SNARE SIEM Software Update – March 6th


This SNARE update includes enhancements and bug fixes for Windows, Epilog for Windows, UNIX, MSSQL, Linux, and SNARE Server.

Snare Enterprise Agent for Windows v4.3.9 was released on March 6th, 2017.


➤ Change Log
This release includes the following:

➤ Bug Fixes
• Installation issue for 32-bit OS
There was an installation issue in the previous release of Snare that could cause the installation to fail on busy machines. This issue is fixed in this release: the Snare installer now properly checks the status of Snare service operations during installation and retries service operations appropriately on busy machines, which results in a clean installation even on busy machines.

➤ Security Updates
• Updated the OpenSSL library
Maintenance update for OpenSSL, patched to OpenSSL-1.0.2j.

Snare Enterprise Epilog for Windows v1.8.9 was released on March 6th, 2017.


➤ Change Log
This release includes the following:

➤ Bug Fixes
• Installation issue for 32-bit OS
There was an installation issue in the previous release of Epilog that could cause the installation to fail on busy machines. This issue is fixed in this release: the Epilog installer now properly checks the status of Epilog service operations during installation and retries service operations appropriately on busy machines, which results in a clean installation even on busy machines.

➤ Security Updates
• XSS vulnerability in the Windows Epilog agent
The agent's web interface has been hardened against cross-site scripting (XSS): validation has been added to the form fields that were vulnerable to cross-site scripting, to reduce any security gaps.
• Updated the OpenSSL library
Maintenance update for OpenSSL, patched to OpenSSL-1.0.2j.

Snare Enterprise Agent for UNIX v1.5.8 was released on September 4th, 2017.


➤ Security Fixes
• XSS vulnerability in the Unix Epilog agent
The agent's web interface has been hardened against cross-site scripting (XSS): validation has been added to the form fields that were vulnerable to cross-site scripting, to reduce any security gaps.

➤ Known Issue
• Upgrading the agent may fail to restart the Epilog service
Upgrading the agent with the package upgrade command (e.g. $ rpm -U) may fail to restart the service. If the service does not come back up, issue a manual restart:
1. Check the service: ps -aef | grep epilog
2. If the epilog service is not up, restart it manually: service epilogd restart

➤ Other
• Snare Enterprise Epilog for SLED 10 32-bit is no longer available in future releases.

Snare Enterprise Agent for MSSQL v1.4.10 was released on March 6th, 2017.


➤ Change Log
This release includes the following:

➤ Bug Fixes
• SnareMSSQL should use the cluster machine IP address (legacy)
There was an issue with the way SnareMSSQL computed the cluster machine IP address when running in cluster mode. It was particularly prevalent when the option "Use Host IP Address Override for source address" was selected: SnareMSSQL used the physical IP address of the cluster node instead of the virtual cluster host IP address. This issue is fixed in this release. SnareMSSQL now uses the IP address of the SQL Server virtual host when the "Use Host IP Address Override for source address" option is selected.
• Installation issue for 32-bit OS
There was an installation issue in the previous release of SnareMSSQL that could cause the installation to fail on busy machines. This issue is fixed in this release: the SnareMSSQL installer now properly checks the status of SnareMSSQL service operations during installation and retries service operations appropriately on busy machines, which results in a clean installation even on busy machines.

➤ Security Updates
• Updated the OpenSSL library
Maintenance update for OpenSSL, patched to OpenSSL-1.0.2j.

Snare Enterprise Agent for Linux v4.1.11 was released on March 6th, 2017.


➤ Bug Fixes
• Snare Agent fails to start in RHEL 7.3
This change adds support for audit version 2.6.5, which changed how service start and restart are managed. As a result, restarting the agent no longer fails when systemd manages the service.

➤ Other
• Snare Enterprise Agent for SLED 10 32-bit is no longer available in future releases.


Snare Server v7.1.4 was released on March 6th, 2017.

Change Log
Enhancements:

• The allowable length of the login warning message, configured in the Snare Server wizard, has been increased.
• F5 Networks ASM logs in CEF format are now supported by the Snare Collection subsystem.
• Sensitive Group objectives can now filter user comments, optionally eliminating any text found within brackets inside the user comment field.
• For users retrieved from a Windows Active Directory source, the description name is now taken from a combination of the ‘description’ and ‘displayName’ fields, with “CN” used as a fallback when those fields are blank.
• The last regeneration duration is now displayed in the header of each objective.
• A "hide table" option is available when CSV/TXT attachments are selected in the objective configuration for the tabular output component.

Bug Fixes:

• In some circumstances, reports scheduled to run ‘once only’ on a particular date would also run again on the last day of the month in which they were scheduled.
• Fixed an issue in which SnareCollector was not handling TLS connection shutdowns correctly on systems with large numbers of cores.
• Resolved an issue with the CLI menu not updating the DNS configuration correctly.
• Fixed a timeout issue found when retrieving user and group information via a v5 agent from a large AD database (more than 20,000 users and/or groups).
• Improved handling of agent sessions on congested networks, where sessions could be stuck in the SYN_RECV state at the TCP layer for agents sending logs over TCP or TLS.
• Resolved an issue where events reflected to a destination configured with the ‘RAW’ format were losing their end-of-line newline characters.

Configure security objectives to capture Windows Custom Event Logs

Capturing custom event logs requires configuration of an objective. If the events are correctly captured then they will display in the latest events window.

When creating an objective in the Snare agent to capture custom event logs, the Source Search Term is required. The Source Search Term is taken from the name shown in the Event Viewer, on the event's Details tab in Friendly View.
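The values the Event Viewer shows in the Details tab (log name, provider name, event ID) can also be read programmatically. The following PowerShell script is an added example, not part of the SNARE article: it enumerates the custom logs whose name matches a pattern and tallies the provider names and event IDs found in their recent records. The log name pattern is a constructed placeholder, and mapping the listed provider name onto the agent's Source Search Term is an assumption to confirm against the agent documentation for your version.

```powershell
# Added example (not from the SNARE article): list custom Windows event logs
# matching a pattern and the provider/event ID pairs recorded in them, i.e.
# the values Event Viewer displays in the Details tab (Friendly View).
# Assumption: the Source Search Term corresponds to the provider name shown
# there; verify against the agent documentation before relying on it.
param(
    [string]$LogNamePattern = '*MyApp*'   # constructed placeholder pattern
)

# 1. Find logs whose name matches the pattern. Custom logs usually live under
#    "Applications and Services Logs" and may be disabled by default.
$logs = Get-WinEvent -ListLog $LogNamePattern -ErrorAction SilentlyContinue
if (-not $logs) {
    Write-Warning "No event log matches '$LogNamePattern'."
    return
}

foreach ($log in $logs) {
    Write-Host ("Log: {0}  Enabled: {1}  Records: {2}" -f `
        $log.LogName, $log.IsEnabled, $log.RecordCount)
    if ($log.RecordCount -eq 0) { continue }

    # 2. Sample recent events and group by ProviderName and Id.
    #    ProviderName is what the Details tab shows as "Provider [Name]";
    #    Id is the EventID an objective can filter on.
    Get-WinEvent -LogName $log.LogName -MaxEvents 200 -ErrorAction SilentlyContinue |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object @{n = 'Provider'; e = { $_.Group[0].ProviderName }},
                      @{n = 'EventID';  e = { $_.Group[0].Id }},
                      Count |
        Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session if the custom log has restricted read permissions.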


Configure SNARE Enterprise Agents to forward SIEM Events to QRadar


Procedure

  1. Download and install the SNARE Agent.

Note: To request a 30 day trial of the SNARE Enterprise Agent, see the following website: www.snarealliance.com/free-trial/

  2. On the navigation menu, select Network Configuration.
  3. Type the IP address of the QRadar system in the Destination SNARE Server address field.
  4. Select the Enable SYSLOG Header check box.
  5. Click Change Configuration.
  6. On the navigation menu, select Objectives Configuration.
  7. In the Identify the event types to be captured field, select check boxes to define the event types you want SNARE to forward to QRadar.
  8. In the Identify the event logs field, select check boxes to define the event logs you want SNARE to forward to QRadar.
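Before pointing the agent at a production QRadar host, it is worth confirming that events leave the agent and carry the syslog header the procedure enables. The PowerShell script below is an added example, not from the SNARE or QRadar documentation: it opens a temporary UDP listener on the port the agent is configured to send to, waits for one datagram, and checks for the RFC 3164 style <PRI> prefix. It assumes UDP syslog on port 514 and that the listener host is what you typed as the Destination SNARE Server address.

```powershell
# Added example (not from the SNARE/QRadar article): temporary UDP listener
# that receives one forwarded event and checks for the syslog <PRI> header
# produced by the "Enable SYSLOG Header" option.
# Assumptions: UDP transport, port 514, this host is the configured destination.
param([int]$Port = 514, [int]$TimeoutSeconds = 60)

$udp = New-Object System.Net.Sockets.UdpClient($Port)
$udp.Client.ReceiveTimeout = $TimeoutSeconds * 1000
$remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
try {
    Write-Host "Waiting up to $TimeoutSeconds s for a datagram on udp/$Port ..."
    $bytes = $udp.Receive([ref]$remote)
    $text  = [System.Text.Encoding]::UTF8.GetString($bytes)
    Write-Host "From $($remote.Address): $text"

    # With the syslog header enabled the message starts with <PRI>, e.g. <13>.
    if ($text -match '^<(\d{1,3})>') {
        $pri = [int]$Matches[1]
        Write-Host ("Syslog header present: PRI={0} facility={1} severity={2}" -f `
            $pri, [math]::Floor($pri / 8), ($pri % 8))
    } else {
        Write-Warning "No <PRI> prefix: check that 'Enable SYSLOG Header' is selected on the agent."
    }
} catch [System.Net.Sockets.SocketException] {
    Write-Warning "Nothing received: check the Destination SNARE Server address, host firewall, and that Change Configuration was applied."
} finally {
    $udp.Close()
}
```

Stop any other syslog receiver on the host first, since only one process can bind the port.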


SNARE Log Analysis for QRadar is now on the IBM App Exchange


SNARE has an application on the IBM App Exchange for QRadar. The new application is freely available to the security community through IBM Security App Exchange, a marketplace where developers across the industry can share applications based on IBM Security technologies. The SNARE Log Analysis QRadar application offers overview and drill-down functionality, giving users a detailed view of the event, file and registry auditing activity collected by SNARE and sent to QRadar. Filters can be applied to restrict the view to specific users, host systems, and file/registry areas accessed, including the log types collected over the specified time period.


Watch the SNARE QRadar Application PlugIn Video:

This video clip shows how the SNARE for Windows agent can be used for monitoring file and registry changes.
Presented by Steve Challans, CTO, Intersect Alliance. Time: 4:33 minutes.
