Snare Lite (SIEM & Logging Software) News

We want to wish Thomas in Switzerland a big congrats on winning the drone. It is currently on it's way.

Happy 2017 everybody!

In keeping with the holiday spirit, Intersect Alliance, is raffling off a drone. Interested? Check out more details on the official entry page:

http://info.intersectalliance.com/2016-Holidays-Drone_Raffle-Page.html

Attention QRadar users, Snare has an integration available now, on the IBM App Exchange. To learn more check out the announcement and press release here:

https://www.intersectalliance.com/2016/11/snare-ibm-app-exchange/

We get a lot of questions around the difference between Lite and Enterprise. One of the biggest differentiators is Enteprrise's ability to reduce the logging noise. To learn more check out the white paper:

http://info.intersectalliance.com/reduce_noise_wp.html

Not a lot going on for Snare Lite since the deprecation but you can keep tabs on Intersect and Snare on their blog.

https://www.intersectalliance.com/blog/

A privately reported vulnerability exists in the Open Source versions of the Snare agents. The Snare Windows agents and some other agents are vulnerable to a Denial of Service attack. The exploit attempts to overflow an input buffer in the remote management interface, and can be performed by an unauthenticated user using a custom crafted URL.

Impact
This vulnerability does not allow the attacker to gain privileged access, but it does affect the operation of the agent and can cause the agents to hang or crash.... read more

PCI DDS Compliance v 3.0
If you’re dealing with any form of payment card data, starting on January 2015, security audits will need to prove PCI 3.0 compliance. Banks, card brands and regulators are stepping up action in the face of recent significant breaches in name brand companies. If you are running the unsupported open source agent for event logging, you will most likely fail your audit as they do not address several key aspects of the PCI DSS V3.0 audit requirements:

1. There is no technical, product, vendor or customer support – i.e. you are on an unsupported security tool/platform.
2. More than half of the critical event log data is in the custom event logs which are not processed by the open source agents, allowing forensic evidence to be lost.**
3. Best Practices, such as event data encryption, TCP protocols and caching in case of network outages or spikes, are not available.
   To take a crucial step towards compliance, we encourage you to try the Snare Enterprise Agents, which are used by the world’s leading organizations and enterprises in finance, defense, e-commerce and retail.
   Snare Enterprise Agents assist with PCI DSS compliance by collecting all applicable event logs out-of-the-Box.
   To learn how the Snare Enterprise agent is used to address PCI, click on PCI DSS ¬ Best Practices with Snare Enterprise Agents https://www.intersectalliance.com/wp-content/uploads/2014/11/PCIDSS-BestPracticeswithSnareEnterpriseAgents.pdf ... read more

Position: Snare Consultant

Location: USA. Our US office is in Denver, CO, but we will consider applicants based elsewhere in the US.

Reports to: Chief Technology Officer

Responsibilities:

Assist Snare customers with the installation and configuration of Snare products
Support sales staff and business partners, including discussions and demonstrations to          prospective customers
Work closely with the CTO and development team to keep abreast of support activity, new product features and product plans... [read more](/p/snare/news/2014/11/position-available--snare-consultant-/)

Snare Server V6.2 builds on the very successful V6 release which included enhanced multi destination forwarding and encryption options.

Snare Server V6.2 includes:

• Support for Snare Enterprise Agent for Windows v4.2.x into the Agent Management Console
• The Agent Management Console that uses the Windows SID information is now retrieved from an LDAP connection, where previously it was only through a direct Agent retrieval for local accounts. This method should be considerably faster for most large environments.
• Added option to skip retrieving users and groups from Agents and simply use the LDAP connection, to support large AD instances
• Optimized Users and Groups import speed to dramatically reduce the processing time when large user databases are being refreshed.
• Added support for the Apache ‘vhost_combined’ log format as part of the Apache log processor.... read more

4.2 includes
• Support for Group Policy configuration – administrative templates available
• Event throughput throttling and alerting
• Destination Status Indicator (i.e. all OK at the Server end)
• Use of Regular Expressions for event matching
• Optional Truncation of verbose event narrative

Snare for Windows Enterprise edition V4.2 builds on the very successful 4.1 release with included TLS/SSL and other features.... read more

Epilog for *nix 1.5 (Linux and Unix, including Solaris) has been released. The major features of this release are:

• Glob support for file names (aka Wildcard support, only better)
• RHEL6 support
• Support for non-privileged use

Globbing is quite a powerful pattern matching tool for files, please checkout the following link for more details on how globbing works.

