Over-the-top Upgrade Guide for Snare
Server v7
© Intersect Alliance International Pty Ltd. All rights reserved worldwide.
Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct, or indirect damages in connection with the use of this
material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect
Alliance International Pty Ltd. This does not include those documents and software developed under the terms of the open source General
Public Licence, which covers the Snare agents and some other software.
The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance International Pty Ltd. Other trademarks and trade
names are marks' and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and
are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice.
Page 1 of 9
Table of Contents
1. Upgrade Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Upgrade Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Preparing the Existing Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Upgrading to version 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Upgrade Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Page 2 of 9
1. Upgrade Overview
This guide details the steps required to perform an over-the-top upgrade of the Snare Server v6 product to
Snare Server v7, on the same piece of hardware. It is designed to maintain all of the existing server information,
and the Snare Event Archive data currently stored on the existing server.
Other resources that may be useful to read include:
Snare Server Installation Guide
Snare Server Migration Guide
Snare Server User Guide
Snare Server Release Notes
Please note, this guide does not cover a side-by-side migration of a source Snare Server onto a
destination Snare Server. Please see the Snare Server Migration Guide for details about this process. It
also does not cover upgrading from any version of the Snare Server other than version 6.
Any organisation that has had customisations made to their Snare Server by the InterSect Alliance team, which
involve FTokens/pre-processed tokens, or custom modules/development work will need to speak to their Snare
Support Representative to organise a custom upgrade to maintain this functionality.
The over-the-top upgrade process described in this document is not without risks, and should only be
undertaken when the side-by-side migration process is not possible within your environment.
While the InterSect Alliance International team have made every effort to ensure this upgrade is as safe
as possible, the upgrade involves moving between two different core operating systems. There is a low
chance that your hardware may not be supported by the newer operating system.
If you are unable to perform a side-by-side migration, we highly recommend that you attempt to install
Snare Server v7 on identical hardware to your current server to ensure it is compatible before
proceeding with this upgrade. We also highly recommend that you take a full backup of your Snare
Event Data to prevent accidental data loss.
It should be noted that Snare Server v7 only supports 64-bit architecture, and as such it is not possible
to upgrade a 32-bit server to Snare Server v7.
© Intersect Alliance International Pty Ltd
Page 3 of 9
2. Upgrade Requirements
2.1. What you need
The existing Snare Server v6 server must be updated to the latest available version.
The ISO image for the latest version of the Snare Server v7 product, burned onto a CD if required.
2.2. Hardware Requirements
Snare Server v7 only supports a 64-bit architecture. If your server is only 32-bit, it will not support version
7, and an Upgrade should not be attempted.
Snare Server v7 is based off Ubuntu Server 14.04 LTS 64-bit. If there are known compatibilities with this
release of Ubuntu with your hardware, then the Upgrade should not be attempted.
2.3. Software Updates
In order to take advantage of the server upgrade process the existing Snare Server v6 will need to be running
the latest released version to ensure the required tools are available. The minimum version required is Snare
Server v6.4.0.
You will also need to download the ISO image for the latest version of the Snare Server v7 product, and burn it
onto a CD if required by your installation procedure.
Note: These updates and the ISO image can be downloaded from your Snare Secure Area (if applicable).
Please speak to your Snare Support Representative if you are unsure how to access this page.
2.4. Snare Server License
Due to the changes to the licensing system within Snare Server v7, a new license will need to be generated and
installed after the upgrade process is completed. This will involve retrieving the new Host IDs generated at the
completion of the upgrade process, passing them to your Snare Support Representative, receiving a new license
file, and then applying it to your server. This process may take time, and needs to be factored into the upgrade
© Intersect Alliance International Pty Ltd
Page 4 of 9
3. Preparing the Existing Server
3.1. Introduction
If you are not familiar with the operation of the Snare Server, please refer to the User Guide for Snare
Server for more information.
At this point, you should have carefully read the warnings in the ' Upgrade Overview' at the beginning of this
document. If you were able, then you should have tested the Snare Server v7 installation on identical or
similar hardware to your current server. It is also recommended that you have performed a full backup. All
the standard system folders will be removed as part of the upgrade process. If you have any custom scripts
or other files on the server, we highly recommend that you take a backup of these before proceeding with the
Important: It is critical that the server is updated to the latest release of v6 and the prepare objective is run
before attempting the upgrade.
3.2. Preparation Steps
3.2.1. Upgrade to latest v6
The current Snare Server v6 needs the latest available update, to ensure
that the pre-upgrade checks cover everything that is required for the
upgrade to v7 to be supported.
The minimum version required is v6.4.0.
3.2.2. Run the Preparation Objective
As part of the v6.4.0 and later Snare Server Updates, a new objective is
added into the System section. This objective is called "Prepare Server for
Upgrade", and it runs a series of checks and tasks on your Snare Server to
check that it is able to be upgraded.
There are no manual steps to take, it will run the checks automatically when
it is opened.
Read the output carefully to ensure no important messages are missed.
Important: This objective checks for known issues and potential
customisations which may cause a problem during the upgrade. It cannot
however find every possible issue, and it is possible that there may be other
reasons why the upgrade may fail. If you have made any customisations to
your Snare Server, it is not recommended that you attempt an upgrade, this
script may not find them.
