Snare now has an application on the IBM App Exchange for IBM QRadar. The Snare Log Analysis QRadar application offers overview and drill down functionality providing users with a detailed view of event file and registry auditing activity collected by Snare and sent to QRadar. Filters can be applied to restrict the view to specific users, host systems, files/registry area accesses including the log types that were collected over the specified time period. If you are a current IBM customer you should check it out on the App Exchange.

The new application is freely available to the security community through IBM Security App Exchange, a marketplace where developers across the industry can share applications based on IBM Security technologies. As threats are evolving faster than ever, collaborative development among the security community will help organizations adapt quickly and speed innovation in the fight against cyber crime.

This is part of Intersect Alliance’s on going efforts to improve the logging and SIEM endeavors of every company regardless of their goals or tech stacks. For the full press release, download here.

Version 7.1 is available and includes a number of great new features that you’ve asked for! These features are:

  • The Snare Server collection and reflection service has been significantly updated. The Snare Server can now perform format conversion, apply filters to events on a per-destination basis, and can also search/replace event contents on the fly. The core of the collection services and the reflector has been rewritten in C++ for speed. Sample use-cases include:
    • Sending events that are marked only with a particular criticality to a specific destination.
    • Sending Windows events to a destination SIEM server, and unix events to a syslog server.
    • Changing syslog RFC 5424 events to RFC 3164 format, to accommodate a SIEM server that can only handle the older format.
    • Switching events from using a TAB delimiter, to comma.
    • Redirecting all events that include a particular username, to a separate SIEM server for analysis.
    • Forwarding any firewall logs that include a particular IP address range, to another system for deep analysis.
  • Update and Removal of “Trusted CA root Certificates” is available from the Configuration Wizard.
  • Snare Server now supports LDAP/SSL, LDAP/TLS and SASL/TLS authentication.
  • A SNMP trap server can be configured in the Snare Server wizard. A new feature has been added to the Real Time Alerts function in the objectives that so a SNMP Trap will be sent to the server as defined in the wizard when there is a match for the Real Time objective.
  • A new “Auto-Remove Data” objective under “System -> Data Backup” is now available. This objective allows the Administrator to create tasks with a range of selection criteria, that are designed to automatically remove data from the Snare Server archive. Selection criteria include: By agent, by date, and by log type. Regular expressions, and date-delta options are available. Each Auto-Remove task has a specific schedule that determines when it executes.
  • A new notes section is available when configuring objectives. Annotations may be either included or excluded from an objectives’ output. Once the objective is regenerated, the annotations form is available for editing.
  • The open-vm-tools package has been included in the installed server package list, to facilitate easier management for customers who run the Snare Server under a virtual environment.
  • The Snare Server can now process SonicWall firewall logs. A series of new SonicWall template objectives has been added under the Dynamic Query capability for SonicWall.
  • TLS Server certificates associated with the TLS collection service should now use the fully qualified hostname of the server on which they are installed. A freshly installed system will use the fully qualified certificate format.
  • Six new Oracle Objectives have been added to the Snare Server, including:
    • Start-up and Shut-down of the Oracle application
    • Database Global Activity
    • Admin DBA Activity
    • Oracle Security
    • Oracle Startup / Shutdown
    • Password Changes
    • User Activity
  • Seven New Microsoft DNS server logs Objectives with Malware domain detection have been added in the Application Audit/Windows Log Data menu tree:
    • DNS Log
    • DNS over TCP empty
    • DNS over UDP
    • DNS search IP
    • DNS Server Failures
    • Malware Domains
    • Non Existent Domains

New features of Snare Server v7.0 include:

  • The base operating system has been upgraded to Ubuntu 14.04 LTS, from Ubuntu 10.04 LTS in v6. This provides significantly newer hardware support, and numerous fixes and optimisations within the base operating system.
  • The Event Collection System has been through a major restructure, resulting in significant speedups, and associated jumps in events-per-second collection rates. In some cases this has introduced an improvement of up to 500%.
  • The Monitor Live Data tool has been rebuilt to remove the confusion and ambiguity that existed with it in previous versions. It now monitors all incoming events, not just events on a specific port, and no longer has issues with fragmented packets and other networking challenges.
  • The Snare Configuration Wizard has been updated to include the option to set the system-level Timezone. This removes the need to manually SSH into the Snare Server and run the timezone change command.
  • The internal configuration database has been updated from SQLite2 to SQLite3. This introduces massive performance and stability enhancements into the configuration handling component.
  • Extra statistics have been added to the System Status report, to aid in monitoring the status of the Snare Server.
  • The Snare Update system has been completely rebuilt, to make the process a lot simpler and faster. Unlike the update process in the v6 release, v7 updates are completed in two steps: first the update file is verified, and after user confirmation, it is applied fully in the next step. There is no more need to click the ‘Next’ button through multiple steps. This should significantly reduce downtime during theupdate process. This new update system also includes a full update version history to keep a record of every update applied to the server.
  • Upgraded the geographic IP address database to the GeoLite2 database available from MaxMind. This change brings a much greater accuracy in IP address lookups than was available in the legacy Snare Geographic IP Address Database. Upgrading to the full GeoIP2 database from MaxMind is available via a manual process in this release, with a user interface to be released in a future version.
  • The current Snare Server License details have been added into a new section within the Health Checker. This should make it easier for customers to check their license details to aid in support requests and for internal tracking purposes.
  • Cache selected downloadable objective clusters locally on the installed Snare Server, so that installations that do not have access to the Internet can install regulatory compliance (and related) objectives. These options have also been added into the Snare Configuration Wizard, to provide an introduction to the available options as part of the installation process.
  • The Windows Users and Groups objective now imports Group information alongside Users when querying the provided Active Directory connection. This can be used in place of the Snare Agent group information import process.
  • Added in new collection module to support Microsoft Exchange 2013, alongside the older Exchange formats.