Snare IBM App Exchange 1.1.0

Snare has released an IBM App Exchange update for the IBM QRadar software. The Snare Log Analysis QRadar application is designed to provide an overview dashboardof auditing log activity that the Snare for Windows Agents are sending to the QRadar System.

A new application v1.1.0 and user guide have been released on the IBM App exchange portal.   The update includes many new features covering:

  • USB activity
  • Administration events
  • Logon success and failures
  • Process command execution information.
  • Threat Analysis
  • Filtering enhancements

In addition, events can be correlated together and matched against known fingerprints to detect possible threats on the network including an example of detecting the Rubber Ducky events from using this USB device. The main dashboard and other screens have also had a makeover to provide an enhanced user experience. Filtering has also had a makeover with enhanced date ranges to find logs for particular users or systems.

/by

Snare on the IBM App Exchange

Snare now has an application on the IBM App Exchange for IBM QRadar. The Snare Log Analysis QRadar application offers overview and drill down functionality providing users with a detailed view of event file and registry auditing activity collected by Snare and sent to QRadar. Filters can be applied to restrict the view to specific users, host systems, files/registry area accesses including the log types that were collected over the specified time period. If you are a current IBM customer you should check it out on the App Exchange.

The new application is freely available to the security community through IBM Security App Exchange, a marketplace where developers across the industry can share applications based on IBM Security technologies. As threats are evolving faster than ever, collaborative development among the security community will help organizations adapt quickly and speed innovation in the fight against cyber crime.

This is part of Intersect Alliance’s on going efforts to improve the logging and SIEM endeavors of every company regardless of their goals or tech stacks. For the full press release, download here.

/by

Snare Server version 7.1 released

Version 7.1 is available and includes a number of great new features that you’ve asked for! These features are:

  • The Snare Server collection and reflection service has been significantly updated. The Snare Server can now perform format conversion, apply filters to events on a per-destination basis, and can also search/replace event contents on the fly. The core of the collection services and the reflector has been rewritten in C++ for speed. Sample use-cases include:
    • Sending events that are marked only with a particular criticality to a specific destination.
    • Sending Windows events to a destination SIEM server, and unix events to a syslog server.
    • Changing syslog RFC 5424 events to RFC 3164 format, to accommodate a SIEM server that can only handle the older format.
    • Switching events from using a TAB delimiter, to comma.
    • Redirecting all events that include a particular username, to a separate SIEM server for analysis.
    • Forwarding any firewall logs that include a particular IP address range, to another system for deep analysis.
  • Update and Removal of “Trusted CA root Certificates” is available from the Configuration Wizard.
  • Snare Server now supports LDAP/SSL, LDAP/TLS and SASL/TLS authentication.
  • A SNMP trap server can be configured in the Snare Server wizard. A new feature has been added to the Real Time Alerts function in the objectives that so a SNMP Trap will be sent to the server as defined in the wizard when there is a match for the Real Time objective.
  • A new “Auto-Remove Data” objective under “System -> Data Backup” is now available. This objective allows the Administrator to create tasks with a range of selection criteria, that are designed to automatically remove data from the Snare Server archive. Selection criteria include: By agent, by date, and by log type. Regular expressions, and date-delta options are available. Each Auto-Remove task has a specific schedule that determines when it executes.
  • A new notes section is available when configuring objectives. Annotations may be either included or excluded from an objectives’ output. Once the objective is regenerated, the annotations form is available for editing.
  • The open-vm-tools package has been included in the installed server package list, to facilitate easier management for customers who run the Snare Server under a virtual environment.
  • The Snare Server can now process SonicWall firewall logs. A series of new SonicWall template objectives has been added under the Dynamic Query capability for SonicWall.
  • TLS Server certificates associated with the TLS collection service should now use the fully qualified hostname of the server on which they are installed. A freshly installed system will use the fully qualified certificate format.
  • Six new Oracle Objectives have been added to the Snare Server, including:
    • Start-up and Shut-down of the Oracle application
    • Database Global Activity
    • Admin DBA Activity
    • Oracle Security
    • Oracle Startup / Shutdown
    • Password Changes
    • User Activity
  • Seven New Microsoft DNS server logs Objectives with Malware domain detection have been added in the Application Audit/Windows Log Data menu tree:
    • DNS Log
    • DNS over TCP empty
    • DNS over UDP
    • DNS search IP
    • DNS Server Failures
    • Malware Domains
    • Non Existent Domains
/by