Snare Enterprise Agent Update
Intersect Alliance has released the following updates to their Enterprise Snare Agents, plus a new MSI package:
Enterprise Windows Agent V 4.3.6 – This release dealt with the following issues (download complete release notes):
- Snare Unable to handle network destination starting with numeric value – There was an issue with how a network destination is checked to determine whether it is an IP address or a DNS name. Because of this, a DNS name starting with a numeric value could be treated as an IP address, and the network destination would not be used correctly to send the logs. This issue only affected sites where the destination address included a DNS name starting with a numeric value. It is fixed in this release, and the agent now properly distinguishes between a full IP address and a DNS name that begins with a numeric value.
- Fixed same expression comparison – The agent was not correctly processing internal expression matching, via the objective radio buttons, for the 4739 “Account Administration” and 4707 “A trust to a domain was removed” events. If individual matching was configured under the any event option, the events would still be collected. This patch resolves the collection of these events.
- Potential memory allocation error in Debug Msg – There was an issue with memory allocation handling while sending the heartbeat. The issue is more prevalent on machines low on virtual memory. It can cause the agent to enter an infinite heartbeat-sending loop, which in turn can result in a denial of service against the log collector destination(s). This issue is fixed in this release, and the memory allocation error is now handled correctly.
- Potential SnareCore Crash Issue – There was an internal issue with the event log source name checking. Because of this, the Snarecore.exe process could crash when the event log source name in the event data is set to a null value, which was unexpected from the Windows API. This issue is fixed in this release: Snare now handles the condition properly and logs a warning if the event log source name is set to a null value. As a compensating measure, because Snare internally knows the name of the event log source from which it is pulling the events, it will use that name as the log source if the Windows API replies with a NULL value.
Enterprise Epilog for Windows V 1.8.6 (download complete release notes) and Enterprise Agent for MS SQL V 1.4.7 (download complete release notes)
- Snare Unable to handle network destination starting with numeric value – There was an issue with how a network destination is checked to determine whether it is an IP address or a DNS name. Because of this, a DNS name starting with a numeric value could be treated as an IP address, and the network destination would not be used correctly to send the logs. This issue only affected sites where the destination address included a DNS name starting with a numeric value. It is fixed in this release, and the agent now properly distinguishes between a full IP address and a DNS name that begins with a numeric value.
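The destination-address issue listed for the Windows, Epilog and MS SQL agents can be illustrated with the added example below, which is not Snare code. `classify_naive` is a hypothetical first-character check, assumed here only as one way such a misclassification can arise; `classify_strict` accepts a destination as an IP only when the whole string parses as an address literal with POSIX `inet_pton`. All host names are constructed samples.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>

enum dest_kind { DEST_IPV4, DEST_IPV6, DEST_HOSTNAME };

/* Hypothetical flawed check (an assumption, not the agent's code):
 * anything that begins with a digit is taken to be an IP address. */
static enum dest_kind classify_naive(const char *dest)
{
    return isdigit((unsigned char)dest[0]) ? DEST_IPV4 : DEST_HOSTNAME;
}

/* Stricter check: the destination is an IP only if the entire string
 * parses as an IPv4 or IPv6 literal; everything else goes to DNS. */
static enum dest_kind classify_strict(const char *dest)
{
    unsigned char buf[sizeof(struct in6_addr)];

    if (inet_pton(AF_INET, dest, buf) == 1)
        return DEST_IPV4;
    if (inet_pton(AF_INET6, dest, buf) == 1)
        return DEST_IPV6;
    return DEST_HOSTNAME;
}

static const char *kind_name(enum dest_kind k)
{
    return k == DEST_IPV4 ? "ipv4" : k == DEST_IPV6 ? "ipv6" : "hostname";
}

int main(void)
{
    /* Constructed sample destinations, not taken from any real site. */
    const char *samples[] = {
        "10.1.2.3",                   /* full IPv4 literal */
        "3com-collector.example.net", /* DNS name starting with a digit */
        "10.1.2.3.example.net",       /* DNS name that looks like an IP prefix */
        "2001:db8::1",                /* IPv6 literal */
        "syslog.example.net",         /* ordinary DNS name */
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s naive=%-8s strict=%s\n", samples[i],
               kind_name(classify_naive(samples[i])),
               kind_name(classify_strict(samples[i])));
    return 0;
}
```

A quick way to confirm whether a site is exposed to this class of bug is to review configured destinations for DNS names whose first character is a digit.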
Enterprise Agent for Linux V 4.1.9 – A new feature was added (download complete release notes)
- A user should be able to create their own audit.rules file and the Linux Agent should be able to monitor any events it generates – Added the ability to specify a single rule objective with an ‘Any Event’ objective type and use a wildcard (‘*’) which indicates the agent will process all events coming from the audit subsystem. This is useful if the user wishes to use the agent but use a custom audit.rules file.
These updates are now available within your client area. If you have difficulty accessing them, please contact our office with your maintenance number.