Snare Server version 7.1 released
Version 7.1 is available and includes a number of great new features that you’ve asked for! These features are:
- The Snare Server collection and reflection service has been significantly updated. The Snare Server can now perform format conversion, apply filters to events on a per-destination basis, and can also search/replace event contents on the fly. The core of the collection services and the reflector has been rewritten in C++ for speed. Sample use-cases include:
  - Sending only events marked with a particular criticality to a specific destination.
  - Sending Windows events to a destination SIEM server and Unix events to a syslog server.
  - Converting syslog RFC 5424 events to RFC 3164 format, to accommodate a SIEM server that can only handle the older format.
  - Switching the event field delimiter from TAB to comma.
  - Redirecting all events that include a particular username to a separate SIEM server for analysis.
  - Forwarding any firewall logs that include a particular IP address range to another system for deep analysis.
- Updating and removing “Trusted CA Root Certificates” is now available from the Configuration Wizard.
- Snare Server now supports LDAP/SSL, LDAP/TLS and SASL/TLS authentication.
- An SNMP trap server can be configured in the Snare Server wizard. The Real Time Alerts function of objectives has been extended so that an SNMP trap is sent to the server defined in the wizard whenever a Real Time objective matches.
- A new “Auto-Remove Data” objective under “System -> Data Backup” is now available. This objective allows the Administrator to create tasks with a range of selection criteria that automatically remove data from the Snare Server archive. Selection criteria include: by agent, by date, and by log type. Regular expressions and date-delta options are available. Each Auto-Remove task has its own schedule that determines when it executes.
- A new notes section is available when configuring objectives. Annotations may be either included in or excluded from an objective’s output. Once the objective is regenerated, the annotations form is available for editing.
- The open-vm-tools package has been included in the installed server package list, to facilitate easier management for customers who run the Snare Server under a virtual environment.
- The Snare Server can now process SonicWall firewall logs. A series of new SonicWall template objectives has been added under the Dynamic Query capability for SonicWall.
- TLS Server certificates associated with the TLS collection service should now use the fully qualified hostname of the server on which they are installed. A freshly installed system will use the fully qualified certificate format.
- Six new Oracle Objectives have been added to the Snare Server, including:
  - Start-up and Shut-down of the Oracle application
  - Database Global Activity
  - Admin DBA Activity
  - Oracle Security
  - Oracle Startup / Shutdown
  - Password Changes
  - User Activity
- Seven new Microsoft DNS server log objectives, including malware domain detection, have been added under the Application Audit/Windows Log Data menu tree:
  - DNS Log
  - DNS over TCP empty
  - DNS over UDP
  - DNS search IP
  - DNS Server Failures
  - Malware Domains
  - Non Existent Domains
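As an added illustration of the reflector use-cases listed above (per-destination criticality filtering, RFC 5424 to RFC 3164 conversion, and TAB to comma search/replace), here is a small Python reflector written for this page; it is not Snare's own code, and the rule keys, destination names and sample events are constructed for the example.

```python
import re
from datetime import datetime
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
# Constructed sample event: a local0/info (PRI 134) firewall line with a TAB-delimited payload.
SAMPLE = ("<134>1 2024-03-01T09:05:07+10:00 fw01.example.com sonicwall - - - "
          "alice\t10.1.2.3\tdeny")
# Hypothetical per-destination rules (this example's keys, not Snare's configuration syntax):
# max_severity keeps events at least this critical (0 = emerg ... 7 = debug); format "rfc3164"
# converts the event, anything else passes RFC 5424 through; replace lists (search, new) pairs.
DESTINATIONS = {
    "siem":          {"format": "rfc3164", "replace": [("\t", ",")]},
    "critical_only": {"max_severity": 3},
    "archive":       {},
}

def parse_rfc5424(line):
    """Split an RFC 5424 line into its fields; returns None if the line does not match."""
    m = RFC5424.match(line)
    if m is None:
        return None
    f = m.groupdict()
    f["severity"] = int(f["pri"]) & 7   # low three bits of PRI; facility is pri >> 3
    return f

def to_rfc3164(f):
    """Render fields as <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG (RFC 3164 carries no zone)."""
    ts = datetime.fromisoformat(f["ts"])
    stamp = ts.strftime("%b ") + f"{ts.day:2d}" + ts.strftime(" %H:%M:%S")  # day is space-padded
    tag = f["app"] if f["pid"] == "-" else f"{f['app']}[{f['pid']}]"
    return f"<{f['pri']}>{stamp} {f['host']} {tag}: {f['msg']}"

def reflect(line, destinations):
    """Return {destination: outgoing event} after each destination's filter, format and replace rules."""
    f = parse_rfc5424(line)
    if f is None:
        return {}
    out = {}
    for name, rule in destinations.items():
        if f["severity"] > rule.get("max_severity", 7):
            continue  # not critical enough for this destination
        text = to_rfc3164(f) if rule.get("format") == "rfc3164" else line
        for old, new in rule.get("replace", []):
            text = text.replace(old, new)
        out[name] = text
    return out
```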