Snare Agent Updates

Please note that the following Snare Agents have been updated and are now available:

These release are primarily to address the following issues with the agents:

Registry handle leak -Fix the registry handle leak issue that was causing the increasing number of registry handles. In severe cases, this issue could cause the frequent restart of the Snare service.

Man-in-the-middle attack in OpenSSL pre v1.0.1h -An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable Snare Windows Agent (pre v4.2.5) and a vulnerable third party log collector using TLS. This Snare Windows agent is not vulnerable to this attack if a pre v4.2.5 Snare is communicating with a Snare Server. Snare v4.2.5 is built using OpenSSL v1.0.1h that fixes this issue on Snare Windows agent side. Customers are also encouraged to update their log collectors to OpenSSL v1.0.1h so that vulnerability can be removed from both sides.

Objective exclude filter bug (Windows Agent Only) -Objectives allow events to be included or excluded depending on various matching criteria. A bug in previous versions resulted in the exclude option only taking full effect when applied to the ‘Event ID’ match objective. All other exclude options were ignored if a wild card match objective was performed after theexcluded match objective. This fix ensures the exclude option works correctly on the whole event including”event id”, “general match”, “user name” and “event source” fields, so that a wild card match objective after the exclude objective does not permit the excluded data.