Snare System Version Release Notes

Transcription

1 Snare System Version Release Notes is pleased to announce the release of Snare Server Version Snare Server Version New Features Added objective and user documentation to the header, sent out in the nonhtml component of a scheduled . Ensured that user-documentation is also included in the html component of a scheduled . Performed updates to the way that data is stored internally within the Agent Management Console to resolve an error which was encountered when a large number of agents (10,000+) is processed in a single objective. There should be no performance impacts or functionality changes as a result of this change. Network errors could lead to a situation where a newline is not sent through to the server, and the client terminates straight after partial transmission. This could potentially lead to a hanging read() in the TLS collection service. This modification implements read timeouts. An issue was discovered that prevented the Threshold Query configuration from being applied when the PreSelect functionality was disabled. This has been fixed, so the Threshold Query configuration is now applied, no matter what type of query is being used to retrieve the data. Resolved an issue with the TLS Collector that would cause it to lose connection under some circumstances. It should now maintain connection as is the expected behaviour. The Apache configuration has been updated to remove SSLv3 support from the HTTPS configuration, when enabled. This is due to the recent security vulnerabilities (poodle) discovered in SSLv3. Customers that require it can manually update the Apache configuration to reenable it asrequired. Security Updates Applied the latest security and bug fix updates to the Ubuntu operating system packages. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to

2 is pleased to announce the release of Snare Server Version Snare System Version Release Notes Snare Server Version The Agent configuration retrieval functionality within the Agent Management Console (AMC) has been changed slightly, to limit the number of concurrent connections to a sane maximum. As a result of this change, the AMC will no longer (in very extreme cases) flood the server with numerous processes and use all available resources, instead it will process Agents at a slower, but safer rate. Security Updates The bash system package has been updated to include the security patches which resolve the recently discovered Shellshock vulnerability (CVE , CVE , CVE , CVE ). Although the Snare Server web server is not running a vulnerable server configuration, other components (such as SSH) may have opened up the possibility for abuse, and this update ensures that the server is no longer vulnerable to this issue. An ssh connection to a Snare Server will still require the authentication to be valid for the connecting user in attempting the exploit. Given a Snare Server command line access is usually restricted to the admin users only this issue would be a low risk activity. If customers have other users that have command line access to their Snare Servers then the likelihood of an attack is much greater. As per normal security practices all admin console access (web and SSH) to the Snare Server should be restricted to only users who require access as part of their job function. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to

3 Snare System Version Release Notes is pleased to announce the release of Snare Server Version Snare Server Version New Features The behaviour of the Snare Server reflector has been modified so that data coming in via syslog, and being reflected via syslog, will be sent through to the target server unchanged, without additional syslog headers. Added iotop and sysstat packages into the installation package selection for customers to use as required via the command line console. The LDAP API references an LDAP object by its distinguished name (DN). Updated DN validation checker to support valid dash characters within the DN value. Resolved issue where the Objective List wasn't being generated correctly due to unexpected character encoding of the raw data. The validation phase of the samba password configuration process was overly restrictive, and would not set the password correctly. Updated User and Group information retrieval code to support different authentication types, to resolve an issue with some legacy Linux Agent versions that returned Authentication Failed messages when a password was set. Implemented checks within the Agent User and Group data retrieval functionality to help support loading data from busy or overloaded Snare Agents. This resolves an intermittent issue which occurred in older versions of the server that prevented the server from retrieving user group data on each request. Removed the (broken) Google Talk and Twitter RealTime Alerting options, and cleaned up configuration item to remove the confusion regarding where to configure Alerts. Fixed an issue with the 15 minute pattern map for the Total Events status page that prevented viewing the events list when clicking on a specific Agent under a specific Event Type. Implemented support for parsing ContentKeeper log data via syslog into the correct log table. 313 Armadale

4 Security Updates Updated ClamAV virus definitions, for customers with servers that cannot access the internet to

5 Snare Server Version Implemented enhanced memory management features within the Snare Database, to prevent reports from not running correctly in some situations when a lot of event data is being processed by a single report. These features are automatic and shouldn t affect the performance of the database queries. It some cases, objectives may even take less time to be generated. Resolved the issue with the Retrieve Users and Group data from Active Directory not retrieving the full information in some instances. Added missing functionality to support MAC Address TOKEN lookup into GenericLog queries. It can be enabled for GenericLog queries by using the 'MACADDRESS' TOKEN on a MAC Address field. Resolved issue with the Snare Reflector, which prevented the first reflector configuration entry from being removed. Fixed the LDAP DN validation process to allow dashes within the DN field, as they were beingincorrectly blocked from use. Security Updates: Prevented the Windows AD password from being written to the snare.log as part of debugging information. The string '<password>' will now be displayed instead of the password Updated vulnerability scanner plugings Updated ClamAV virus definitions for customers with servers that cannot access the internet to

