Who's Watching your Network ?
"Why would you try to hack into someone's security system when you can get them to open the door and let you in."
ITBusiness.ca

SNARE Server 2.3
System iNtrusion Analysis & Reporting Environment

SNARE Server 2.3

The latest version of SNARE Server has been released. New features have been added, as well as, some improvements to the existing program.

New Features
• New Data Collection capabilities - The ability to collect logs from the following operating systems and applications has been created or improved:

  • ACF2 Log (via scp/ftp)
    • ACFRPTLL
    • ACFRPTRL
    • ACFRPTDS
    • ACFRPTRV
    • ACFRPTEL
  • Irix (via a Snare agent)
  • Cyberguard Firewalls (via the Syslog capability)
  • Snort (via syslog)
  • Squid (via scp/ftp)
  • Apache (via scp/ftp)
  • Linux Snare (via a Snare agent)
  • Linux IPTables (via Syslog)
  • Generic Syslog objectives (via Syslog)
  • Generic text-based log files (via syslog)
  • Lotus Notes (via the Snare agent)

• Clonable, dynamic queries - It is now possible to create storable, ad-hoc queries.

• Data Export - The Dynamic Query objective can now export data to either a tab-delimited text file or an Excel spreadsheet.

• SQL and Snare Process Management - This new objective details the current overnight “cron” process and database tasks which are still running. The user is also able to terminate the processes via the web page, if required.

• Dynamic Windows Application and System objectives - It is now possible to create storable, ad-hoc queries against the Windows System and Application objectives.

• Irix - File, Application, Administration and Login Objectives have been created to support the release of the Snare for Irix agent.

• Linux - File and Application Objectives have been created to support improvements in the Snare for Linux agent.

• Lotus Notes Access Control List Objective - This new objective has been created to query the Lotus Notes Access Control Lists associated with each Lotus Notes database.

• Cyberguard Firewall Objectives - Cyberguard firewall logs can now be collected. The new objectives have been modeled on the PIX firewall objectives.

• IPTables Firewall Objectives - IPTables firewall logs can now be collected. The new objectives have been modeled on the PIX firewall objectives.

• Dynamic Syslog objectives - It is now possible to create storable, ad-hoc queries against the generic syslog events.

Improved Features
• Interface Improvements - Some general interface improvements have been added to provide user interface consistency. ‘Details’ tables associated with each objective, for example, all include a capability to show the ‘next X results’ (e.g. next 50 results), rather than truncating the result list at 500 entries.

• Snort - Snort collection capabilities have been integrated directly into the Snare collection subsystem. This means that Snort logs from a remote location can be sent directly to the Snare Server via SYSLOG. A set of new objectives has been developed around the Snort log capabilities, providing both general management-level statistical reporting and detailed analysis tools.

• Data Archival - Integrated Snare & Event backup system. Each time an archive is undertaken, the Snare Server configuration settings are automatically saved off to the CD or DVD archive.

• Collection - The new auditserver/syslogserver binaries include a massive increase in memory-based cache and a threaded structure, which allow them to store incoming events while the mysql database is in ‘query mode’.

• Fedora - The Fedora Core 2 base operating system underpins the new Snare Server 2.3.

• Agent Query and Retrieving User and Group Accounts - The URL query timeout in the Client ‘configuration’ detection module has been set to 10 seconds (plus a 5 second connection timeout). Also, when retrieving user and group accounts, the timeout has been set to 1 hour.

• Statistics - Several statistics objectives have been combined into one objective called “General Statistics”. The SQL query that generates this objective is much more efficient and should result in some significant time improvements during the daily scheduled tasks.

• CISCO Router - The CISCO Router log collection module has been updated to work with more versions of Cisco IOS.

• Health Checker - The Health Checker ‘agent reception’ thresholds are checked inside the health-checker objective. If the ‘last date’ is LESS than the ‘first date’, the dates are switched around automatically. This is in addition to the normal ‘form input validation’ feature. Also, data import and email checking facilities have been added.

• Data Collection - Log data that does not “fit” or cannot be interpreted as a recognized collection source either via port 6161 or Syslog, will be sent to the “generic log table”. Also, the Snare Data Import modules have been updated to allow users to use either the date/time combination discovered in the log entry (if available), or to use the Snare Server localtime at the time the event has been received by the Snare Server. This will allow organizations with differing date settings on servers to have a consistent date/time across all servers.
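The routing and timestamp rules just described, as an added illustration that is not part of SNARE Server itself: constructed syslog lines are matched against a couple of assumed source recognizers, anything unrecognized goes to the generic table, and the event time comes from the entry when it is parseable or from the server's receive time otherwise.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (RFC 3164 style); not taken from the SNARE release notes.
SAMPLE_LINES = [
    "<134>Jan 12 03:14:07 fw01 kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22",
    "<132>Jan 12 03:14:09 ids01 snort[2210]: [1:1000001:1] constructed test rule [Priority: 3] {TCP} 10.0.0.5:4444 -> 10.0.0.1:80",
    "<13>Jan 12 03:14:10 app01 myapp: user alice logged in",
    "garbage line without a syslog header",
]

# RFC 3164 header: optional <PRI>, "Mmm dd hh:mm:ss", hostname, then the free-form message.
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Assumed recognizers keyed by destination table. A message matching none of them
# is routed to the generic table, mirroring the behaviour described above.
RECOGNIZERS = {
    "iptables": re.compile(r"kernel: .*\bIN=.*\bOUT=.*\bSRC=\S+ .*\bDST=\S+"),
    "snort": re.compile(r"snort\[\d+\]: \[\d+:\d+:\d+\]"),
}


def parse_timestamp(ts: str, received: datetime) -> datetime:
    """Resolve a year-less syslog timestamp using the year of the receive time."""
    return datetime.strptime(f"{received.year} {ts}", "%Y %b %d %H:%M:%S")


def route_event(line: str, received: datetime, prefer_entry_time: bool = True) -> dict:
    """Pick the destination table for one line and decide which time to record.

    prefer_entry_time=True uses the date/time found in the entry when it parses;
    False, or an unparseable header, falls back to the server's receive time.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        # No usable header: keep the raw line, stamp it with the receive time.
        return {"table": "generic", "time": received, "host": None, "msg": line}
    table = next((name for name, rx in RECOGNIZERS.items() if rx.search(m["msg"])), "generic")
    event_time = received
    if prefer_entry_time:
        try:
            event_time = parse_timestamp(m["ts"], received)
        except ValueError:
            pass  # malformed timestamp: fall back to receive time
    return {"table": table, "time": event_time, "host": m["host"], "msg": m["msg"]}
```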

• phpMyAdmin - This feature is a powerful and dangerous tool. phpMyAdmin has been updated to 2.6.0, and access is now only available from hosts on the same Class B network as the Snare Server.

• Forensic Mode - The Snare Server is able to be selected for either “Production” or “Forensic” mode. In “Forensic” mode, the Snare Server will not migrate any data to disk, and will also not collect any logs via Syslog or UDP 6161.

• Scheduled Tasks - All aspects of the “Scheduled Tasks” tab can now be fully controlled from the updated objective: “Modify Scheduled Task Settings”.

• Select Individual Client Systems - This objective has been organized so that the clients/nodes reporting events are organized into their respective operating system/application groupings.