SNARE - Auditing and EventLog Management / News: Recent posts

Intersect Alliance releases V6.2 of the Snare Server

Snare Server V6.2 builds on the very successful V6 release which included enhanced multi destination forwarding and encryption options.

Snare Server V6.2 includes:
- Support for Snare Enterprise Agent for Windows v4.2.x into the Agent Management Console
- The Agent Management Console that uses the Windows SID information is now retrieved from an LDAP connection, where previously it was only through a direct Agent retrieval for local accounts. This method should be considerably faster for most large environments.
- Added option to skip retrieving users and groups from Agents and simply use the LDAP connection, to support large AD instances
- Optimized Users and Groups import speed to dramatically reduce the processing time when large user databases are being refreshed.
- Added support for the Apache ‘vhost_combined’ log format as part of the Apache log processor.... read more

Posted by SteveC 2014-02-13

Intersect Alliance releases V4.2 of the Snare for Windows Enterprise Agents

4.2 includes
• Support for Group Policy configuration – administrative templates available
• Event throughput throttling and alerting
• Destination Status Indicator (i.e. all OK at the Server end)
• Use of Regular Expressions for event matching
• Optional Truncation of verbose event narrative

Snare for Windows Enterprise edition V4.2 builds on the very successful 4.1 release with included TLS/SSL and other features.... read more

Posted by SteveC 2014-02-12

Epilog for *nix 1.5 has been released

Epilog for *nix 1.5 (Linux and Unix, including Solaris) has been released. The major features of this release are:

  • Glob support for file names (aka Wildcard support, only better)
  • RHEL6 support
  • Support for non-privileged use

Globbing is quite a powerful pattern matching tool for files, please checkout the following link for more details on how globbing works.

http://linux.about.com/library/cmd/blcmdl7_glob.htm... read more

Posted by David Mohr 2012-01-11

Snare for Windows 4.0.1.0 released

The latest version of Snare for Windows is now available with some significant security enhancements to the micro web interface:

 - Cookies are now required to commit configuration changes
 - The authentication method has been updated to protect passwords in transit
 - The Remote Configuration web page has been updated to protect password updates in transit
 - Configuration changes cannot be made via the address bar only... [read more](/p/snare/news/2011/11/snare-for-windows-4010-released/)
Posted by David Mohr 2011-11-15

Snare for Linux 1.7.0 and 2.0.0 released

There are some important updates in this version of the agent that you should be aware of:

  • There are now two release versions of the agent:
    • 1.x series of the agent is now for RHEL5 and below only (auditd versions less than 2.0)
    • 2.x series of the agent is for RHEL6 and above (auditd versions greater than or equal to 2.0)
  • A number of security enhancements have been made to the micro web interface that will eventually make their way into the other agents
    • Cookies are now required to commit configuration changes
    • The authentication method has been updated to protect passwords in transit
    • The Remote Configuration web page has been updated to protect password updates in transit
    • Configuration changes cannot be made via the address bar only... read more
Posted by David Mohr 2011-08-09

Epilog for Windows 1.5.6 is now available

This release contains some significant upgrades including support for log files over 2GB in size for both 32 and 64 bit operating systems as well as a work around for some collection issues on 2008 R2 where the contents of a log file wasn't always being detected immediately by Epilog. For more details on the updates in this version, check the ReadMe.

Posted by David Mohr 2011-07-04

New Snare for Windows

We have prepared a new version of Snare for Windows that combines the 2000/XP/2003 agent and the Vista/2008/Win7 agent into one installer! And it comes with a much more powerful built in silent installer. The documentation will be available on our website shortly.

Posted by David Mohr 2011-06-09

Snare for Windows 3.1.5 released

The major updates in 3.1.5 are correct Category resolution and an update to the order that objectives are processed in (i.e. they are now processed top to bottom). The former will resolve issues where events contain incorrect Category information and the latter will make filtering and excluding events much easier and a lot more logical.

Posted by David Mohr 2009-05-31

InterSect Alliance is now on Twitter

Hi All,

Just a quick note to let you all know about our Twitter account ia_snare (http://twitter.com/ia_snare). Here, we'll be discussing/announcing information on the agents, their development and any other information that we believe might be useful or helpful to all the hard working security folk out there. Ideas, suggestions, comments and feedback are always welcome.

Cheers, David.

Posted by David Mohr 2009-05-24

Snare for Solaris 3.2.2 released

Snare for Solaris 3.2.2 introduces the first round of Zones support for the agent. Under Solaris 10, the agent can now be used in a Global Zone to audit activity in all zones using the "zonename" policy to identify the source zone for each event.

Support for installing Snare for Solaris directly in a non-global is still under development. I'll be creating a new forum topic for all future Solaris Zones discussions and announcements.

Posted by David Mohr 2009-05-17

Epilog for Windows 1.5.1 released

The new version of Epilog provides some big improvements for Objective processing. The objectives are now processed TOP TO BOTTOM and we have included the ability to reorder objectives using the web interface. This release also boasts much better memory handling so events are processed and delivered much more efficiently.

Any problems or queries, let us know through the forums.

