Lastline Defender and Analyst Hosted Release Notes

Version 2019.5

New Features

  • New alert suppression wizard
  • New "what else is interesting" widget for intrusions listing page
  • New minimum impact filter in network events view
  • Detector for user-agent first seen observations
  • Use ICAP to remove body of malicious POST requests
  • Update to Suricata 4.1

NEW ALERT SUPPRESSION WIZARD

When triaging events, security analysts may find that certain events are not malicious, or not interesting to them, given their network environment. The suppress-event capability lets analysts create rules based on certain criteria; when a future event matches a rule, the rule either demotes the matching event to an INFO event or removes it from the system completely. Removing or demoting events that match the rules ensures that the correlation rules that create incidents or intrusions are not triggered on these events. The list of criteria available for rule matching is given in the user manuals.

This new feature was tracked internally as FEAT-3966

NEW "WHAT ELSE IS INTERESTING" WIDGET FOR INTRUSIONS LISTING PAGE

The intrusion listing page now includes a new widget containing custom-tailored facts and destinations that were prepared based on activity in your network.

This new feature was tracked internally as FEAT-3925

NEW MINIMUM IMPACT FILTER IN NETWORK EVENTS VIEW

A new minimum impact filter has been added to the network events view.

This new feature was tracked internally as FEAT-4080

DETECTOR FOR USER-AGENT FIRST SEEN OBSERVATIONS

This new anomaly detector flags the first time a never-seen-before user agent is observed in a network. While this event is not per se indicative of malicious activity, it provides visibility into new applications that have been used in a network, some of which may be undesirable or outright malicious.

More precisely, the detector builds a profile of "normal" user agents used on hosts in the network, by observing the network traffic during its training period. During detection, the detector raises an alert the first time a new user agent is observed.

This new feature was tracked internally as FEAT-3939
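The training-then-alert logic described above, as an added example that is not Lastline's code: a minimal first-seen user-agent detector over a constructed log format (timestamp, source host, quoted user agent) that learns a profile during the training window and then alerts once per new user agent.

```python
"""First-seen user-agent detector (added illustration, not Lastline's code).
Assumes log lines of the form: <timestamp> <src_host> "<user_agent>"."""
import shlex

# Constructed sample log; lines with timestamp <= 1500 fall in the training
# window, the rest in the detection window.
SAMPLE_LOG = """\
1000 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0) Firefox/66.0"
1010 10.0.0.6 "Mozilla/5.0 (Windows NT 10.0) Chrome/73.0"
1020 10.0.0.5 "Microsoft-CryptoAPI/10.0"
2000 10.0.0.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/73.0"
2010 10.0.0.5 "python-requests/2.21.0"
2020 10.0.0.6 "python-requests/2.21.0"
2030 10.0.0.8 "curl/7.58.0"
"""

def parse_line(line):
    """Split one log line into (timestamp, host, user_agent)."""
    ts, host, ua = shlex.split(line)
    return int(ts), host, ua

class FirstSeenUserAgentDetector:
    def __init__(self, training_end):
        self.training_end = training_end  # events up to this time only train
        self.profile = set()              # user agents considered "normal"

    def process(self, ts, host, ua):
        """Return an alert for a never-seen-before user agent, else None."""
        if ts <= self.training_end:
            self.profile.add(ua)          # training: learn, never alert
            return None
        if ua in self.profile:
            return None                   # known user agent: no alert
        self.profile.add(ua)              # alert only on the first sighting
        return {"ts": ts, "host": host, "user_agent": ua}

def run(log_text, training_end):
    """Replay a log through the detector and collect the alerts it raises."""
    det = FirstSeenUserAgentDetector(training_end)
    alerts = []
    for line in log_text.splitlines():
        alert = det.process(*parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in run(SAMPLE_LOG, training_end=1500):
        print(f"{a['ts']}: new user agent {a['user_agent']!r} from {a['host']}")
```

With the sample log, only python-requests and curl are new after training; the second python-requests request from another host raises no further alert.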

USE ICAP TO REMOVE BODY OF MALICIOUS POST REQUESTS

ICAP integration now supports sanitizing malicious content from POST requests rather than blocking the request. Such POST requests are then forwarded to the server without the malicious content.

This new feature was tracked internally as FEAT-3930

UPDATE TO SURICATA 4.1

This release upgrades the version of Suricata used by the sensor to 4.1.2. The upgrade reworks and addresses a number of limitations and inefficiencies in previous versions of the Lastline sensor.

  • Improvements to SMB file extraction: protocols SMB1 and SMB3 are now supported.
  • Improvements to FTP file extraction: improved resiliency in handling both passive and active interactions.

This new feature was tracked internally as FEAT-3273

Detection Improvements

  • TRES-438: Improved static detection of obfuscated Microsoft Office documents.
  • TRES-436: Improved analysis of malicious executable and document files targeting Mac OS.
  • TRES-407: Improved detection of malicious XLM macros in the Lastline document prefilter.
  • TRES-400: Improved detection of invocations of shell functions from VBA code in the Lastline document prefilter. This behavior is often observed in the Ursnif malware family.
  • TRES-397: Improved detection of Shadow Hammer malware family.
  • TRES-377: Improved detection of malicious URLs embedded in PDFs.
  • TRES-371: Improved detection of XSLCmd malware family.
  • TRES-301: Improved detection of evasive Microsoft Office documents which use country-specific checks to bypass analysis systems.
  • TRES-295: Improved detection of malware exploiting ACE format vulnerability (CVE-2018-20250).
  • TRES-197: Improved analysis of encrypted XLS documents.
  • TRES-177: Improved detection of LazyMeerkat malware family.
  • TRES-163: Improved detection of Chches malware family (APT10).
  • TRES-150: Improved detection of embedded API names in OLE streams of XLS files.
  • TRES-148: Improved detection of Vflooder malware family.
  • TRES-134: Improved detection of exploits targeting Microsoft Equation Editor.

Bug Fixes and Improvements

  • SENT-1148: Ensure that all sensor components honor customisations of the sensor::max_file_size value.
  • SENT-1146: Fix for a problem where updating the sensor hostname by means of lastline_register --change-local-fqdn= would lead to an error when applying the configuration on Xenial.
  • SENT-1136: Allow the selection of port 8080 as listening port for the explicit proxy component.
  • SENT-1089: Improvements to the ICAP component's ability to handle HTTP POST requests containing large payloads.
  • LLMAIL-487: It is now possible, if needed, to set up the sensor MTA to receive email over plaintext SMTP, dropping the requirement for encrypted communication.
  • LLMAIL-481: Fix for a bug that would cause a deadlock when the mail sensor was restarted and a very large backlog of emails was found in cold storage.
  • FEAT-3932: Sniffing sensors now have the capability to produce netflow logs for UDP flows.
  • FEAT-3749: The time to run lastline_register during installation of a sensor appliance has been reduced. More packages are installed from the ISO during installation so that less time and network traffic is required at registration time.

Deprecation of API methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1060

Distribution Upgrade

Sensor 1060, which is being made available as part of this release, is supported only running on Ubuntu Xenial as the underlying operating system distribution.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", you will need to upgrade to Sensor 1051.4, then upgrade the running distribution to Ubuntu Xenial before upgrading to Sensor 1060. For detailed instructions on how to perform a distribution upgrade please see the following instructions. This update is not done automatically to prevent unexpected downtime.
