Release Notes for Snare Server

Transcription

1 Release Notes for Snare Server Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct, or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance International Pty Ltd. This does not include those documents and software developed under the terms of the open source General Public Licence, which covers the Snare agents and some other software. The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance International Pty Ltd. Other trademarks and trade names are marks' and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice. Page 1 of 31

2 Table of Contents 1. Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Snare Server v Page 2 of 31

3 1. Snare Server v7.0.1 Snare Server v7.0.1 was released on Thursday 19th March Summary Snare Server v7.0.1 is the first patch update release in the v7 release cycle. Please note that after the update is applied some Snare services may take up to a few minutes to restart and show up in the Heath Checker Change Log New Features Some components of a SolarisBSM log, that have been placeholders in the past, are now being used by newer versions of Solaris. The collection module has been updated to force inclusion of these fields in the 'strings' section of the event. Some minor fields within the LinuxKAudit module were not included in the final output of the event, due to their ephemeral nature (eg: process IDs). These fields have been added to the strings section of a LinuxKAudit event. Intersect Alliance International Pty Ltd Page 3 of 31

4 Bug Fixes Version 7 of the Snare Server notifies the user if an objective hits a row limit in the process of generating the objective. Version adds a notification for timeouts as well. The PIX authentication objective includes some missing eventids that the Cisco ASA creates in the default settings. Objective export only worked for the user 'Administrator'. A small bug has been fixed, which prevented export by non-administrative users of objectives. This was corrected to allow any administrator to export the objectives. The NFS toggle on the Snare Server now works again as a result of changes made to cope with the underlying operating system update to 'rpcbind' from 'portmap'. Additional packages have also been added to the Snare Server to facilitate the manual mounting of remote server storage (eg: NAS) paths if required. Ping scans in the active network scanner within version 7, required modification to cope with the modified output format of the updated version of NMap. The lack of an enforced newline character in batch collection tools within the Snare Server (eg: ACF2 log import via FTP), causes log lines to be concatenated together in the SnareArchive folder, leading to potentially corrupted hostnames. A cache file, left over from an older version of OpenVas, would block the updated scanner from running. The update process will remove this cache file. In situations where the collection subsystem is interrupted to allow the operating system to deal with urgent tasks, there is a small chance that incomplete data will be written out from the front end network collector, to the backend service that writes data out to disk. In these situations, an incomplete event causes the collection subsystem to fall back to a corrupted data handler. This means that the hostname presented within the event is likely to be prepended with extra data when it is written out to the Snare Server data store. In addition to handling the interrupts more cleanly, this patch will review the existing data store, search for events that have such extra data prepended, and will rewrite the event so that the correct hostname is included. Resolved issue with license key being adjusted with some gateways and adding in extra carriage returns. A valid login to the Snare Server did not clear the 'failed login attempts' counter causing an untimely time-based lockout. The packages required to support SNMPTrap collection have been included with the Snare Server updates. Basic SNMPTrap messages are capable of being processed. SNMPTrap data in some instances was not being collected for users who chose to enable the built-in Snare Server firewall. Firewall rulesets have been adjusted. SNMPTrap messages, when displayed in a Snare Server objective, were not shown with the actual message component. This update fixes the metadata associated with SNMPTraps so that data that has already been collected, and any new data that arrives, will display correctly. Mandatory server signatures have been turned on for the SAMBA server to limit any potential attack vectors for SAMBA. After refreshing a Snare Server license via the health checker, the window will duplicate the objective tree menu, leading to a 'hall of mirrors' style effect. Intersect Alliance International Pty Ltd Page 4 of 31

5 Security Updates The Apache web server configuration has been updated to use only secure ciphers and handshaking protocols for HTTPS connections. This included removing SSLv2 and SSLv3 from the usable ciphers list. Any customers that need to support older ciphers or protocols should manually edit the Apache configuration to re-enable the required options. Updated cron.allow and at.allow to only support the root user as per default. This provides an extra level of security, however it can be easily changed as required to support specific customer needs. Locked down the core dump functionality as part of the default install, for security reasons. It can be easily enabled by users for specific cases. The SSH configuration has been updated the remove Cipher Block Chaining (CBC) algorithms, to enhance the provided security of the SSH protocol used by the Snare Server. A range of operating system updates have been included that address security and functionality issues within packages on which Snare relies Miscellaneous Added iotop and sysstat packages into the installation package selection for customers to use as required via the command line console. Added NFS packages to facilitate the mount of remote file systems, in situations where an Administrator needs the transfer bulk data to another unix system. Updated the Geographic IP database to the latest available upstream. Updated operating system packages to the latest available upstream. Updated vulnerability scanning plugins to the latest available upstream. Updated virus scanner signatures to the latest available upstream. Intersect Alliance International Pty Ltd Page 5 of 31