6 Snare Server Version New Features: Added support for the upcoming V4.0.0 releases of the Snare Enterprise Agents for Linux and Solaris. Added a new objective for Windows USB events into the default objectives installed as part of a fresh install of the Snare Server Resolved issue with the Snare SNMPTrap Collector preventing it from working with some devices. In v6.3.1, the Snare SNMPTrap collector could process snmptrap data tagged as PUBLIC. Unfortunately some devices included double-quotes around the string ("public"), which was causing the underlying SNMPTrap receiver to ignore those specific events. This fix disables tag checking completely, and allows Snare to accept SNMPTrap data with any tags. Fixed the issue with the per-agent timezone selection, which prevented users from specifying different timezones for different agents within their fleet. Fixed issue which allowed a TOKEN to be removed accidently while updating it through the configuration dialog. The deletion button has been switched to checkbox, to prevent accidental selection and submission of the form. Resolved issue for new installations v where the System Statistics page wasn't showing the full information by default. Resolved issue affecting recent fresh installations of the Snare Server where the User Group metadata database was being incorrectly initiated. This has been fixed in in the ISO installation image, and the v update(s) will correctly initiate the database if it is found to be affected. Security Updates: Updated vulnerability scanner plugings Updated ClamAV virus definitions for customers with servers that cannot access the internet to.

7 Snare Server Version Bug Fixes Updated the default firewall configuration to use UDP instead of TCP for SNMP. Resolved issue that broke FTOKEN support for some queries. Resolved the sanitization check that lead to not being able to select the < and <= functions within the Snare Server match interface. Security Updates NFS services, made available as an option on Snare Server v6.2, can now be completely disabled on the Snare Server, through the installation and configuration wizard. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to download their own updates easily.

8 Snare Server Version New Features Support was added into the collection system for the AppleBSM audit events provided by the new Snare Agent for OSX (to be released in the near future). An option was added to the Configuration Wizard to allow customers to disable the daily Pre-Cache functionality, if instructed by a Snare Support Representative. This option disables the daily pre-cache functionality of the internal Snare Database, which can, in rare instances, use more resources during the caching process than are actually saved during the report generation process when caching is enabled. With larger and larger drives being used for the storage of log data, the 'percentage free space' warning and problem threshold settings on the Snare Server Health Checker, have been migrated to a 'gigabytes free' model. As part of the server update process, your previous settings will be automatically converted to the new format. Bug Fixes Resolved display issue which prevented the Progress bar from progressing in Google Chrome. Resolved a configuration issue with the OpenVAS vulnerability scanner. In some circumstances, data validation routines will use an extended path, when saving default values back to the Snare configuration database in the event of a input validation failure, which means that data validation and correction routines will be called for each and every objective initialisation until the invalid data is updated. This fix trims the path, so that default data can overwrite the invalid data, leading to a tiny speedup in objective instantiation in situations where invalid data has been entered. Resolved issue that affected some older installations which involved old package updates being applied during the newer updates. The result of which was incorrectly configured packages preventing some system functionality from working. Safeguards have been put into place to ensure this does not occur in the future, and an upgrade to v6.3.0 should resolve any existing issues some customers are experiencing due to this issue. Added support into the Agent Management Console for Legacy Agent configurations which allowed empty passwords. Resolved issue that caused the 'Remove Data' objective from reporting a completed data removal process in some situations. Resolved bug that prevented the Port and Vulnerability Scanner from correctly displaying response of completed scan..

9 Security Updates Completed security audit and applied updates as required. Implemented centralised checking and sanitisation of input across all user interface components, in order to further reduce the risk of cross site scripting, database injection, and related attempts at corrupting the Snare Server interface. Implemented CSRF Tokens to eliminate potential avenues for attack against the Snare Server UI. Security options have been migrated to a separate category in the Snare Server wizard. The ability to block external sites from being displayed in a clickable format (eg: the link to the Snare Server documentation, hosted on the InterSect Alliance web server) has been added. Paths for hard coded temporary files have been modified to use unique randomly generated filenames, where possible. Paths for files that store process ID information have been migrated to /var/run to follow unix best practice. Updated ClamAV virus definitions, for customers with servers that cannot access the internet to download their own updates easily. Updated copyright date stamp on the splash screen to reflect the current year (2014). Detailed Notes: 1. Applying the Update to a Snare Server v6. This update can be applied to an existing Snare Server v6, by downloading the Snare Update file from your client area and using the update wizard, found at: System > Administrative Tools > Snare Server Update If you have trouble applying this update, please speak to your Snare Support Representative. 2. Update file size issue. Due to a file-size restriction issue, it is not possible to directly upgrade to v6.3.0 on an existing Snare Server that is still on version Instead, the special PreUpdate provided in your client area must be applied first, and then the v6.3.0 update can be used. 3. Base Ubuntu OS Information Snare Server v6.3.0 is based on a stripped down, and hardened version of Ubuntu LTS. The 32-bit and 64 -bit releases have the same (or equivalent) packages installed with the exception of the Linux Kernel. 32-bit has Ubuntu Kernel generic-pae, which is based off the drm33.5 mainline Linux Kernel version 64-bit has Ubuntu Kernel ~lucid1-server, which is based off the mainline Linux Kernel version. A full package list for each release version of the Snare Server can be provided upon request