Knowledge is your Best Security
"In the IT security field, you fight knowledge with knowledge"

Robert Hocking, 2005
Symtrex CTO

SNARE Server 2.4
System iNtrusion Analysis & Reporting Environment

The latest version of the Snare Server has been released. It adds new features and improves a number of existing ones.

New / Updated Agents
  • The Solaris, Linux, AIX, Irix and Windows agents have all been updated during the Snare 2.4 development cycle.
  • A new 'Snare Reflector' capability has been created, which can 'split' a log message and send a copy to more than one destination Snare Server. It will be released after some further testing.
  • A simple 'print monitor' for the Solaris platform has been created, to audit all print requests on a Solaris network.
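To make the reflector behaviour concrete, here is an added example (not the Snare Reflector's own code) of the split-and-forward idea: each incoming agent event is copied, unchanged, to every destination whose filter accepts it. The tab-separated event layout, the 'MSWinEventLog' prefix, the destination addresses and the listening port 6161 are assumptions made for the example, and the sample events are constructed, not captured data.

```python
import socket

# Constructed Snare-style agent events (tab-separated Windows-agent layout is
# assumed for this example; they are not real captured data).
SAMPLE_EVENTS = [
    "MSWinEventLog\t1\tSecurity\t101\tMon Jan 10 10:00:00 2005\t528\tSecurity\tjdoe"
    "\tUser\tSuccess Audit\tWS01\tLogon/Logoff\t\tSuccessful Logon\t3",
    "MSWinEventLog\t1\tApplication\t102\tMon Jan 10 10:00:01 2005\t1000\tPayroll\tN/A"
    "\tN/A\tInformation\tWS01\tNone\t\tService started\t4",
    "garbage line that is not a Snare event",
]


class Destination:
    """A downstream Snare Server plus an optional filter on the event log source."""

    def __init__(self, host, port, sources=None):
        self.host = host
        self.port = port
        self.sources = frozenset(sources or ())  # empty set = accept every source

    def accepts(self, source):
        return not self.sources or source in self.sources

    def __repr__(self):
        return f"{self.host}:{self.port}"


def event_source(event):
    """Return the log source (third tab field) of a Snare event, or None if malformed."""
    fields = event.split("\t")
    if len(fields) < 3 or fields[0] != "MSWinEventLog":
        return None
    return fields[2]


def route(event, destinations):
    """Decide which destinations get a copy of the event. The event is never rewritten,
    only duplicated; malformed input is dropped rather than forwarded blindly."""
    source = event_source(event)
    if source is None:
        return []
    return [d for d in destinations if d.accepts(source)]


def reflect(events, destinations, send=None):
    """Fan every event out to each matching destination; return the (dest, event)
    pairs that were sent. By default the copies go out as UDP syslog datagrams."""
    if send is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

        def send(dest, payload):
            sock.sendto(payload.encode("utf-8"), (dest.host, dest.port))

    sent = []
    for event in events:
        for dest in route(event, destinations):
            send(dest, event)
            sent.append((dest, event))
    return sent


if __name__ == "__main__":
    # Hypothetical destinations: a central collector that takes everything and a
    # security-team server that only wants Security log events.
    central = Destination("127.0.0.1", 6161)
    soc = Destination("127.0.0.1", 6162, sources={"Security"})
    # A no-op sender keeps the demonstration offline.
    for dest, ev in reflect(SAMPLE_EVENTS, [central, soc], send=lambda d, e: None):
        print(dest, event_source(ev))
```

Because the copies are plain UDP datagrams there is no delivery guarantee and no confidentiality on the wire; a real deployment would put the reflector and its destinations on a management network or tunnel the traffic.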

New / Updated Objectives
  • The Dynamic Query objective has a new 'IS IN' option, whereby a user can specify multiple comma-separated values (e.g. to search for event IDs 123, 234 or 345).
  • The 'Application01' objective has been significantly enhanced. Note that this objective relates specifically to an Australian DoD requirement, so it is unlikely to be of much use to most Snare Server users.
  • The Windows System/Application summary objective now includes Security, DNS, Active Directory, and File Replication Service log information.
  • The AIX operating system has been enabled as a 'System' and 'Configuration Checking' objective source.
  • A new configuration checking objective relating specifically to ACF2 file permissions is now available.
  • A Solaris 'JASS' security analysis and reporting objective is now available, which takes advantage of the JASS scanning capability included in more recent Snare for Solaris agents. A baseline configuration can be saved for each system and compared against the latest scan.
  • A new PIX / Cisco router configuration checking objective can telnet into the router or firewall and compare an authorised rule configuration against the current configuration. Note that telnet carries the login credentials in clear text, so this check should only be run over a trusted management network.
  • The NMap objective has been updated significantly and now supports a tabular presentation format, which can be exported to a spreadsheet or text file.
  • A user can now change their own password, without needing administrator intervention.
  • A user can display their most recent login date/times.
  • Snare can now pull Solaris user and group information directly from an LDAP server (as long as the LDAP server does not require authentication to view public data).
  • The Health Checker has been updated to include a warning if data has not been recently archived to CD/DVD.
  • The objective that examines agent configurations can now display the list of objectives for each agent.
  • A new capability to 'email' the Snare Server log data to a third party is now available.
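The PIX / router configuration check above compares an authorised rule set against whatever the device is currently running. The following is an added example of that comparison logic, written for this page and not taken from the Snare objective: it extracts the access-list lines from both configurations, normalises cosmetic differences, and reports rules that were added or removed, and also whether the shared rules have been reordered, since an ACL is evaluated first-match. The PIX-style syntax and the addresses in the two configuration fragments are constructed for illustration.

```python
import re

# Constructed configuration fragments (PIX-style access-list syntax assumed for
# illustration; these are not real device configurations).
AUTHORISED_CONFIG = """\
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in deny ip any any
"""

CURRENT_CONFIG = """\
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list  outside_in Permit tcp any host 192.0.2.10 eq 443
access-list outside_in permit tcp any host 192.0.2.11 eq 3389
access-list outside_in deny ip any any
"""


def rules(config):
    """Extract access-list lines, collapsing whitespace and case so that purely
    cosmetic differences ('Permit' vs 'permit', double spaces) are not reported."""
    out = []
    for line in config.splitlines():
        line = re.sub(r"\s+", " ", line.strip()).lower()
        if line.startswith("access-list "):
            out.append(line)
    return out


def compare(authorised, current):
    """Return the rules present only on the device, the rules missing from the
    device, and whether the rules common to both appear in a different order."""
    want, have = rules(authorised), rules(current)
    added = [r for r in have if r not in want]
    removed = [r for r in want if r not in have]
    # Order matters in an ACL (first match wins), so a reordering of otherwise
    # identical rules can change what traffic is permitted.
    common_want = [r for r in want if r in have]
    common_have = [r for r in have if r in want]
    return {"added": added, "removed": removed, "reordered": common_want != common_have}


def report(authorised, current):
    """Render the comparison in the +/-/! style a reviewer would expect."""
    diff = compare(authorised, current)
    lines = [f"+ {r}" for r in diff["added"]] + [f"- {r}" for r in diff["removed"]]
    if diff["reordered"]:
        lines.append("! rule order differs from the authorised configuration")
    return "\n".join(lines) if lines else "configuration matches authorised rule set"


if __name__ == "__main__":
    print(report(AUTHORISED_CONFIG, CURRENT_CONFIG))
```

The device would be read over telnet by the Snare objective; this example takes the two configurations as strings so that it runs offline, and the same comparison applies regardless of how the current configuration was fetched.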

New / Updated Data Collection Capabilities
The ability to collect logs from the following operating systems and applications has been created or improved:
  • AIX
  • ACF2
  • Irix
  • Windows Active Directory, File Replication Service, and DNS log data.
  • CISCO Router logs that have been preprocessed by a 'WhatsUP' server and forwarded to Snare.
  • Data that has been forwarded to the Snare Server by the new 'Snare Reflector'.


Encryption

The Snare Server can now operate in HTTPS (HTTP over SSL) mode. A new self-signed X.509 certificate is generated by the Snare Server after the server DNS name is changed in the Snare 'General Configuration Items' objective. Because the certificate is self-signed, browsers will warn until it has been installed as trusted, and its fingerprint changes each time it is regenerated, so users who verify the fingerprint should be told when the DNS name is changed.


Objective Regeneration
Data regeneration (particularly interactive regeneration) has changed significantly. We have implemented a 'queued background task' process that pushes an objective onto a regeneration queue when a user clicks the 'regenerate' button. Overnight objective regeneration is also integrated into this process, which has several follow-on effects:
  • If a long-running objective has been queued interactively by a Snare user, overnight tasks should wait for it to complete rather than running concurrently (which can significantly slow down BOTH tasks).
  • Internet Explorer 'timeouts' are no longer a significant issue for the large majority of objectives.
  • Users can continue to explore the Snare Server interface (and queue other objectives) while an objective is regenerating. It will no longer "lock up" the browser session.
  • A new queue management tool is available from the 'Status and Statistics' area, which can manage both interactively queued tasks and tasks generated overnight.
  • Some objectives that are very light on database access (e.g. NMap) are tagged as 'background' tasks that can run at the same time as other Snare objectives. This means that a long NMap run (perhaps over two days!) will not block other tasks from running.
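The queue semantics described above, as an added simulation written for this page (it is not Snare Server code): database-heavy objectives are treated as exclusive and run one at a time in queue order, whether they were queued interactively or overnight, while objectives tagged 'background' start as soon as they are queued. The task names, durations and queue times are constructed to show the two cases the text calls out, an overnight task waiting behind a long interactive one, and a two-day NMap run that blocks nothing.

```python
from dataclasses import dataclass


@dataclass
class Task:
    name: str
    queued_at: int               # minute at which the task entered the queue
    duration: int                # minutes the regeneration takes
    background: bool = False     # light on the database: may run alongside others
    origin: str = "interactive"  # or "overnight"


def schedule(tasks):
    """Simulate the queue. Exclusive tasks run one after another in the order they
    were queued; background tasks start the moment they are queued. Returns a list
    of (name, origin, start, end) tuples."""
    timeline = []
    exclusive_free_at = 0  # minute at which the last exclusive task finishes
    for t in sorted(tasks, key=lambda t: t.queued_at):  # stable: FIFO on ties
        if t.background:
            start = t.queued_at
        else:
            start = max(t.queued_at, exclusive_free_at)
            exclusive_free_at = start + t.duration
        timeline.append((t.name, t.origin, start, start + t.duration))
    return timeline


def queue_status(timeline, now):
    """What a queue management view would show at minute `now`."""
    running = [n for n, _, s, e in timeline if s <= now < e]
    waiting = [n for n, _, s, _ in timeline if s > now]
    return {"running": running, "waiting": waiting}


# Constructed queue: a large interactive query, a background NMap sweep queued a
# few minutes later, and two overnight objectives arriving while the query runs.
SAMPLE_QUEUE = [
    Task("Dynamic Query (large range)", queued_at=0, duration=180),
    Task("NMap sweep", queued_at=5, duration=2880, background=True),
    Task("Windows summary", queued_at=120, duration=30, origin="overnight"),
    Task("AIX system check", queued_at=120, duration=20, origin="overnight"),
]


if __name__ == "__main__":
    for name, origin, start, end in schedule(SAMPLE_QUEUE):
        print(f"{start:5d}-{end:5d}  {origin:<12} {name}")
    print(queue_status(schedule(SAMPLE_QUEUE), now=150))
```

At minute 150 the interactive query and the NMap sweep are both running while the two overnight objectives are still waiting; they start only once the query releases the database at minute 180.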


Documentation
A new 'visual editor' is available for dynamic documentation. Font sizes, text styles, lists and indentation are all supported. All of the Snare documentation has also been reviewed, including the documentation found in the "Documentation" tab of every objective.