6 2. Snare Server v6.4.1 Snare Server v6.4.1 was released on 6th February, Change Log Security Updates Updated the security patches for the GHOST (glibc) vulnerability. Note: v7.0.0 of the Snare Server is not affected by the glibc vulnerability. Intersect Alliance International Pty Ltd Page 6 of 31

7 3. Snare Server v7.0.0 Snare Server v7.0.0 was released on Thursday 22nd January Summary Snare Server v7.0.0 is the first release in the v7 release cycle. It is primarily a hardware support and maintenance release, aimed at resolving hardware compatibility issues some customers have been experiencing with the older versions of the Snare Server. The most important change is the upgrade of the base operating system from Ubuntu LTS to Ubuntu LTS. This upgrade brings the hardware support forward to match the latest Ubuntu LTS release, which should suit most customers needs. However, 32-bit option has been removed as part of this process, so any customers still running 32-bit hardware will need to upgrade their hardware before upgrading to v There have been some major changes to the collection system which have introduced some optimisations and resource handling improvements (with improvements up to 500% in some cases), as well as a completely redesigned Monitor Live Data tool. The groundwork has also been started for a visual refresh of the user interface, which will start to take place over the course of the v7 release cycle. Existing Snare Servers cannot be directly updated to v7 as per the usual update method. Instead either a side-by-side migration, or an over-the-top upgrade need to be used to transition an existing Snare Server into v More details are provided in the Detailed Notes section below, and two dedicated Guides for Migration and Upgrades have been released to aid in these processes. Intersect Alliance International Pty Ltd Page 7 of 31

8 3.2. Change Log New Features The base operating system has been upgraded to Ubuntu LTS, from Ubuntu LTS in v6. This provides significantly newer hardware support, and numerous fixes and optimisations within the base operating system. See the detailed notes section for more information. The Event Collection System has been through a major restructure, resulting in significant speedups, and associated jumps in events-per-second collection rates. In some cases this has introduced an improvement of up to 500%. The Monitor Live Data tool has been rebuilt to remove the confusion and ambiguity that existed with it in previous versions. It now monitors all incoming events, not just events on a specific port, and no longer has issues with fragmented packets and other networking challenges. The Snare Configuration Wizard has been updated to include the option to set the system-level Timezone. This removes the need to manually SSH into the Snare Server and run the timezone change command. The internal configuration database has been updated from SQLite2 to SQLite3. This introduces massive performance and stability enhancements into the configuration handling component. Extra statistics have been added to the System Status report, to aid in monitoring the status of the Snare Server. The Snare Update system has been completely rebuilt, to make the process a lot simpler and faster. Unlike the update process in the v6 release, v7 updates are completed in two steps: first the update file is verified, and after user confirmation, it is applied fully in the next step. There is no more need to click the 'Next' button through multiple steps. This should significantly reduce downtime during the update process. This new update system also includes a full update version history to keep a record of every update applied to the server. Upgraded the geographic IP address database to the GeoLite2 database available from MaxMind. This change brings a much greater accuracy in IP address lookups than was available in the legacy Snare Geographic IP Address Database. Upgrading to the full GeoIP2 database from MaxMind is available via a manual process in this release, with a user interface to be released in a future version. The current Snare Server License details have been added into a new section within the Health Checker. This should make it easier for customers to check their license details to aid in support requests and for internal tracking purposes. Cache selected downloadable objective clusters locally on the installed Snare Server, so that installations that do not have access to the Internet can install regulatory compliance (and related) objectives. These options have also been added into the Snare Configuration Wizard, to provide an introduction to the available options as part of the installation process. The Windows Users and Groups objective now imports Group information alongside Users when querying the provided Active Directory connection. This can be used in place of the Snare Agent group information import process. Added in new collection module to support Microsoft Exchange 2013, alongside the older Exchange formats. Intersect Alliance International Pty Ltd Page 8 of 31