Posted by David Mohr 2009-03-16

Snare for Solaris 3.2.0 released

The latest Snare for Solaris agent introduces some changes to the way the agent handles errors in its thread structure. These changes aims to make detecting praudit problems (and recovering from them) much easier and also prevent problems when rebinding the remote control interface to the listening port.

Posted by David Mohr 2008-11-17

Snare for Linux 1.4.1 released

With a massive overhaul of the file watch configuration system, SnareLinux is now easier to configure and requires far less CPU to conduct file auditing.

However, this will be the final release targeting auditd 1.0.15 (RHEL4 update 4 standard audit package). With the significant improvements available in later versions of auditd, we will be targeting much newer releases from now on to ensure the best possible performance of the agent.

Posted by David Mohr 2008-10-24

Epilog for Windows 1.5.0 released

The latest version of Epilog for Windows is the first version to tackle multi line log formats. Version 1.5.0 allows you to process either a fixed number of lines (e.g. 4 lines per event) or line separated events (e.g. a blank line between each event) into a single, tab separated line for transmission to your network logging server. Future release will aim to target more multi line formats, so hit the forums and let us know what other types of multi line logs you would like to collect.... read more

Posted by David Mohr 2008-10-20

Snare for Windows 3.1.3 released

Testing of version 3.1.3 of the Snare for Windows agent has shown a dramatic decrease in CPU usage on high traffic systems (e.g. Domain Controllers). Combined with the page fault fix in 3.1.2, you should see a significant reduction in the agent's CPU requirements.

Posted by David Mohr 2008-08-13

Snare for Windows 3.1.2 released, MSI packaging available

This agent has been updated to reduce the number of page faults caused by previous versions of the agent, in turn reducing the CPU usage, allowing the agent to process messages faster. In this case, the trade off is slightly higher memory usage, but this should remain under 10Mb (resident memory).

Anyone interested in packaging the agent for rollout, we have a new MSI build procedure available at:... read more

Posted by David Mohr 2008-07-23

Snare for Windows Vista 1.1.0 MultiArch released

The latest Snare for Windows Vista agent is now a MultiArch installer with support for X64 versions of Windows Vista. The other major update in this version is ability to strip the default audit settings from C:\Windows. Most DLLs in C:\Windows have some form of auditing applied to them and this can cause a massive surge in events if File System auditing is enabled. Use "snarecore -s" to strip the default settings and "snarecore -r" to restore them. Any questions, hit the forums.... read more

Posted by David Mohr 2008-07-01

Epilog for Windows 1.4.0 released with 64-bit support

The latest version of Epilog is now available as a MultiArch installer. This means 64-bit support is now available. Enjoy!

Regards, David.

Posted by David Mohr 2008-06-03

Snare for Windows 3.1.0 and Snare for Solaris 3.1.0 released

USB auditing for Windows is back in the latest version of the Snare for Windows agent. Full documentation will be available soon.

Snare for Solaris includes a new level of robustness in the thread design (especially for SMF-based systems), allowing it to recover from most error conditions.

Please check the change log for more details. Post any questions to the forum and we will get back to you as soon as possible.

Posted by David Mohr 2008-05-08

Snare for AIX 1.5.0 released

A number of updates are available in this release of the AIX agent, check the changelog for details. If you are having any trouble running or installing the agent, please post a message in the forum with the output of "uname -ap" from your system.

Posted by David Mohr 2007-12-05

Snare for Linux 1.3 released

The speed ups you have been waiting for have finally arrived. With the addition of the SnareDispatchHelper, Snare for Linux can now handle a considerably higher throughput of events without falling prey to dispatch errors and the subsequent lost events. Also available is this release is support for login/logoff events and some account management events.

Please grab the latest version from the download area and post in the forums if you have any questions.

Posted by David Mohr 2007-12-04

Snare for Windows 3.0.0 released

Version 3.0.0 of the Windows agent is a milestone in our release cycle. With more bug fixes (please see the change log), this release has proven itself to be highly stable in a variety of environments. We are strongly recommending this release to anyone still using older versions of the agent.

Posted by David Mohr 2007-12-03

Snare for Windows Vista 1.0.1 released

This release is a minor update to the Windows Vista agent. The code base remains the same, but due to the abundant amount of logs generated by the default objective set, the default objectives have been update to reduce the resource usage post-install.

Posted by David Mohr 2007-11-30

Back to agent development

Hi,

After a brief hiatus from agent development in order to push out version 4.0 of our Snare Server, we are now back on track with a bunch of new updates on the way for the AIX, Linux, Solaris and Windows agents just to name a few. Please keep and eye on the site for more updates and we will be back into the forums shortly.

Thanks again to everyone that has helped us out over the last couple of months, and we hope you enjoy all the new updates as they are released.... read more

Posted by David Mohr 2007-10-26

Snare for Linux 1.2 released

SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralised analysis of audit log data. Agents are available for Linux, Windows, Solaris, IIS, Lotus Notes, Irix, AIX, ISA/IIS + more.

Finally, we have one package for the Snare for Linux agent! 32 and 64 bit RPMS are available for download with a number of updates and improvements, please see the change log for details:... read more

Posted by David Mohr 2007-08-09