Epilog for *nix 1.5 (Linux and Unix, including Solaris) has been released. The major features of this release are:
Globbing is quite a powerful pattern-matching tool for files; please check out the following link for more details on how globbing works.
The latest version of Snare for Windows is now available with some significant security enhancements to the micro web interface:
- Cookies are now required to commit configuration changes
- The authentication method has been updated to protect passwords in transit
- The Remote Configuration web page has been updated to protect password updates in transit
- Configuration changes cannot be made via the address bar only... [read more](/p/snare/news/2011/11/snare-for-windows-4010-released/)
There are some important updates in this version of the agent that you should be aware of:
This release contains some significant upgrades, including support for log files over 2GB in size on both 32- and 64-bit operating systems, as well as a workaround for some collection issues on 2008 R2 where the contents of a log file were not always detected immediately by Epilog. For more details on the updates in this version, check the ReadMe.
We have prepared a new version of Snare for Windows that combines the 2000/XP/2003 agent and the Vista/2008/Win7 agent into one installer! And it comes with a much more powerful built-in silent installer. The documentation will be available on our website shortly.
The major updates in 3.1.5 are correct Category resolution and a change to the order in which objectives are processed (they are now processed top to bottom). The former resolves issues where events contain incorrect Category information, and the latter makes filtering and excluding events much easier and a lot more logical.
Just a quick note to let you all know about our Twitter account ia_snare (http://twitter.com/ia_snare). Here, we'll be discussing/announcing information on the agents, their development and any other information that we believe might be useful or helpful to all the hard working security folk out there. Ideas, suggestions, comments and feedback are always welcome.
Snare for Solaris 3.2.2 introduces the first round of Zones support for the agent. Under Solaris 10, the agent can now be used in a Global Zone to audit activity in all zones using the "zonename" policy to identify the source zone for each event.
Support for installing Snare for Solaris directly in a non-global zone is still under development. I'll be creating a new forum topic for all future Solaris Zones discussions and announcements.
The new version of Epilog provides some big improvements to Objective processing. Objectives are now processed TOP TO BOTTOM, and we have included the ability to reorder objectives using the web interface. This release also boasts much better memory handling, so events are processed and delivered much more efficiently.
Any problems or queries, let us know through the forums.
The latest Snare for Solaris agent introduces some changes to the way the agent handles errors in its thread structure. These changes aim to make detecting praudit problems (and recovering from them) much easier, and also prevent problems when rebinding the remote control interface to the listening port.
With a massive overhaul of the file watch configuration system, SnareLinux is now easier to configure and requires far less CPU to conduct file auditing.
However, this will be the final release targeting auditd 1.0.15 (RHEL4 update 4 standard audit package). With the significant improvements available in later versions of auditd, we will be targeting much newer releases from now on to ensure the best possible performance of the agent.
The latest version of Epilog for Windows is the first version to tackle multi-line log formats. Version 1.5.0 allows you to process either a fixed number of lines (e.g. 4 lines per event) or line-separated events (e.g. a blank line between each event) into a single, tab-separated line for transmission to your network logging server. Future releases will aim to target more multi-line formats, so hit the forums and let us know what other types of multi-line logs you would like to collect.
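The two collapsing modes described above (fixed line count and blank-line separated), as an added Python example that is not Epilog's own code; the sample log lines are constructed, and replacing embedded tabs with spaces is this example's assumption rather than documented Epilog behaviour:

```python
# Added example (not Epilog's own code): collapse multi-line log events into
# one tab-separated line per event, in the two modes Epilog 1.5.0 describes:
# a fixed number of lines per event, or events separated by a blank line.
from typing import Iterable, Iterator, List

def _clean(line: str) -> str:
    # Drop the line terminator and replace embedded tabs with spaces so the tab
    # stays unambiguous as the field separator (this substitution is an assumption).
    return line.rstrip("\r\n").replace("\t", " ")

def fixed_line_events(lines: Iterable[str], lines_per_event: int) -> Iterator[str]:
    """Group every `lines_per_event` raw lines into one tab-separated event."""
    if lines_per_event < 1:
        raise ValueError("lines_per_event must be >= 1")
    buf: List[str] = []
    for line in lines:
        buf.append(_clean(line))
        if len(buf) == lines_per_event:
            yield "\t".join(buf)
            buf = []
    if buf:  # a truncated trailing event is forwarded rather than silently dropped
        yield "\t".join(buf)

def blank_separated_events(lines: Iterable[str]) -> Iterator[str]:
    """Treat each blank line as the boundary between two events."""
    buf: List[str] = []
    for line in lines:
        cleaned = _clean(line)
        if cleaned.strip() == "":
            if buf:  # leading or repeated blank lines never produce empty events
                yield "\t".join(buf)
                buf = []
            continue
        buf.append(cleaned)
    if buf:
        yield "\t".join(buf)

# Constructed sample logs (not real Epilog or application output).
SAMPLE_FIXED = [
    "2011-11-01 10:00:01 app started\n", "  pid=1234\n",
    "  user=svc_app\n", "  status=ok\n",
    "2011-11-01 10:00:05 app stopped\n", "  pid=1234\n",
    "  user=svc_app\n", "  status=ok\n",
]
SAMPLE_BLANK = [
    "2011-11-01 10:00:01 app started\n", "  pid=1234\n", "\n",
    "2011-11-01 10:00:05 app stopped\n", "  pid=1234\n", "  reason=shutdown\n", "\n",
]
```

Each yielded string is one event ready to send as a single line; the receiving server splits it on tabs to recover the original lines.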
Testing of version 3.1.3 of the Snare for Windows agent has shown a dramatic decrease in CPU usage on high traffic systems (e.g. Domain Controllers). Combined with the page fault fix in 3.1.2, you should see a significant reduction in the agent's CPU requirements.
This agent has been updated to reduce the number of page faults caused by previous versions of the agent, in turn reducing CPU usage and allowing the agent to process messages faster. The trade-off is slightly higher memory usage, but this should remain under 10Mb (resident memory).
For anyone interested in packaging the agent for rollout, we have a new MSI build procedure available at:... read more
The latest Snare for Windows Vista agent is now a MultiArch installer with support for x64 versions of Windows Vista. The other major update in this version is the ability to strip the default audit settings from C:\Windows. Most DLLs in C:\Windows have some form of auditing applied to them, and this can cause a massive surge in events if File System auditing is enabled. Use "snarecore -s" to strip the default settings and "snarecore -r" to restore them. Any questions, hit the forums.
The latest version of Epilog is now available as a MultiArch installer. This means 64-bit support is now available. Enjoy!
USB auditing for Windows is back in the latest version of the Snare for Windows agent. Full documentation will be available soon.
Snare for Solaris includes a new level of robustness in the thread design (especially for SMF-based systems), allowing it to recover from most error conditions.
Please check the change log for more details. Post any questions to the forum and we will get back to you as soon as possible.
A number of updates are available in this release of the AIX agent; check the changelog for details. If you are having any trouble running or installing the agent, please post a message in the forum with the output of "uname -ap" from your system.
The speed-ups you have been waiting for have finally arrived. With the addition of the SnareDispatchHelper, Snare for Linux can now handle a considerably higher throughput of events without falling prey to dispatch errors and the resulting lost events. Also available in this release is support for login/logoff events and some account management events.
Please grab the latest version from the download area and post in the forums if you have any questions.
Version 3.0.0 of the Windows agent is a milestone in our release cycle. With more bug fixes (please see the change log), this release has proven itself to be highly stable in a variety of environments. We are strongly recommending this release to anyone still using older versions of the agent.
This release is a minor update to the Windows Vista agent. The code base remains the same, but because of the large volume of logs generated by the default objective set, the default objectives have been updated to reduce resource usage post-install.
After a brief hiatus from agent development in order to push out version 4.0 of our Snare Server, we are now back on track with a bunch of new updates on the way for the AIX, Linux, Solaris and Windows agents, just to name a few. Please keep an eye on the site for more updates, and we will be back in the forums shortly.
Thanks again to everyone who has helped us out over the last couple of months, and we hope you enjoy all the new updates as they are released.
SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralised analysis of audit log data. Agents are available for Linux, Windows, Solaris, IIS, Lotus Notes, Irix, AIX, ISA/IIS + more.
Finally, we have one package for the Snare for Linux agent! 32- and 64-bit RPMs are available for download with a number of updates and improvements; please see the change log for details.
Snare for Linux 1.1 is now available for download. Thanks to all the users who provided feedback over the last few months, there are a number of improvements and bug fixes included in this release. Check the release notes for details on the changes and the version numbering used for this release.
Thanks again, we'll be back on the forums soon.
EDIT: We are still working on a release for RHEL5; there are some problems with the SELinux interaction in Enforcing mode (Permissive mode will work fine).
There are a number of updates and fixes for this version, please check the change log for details.