Lastline Defender and Analyst Hosted Release Notes

Version 2019.7

New Features

  • Add "other host" filter to alert suppression wizard
  • Display 'Message Header' in mail message details view
  • Add tagging to host profile view

ADD "OTHER HOST" FILTER TO ALERT SUPPRESSION WIZARD

A new filter was added to the alert suppression wizard to support matching events where the "other host" of the detection is in the configured home network.

This new feature was tracked internally as FEAT-4173.

DISPLAY 'MESSAGE HEADER' IN MAIL MESSAGE DETAILS VIEW

A new message header section was added to the mail message details view.

This new feature was tracked internally as FEAT-4148.

ADD TAGGING TO HOST PROFILE VIEW

The host profile overview summary section now includes a new tag widget. As a result, dynamic tags can be associated with a host.

This new feature was tracked internally as FEAT-4133.

Detection Improvements

  • TRES-584: Improved detection of compiled Python scripts.
  • TRES-551: Improved prefilter detection for documents with XL4 macro code.
  • TRES-490: Reduced false positive rate for executables.
  • TRES-478: Improved detection of POWRUNER and BONDUPDATER malware families.
  • TRES-460: Improved detection rate of compressed SWF files.
  • TRES-417: Improved detection of OSX/Callisto malware family.
  • TRES-387: Improved detection of Flashback, Crisis, XSLCmd, Calisto, Coldroot, Dummy, CreativeUpdate and DarthMiner OSX malware families.
  • FEAT-4086: Include additional website reputation data in the classification of suspicious URLs analyzed in the Lastline Analyst API.
  • FEAT-4010: A new detector raises an alert upon observing TLS traffic with a new, never-seen-before JA3 hash. JA3 hashes characterize applications generating TLS traffic, so this detector can be used to identify new and potentially unauthorized applications generating encrypted traffic.
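The JA3 detector above keys on a hash of ClientHello parameters. As an added example (not Lastline's code), the following Python sketch builds the JA3 string and MD5 in the standard JA3 way from already-parsed ClientHello fields, strips GREASE values so that a re-randomised GREASE value does not look like a new application, and alerts once per fingerprint not present in a learned baseline; the sample ClientHellos are constructed.

```python
import hashlib

# GREASE values (RFC 8701) are randomised per connection, so JA3 drops them
# to keep one client's fingerprint stable across connections.
GREASE = {v << 8 | v for v in range(0x0A, 0x100, 0x10)}  # 0x0a0a ... 0xfafa


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: five fields joined by ',', values in a field by '-'.
    Field order: TLS version, cipher suites, extensions, elliptic curves,
    EC point formats. Fields with no values stay empty (e.g. '769,4-5,,,')."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(ja3):
    """The JA3 fingerprint is the MD5 of the JA3 string (an identifier, not a security hash)."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


class NewJA3Detector:
    """Return the hash for a JA3 fingerprint not in the baseline, then learn it."""
    def __init__(self, baseline_hashes=()):
        self.seen = set(baseline_hashes)

    def observe(self, client_hello):
        h = ja3_hash(ja3_string(**client_hello))
        if h in self.seen:
            return None      # known application, no alert
        self.seen.add(h)     # alert only once per never-seen-before fingerprint
        return h


# Constructed sample ClientHellos (decimal values, as JA3 uses them).
BROWSER_LIKE = dict(version=771, ciphers=[0x1A1A, 4865, 4866, 4867, 49195],
                    extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13],
                    curves=[0x2A2A, 29, 23, 24], point_formats=[0])
SCRIPT_LIKE = dict(version=771, ciphers=[49195, 49199, 52393],
                   extensions=[0, 10, 11, 13], curves=[29, 23], point_formats=[0])


def demo():
    det = NewJA3Detector(baseline_hashes=[ja3_hash(ja3_string(**BROWSER_LIKE))])
    # Same client, fresh GREASE value: must not be reported as new.
    regreased = dict(BROWSER_LIKE, ciphers=[0x3A3A] + BROWSER_LIKE["ciphers"][1:])
    first = det.observe(regreased)       # None: fingerprint already in baseline
    second = det.observe(SCRIPT_LIKE)    # hash: never-seen-before application
    third = det.observe(SCRIPT_LIKE)     # None: learned on the previous call
    return first, second, third


if __name__ == "__main__":
    print(demo())
```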

Bug Fixes and Improvements

  • SENT-1650: Fix to a Suricata bug where an invalid certificate in the TLS handshake could cause the component to crash.
  • SENT-1175: Fix to an issue caused by a race condition where the SHA1 hash for certain file downloads processed by the sensor would be reported incorrectly in the UI.
  • SENT-1173: Fix to a major issue in the ICAP/Explicit proxy implementation of the malicious progress mode that was impacting correct functionality when processing certain downloads. The issue would often manifest by having continuously updating MD5 hashes for the file under analysis in the progress page served to users.
  • FEAT-4216: Sensor components making use of the Lastline prefilter (mail, sniffing file processing, ICAP) have been updated to ensure that prefilter invocations are always time-bound. This means that an issue in the prefilter logic causing processing to stall on a file can no longer impact the file processing pipeline and queues.
  • FEAT-4144: The Suricata component running on sensors and managers has been updated to version 4.1.4, addressing a number of stability and security issues. Full details can be found here: https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/
  • FEAT-4104: We have improved internal monitoring for the sensor IDS component. The status of a sensor appliance configured for packet sniffing will now be affected by issues in the operation of the component, and can lead to email notifications if appliance status notifications have been configured. More specifically, we now monitor and warn on the following conditions: A) the Suricata component fails to initialize successfully; B) the Suricata component is restarting too frequently; C) no packets are being processed by the IDS component despite sniffing being enabled.
  • FEAT-3931: We have improved the sensor capability of annotating netflows with an application level protocol tag by adding more protocols.
  • FEAT-3708: Anomaly alerts now include information about the detector's state at the time the alert was generated. This information includes, for example, the value of statistics maintained by the detector or the baseline it has learned, and can be used to better interpret the detected anomaly. The information is displayed as a table of key-value pairs.
  • FEAT-2902: Events containing unicode character sets can now be successfully exported in XML format.

Deprecation of API methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1080

Distribution Upgrade

Sensor 1080, which is being made available as part of this release, is supported only running on Ubuntu Xenial as the underlying operating system distribution.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", you will need to upgrade to Sensor 1051.4, then upgrade the running distribution to Ubuntu Xenial before upgrading to Sensor 1080. For detailed instructions on how to perform a distribution upgrade please see the following instructions. This update is not done automatically to prevent unexpected downtime.
