7.25

27 Jun 2017

Version 7.25

New features

Knowledge Base Alerting service
Explicit proxy support
Adjust error reporting verbosity of appliance test utility
Show license status in appliances UI
Improved file analysis

Knowledge Base Alerting service

Users with a Knowledge Base license now have access to a new alerting service under the Knowledgebase interface of the Lastline Enterprise Portal Intelligence Page. With this version, licensed users can create matching rules to match on Lastline analysis results while they are being indexed within the Knowledge Base. Rules are based on the same language as queries, offering the same rich set of terms, with the additional support of regular expressions.

The alerting service enriches the capabilities of the Knowledge Base with the support of new use cases. With alerting, users can monitor for company assets (e.g. domains, mail addresses, clients) and understand if their company is being targeted by recent threats. Users can also generate feeds of samples satisfying certain criteria or exhibiting specific IoCs (e.g. hunting for samples using bit coin wallets).

Users can directly access rule matches from the Lastline Enterprise Portal. For proactive notification, users can also configure different types of notifications to automatically receive these matches (e.g. email notification, syslog notification).

The alerting service, the creation of matching rules, the access to matches from the portal, or the configuration of notification based on matches are described in details within the Lastline Portal Guide.

This improvement was tracked internally with tickets FEAT-1414 and FEAT-1735.

Explicit proxy support

It is now possible to configure a Lastline sensor appliance to act as an explicit HTTP/HTTPS proxy. It is possible to configure it to listen on a specific sensor interface as well as defining ACL rules for the network ranges that should be allowed to perform requests towards it. By default the proxy performs man-in-the-middle inspection of HTTPS interactions by using a locally-generated CA certificate. It is possible to define one or more upstream proxies the sensor will rely on when serving requests; if TLS inspection is enabled, the upstream proxies are required to support SSL encryption. The detection and blocking capabilities of the proxy are equivalent to those currently offered through the ICAP service, and include:

Analysis of artifacts identified in HTTP responses, with the possibility to block files that have been already analyzed by the platform and whose analysis score is above a configurable threshold.
Matching of destination IPs/domains against our threat intelligence data.

Blocking based on threat intelligence information and more complete support for C&C and drive-by download detection will be supported in a future release.

This improvement was tracked internally with tickets FEAT-1608 and FEAT-1951.

Adjust error reporting verbosity of appliance test utility

With the previous release 7.24, the existing lastline_test_appliance utility was configured to run periodically on sensors to check the appliance's status. Any issues detected by that utility are then reported to our backend so they are visibile in the appliance monitoring logs view of the portal, and are included as appropriate into appliance status notifications that user has configured.

This can help to proactively detect a wide variety of error conditions on an installation. This change, however, revealed some issues in the error reporting verbosity of the test utility, that have been resolved with this release:

FEAT-2012: lack of sniffing interfaces is no longer considered an error on sensors where sniffing is disabled, such as mail-only sensors.
CC-1940: the "SOFTWARE:heavy_processes" check which detects processes with extremely high CPU usage has been downgraded from error to warning.
CC-1928: errors and warnings about a hardware configuration that is not compliant with minimum requirements for our software have all been downgraded to warning with impact level 30. This is lower than the impact level of other warnings, which start at 40. To receive appliance status notifications but exclude hardware requirements issues reported by lastline_test_appliance, users can configure a notification threshold of 35.

Show license status in appliances UI

The appliance overview and status pages now display information on the validity of an appliance's license. If an appliance's license is expired, or a sensor's subkey is inactive, the appliance's overall status will be set to "License expired".

Furthermore, if an appliance's license will expire in the next 15 days, the appliance's overall status will be "License expires soon".

This improvement was tracked internally as FEAT-1892.

Improved file analysis

We have made enhancements to the detection of

SIGLOGSCAN-185 installing hooks.
SIGREPSCAN-255 document exploits via non-ASLR libraries.
SIGREPSCAN-307 LLADOC-392 LLADOC-419 LLADOC-428 document exploits via remote OLE objects.
LLADOC-425 hidden action events in Microsoft Powerpoint files.
LLADOC-422 scripts embedded in documents.
LLADOC-408 obfuscated, embedded EPS images.
ANREV-3807 ANREV-3808 spambots.
ANREV-3899 ransomware behavior.

Bug fixes and improvements

USER-2129: In analysis report, improve display of DNS queries that get an NXDOMAIN reply
USER-2466: Upgrade market verticals and analysis timeline graphs under report overview to new UI standard displays.
MALS-2229: Better Analyst API documentation for submit file when the file upload is required.
MALS-2143: Ability to specify low-priority submission in the Analyst API.
LLAM-2832: Stability improvements when extracting PE metadata.
LLAM-2620: Improved extraction of files dropped during the analysis inside the analysis sandbox.
SENT-615: It is now possible to configure the sensor as an ICAP server without need to enable the sniffing services.
SENT-624: Support for the analysis and detection of .jse files on sensor.
SURI-579: A bug was preventing the correct analysis of SMTP exchanges in sniffing mode when the SMTP transaction was involving a large number of recipients.
LLMAIL-360: No longer test nexthop SMTP connection with NOOP commands.
CC-1946: Make sure lastline_test_appliance will not hang forever on a stalling HTTP request, but terminates with a timeout error.

Deprecation of API methods

With release 7.24, all methods of the legacy API (/ll_api/ll_api) are now deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 722

Deprecation of appliance versions

No additional appliance versions are being deprecated or discontinued with this release.

Sensor versions before 720 were deprecated with release 7.23. Support for these sensor versions may be dropped in the upcoming release 7.26.
Support for sensor versions before 717 was discontinued with release 7.24.

Distribution Upgrade

Sensor version 722, which is being made available as part of this release, will be the last sensor version to support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the following Sensor version 723, sensors that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded. A distribution upgrade can be performed with the "lastline_distribution_upgrade" command-line utility. These updates are not done automatically to prevent unexpected downtime. Please contact support@lastline.com for help with the upgrade process.