9 Bug Fixes Tooltip for the TIME match term now displays information on how to specify 'now minus "x" minutes'. The first time that the network security scanner is started on a new snare server installation, starting up the openvas scanner server can take a SIGNIFICANT amount of time (several minutes). A status update is displayed to the user when this situation is detected, to provide an indication that the objective has not frozen. Updated form validation error message when creating new user within the administration area. The validation error message returned a confusing message referencing a different field to the one which actually failed validation. Implemented data sanitisation for the Dynamic Search to better support Rejected and Corrupt data display. In some cases rejected or corrupt data contained special characters which caused the Dynamic Search to fail completely. Some customers may have noticed that the disk space usage calculations between the Dashboard and Health Checker are occasionally different by a percentage. This has been changed so they use the same calculations, resulting in a consistent value across both pages. Resolved an issue with the TLS collection system that caused excessive CPU usage in some situations with multiple concurrent TLS clients. Resolved an issue with the TLS Collector that would cause it to lose connection under some circumstances. It should now maintain connection as is the expected behaviour. Resolved issue where valid events being sent from Epilog were being categorised as Rejected Data, instead of a valid event type. Events sent from Epilog should now be categorised correctly when they are received Security Updates The Apache web server configuration has been updated to use only secure ciphers and handshaking protocols for HTTPS connections. This included removing SSLv2 and SSLv3 from the usable ciphers list. Any customers that need to support older ciphers or protocols should manually edit the Apache configuration to re-enable the required options. Updated cron.allow and at.allow to only support the root user as per default. This provides an extra level of security, however it can be easily changed as required to support specific customer needs. Locked down the core dump functionality as part of the default install, for security reasons. It can be easily enabled by users for specific cases. The SSH configuration has been updated the allowed Cipher Block Chaining (CBC) algorithms, to enhance the provided security of the SSH protocol used by the Snare Server Miscellaneous Added iotop and sysstat packages into the installation package selection for customers to use as required via the command line console. Updated the Geographic IP database to the latest available upstream. Updated operating system packages to the latest available upstream Detailed Notes Migrating or Updating an existing Snare Server There are two methods available to transition from an existing Snare Server to the new Snare Server v Please note that both of these methods require your existing server to be running the latest version of Snare Server v6. Side-by-side Migration This is the preferred method of transition from a v6 server to a v7 server. It requires installing a new v7 server alongside an existing v6 server, and then running a process on both systems. It will automatically copy over all event archives, configuration, and user data. This method ensures there is no data loss during this process. Intersect Alliance International Pty Ltd Page 9 of 31

10 Documentation for this process can be found in the Side-by-side Migration Guide for Snare Server. Over-the-top Upgrade Is an option for customers who are unable to provision a separate server alongside their existing server. It involves installing v7 over the top of v6, during which the system will retain the event archives, configuration, and user data. This method involves downtime, and has the slight risk of data loss. It should only be attempted if a side-by-side migration is not possible. Documentation for this process can be found in the Over-the-top Upgrade Guide for Snare Server Base Ubuntu OS Details Snare Server v7.0.0 is based on Ubuntu LTS, running the generic Ubuntu Linux kernel. Intersect Alliance International Pty Ltd Page 10 of 31

11 4. Snare Server v6.4.0 Snare Server v6.4.0 was released on 22nd January, Change Log New Features Added the Prepare for Snare Server Upgrade Objective. Important: This release adds support for the Side-by-side Migration and Over-the-top Upgrade procedures that provide a way to upgrade to Snare Server v7. It must be applied before a migration or upgrade can be attempted. Please see the the Migration and Upgrade User Guides for more information on this process. Please see the detailed notes from the v6.3.0 release below for more information. Intersect Alliance International Pty Ltd Page 11 of 31

12 5. Snare Server v6.3.6 Snare Server v6.3.6 was released on 18th December, Change Log New Features Added objective and user documentation to the header, sent out in the non-html component of a scheduled . Ensured that user-documentation is also included in the html component of a scheduled Bug Fixes Performed updates to the way that data is stored internally within the Agent Management Console to resolve an error which was encountered when a large number of agents (10,000+) is processed in a single objective. There should be no performance impacts or functionality changes as a result of this change. Network errors could lead to a situation where a newline is not sent through to the server, and the client terminates straight after partial transmission. This could potentially lead to a hanging read() in the TLS collection service. This modification implements read timeouts. An issue was discovered that prevented the Threshold Query configuration from being applied when the PreSelect functionality was disabled. This has been fixed, so the Threshold Query configuration is now applied, no matter what type of query is being used to retrieve the data. Resolved an issue with the TLS Collector that would cause it to lose connection under some circumstances. It should now maintain connection as is the expected behaviour. The Apache configuration has been updated to remove SSLv3 support from the HTTPS configuration, when enabled. This is due to the recent security vulnerabilities (poodle) discovered in SSLv3. Customers that require it can manually update the Apache configuration to re-enable it as required Security Updates Applied the latest security and bug fix updates to the Ubuntu operating system packages Miscellaneous Updated vulnerability scanner plugins. Updated Snare Geographic IP Address database. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to download their own updates easily. Please see the detailed notes from the v6.3.0 release below for more information. Intersect Alliance International Pty Ltd Page 12 of 31

