Agent Manager (SAM) Support
    • To facilitate functionality provided through the new SAM, support in the Enterprise Agents will provide centralised management for all agent licensing.
  • New Snare Agent Licensing Support
    • Support for the new Snare Agent Licensing system, which is managed through the SAM.
  • Event Throttling and Notifications
    • The ability to throttle event transmission speeds, and send notification messages based on event throughput.
    • This is useful for busy networks and systems, to prevent excessive bandwidth from being used in some situations. Each configured destination will dynamically load balance its Events Per Second (EPS) rate and cache when one destination is slow or not available.
  • Implement HTTPS UI Access
    • All agents implement the option to use HTTPS for the Web UI. The agents use a generated self-signed certificate for the initial install, but this certificate can be replaced by the customer with an existing one from the certificate store if required.
  • Certificate Validation Support
    • The agents have a new option to provide public key certificate validation of the destination syslog or SIEM (Security Information and Event Management) server. Customers will be able to install their own public/private keys on the client systems to use as part of the certificate validation of the destination SIEM.
  • Disk cache support for v5 agents
    • Added disk cache support: whenever the Snare agent performs a normal shutdown, it writes all unsent events that are still in memory to a disk file, and on the next start-up it reads those messages back and adds them to the send queue. The path of the disk cache can be specified on the Destination Configuration page.
  • New look and feel for the Web User Interface
    • Incorporating the new Snare logo
    • Gone are the reds and yellows from the agent, replaced with greys
    • Product consistency across Snare agents and the new SAM
    • Audit Service Status page includes extra system information
    • Latest Events page changes include:
      • displays details, status and the events per second of events sent to your destination(s)
      • an alarm bell notation signifies when new events are displayed
      • events are colour coded based on the criticality level set on your objective (Windows Agent only)
    • Network Configuration page now referred to as Destination Configuration and changes include:
      • ability to set multiple server destinations per protocol (UDP,TCP,TLS) per format (Snare,Syslog,Syslog Alt,CEF,LEEF)
      • new setting for Event Cache Size which is event number based or Event Cache Memory Size, Disk Cache Path
    • New General Configuration page with general settings from Network Configuration page in legacy moved here.
    • Remote Control Configuration page in legacy updated to Access Configuration page.  Includes Web Server Protocol and configuration for SAM
    • Each objective on the Objectives Configuration page reflects the criticality level given to the objective. The Latest Events page will highlight the event in the selected colour assigned to your objective so it’s easier to identify the important events. (Windows Agent only)
    • Improved interface for Log Configuration as it displays a separate text file of the files watched in the directory (Epilog only)
    • In Log Configuration, there is only one text field available to specify input for fixed line or multi-line (previously two input fields). This input text box will be treated as per the selection. (Epilog only)
    • Added new log type for Microsoft DNS Server logs (Epilog only)
    • Added new log type for Microsoft Exchange 2013 logs (Epilog only)
    • New Event Lookup page (MSSQL Agent only)
    • New Enumerate Databases page (MSSQL Agent only)
    • Heartbeat & Agent Log page updated to set a number of agent logging options, heartbeat frequency (including custom format) and ability to export the heartbeats file.
    • New Audit Service Statistics page displays the statistics for each destination server including any file output logs defined in Destination Configuration including a daily bytes graph which is a graphical representation of the bytes transmitted from 5 minute intervals and up to 30 days.
    • New Security Certificates page allows the generation of self signed certificates or selection of the certificate you would like to use to secure the events you are sending to the destination SIEM.
    • New sub menu for Users and Members page to link to local users, domain users and group users.
    • New License page displaying the KeyIDs for the host, the license token from the Snare Agent Manager and the ability to add stand alone licenses to your version 5 agent.
    • The old Apply Latest Audit Configuration button has been replaced with a dynamic button. If settings have not yet been applied it shows a tick icon and is called Apply Configuration & Restart Service. If the agent does not have any outstanding changes it displays Restart Service with a recycle icon.
  • Registry changes
    • Removed from v5
      • [CONFIG] EnableRegdump,OutputFilePath,SyslogDynamicCritic,SyslogDest,FileExport
      • [NETWORK] Destination,DestPort,EncryptMsg,Syslog,SyslogAlt,SyslogDest,SocketType
      • [REMOTE] EnableCookies,WebPortChange
    • New in v5
      • [CONFIG]  FileSize,HeartbeatOutputPath
      • [NETWORK] Destination1Delimiter,Destination1Format,Destination1Host,Destination1Port,Destination1Sockettype,FileOutput1Delimiter,FileOutput1FileName,SyslogFacility,SyslogPriority,CacheSize,CacheSizeEventLog
      • [REMOTE]  WebHttps
      • [SAM]
      • [CERTIFICATE]
      • [LICENSE]
      • [STATE]
      • [STATUS]
    • Changes in v5
      • [NETWORK] CacheSizeM has changed to be used for the in-memory cache settings and not the Eventlog size. Refer above to the new CacheSizeEventLog setting for the equivalent v4 agent usage.
  • Group Policy Changes
    • Each .adm and .admx/.adml GPO file is now versioned. When loaded in the GPO editor, the version number is appended to the GPO name, and any GPO settings pushed using a specific version of .adm and .admx/.adml are saved in the registry under its version key. For example, if some GPO settings are pushed using v5.0.0.0 of the .adm template, then the settings are written to the following registry path: \HKLM\Software\Policies\<AgentName>\5.0.0.0\<KeyName>. This feature supports pushing multiple versions of the GPO settings across the network. Each agent supports specific version(s) of .adm and .admx/.adml and will not use GPO settings pushed by an unsupported version of .adm and .admx/.adml. Refer to the documentation Windows ADM Templates and Group Policy for the versions of .adm and .admx/.adml supported by each agent. If the agent finds multiple supported versions of the GPO settings in the registry, it loads the GPO settings of the latest version.
  • Changes to agent operation
    • The agent no longer saves the settings to the registry when the change configuration button is selected. The registry changes are only saved in memory.  The changes will only be written out to the registry once the Apply Configuration button is selected. This allows the user to just restart the agent service if a mistake was made during a change of settings and it will reload what was saved to the registry.   The agent will still reread its current registry settings every 10 minutes and apply any changes as the current legacy agents do.
  • Other
    • One click to apply configuration. After saving your individual settings per page, just click Apply Audit Configuration & Restart Service button to apply the new configuration to the agent.
    • Implemented PCRE Regular Expression filtering for Event Objectives for all agents.
    • Support of encrypted objectives in cluster mode (MSSQL Agent)
    • Dynamic DNS Checking.
    • Improved error checking
    • Improved session handling
    • Enhanced debug log options
    • Improved registry settings structure and format. The agent can repair invalid registry settings to use correct defaults.
    • Improved multi threading and UI speed improvements so the agent can operate faster on large highly loaded systems.
    • Various security improvements and hardening including: Address Space Layout Randomization (ASLR), Stack buffer overrun detection and Heap Corruption detection
    • Agents generate a log file during install and uninstall. If the /log parameter is provided, the log file is created at the given path. If the log parameter is not provided, then during installation the log file is created in the current folder from which setup is run (the name of the log will be <AgentName>.snare.log). During uninstall, the log file is created in the %temp% directory of the user currently logged in or running setup (the name of the log file will be un<AgentName>.snare.log).
    • Previously, the user associated with the SnareMSSQL service had to be a member of the local administrators group. This restriction is removed from this version of SnareMSSQL, and now a non-admin user can also run the SnareMSSQL service. However, the SnareMSSQL installer must be run by an administrator, and the non-admin user must be specified during installation. Administrators should also explicitly assign some rights to the non-admin user before running the SnareMSSQL installer: the non-admin user should be added as ‘dbadmin’ in MSSQL Server and should also be given full rights on the cluster (if any).
    • The SnareMSSQL agent has a new command line switch ‘-e’ that can be used to delete temporary .cache files. These cache files are generated when the SnareMSSQL service is stopped and there are unsent events.
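
The heartbeat and agent-log rules listed above (a heartbeat sent immediately when enabled, debug messages batched once per cycle with an "(N times)" count, error and critical messages forwarded at once with repeats suppressed for 10 minutes) can be modelled in a few dozen lines. The Python below is an added illustration written for this page, not Snare's agent code; the class and method names, the simulated clock in seconds and the message strings are assumptions, and the timeline in simulate() is constructed.

```python
from collections import OrderedDict

ERROR_LEVELS = {"ERROR", "CRITICAL"}
SUPPRESS_SECONDS = 10 * 60   # repeated error/critical messages blocked for 10 minutes


class HeartbeatLogger:
    """Toy model of the heartbeat/agent-log delivery rules (assumed design)."""

    def __init__(self, heartbeat_minutes, send):
        self.heartbeat_seconds = heartbeat_minutes * 60
        self.send = send                    # delivers one message to the collector
        self.debug_counts = OrderedDict()   # debug text -> occurrences since last heartbeat
        self.last_forwarded = {}            # (level, text) -> time it was last forwarded
        self.next_heartbeat = None

    def enable(self, now):
        # Enabling heartbeats sends one immediately and starts the cycle.
        self._heartbeat(now)

    def log(self, level, text, now):
        """Record a message; returns True if it was forwarded right away."""
        if level in ERROR_LEVELS:
            key = (level, text)
            last = self.last_forwarded.get(key)
            if last is not None and now - last < SUPPRESS_SECONDS:
                return False                # repeat inside the suppression window
            self.last_forwarded[key] = now
            self.send(f"{level}: {text}")
            return True
        # Debug-level messages are only counted until the next heartbeat.
        self.debug_counts[text] = self.debug_counts.get(text, 0) + 1
        return False

    def tick(self, now):
        """Call from the agent's main loop; flushes when the interval has elapsed."""
        if self.next_heartbeat is not None and now >= self.next_heartbeat:
            self._heartbeat(now)
            return True
        return False

    def _heartbeat(self, now):
        self.send("HEARTBEAT: agent alive")
        for text, count in self.debug_counts.items():
            self.send(f"DEBUG: {text} ({count} times)")
        self.debug_counts.clear()
        self.next_heartbeat = now + self.heartbeat_seconds


def simulate():
    """Constructed timeline (seconds); returns the messages the collector received."""
    received = []
    hb = HeartbeatLogger(heartbeat_minutes=5, send=received.append)
    hb.enable(now=0)
    hb.log("DEBUG", "cache flushed to disk", now=10)
    hb.log("DEBUG", "cache flushed to disk", now=20)
    hb.log("ERROR", "destination unreachable", now=30)
    hb.log("ERROR", "destination unreachable", now=90)    # suppressed repeat
    hb.tick(now=300)                                        # 5-minute cycle elapses
    hb.log("ERROR", "destination unreachable", now=700)   # 10 minutes passed, forwarded
    return received


if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The point for a collector operator is the asymmetry: a burst of the same debug message costs one line per cycle, while the first error or critical message always arrives immediately, so an absent heartbeat or a missing error line means the agent or the path to it is down, not that the message was folded into a count.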

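The versioned Group Policy layout described above (settings stored under \HKLM\Software\Policies\<AgentName>\<version>\<KeyName>, unsupported template versions ignored, the newest supported version winning) comes down to a version-aware lookup. The following Python is an added example for this page, not Snare's agent code: the registry subtree is represented by a plain dict, the [REMOTE]/[NETWORK] section level is flattened for brevity, and the subkey names and values in SAMPLE_POLICY_TREE are constructed.

```python
# Assumed model: the Policies subtree for one agent, as the registry would hold it,
# represented here by a dict {subkey_name: {value_name: data}}.


def parse_version(subkey):
    """'5.0.1.0' -> (5, 0, 1, 0); None for subkeys that are not version-shaped."""
    try:
        return tuple(int(part) for part in subkey.split("."))
    except ValueError:
        return None


def select_policy(policy_tree, supported_versions):
    """Pick the newest pushed GPO version this agent supports.

    Returns (subkey, settings); (None, {}) when nothing supported was pushed.
    Comparison is numeric per component, so 5.0.10.0 ranks above 5.0.9.0,
    which a plain string comparison would get wrong.
    """
    supported = {parse_version(v) for v in supported_versions}
    supported.discard(None)
    candidates = []
    for subkey, settings in policy_tree.items():
        version = parse_version(subkey)
        if version is None or version not in supported:
            continue        # unsupported template version: never applied
        candidates.append((version, subkey, settings))
    if not candidates:
        return None, {}
    _, subkey, settings = max(candidates, key=lambda c: c[0])
    return subkey, settings


# Constructed sample of what might sit under HKLM\Software\Policies\<AgentName>\
SAMPLE_POLICY_TREE = {
    "5.0.0.0": {"WebHttps": 1, "Destination1Port": 6161},
    "5.0.1.0": {"WebHttps": 1, "Destination1Port": 6162},
    "6.0.0.0": {"WebHttps": 0},              # pushed with a template this agent does not support
    "Legacy":  {"Destination": "10.0.0.5"},  # non-versioned residue, ignored
}


if __name__ == "__main__":
    chosen, values = select_policy(SAMPLE_POLICY_TREE, ["5.0.0.0", "5.0.1.0"])
    print(chosen, values)
```

Note that the unsupported 6.0.0.0 key is skipped even though it is the highest version present; an agent that simply took the maximum would silently apply settings it was never built to interpret.
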
Further Information

Ready for v5?
VIDEO:Configuring v5 Agents and SAM
KeyIDs are required to generate full licenses.

Snare has released an IBM App Exchange update for the IBM QRadar software. The Snare Log Analysis QRadar application is designed to provide an overview dashboard of auditing log activity that the Snare for Windows Agents are sending to the QRadar System.

A new application v1.1.0 and user guide have been released on the IBM App Exchange portal. The update includes many new features covering:

  • USB activity
  • Administration events
  • Logon success and failures
  • Process command execution information.
  • Threat Analysis
  • Filtering enhancements

In addition, events can be correlated and matched against known fingerprints to detect possible threats on the network; one example included is detection of the events produced when a Rubber Ducky USB device is used. The main dashboard and other screens have also had a makeover to provide an enhanced user experience. Filtering has also had a makeover, with enhanced date ranges to find logs for particular users or systems.

Snare now has an application on the IBM App Exchange for IBM QRadar. The Snare Log Analysis QRadar application offers overview and drill down functionality providing users with a detailed view of event file and registry auditing activity collected by Snare and sent to QRadar. Filters can be applied to restrict the view to specific users, host systems, files/registry area accesses including the log types that were collected over the specified time period. If you are a current IBM customer you should check it out on the App Exchange.

The new application is freely available to the security community through IBM Security App Exchange, a marketplace where developers across the industry can share applications based on IBM Security technologies. As threats are evolving faster than ever, collaborative development among the security community will help organizations adapt quickly and speed innovation in the fight against cyber crime.

This is part of Intersect Alliance’s ongoing efforts to improve the logging and SIEM endeavors of every company regardless of their goals or tech stacks. For the full press release, download here.

Version 7.1 is available and includes a number of great new features that you’ve asked for! These features are:

  • The Snare Server collection and reflection service has been significantly updated. The Snare Server can now perform format conversion, apply filters to events on a per-destination basis, and can also search/replace event contents on the fly. The core of the collection services and the reflector has been rewritten in C++ for speed. Sample use-cases include:
    • Sending events that are marked only with a particular criticality to a specific destination.
    • Sending Windows events to a destination SIEM server, and unix events to a syslog server.
    • Changing syslog RFC 5424 events to RFC 3164 format, to accommodate a SIEM server that can only handle the older format.
    • Switching events from using a TAB delimiter, to comma.
    • Redirecting all events that include a particular username, to a separate SIEM server for analysis.
    • Forwarding any firewall logs that include a particular IP address range, to another system for deep analysis.
  • Update and Removal of “Trusted CA root Certificates” is available from the Configuration Wizard.
  • Snare Server now supports LDAP/SSL, LDAP/TLS and SASL/TLS authentication.
  • An SNMP trap server can be configured in the Snare Server wizard. A new feature has been added to the Real Time Alerts function in the objectives so that an SNMP trap is sent to the server defined in the wizard when there is a match for the Real Time objective.
  • A new “Auto-Remove Data” objective under “System -> Data Backup” is now available. This objective allows the Administrator to create tasks with a range of selection criteria that are designed to automatically remove data from the Snare Server archive. Selection criteria include: by agent, by date, and by log type. Regular expressions and date-delta options are available. Each Auto-Remove task has a specific schedule that determines when it executes.
  • A new notes section is available when configuring objectives. Annotations may be either included in or excluded from an objective’s output. Once the objective is regenerated, the annotations form is available for editing.
  • The open-vm-tools package has been included in the installed server package list, to facilitate easier management for customers who run the Snare Server under a virtual environment.
  • The Snare Server can now process SonicWall firewall logs. A series of new SonicWall template objectives has been added under the Dynamic Query capability for SonicWall.
  • TLS Server certificates associated with the TLS collection service should now use the fully qualified hostname of the server on which they are installed. A freshly installed system will use the fully qualified certificate format.
  • Six new Oracle Objectives have been added to the Snare Server, including:
    • Start-up and Shut-down of the Oracle application
    • Database Global Activity
    • Admin DBA Activity
    • Oracle Security
    • Oracle Startup / Shutdown
    • Password Changes
    • User Activity
  • Seven new Microsoft DNS server log objectives with malware domain detection have been added in the Application Audit/Windows Log Data menu tree:
    • DNS Log
    • DNS over TCP empty
    • DNS over UDP
    • DNS search IP
    • DNS Server Failures
    • Malware Domains
    • Non Existent Domains
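
The per-destination filtering, delimiter rewriting and RFC 5424 to RFC 3164 conversion listed among the v7.1 reflector use-cases above are easy to misjudge without seeing them side by side. The Python below is an added example written for this page, not the Snare Server's C++ reflector: the event lines are constructed, the field positions assumed for the Snare-style lines (host, log type, criticality, source, event id/action, description, user) are a simplification, and the destination names and rule structure are assumptions.

```python
import re
from datetime import datetime

# Constructed sample events in a TAB-delimited, Snare-style layout (field order assumed).
SNARE_EVENTS = [
    "host1\tMSWinEventLog\t1\tSecurity\t4624\tLogon success\tjdoe",
    "host2\tMSWinEventLog\t3\tSecurity\t4625\tLogon failure\tadmin",
    "fw1\tFirewall\t2\tDROP\tsrc=10.20.5.7\tdst=203.0.113.9\t-",
]


def criticality(event):
    return int(event.split("\t")[2])


def user(event):
    return event.split("\t")[6]


# One rule per destination: a predicate selecting the events it receives and the
# delimiter to rewrite to. A single event may match several destinations.
DESTINATIONS = [
    {"name": "siem-csv", "accept": lambda e: e.split("\t")[1] == "MSWinEventLog", "delimiter": ","},
    {"name": "critical-only", "accept": lambda e: criticality(e) >= 3, "delimiter": "\t"},
    {"name": "user-watch", "accept": lambda e: user(e) == "admin", "delimiter": "\t"},
    {"name": "fw-analysis", "accept": lambda e: re.search(r"src=10\.20\.", e) is not None, "delimiter": "\t"},
]


def reflect(events, destinations):
    """Fan each event out to every destination whose predicate accepts it."""
    routed = {d["name"]: [] for d in destinations}
    for event in events:
        for dest in destinations:
            if dest["accept"](event):
                routed[dest["name"]].append(event.replace("\t", dest["delimiter"]))
    return routed


# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(r"^<(\d+)>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")


def rfc5424_to_rfc3164(line):
    """Downgrade one RFC 5424 line to the RFC 3164 (BSD syslog) layout.

    The timezone is dropped (RFC 3164 timestamps carry none) and structured
    data is discarded; returns None if the line is not RFC 5424-shaped.
    """
    m = RFC5424.match(line)
    if not m:
        return None
    pri, ts, host, app, procid, _msgid, _sd, msg = m.groups()
    dt = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")   # seconds precision only
    stamp = f"{dt.strftime('%b')} {dt.day:2d} {dt.strftime('%H:%M:%S')}"  # day is space-padded
    tag = app if procid == "-" else f"{app}[{procid}]"
    return f"<{pri}>{stamp} {host} {tag}: {msg}"


if __name__ == "__main__":
    for name, lines in reflect(SNARE_EVENTS, DESTINATIONS).items():
        print(name, lines)
    print(rfc5424_to_rfc3164("<34>1 2016-09-01T12:00:00Z host3 sshd 1234 - - Accepted publickey for jdoe"))
```

Two details matter when a reflector sits in front of a SIEM: a format downgrade like the 5424 to 3164 conversion loses information (timezone, sub-second precision, structured data), so the original-format copy should still reach an archive destination, and a delimiter rewrite must not be applied to a format whose payload can legitimately contain that character.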

New features of Snare Server v7.0 include:

  • The base operating system has been upgraded to Ubuntu 14.04 LTS, from Ubuntu 10.04 LTS in v6. This provides significantly newer hardware support, and numerous fixes and optimisations within the base operating system.
  • The Event Collection System has been through a major restructure, resulting in significant speedups, and associated jumps in events-per-second collection rates. In some cases this has introduced an improvement of up to 500%.
  • The Monitor Live Data tool has been rebuilt to remove the confusion and ambiguity that existed with it in previous versions. It now monitors all incoming events, not just events on a specific port, and no longer has issues with fragmented packets and other networking challenges.
  • The Snare Configuration Wizard has been updated to include the option to set the system-level Timezone. This removes the need to manually SSH into the Snare Server and run the timezone change command.
  • The internal configuration database has been updated from SQLite2 to SQLite3. This introduces massive performance and stability enhancements into the configuration handling component.
  • Extra statistics have been added to the System Status report, to aid in monitoring the status of the Snare Server.
  • The Snare Update system has been completely rebuilt, to make the process a lot simpler and faster. Unlike the update process in the v6 release, v7 updates are completed in two steps: first the update file is verified, and after user confirmation, it is applied fully in the next step. There is no more need to click the ‘Next’ button through multiple steps. This should significantly reduce downtime during the update process. This new update system also includes a full update version history to keep a record of every update applied to the server.
  • Upgraded the geographic IP address database to the GeoLite2 database available from MaxMind. This change brings a much greater accuracy in IP address lookups than was available in the legacy Snare Geographic IP Address Database. Upgrading to the full GeoIP2 database from MaxMind is available via a manual process in this release, with a user interface to be released in a future version.
  • The current Snare Server License details have been added into a new section within the Health Checker. This should make it easier for customers to check their license details to aid in support requests and for internal tracking purposes.
  • Cache selected downloadable objective clusters locally on the installed Snare Server, so that installations that do not have access to the Internet can install regulatory compliance (and related) objectives. These options have also been added into the Snare Configuration Wizard, to provide an introduction to the available options as part of the installation process.
  • The Windows Users and Groups objective now imports Group information alongside Users when querying the provided Active Directory connection. This can be used in place of the Snare Agent group information import process.
  • Added in new collection module to support Microsoft Exchange 2013, alongside the older Exchange formats.

The Snare Linux Agents are not affected directly by the Ghost vulnerability, but the customer will need to patch their Operating System to a minimum of glibc-2.18.

The version 7 Snare Server/Agent Management Console is not affected, however the version 6 Snare Server/Agent Management Console will require a patch to the glibc, with expected patch release date in the first week of February 2015.

For further information see US-CERT

New features of Snare Server v6.3 include:

  • Support was added into the collection system for the AppleBSM audit events provided by the new Snare Enterprise Agent for OSX
  • An option was added to the Configuration Wizard to allow customers to disable the daily Pre-Cache functionality, if instructed by a Snare Support Representative. This option disables the daily pre-cache functionality of the internal Snare Database, which can, in rare instances, use more resources during the caching process than are actually saved during the report generation process when caching is enabled.
  • With larger and larger drives being used for the storage of log data, the ‘percentage free space’ warning and problem threshold settings on the Snare Server Health Checker have been migrated to a ‘gigabytes free’ model. As part of the server update process, your previous settings will be automatically converted to the new format.
  • Added support for the upcoming v4.0.0 releases of the Snare Enterprise Agents for Linux and Solaris.
  • Added a new objective for Windows USB events into the default objectives installed as part of a fresh install of the Snare Server.