© Intersect Alliance International Pty Ltd
Page 5 of 9
4. Upgrading to version 7
4.1. Introduction
Once you have completed the preparation steps and have taken your backups, you can proceed to the
upgrade process. You will need the Snare Server v7 ISO mentioned in the Upgrade Requirements section in
order to upgrade the server.
4.2. Upgrade Process
4.3. Boot the v7 ISO
The first step is to reboot the existing v6 server and boot the v7 ISO.
Depending on your environment, this may happen automatically when the
ISO is mounted/inserted during the boot process. If not, most systems
provide a boot media option from which it can be selected from, and the fall
back option is to change the boot priority in the server BIOS.
When the boot menu comes up, select the 'Upgrade existing Snare Server'
option from the available prompts.
4.3.1. Follow the Installation Process
The Upgrade process uses a very similar procedure to the Install process,
and the Snare Server Installation Guide should be referenced for more
information about these steps. These steps are a very limited subset of the
standard Ubuntu installation steps, and should be fairly self-explanatory for
anyone who has experience installing the Snare Server and/or Ubuntu
After the initial language and keyboard selections, you should be presented
with a confirmation screen for the Snare Server Upgrade. This marks the
point of no return, and there is a slim chance of data loss if your system is
incompatible for the upgrade.
The Upgrade process uses a black colour scheme within the
prompts that perform the system installation, in contrast to the
purple used by the normal installation process. If you are not
presented with a black colour scheme during this process, cancel
the process, reboot, and try again.
4.3.2. System Passwords
Although the Upgrade process will maintain all of the configuration and login
details for the user interface, the system accounts (root, snare,
snarexfer) are not copied across. The Upgrade process will ask for a new
password for each of those accounts.
The passwords previously used for each account can be re-entered,
although for security reasons, we recommend choosing new passwords.
© Intersect Alliance International Pty Ltd
Page 6 of 9
4.3.3. System Reboot and Further Configuration
After the passwords are entered, the system will reboot and continue the
system installation and configuration process. This process installs the extra
packages used by the Snare Server that are not included as part of the
default Ubuntu installation. It also performs any package updates since the
last Ubuntu ISO release, to ensure the latest security patches and bug fixes
have been applied.
This process may take some time on some systems.
Note: Unlike the installation process, the colour scheme for this process will
be a purple, and look the same as the standard installation process.
4.3.4. Final Reboot
When the Installation and Configuration has finished, the Snare Server will
prompt for one final reboot. This allows the server to apply some of the more
complex updates that were installed (such as kernel updates), and also
ensures that the server can successfully boot in its final configuration.
Click Enter to reboot, and when the reboot has completed you will have a
working Snare Server v7 containing all of your existing event data and
© Intersect Alliance International Pty Ltd
Page 7 of 9
5. Upgrade Notes
5.1. Upgrade Compatibility
The upgrade process expects the existing Snare Server installation to be in the default layout with no
customisations. This includes custom objectives, modified scripts, and even new collection modules. These
changes will be completely ignored and lost during the upgrade process.
The Prepare for Snare Server Upgrade objective checks two main areas for any signs of changes:
It is expected that everything within /data and /var/lib/sqlite is stored on the primary partition, on the
primary drive. This is because the upgrade process mounts the first partition, and expects specific files to be
there. It does not go looking for other partitions or drives.
Some customers will have moved /data/SnareArchive on a different drive to the primary drive for storage
reasons. If this is the case, then you will not be able to proceed with the upgrade.
It is common to use Symlinks to move around data, such as /data/SnareArchive, to a different partition.
These cannot be followed by the upgrade process, and as such if these exist, the upgrade may fail and data
may be lost.
5.2. Backing up the Snare Server
The Snare Server v6 is a heavily modified version of Ubuntu Server 10.04 LTS. Any existing backup tool that
supports Ubuntu 10.04 LTS should also work on the Snare Server. A full system or bare metal backup is
recommended to make restoration as easy as possible. However, if this is not possible, then backing up the
following directories will save all important data on a default Snare Server install:
5.3. Event Collection Downtime
During the process of the upgrade, Event Collection will be disrupted. This will occur from the point when the
Snare Server is rebooted for the first time to boot from the ISO disk, until the server finishes booting after the
final reboot in the process. This downtime can take 15 to 30 minutes or more depending on hardware
performance, and delays when completing the installation configuration steps. This will need to be factored into
your environment and upgrade plans, as it may affect your company policies and monitoring requirements.
It is recommended that all Snare Agents are set to send events via TCP to allow the Agent to queue the events
for transmission after the Server comes back online, rather than sending them blindly during the downtime as is
the case with UDP.
Although Snare Server v7 will require a new license to be generated and installed before the user interface can
be used, collection will continue while the server is unlicensed to ensure no events are lost during the license
request process.
5.4. New License for v7
The Snare Server v7 uses a different licensing system to Snare Server v6, which means that existing licenses
for v6 servers will not work for v7 servers. For a new installation, or a side-by-side migration, this is no different
from the existing process of requesting a new license after installation. For the over-the-top upgrade, this means
that once the upgrade has been completed, a new license request must be sent to generate a new license to
activate the v7 server.
© Intersect Alliance International Pty Ltd
Page 8 of 9
It is not possible to generate the license request for v7 within v6, and as such it must be completed after the
upgrade process is completed and not before.
© Intersect Alliance International Pty Ltd
Page 9 of 9
Download PDF