13 6. Snare Server v6.3.5 Snare Server v6.3.5 was released on Monday 29th September, Change Log Bug Fixes The Agent configuration retrieval functionality within the Agent Management Console (AMC) has been changed slightly, to limit the number of concurrent connections to a sane maximum. As a result of this change, the AMC will no longer (in very extreme cases) flood the server with numerous processes and use all available resources, instead it will process Agents at a slower, but safer rate Security Updates The bash system package has been updated to include the security patches which resolve the recently discovered Shellshock vulnerability (CVE , CVE , CVE , CVE ). Although the Snare Server web server is not running a vulnerable server configuration, other components (such as SSH) may have opened up the possibility for abuse, and this update ensures that the server is no longer vulnerable to this issue. An ssh connection to a Snare Server will still require the authentication to be valid for the connecting user in attempting the exploit. Given a Snare Server command line access is usually restricted to the admin users only this issue would be a low risk activity. If customers have other users that have command line access to their Snare Servers then the likelihood of an attack is much greater. As per normal security practices all admin console access (web and SSH) to the Snare Server should be restricted to only users who require access as part of their job function Miscellaneous Updated vulnerability scanner plugins. Updated Snare Geographic IP Address database. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to download their own updates easily. Please see the detailed notes from the v6.3.0 release below for more information. Intersect Alliance International Pty Ltd Page 13 of 31

14 7. Snare Server v6.3.4 Snare Server v6.3.4 was released on Tuesday 2nd September, Change Log New Features The behaviour of the Snare Server reflector has been modified so that data coming in via syslog, and being reflected via syslog, will be sent through to the target server unchanged, without additional syslog headers. Added iotop and sysstat packages into the installation package selection for customers to use as required via the command line console Bug Fixes The LDAP API references an LDAP object by its distinguished name (DN). Updated DN validation checker to support valid dash characters within the DN value. Resolved issue where the Objective List wasn't being generated correctly due to unexpected character encoding of the raw data. The validation phase of the samba password configuration process was overly restrictive, and would not set the password correctly. Updated User and Group information retrieval code to support different authentication types, to resolve an issue with some legacy Linux Agent versions that returned Authentication Failed messages when a password was set. Implemented checks within the Agent User and Group data retrieval functionality to help support loading data from busy or overloaded Snare Agents. This resolves an intermittent issue which occurred in older versions of the server that prevented the server from retrieving user group data on each request. Removed the (broken) Google Talk and Twitter Real-Time Alerting options, and cleaned up configuration item to remove the confusion regarding where to configure Alerts. Fixed an issue with the 15 minute pattern map for the Total Events status page that prevented viewing the events list when clicking on a specific Agent under a specific Event Type. Implemented support for parsing ContentKeeper log data via syslog into the correct log table Security Updates Updated core system packages with latest security and bug fixes Miscellaneous Updated vulnerability scanner plugins. Updated Snare Geographic IP Address database. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to download their own updates easily. Please see the detailed notes from the v6.3.0 release below for more information. Intersect Alliance International Pty Ltd Page 14 of 31

15 8. Snare Server v6.3.3 Snare Server v6.3.3 was released on Tuesday 17th June, Change Log Bug Fixes Implemented enhanced memory management features within the Snare Database, to prevent reports from not running correctly in some situations when a lot of event data is being processed by a single report. These features are automatic and shouldn't affect the performance of the database queries. It some cases, objectives may even take less time to be generated. Resolved the issue with the Retrieve Users and Group data from Active Directory not retrieving the full information in some instances. Added missing functionality to support MAC Address TOKEN lookup into GenericLog queries. It can be enabled for GenericLog queries by using the 'MACADDRESS' TOKEN on a MAC Address field. Resolved issue with the Snare Reflector, which prevented the first reflector configuration entry from being removed. Fixed the LDAP DN validation process to allow dashes within the DN field, as they were being incorrectly blocked from use Security Updates Prevented the Windows AD password from being written to the snare.log as part of debugging information. The string '<password>' will now be displayed instead of the password. Updated core system packages with latest security and bug fixes Miscellaneous Updated vulnerability scanner plugins. Updated Snare Geographic IP Address database. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to download their own updates easily. Please see the detailed notes from the v6.3.0 release below for more information. Intersect Alliance International Pty Ltd Page 15 of 31

