SNARE Enterprise Agents Features

A Prophecy International Company
SNARE ENTERPRISE AGENT: FEATURES
Agents
Centralized log management and analysis is essential to assuring the integrity of critical logs and
achieving compliance with a growing list of regulations. However, the requisite process of transmitting
log data across public or even private networks can simultaneously work against these important
objectives.
The SNARE Agents provide users with the tools necessary to address this challenge. The SNARE
Agent is the industry standard for logging security events and is used with most SIEM servers,
services and MSSPs. They are easy to install, configure and manage and greatly enhance the three
pillars of information security: Confidentiality, Integrity and Availability.
The SNARE Agents are issued as a supported Enterprise Agent and as an unsupported limited Open
Source download. When deciding which release of the Agent your organization should use, the
following questions should be considered:
1. Support - If you need a supported security platform, then you need to use the Enterprise
Agent. The Open Source Agent is provided to the open source community, free of charge and
as issued. The Enterprise Agents include maintenance, upgrades, bug fixes and support of the
product and for you as a customer.
2. Complete and Factual - If your organization needs to know that every log will be captured and
forwarded with integrity, then you need to use the Enterprise Agents. The Open Source Agent
does not support TCP, caching, custom event logs, UTC or registry audits.
3. Sensitivity and Confidentiality - If your organization works with sensitive data, then you
need to use the SNARE Enterprise Agents, which include best practices and encryption
protocols.
The SNARE Agent features are summarized in the following table.
Agent Features (table columns: Enterprise, Open Source)
1. Support – Maintenance, Upgrades and Customer Support
2. Windows 2012 / Windows 8 Platforms
3. Custom Windows Event Logs
4. Event Log Caching
5. Confirmed Log Message Delivery
6. Encryption
7. Monitor Registry Events
8. Dynamic DNS Support
9. External Device Monitoring, e.g. USB Devices
10. UTC for Time Zone Normalization
11. Agent Heartbeat
12. Multiple Destinations
13. Single MSI
14. Snare Agent Management Console
15. Monitor Policy Status
16. Service Tracking
17. Group Policy Support
18. Monitor Agent Configuration Changes
19. Event Throttling
20. Light on Resources
21. Regulation Compliance
22. Real Time Event Filtering
23. Easy to use Installer
24. UDP Option
25. Locale Date Information
26. Stability
27. Latency and Real Time
28. Multiple Syslog Headers Options
29. Remote Control Interface
30. Native OS Audit Control
31. Upgrading
© InterSect Alliance …..A Prophecy International Company
Following is a more detailed description of the SNARE Agent Features:
1. Vendor Support
The SNARE Enterprise Agents give you access to customer, product and technical support to
ensure compliance.
2. Windows 2012 / Windows 8
SNARE Enterprise Agents are supported on all Windows platforms, including Windows 2012 and Windows 8.
3. Custom Windows Event Logs
The SNARE Enterprise Agents extend the reach of the open source SNARE Agents beyond the
core Windows Event Logs. They enable the collection, filtering and transmission of non-standard
and third party Windows Event Logs as well.
4. Event Log Caching
Intermittent network outages pose a significant challenge to the integrity of centralized log
management. One of the most feared IT Auditor questions has long been: “What happens to the
log events if there is a network disruption?” This is particularly true of systems leveraging syslog for
log aggregation.
Event Log Caching significantly enhances the integrity of the overall log management system by
storing undelivered messages in memory on the originating host in the event of a transmission
failure. Common sources of transmission failures include: network stack malfunction on the host
machine, network device failure or misconfiguration (e.g. router), destination server being offline or
network outages.
When running in TCP mode, once the SNARE Enterprise Agent is notified of a problem delivering
messages to the destination server, the event log cache preserves subsequent messages for as
long as the destination server is unavailable. Once a new connection can be established with the
server, the cached events are forwarded to their destination. This ensures that events are not lost.
5. Guaranteed Log Message Delivery
System administrators and security professionals alike are under ever increasing pressure to
ensure the completeness and integrity of logs. This is particularly challenging during the process of
transmitting log messages from the originating host via syslog to a centralized log repository.
Leveraging the features of Smart TCP, SNARE Enterprise Agents are notified of any problems
encountered during transmission and take appropriate actions to preserve event log continuity and
completeness, ensuring that events make it to the target destination and that there are no lost or
missing logs.
6. Encryption
One of the goals of IT security is to ensure secure and protected transportation between the
agent and the collector, preventing the compromise of your security information during transit.
This entails the ability to encrypt messages between the originating host and the Server, be it
SNARE or others. SNARE Enterprise Agent supports both TLS and SSL* encryption, allowing the
agent to securely and confidentially send event logs to any TLS or SSL* capable collection device.
The agent will negotiate the best encryption available. Once the messages have been accepted by
the Server, they are decrypted and processed as normal messages. By utilizing the Centralized
Configuration Management option, agent message encryption can be quickly rolled out across the
network, enhancing log integrity and confidentiality throughout the organization.
7. Monitor Registry Events
The SNARE Enterprise Agents include the ability to apply auditing to sections of the registry and
report changes, thus ensuring that the auditing system is not compromised to provide a false
sense of security.
8. Dynamic DNS Support
If DNS names are used in the configuration of either the Advanced Remote Control or Log Message
Simulcast features, the host name is generally resolved only once, as the agent starts up. With
dynamic DNS support, the agent can be scheduled to automatically refresh the associated IP
address. This setting is crucial for installing new SNARE Servers or dynamically changing the
destination server in the event of a network or site failure (i.e. disaster recovery) without having to
reconfigure or restart a single agent. This feature provides uninterrupted real time 24x7 operation.
9. External Device Monitoring, e.g. USB Devices
Tracking USB device connection/disconnection is difficult using only the Windows event log.
Depending on the device in question, the number and detail of the events generated while it is
active vary widely. A mechanism registers the agent directly with the operating system
so as to be notified on the arrival and detach events for all USB devices. USB auditing is
supported on Windows XP, 2003, 2008 and 2012.
10. UTC for Time Zone Normalization
In organizations that cover multiple time zones, the SNARE Enterprise Agent can use UTC time
zone normalization to ensure the correct sequencing of events, by standardizing across
geographies and time zones.
11. Agent Heartbeat
The SNARE Enterprise Agent can send out regular heartbeats, letting the collecting device know
that the agent is operational at all times without the collector having to contact it, and therefore
enabling a quick response if a system is down or being compromised.
12. Multiple Destinations
Log message simulcasting allows distribution of events to multiple destinations. Each Enterprise
Agent is able to simultaneously direct event logs to multiple destination servers for redundancy,
disaster-recovery, correlation and transitioning purposes. Deployed along with a hot-standby
SNARE Server, perhaps deployed at an off-site disaster recovery site, SNARE Enterprise Agents
provide an extremely cost-effective, high-availability log management system. When deployed
along with a 3rd party correlation engine or SIEM tool, Log Message Simulcasting also facilitates a
best-of-breed approach to both Log and Security Event Management.
The best redundancy measure in a logging architecture is to duplicate the events at the point of
generation. This function is built into the SNARE Enterprise Agents, and therefore allows for full
redundancy in those situations where a continuous logging operation is required.
13. Single MSI
The SNARE Enterprise Agent supports being used as a single smart MSI for all Windows
platforms and releases, thus ensuring a simplified and error free distribution.
14. Snare Agent Management Console
The SNARE Enterprise Agents can be managed, monitored and configured by the SNARE Agent
Management Console. This Console is able to query all deployed SNARE Enterprise Agents for
their current configuration settings. It can then automatically compare deployed agents with the
master template and remotely apply and activate an updated configuration if necessary.
15. Monitor Policy Status
The SNARE Enterprise Agent sends an audit event any time it attempts to make a change to the
local security policy.
16. Service Tracking
The SNARE Enterprise Agent sends audit events on service operations such as starting, stopping,
memory usage, configuration fingerprints and any errors or warnings triggered during operations.
17. Group Policy Support
The SNARE Enterprise Agent checks the MS Policy location as the primary source for
configuration settings. This means that Group Policy Objects (e.g. ADM files) can be used to
configure the agent in an easy and widely supported way without the need for setting
"Preferences", also known as tattooing.
18. Monitor Agent Configuration Changes
The SNARE Enterprise Agent monitors activity in the operating system, but, "Who is watching the
watcher?" This feature adds another layer of security to the SNARE Enterprise Agents, by allowing
administrators to remotely monitor changes to the Agent’s configuration.
19. Event Throttling
The SNARE Enterprise Agents include an event throughput EPS control for environments where
there is limited, restricted or low bandwidth. The EPS Rate Limit is a hard limit on the number of
events sent by the agent per second to any destination server. This EPS rate limit applies only to
sending the events, not capturing the events. The EPS rate limit settings help to reduce the load
on slow network links or to reduce the impact on the destination servers during unexpected high
event rates.
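The caching (section 4) and EPS throttling (section 19) behaviour described above, as an added Python illustration that is not SNARE's own code: the collector, the forwarder, the outage scenario, the `eps_limit` value and the timestamps are all constructed here for the demonstration.

```python
import collections


class TcpCollector:
    """Constructed stand-in for a TCP collector: accepts events while up,
    raises ConnectionError while down (a simulated network outage)."""
    def __init__(self):
        self.up = True
        self.received = []

    def send(self, event):
        if not self.up:
            raise ConnectionError("collector unreachable")
        self.received.append(event)


class CachingForwarder:
    """Hypothetical forwarder (not SNARE's code): undeliverable events stay
    cached in order until the collector is reachable again, and an EPS hard
    limit bounds sending only, never capture."""
    def __init__(self, collector, eps_limit):
        self.collector = collector
        self.eps_limit = eps_limit
        self.cache = collections.deque()   # oldest undelivered event first
        self.current_second, self.sent_this_second = None, 0

    def capture(self, event):
        self.cache.append(event)   # capture is never throttled

    def flush(self, now):
        """Try to deliver cached events at time `now` (seconds); return count sent."""
        second = int(now)
        if second != self.current_second:   # new one-second window
            self.current_second, self.sent_this_second = second, 0
        delivered = 0
        while self.cache and self.sent_this_second < self.eps_limit:
            try:
                self.collector.send(self.cache[0])
            except ConnectionError:
                break   # keep this event, and all behind it, cached in order
            self.cache.popleft()
            self.sent_this_second += 1
            delivered += 1
        return delivered


def simulate_outage(eps_limit=3):
    """Capture 8 events with the collector down for events 5-7, then recover."""
    collector = TcpCollector()
    fwd = CachingForwarder(collector, eps_limit)
    for i in range(5): fwd.capture(f"evt{i}")
    fwd.flush(100.0)    # 3 delivered (EPS limit reached), 2 remain cached
    fwd.flush(101.0)    # next second: remaining 2 delivered
    collector.up = False
    for i in range(5, 8): fwd.capture(f"evt{i}")
    fwd.flush(102.0)    # outage: nothing sent, 3 events cached
    collector.up = True
    fwd.flush(103.0)    # reconnect: cache drained in original order
    return collector.received   # returns ['evt0', ..., 'evt7']
```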
20. Light on Resources
Small Deployment Footprint (< 5Mb)
Minimal Host Resource Requirements (e.g. < 5% of CPU)
Minimal Host Memory Requirements (e.g. less than 20Mb)
21. Regulation Compliance
The SNARE Agents provide the ability to gather information to comply with NISPOM, PCI, SOX or
other regulatory requirements.
22. Real Time Event Filtering
Most operating system logging sub-systems can generate a flood of events. It is therefore
important that the agents are able to filter those events which contribute to the organization’s
security requirements, or to trap only those that are required while ignoring others, greatly reducing
network traffic as well as back end server and analysis resources measured in EPS. Tailoring the
required events, whilst filtering or discarding the unwanted ones, can be undertaken by the
SNARE Agents. The SNARE Agents include the ability to filter events by inclusion or exclusion,
using standard or complex expressions to filter on content, event type, user, and/or success/failure
of the event record. Multiple objective filtering expressions may exist at any one time. The SNARE
Agents find, filter and forward events in real time as they are generated, and automatically send
them to the SIEM server.
SNARE also provides the ability to bypass agent-side filtering in situations where all events are
required, or where the filtering work is to be performed on the server instead.
23. Installer
The SNARE Agents include an easy to use Installer which also provides a Silent install option.
24. UDP Option
SNARE Agents can use the UDP protocol for “fire and forget” message delivery.
25. Locale Date Information
If there are locations where the language is not English, the SNARE Agent uses a fixed date and
time locale of US English to ensure the integrity of the log record.
26. Stability
The event collection minimizes any interference with the host's operating system and applications,
so that the service can be stable and independent.
27. Latency and Real Time
The SNARE Agents operate in real time mode. This means that as the events are generated, they
are automatically sent to the SIEM server without delay. This provides alerting that is as close to
real time as possible, as well as making it increasingly difficult to compromise a system. Deleting
the local log files will not remove the events which have already been sent to the remote SIEM Server.
28. Multiple Syslog Headers Options
The SNARE Agents allow for a tailorable event log format, with native SNARE or multiple syslog
headers options. Most event logs are simply 'flat' text files, in which a system or application
appends event records. In this case, the only discriminators required to read any type of event log
would be the location of the log file, and the record structure. This could easily be coded so that
these parameters are tailorable by the user, and hence able to be adapted to a wide range of
event logs.
29. Remote Control Interface
When the audit/event logging configuration of the target system needs to be dynamically changed,
SNARE provides the ability to remotely control the SNARE Agents. The extent of the remote
control functionality includes the ability to manage the filtering “objectives” of the remote agents,
along with the ability for the remote agent to reset the host's event logging system. The remote
control functionality is able to control almost all facets of the agent's operation. The control over the
agent's operation is provided with minimal if any impact on the host. If required, the SNARE
Agents are also able to change the operating system's native audit settings to match the audit
collection requirements.
The Advanced Remote Control feature allows each agent to be remotely configured from a set of
administrator IP addresses or the IP address associated with the backup SNARE Server.
30. Native OS Audit Control
The event generation or event sub-system on most modern operating systems includes the ability
to control how the event logs are generated, configured and produced. On some systems this can
be quite complicated and confusing. Fortunately, the SNARE Agents are able to configure the
native event sub-system, and if so desired, allow only specific events to be generated which are
required or defined by the security policy. Also, the SNARE Agent can be configured so that it does
not, in any way, reconfigure the underlying operating system.
31. Upgrading
The SNARE Agents provide an upgrade option to preserve existing configuration settings.
*This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
Summary
Are the Confidentiality, Integrity and Availability of distributed system logs critical to you? Do you
currently manage a large deployment of Open Source SNARE Agents? Are you looking for a
cost-effective, end-to-end log analysis and management system? If the answer to any of these
questions is “yes”, then SNARE Enterprise Agents offer high-value capabilities that simply cannot
be found in any other solution available today.
Many thousands of organizations, including Fortune 500, government agencies, multinational
businesses and highly sensitive sites around the world rely on SNARE every second of every day
as the platform of choice for audit, collection, analysis, reporting, management and archival of
event information.
The Trusted, Low Risk, High Value Choice.
For more information visit us at www.intersectalliance.com or contact us as follows:
The Americas 1 (800) 834 1060 Toll Free or +1 (303) 488 3451 Denver
Asia Pacific +61 8 8213 1200 Adelaide Australia
Europe and the UK +44 (797) 090 5011
or email us at [email protected]
Intersect Alliance International Pty Ltd shall not be liable for errors contained herein or for direct, or indirect damages in connection with
the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted
by Intersect Alliance International Pty Ltd. The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance
International Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All
trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement.
Specifications and content are subject to change without notice.