http://linux.about.com/library/cmd/blcmdl7_glob.htm... read more

The latest version of Snare for Windows is now available with some significant security enhancements to the micro web interface:

 - Cookies are now required to commit configuration changes
 - The authentication method has been updated to protect passwords in transit
 - The Remote Configuration web page has been updated to protect password updates in transit
 - Configuration changes cannot be made via the address bar only... [read more](/p/snare/news/2011/11/snare-for-windows-4010-released/)

There are some important updates in this version of the agent that you should be aware of:

• There are now two release versions of the agent:
  • 1.x series of the agent is now for RHEL5 and below only (auditd versions less than 2.0)
  • 2.x series of the agent is for RHEL6 and above (auditd versions greater than or equal to 2.0)
• A number of security enhancements have been made to the micro web interface that will eventually make their way into the other agents
  • Cookies are now required to commit configuration changes
  • The authentication method has been updated to protect passwords in transit
  • The Remote Configuration web page has been updated to protect password updates in transit
  • Configuration changes cannot be made via the address bar only... read more

This release contains some significant upgrades including support for log files over 2GB in size for both 32 and 64 bit operating systems as well as a work around for some collection issues on 2008 R2 where the contents of a log file wasn't always being detected immediately by Epilog. For more details on the updates in this version, check the ReadMe.

We have prepared a new version of Snare for Windows that combines the 2000/XP/2003 agent and the Vista/2008/Win7 agent into one installer! And it comes with a much more powerful built in silent installer. The documentation will be available on our website shortly.

The major updates in 3.1.5 are correct Category resolution and an update to the order that objectives are processed in (i.e. they are now processed top to bottom). The former will resolve issues where events contain incorrect Category information and the latter will make filtering and excluding events much easier and a lot more logical.

Hi All,

Just a quick note to let you all know about our Twitter account ia_snare (http://twitter.com/ia_snare). Here, we'll be discussing/announcing information on the agents, their development and any other information that we believe might be useful or helpful to all the hard working security folk out there. Ideas, suggestions, comments and feedback are always welcome.

Cheers, David.

Snare for Solaris 3.2.2 introduces the first round of Zones support for the agent. Under Solaris 10, the agent can now be used in a Global Zone to audit activity in all zones using the "zonename" policy to identify the source zone for each event.

Support for installing Snare for Solaris directly in a non-global is still under development. I'll be creating a new forum topic for all future Solaris Zones discussions and announcements.

The new version of Epilog provides some big improvements for Objective processing. The objectives are now processed TOP TO BOTTOM and we have included the ability to reorder objectives using the web interface. This release also boasts much better memory handling so events are processed and delivered much more efficiently.

Any problems or queries, let us know through the forums.

The latest Snare for Solaris agent introduces some changes to the way the agent handles errors in its thread structure. These changes aims to make detecting praudit problems (and recovering from them) much easier and also prevent problems when rebinding the remote control interface to the listening port.

With a massive overhaul of the file watch configuration system, SnareLinux is now easier to configure and requires far less CPU to conduct file auditing.

However, this will be the final release targeting auditd 1.0.15 (RHEL4 update 4 standard audit package). With the significant improvements available in later versions of auditd, we will be targeting much newer releases from now on to ensure the best possible performance of the agent.

The latest version of Epilog for Windows is the first version to tackle multi line log formats. Version 1.5.0 allows you to process either a fixed number of lines (e.g. 4 lines per event) or line separated events (e.g. a blank line between each event) into a single, tab separated line for transmission to your network logging server. Future release will aim to target more multi line formats, so hit the forums and let us know what other types of multi line logs you would like to collect.... read more

Testing of version 3.1.3 of the Snare for Windows agent has shown a dramatic decrease in CPU usage on high traffic systems (e.g. Domain Controllers). Combined with the page fault fix in 3.1.2, you should see a significant reduction in the agent's CPU requirements.

This agent has been updated to reduce the number of page faults caused by previous versions of the agent, in turn reducing the CPU usage, allowing the agent to process messages faster. In this case, the trade off is slightly higher memory usage, but this should remain under 10Mb (resident memory).

Anyone interested in packaging the agent for rollout, we have a new MSI build procedure available at:... read more

The latest Snare for Windows Vista agent is now a MultiArch installer with support for X64 versions of Windows Vista. The other major update in this version is ability to strip the default audit settings from C:\Windows. Most DLLs in C:\Windows have some form of auditing applied to them and this can cause a massive surge in events if File System auditing is enabled. Use "snarecore -s" to strip the default settings and "snarecore -r" to restore them. Any questions, hit the forums.... read more