16 9. Snare Server v6.3.2 Snare Server v6.3.2 was released on Thursday, 1st May Change Log New Features Added support for the upcoming v4.0.0 releases of the Snare Enterprise Agents for Linux and Solaris. Added a new objective for Windows USB events into the default objectives installed as part of a fresh install of the Snare Server Bug Fixes Resolved issue with the Snare SNMPTrap Collector preventing it from working with some devices. In v6.3.1, the Snare SNMPTrap collector could process snmptrap data tagged as PUBLIC. Unfortunately some devices included double-quotes around the string ("public"), which was causing the underlying SNMPTrap receiver to ignore those specific events. This fix disables tag checking completely, and allows Snare to accept SNMPTrap data with any tags. Fixed the issue with the per-agent timezone selection, which prevented users from specifying different timezones for different agents within their fleet. Fixed issue which allowed a TOKEN to be removed accidently while updating it through the configuration dialog. The deletion button has been switched to checkbox, to prevent accidental selection and submission of the form. Resolved issue for new installations v where the System Statistics page wasn't showing the full information by default. Resolved issue affecting recent fresh installations of the Snare Server where the User Group metadata database was being incorrectly initiated. This has been fixed in in the ISO installation image, and the v update(s) will correctly initiate the database if it is found to be affected Security Updates Updated core system packages with latest security and bug fixes Miscellaneous Updated vulnerability scanner plugins. Updated Snare Geographic IP Address database. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to download their own updates easily. Please see the detailed notes from the v6.3.0 release below for more information. Intersect Alliance International Pty Ltd Page 16 of 31

17 10. Snare Server v6.3.1 Snare Server v6.3.1 was released on Wednesday, 2nd April Change Log Bug Fixes Updated the default firewall configuration to use UDP instead of TCP for SNMP. Resolved issue that broke FTOKEN support for some queries. Resolved the sanitisation check that lead to not being able to select the < and <= functions within the Snare Server match interface Security Updates Updated core system packages with latest security and bug fixes. NFS services, made available as an option on Snare Server v6.2, can now be completely disabled on the Snare Server, through the installation and configuration wizard Miscellaneous Updated vulnerability scanner plugins. Updated Snare Geographic IP Address database. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to download their own updates easily. Please see the detailed notes from the v6.3.0 release below for more information. Intersect Alliance International Pty Ltd Page 17 of 31

18 11. Snare Server v6.3.0 Snare Server v6.3.0 was released on Monday, 10th March Change Log New Features Support was added into the collection system for the AppleBSM audit events provided by the new Snare Agent for OSX (to be released in the near future). An option was added to the Configuration Wizard to allow customers to disable the daily Pre-Cache functionality, if instructed by a Snare Support Representative. This option disables the daily pre-cache functionality of the internal Snare Database, which can, in rare instances, use more resources during the caching process than are actually saved during the report generation process when caching is enabled. With larger and larger drives being used for the storage of log data, the 'percentage free space' warning and problem threshold settings on the Snare Server Health Checker, have been migrated to a 'gigabytes free' model. As part of the server update process, your previous settings will be automatically converted to the new format Bug Fixes Resolved display issue which prevented the Progress bar from progressing in Google Chrome. Resolved a configuration issue with the OpenVAS vulnerability scanner. In some circumstances, data validation routines will use an extended path, when saving default values back to the Snare configuration database in the event of a input validation failure, which means that data validation and correction routines will be called for each and every objective initialisation until the invalid data is updated. This fix trims the path, so that default data can overwrite the invalid data, leading to a tiny speedup in objective instantiation in situations where invalid data has been entered. Resolved issue that affected some older installations which involved old package updates being applied during the newer updates. The result of which was incorrectly configured packages preventing some system functionality from working. Safeguards have been put into place to ensure this does not occur in the future, and an upgrade to v6.3.0 should resolve any existing issues some customers are experiencing due to this issue. Added support into the Agent Management Console for Legacy Agent configurations which allowed empty passwords. Resolved issue that caused the 'Remove Data' objective from reporting a completed data removal process in some situations. Resolved bug that prevented the Port and Vulnerability Scanner from correctly displaying response of completed scan. Intersect Alliance International Pty Ltd Page 18 of 31

19 Security Updates Updated core system packages with latest security and bug fixes. Completed security audit and applied updates as required. Implemented centralised checking and sanitisation of input across all user interface components, in order to further reduce the risk of cross site scripting, database injection, and related attempts at corrupting the Snare Server interface. Implemented CSRF Tokens to eliminate potential avenues for attack against the Snare Server UI. Security options have been migrated to a separate category in the Snare Server wizard. The ability to block external sites from being displayed in a clickable format (eg: the link to the Snare Server documentation, hosted on the InterSect Alliance web server) has been added. Paths for hard coded temporary files have been modified to use unique randomly generated filenames, where possible. Paths for files that store process ID information have been migrated to /var/run to follow unix best practice Miscellaneous Updated vulnerability scanner plugins. Updated Snare Geographic IP Address database. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to download their own updates easily. Updated copyright date stamp on the splash screen to reflect the current year (2014) Detailed Notes Applying the Update to a Snare Server v6. This update can be applied to an existing Snare Server v6, by downloading the Snare Update file from our downloads area and using the update wizard, found at: System > Administrative Tools > Snare Server Update If you have trouble applying this update, please speak to your Snare Support Representative Update file size issue. Due to a file-size restriction issue, it is not possible to directly upgrade to v6.3.0 on an existing Snare Server that is still on version Instead, the special PreUpdate provided on the download page must be applied first, and then the v6.3.0 update can be used Base Ubuntu OS Information Snare Server v6.3.0 is based on a stripped down, and hardened version of Ubuntu LTS. The 32-bit and 64-bit releases have the same (or equivalent) packages installed with the exception of the Linux Kernel. 32-bit has Ubuntu Kernel generic-pae, which is based off the drm33.5 mainline Linux Kernel version. 64-bit has Ubuntu Kernel ~lucid1-server, which is based off the mainline Linux Kernel version. A full package list for each released version of the Snare Server can be provided upon request. Intersect Alliance International Pty Ltd Page 19 of 31

20 12. Snare Server v6.2.2 Snare Server v6.2.2 was released on Thursday, 30th January Change Log New Features Added support for Snare Agent for Windows v4.2.x into the Agent Management Console Bug Fixes Resolved confusing error that was thrown when an invalid Regular Expression was provided to the Agent Management Console. The complete HTTP 400 error message that is returned from the Snare Agent is now displayed within the Console, to aid in debugging when pushing updates to compatible Agents. This update is a tiny patch to add support for the Snare Agent for Windows v4.2.x. Please see the release notes for the v6.2.1 release below for complete details of what has changed since the v6.2.0 release. Intersect Alliance International Pty Ltd Page 20 of 31

21 13. Snare Server v6.2.1 Snare Server v6.2.1 was released on Monday, 20th January Change Log New Features Windows SID information is now retrieved from an LDAP connection, where previously it was only through a direct Agent retrieval for local accounts. This method should be considerably faster for most large environments. Added option to skip retrieving users and groups from Agents and simply use the LDAP connection, to support large AD instances where retrieving data from each Agent takes too much bandwidth. Optimised Users and Groups import speed to dramatically reduce the processing time when large user databases are being refreshed. Added support for the Apache 'vhost_combined' log format as part of the Apache log processor. Added option to restart the Apache web server after making changes in the Snare Configuration Wizard, to apply changes that may have been made within the Wizard Bug Fixes Updated validation of the destination field in Agent managed to support multiple destinations. Resolved issue with the regex handling and slash escaping for some objective configurations. Refined LDAP SID User retrieval to prevent double-counting of records and invalid searches. Resolved issue with the Live Monitor Screen that prevented information from being displayed in some cases. Fixed issue with the Default Linux Login Failures objective that caused it to check for the wrong status code in some situations. A modification to the output format of the Reflector was made, to retain compatibility with the collection service on remote legacy systems. Password history checks now enabled in the "My Account" panel, when enhanced password security is activated Security Updates Updated core system packages with latest security and bug fixes. Completed security audit and applied updates as required. Removed redundant publicly accessible pages from the web interface, since they didn't need to be there and may have caused potential security concerns for some customers. Implemented non-default, but recommended, security settings and other changes to resolve concerns for some customers. There should be no side-effects from these changes for normal customers. An option has been added into the General Settings section of the Snare Configuration Wizard to enable and disable the Snare Basic Firewall, which configures the built-in firewall to block all non-default Snare ports. This option is enabled by default on new ISO installations, but must be manually enabled after an upgrade to v Added in option to regenerate the default self-signed Apache SSL certificate used for HTTPS connections through the General Settings section of the Snare Configuration Wizard. The self-signed SSL key used in the Snare Server has been upgraded to use a 2048 bit key size, from the 1024 bit key size used previously, as well as stronger ciphers were enabled through Apache and weak ciphers disabled to keep the SSL connections secure. The Snare Server Database Manager is now off by default for new ISO installations and can be enabled and disabled through the General Settings section of the Snare Configuration Wizard. Intersect Alliance International Pty Ltd Page 21 of 31

22 Miscellaneous Updated vulnerability scanner plugins. Updated Snare Geographic IP Address database. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to download their own updates easily Detailed Notes Applying the Update to a Snare Server v6. This update can be applied to an existing Snare Server v6, by downloading the Snare Update file from our downloads area and using the update wizard, found at: System > Administrative Tools > Snare Server Update If you have trouble applying this update, please speak to your Snare Support Representative Important - Update file size issue. The Snare Server v6.2.1 update cannot be directly applied to an existing v6.0.0 server, due to a file-size restriction issue with the Snare Update page in the v6.0.0 release of the Server. This issue was fixed in v6.1.1 of the Snare Server, however, it prevents this upgrade from being applied to a Snare Server with a version below v To work around this issue, a special PreUpdate file has been provided on the download page. This update can be applied to any Snare Server v6, and will resolve the file-size issue to allow a full update to be successfully applied. This PreUpdate also adds the ability to SCP the update file directly to the server, rather than having to upload it via a web browser. Important: If you have already updated to v6.1.1 or newer, you do not need to run this PreUpdate again Base Ubuntu OS Information Snare Server v6.2.1 is based off a stripped down, and hardened version of Ubuntu LTS. The 32-bit and 64-bit releases have the same (or equivalent) packages installed with the exception of the Linux Kernel. Snare Server v bit has Ubuntu Kernel generic-pae, which is based off the drm33.5 mainline Linux Kernel version. Snare Server v bit has Ubuntu Kernel ~lucid1-server, which is based off the mainline Linux Kernel version. A full package list for each released version of the Snare Server can be provided upon request Snare Basic Firewall The Snare Server has had the UFW firewall installed by default since v6.0.0, and prior to the v6.2.1 release, it has always been disabled by default and left for customers to manage as required. It was decided that this firewall should be enabled by default for all new installations from v6.2.1 with a set of default firewall rules that allow the common Snare functionality to work as expected. The Firewall is not enabled during the upgrade process from a previous version, however it can be easily toggled on and off within the Snare Configuration Wizard. This will enable and disable the firewall, and set the default Snare configuration. The firewall can also be manually configured within the SSH administration interface, with the standard UFW commands that are documented here: Intersect Alliance International Pty Ltd Page 22 of 31

23 14. Snare Server v6.2.0 Snare Server v6.2.0 was released on Wednesday, 13th November Change Log New Features Implemented new Snare Reflector functionality for multiple configurable destinations. Implemented support for receiving events over a TLS connection from TLS supported Agents. Implemented Password Complexity rules for user accounts. Included packages for NFS in the base operating system to allow for custom configuration of NFS. Implemented custom expand/contract options for the Objective Navigation Panel to allow for longer objective names and complex nested paths. Implemented objective container-based permissions to allow for simpler permission management across large objective sets. Added support into the Agent Management Console for remote read-only management of the v3 release of the Snare Agent for Linux Bug Fixes Resolved incompatibility with Online Objective Pack importer when the Snare Server is inside a firewall that is blocking most ports. Resolved issues with Microsoft SID parsing in some log formats. Updated references to support new Microsoft event IDs for specific events that had been changed in newer versions of Windows. server availability checks in the Configuration Wizard, modified to cope with firewalls that do not accept ICMP-requests. Configuration wizard also accepts blank server. Resolved parsing issue that may occur with some incoming event dates. Resolved various page rendering issues in IE9 and IE10. Reworded User Account Creation form to remove ambiguity. Resolved bugs within the Dynamic Search functionality that prevented it from functioning successfully in some environments. Fixed a bug that caused the TCP event collection system to incorrectly handle badly formatted event information of extreme lengths. Resolved IP and hostname display issues with the Monitor Live Data objective. Remove additional redundant resources once an objective has been deleted from the system. Resolved an issue with the Retrieve Linux Accounts login/logoff events being incorrectly saved. Added checks into the Update system to prevent incompatible updates from being applied Security Updates Updated core system packages with latest security and bug fixes. Completed security audit and applied updates as required Miscellaneous Updated vulnerability scanner plugins. Updated Snare Geographic IP Address database. Intersect Alliance International Pty Ltd Page 23 of 31

24 14.2. Detailed Notes Applying the Update to a Snare Server v6. This update can be applied to an existing Snare Server v6, by downloading the Snare Update file from our downloads area and using the update wizard, found at: System > Administrative Tools > Snare Server Update If you have trouble applying this update, please speak to your Snare Support Representative Important - Update file size issue. The Snare Server v6.2.0 update cannot be directly applied to an existing v6.0.0 server, due to a file-size restriction issue with the Snare Update page in the v6.0.0 release of the Server. This issue was fixed in v6.1.1 of the Snare Server, however, it prevents this upgrade from being applied to a Snare Server with a version below v To work around this issue, a special PreUpdate file has been provided on the download page. This update can be applied to any Snare Server v6, and will resolve the file-size issue to allow a full update to be successfully applied. This PreUpdate also adds the ability to SCP the update file directly to the server, rather than having to upload it via a web browser - for customers who have difficulty using the web upgrade form. Important: If you have already updated to v6.1.1 or newer, you do not need to run this PreUpdate again Base Ubuntu OS Information Snare Server v6.2.0 is based off a stripped down, and hardened version of Ubuntu LTS. The 32-bit and 64-bit releases have the same (or equivalent) packages installed with the exception of the Linux Kernel. Snare Server v bit has Ubuntu Kernel generic-pae, which is based off the drm33.5 mainline Linux Kernel version. Snare Server v bit has Ubuntu Kernel ~lucid1-server, which is based off the mainline Linux Kernel version. A full package list for each released version of the Snare Server can be provided upon request as required TLS Receiver The Snare Server is now capable of receiving TLS encrypted data on port Agents, or other data sources, that are capable of using TLS encryption (such as the Snare for Windows Agent), can utilise this feature to provide point to point encryption of log data New Snare Reflector The new version of the Snare Reflector provides a significant update on the previous capabilities. The Reflector can now send data to: One or more destinations. Either Snare or Syslog format messages. Using UDP or TCP connections. With SSL or TLS encryption enabled, if supported by the remote server. It can be accessed in the Snare Server by going to: System > Administrative Tools > Configure Snare Server Reflector Intersect Alliance International Pty Ltd Page 24 of 31

25 Password Complexity Additional password security controls have been implemented in both the Snare Server user interface, and in the underlying operating system in order to better match the general requirements of a range of national and international security regulatory frameworks. Controls include: Password complexity and dictionary checks Password history checks Password rotation Controls that are likely to have a significant operational impact on your Snare Server user base, such as password rotation, can be enabled or disabled via the Snare Server Configuration Wizard Access Controls In situations where access controls need to be applied to an entire folder of objectives, recursively, the 'Reports' navigation panel offers a 'Folder Permissions' menu option when you right click on a folder. Selecting the "Folder Permissions" option will generate a dialog box that lists the Groups that are currently defined on the Snare Server, and provides the opportunity to add or remove groups from the 'Read' or 'Configure' capabilities. Intersect Alliance International Pty Ltd Page 25 of 31

26 15. Snare Server v6.1.2 Snare Server v6.1.2 was released on Friday, 6th September Change Log Bug Fixes Fixed drop down selection reset issue when attempting to make a selection in a long drop down list. Fixed no fields displaying when empty event table selected for objective. Fixed XML tag removal in tabular details display, to allow full event messages to be displayed correctly. Fixed issue prevent SMTP server validation in the Snare Configuration Wizard for some environments. Fixed common Monitor Live Data IP address display issues. Fixed invalid Data Backup links on the Health Checker page Security Updates Updated core system packages with the latest security and bug fixes. Implemented File Guard module to remove the potential vulnerability due to some file paths being requested directly through the browser Miscellaneous Version string display now shows the system architecture. Removing old objective artifacts when objectives are deleted to save space for large installations Detailed Notes Important: The 32-bit version of the v6.1.2 update can be applied as-is to any existing 32-bit server, however, the 64-bit version of the v6.1.2 update is too large for the v6.0.0 update form to handle. A special PreUpdate file has been provided on the download page which upgrades the Snare Update form so it will support the 64-bit v6.1.2 update file. Important: If you have already updated to v6.1.1, you do not need to run this PreUpdate again. If you have trouble applying this update, please speak to your Snare Support Representative. Intersect Alliance International Pty Ltd Page 26 of 31

27 16. Snare Server v6.1.1 Snare Server v6.1.1 was released on Tuesday, 18th June Change Log New Features Updated the "Snare Server Update" feature to provide the current version number and a manual SSH update method Bug Fixes Raised the maximum update file size limit from 100MB to 500MB Detailed Notes The purpose of v6.1.1 was to release the 64-bit support for the Snare Server. The only changes since the v6.1.0 update that are not directly related to building a 64-bit version are listed above and relate to the "Snare Server Update" objective. Important: The 32-bit version of the v6.1.1 update can be applied as-is to any existing 32-bit server, however, the 64-bit version of the v6.1.1 update is too large for the v6.0.0 update form to handle. A special PreUpdate file has been provided which upgrades the update form so it will support the 64-bit v6.1.1 update file. If you have trouble applying this update, please speak to your Snare Support Representative. Intersect Alliance International Pty Ltd Page 27 of 31