Lastline Defender and Analyst Hosted Release Notes

Version 24.2

New Features

  • Sensor appliance performance improvements
  • Deprecation of Knowledgebase alerting
  • New sniffing MTU setting

SENSOR APPLIANCE PERFORMANCE IMPROVEMENTS

The release ships with a number of architectural improvements aimed at reducing lock contention across multiple sniffing threads in sensor appliances. In practice this results in significant performance improvements, with HTTP throughput of up to 1Gbps per IDS engine thread. On the currently recommended hardware for 10Gbps appliances, this makes it possible to monitor up to two links at 10Gbps throughput.

This new feature was tracked internally as SENT-3933.

DEPRECATION OF KNOWLEDGEBASE ALERTING

The KnowledgeBase alerting feature, which allowed users to write their own rules for proactive search, is now deprecated at both the UI and API levels. The Matching Rules and Results tabs under Intelligence will no longer be available.

This change was tracked internally as USER-6004.

NEW SNIFFING MTU SETTING

We have addressed a number of problems introduced in previous releases when monitoring networks that carry large packets (packets larger than 1500 bytes). A new setting (sniffing_mtu) has been added to lastline_setup on sensor appliances to configure the maximum packet size expected to be seen on the monitored network.

This change was tracked internally as SENT-3920.
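Before choosing a value for the new sniffing_mtu setting, it helps to know the largest frames the monitored link actually carries. The following script is an added example, not part of the release notes or of the Lastline product: it parses a classic pcap capture, reports the largest frame seen on the wire, and counts frames that exceed the classic 1500-byte Ethernet MTU (allowing for the 14-byte Ethernet header and a 4-byte 802.1Q tag; these header allowances are this example's assumption). It uses the original wire length recorded in each pcap record rather than the captured length, so a capture taken with a small snaplen still reveals jumbo frames. The sample capture is constructed inline; the value to pass to sniffing_mtu itself should be taken from the appliance documentation, which this script does not replace.

```python
import struct
from typing import Dict, Iterator, List, Tuple

ETH_HEADER = 14      # destination MAC + source MAC + EtherType
VLAN_TAG = 4         # extra header bytes on an 802.1Q-tagged frame
DEFAULT_MTU = 1500   # classic Ethernet payload limit, as in the release note


def iter_pcap_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (incl_len, orig_len, captured_bytes) for each record of a classic pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (non-pcapng) pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("pcap record cut short at offset %d" % off)
        off += incl_len
        yield incl_len, orig_len, frame


def frame_size_report(data: bytes, mtu: int = DEFAULT_MTU) -> Dict[str, int]:
    """Summarise frame sizes: largest wire length, oversized frames, truncated records."""
    frames = oversized = truncated = max_wire = 0
    for incl_len, orig_len, frame in iter_pcap_records(data):
        frames += 1
        max_wire = max(max_wire, orig_len)
        if incl_len < orig_len:
            truncated += 1  # snaplen cut this frame; orig_len still tells the truth
        tagged = len(frame) >= ETH_HEADER and frame[12:14] == b"\x81\x00"
        limit = mtu + ETH_HEADER + (VLAN_TAG if tagged else 0)
        if orig_len > limit:
            oversized += 1
    return {"frames": frames, "max_wire_len": max_wire,
            "oversized": oversized, "truncated": truncated}


def build_pcap(frames: List[bytes], snaplen: int = 65535) -> bytes:
    """Constructed fixture: serialise raw frames as a little-endian classic pcap."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame))
        out += captured
    return bytes(out)


def make_frame(total_len: int, vlan: bool = False) -> bytes:
    """Constructed Ethernet frame of the requested total length (zero-filled payload)."""
    hdr = b"\x02" * 6 + b"\x04" * 6
    hdr += b"\x81\x00\x00\x64\x08\x00" if vlan else b"\x08\x00"
    return hdr + b"\x00" * (total_len - len(hdr))


# Constructed sample: a small frame, a full-size frame, a full-size VLAN-tagged
# frame (not oversized once the tag is allowed for) and a 9000-byte jumbo frame.
SAMPLE_FRAMES = [make_frame(60), make_frame(1514),
                 make_frame(1518, vlan=True), make_frame(9014)]

if __name__ == "__main__":
    print(frame_size_report(build_pcap(SAMPLE_FRAMES)))
    # Same frames captured with snaplen 1600: the jumbo frame is truncated in the
    # file but is still counted as oversized thanks to orig_len.
    print(frame_size_report(build_pcap(SAMPLE_FRAMES, snaplen=1600)))
```

Run it against a real capture by replacing the constructed fixture with the file contents (`frame_size_report(open("capture.pcap", "rb").read())`); a non-zero oversized count means the link carries frames larger than the classic MTU and the sensor's sniffing_mtu should be raised to match the reported maximum.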

Detection Improvements

  • LLAM-11518: Improved detection of PetitPotato
  • LLAM-11515: Improved detection of z0Miner Shellscript
  • LLAM-11474: Improved detection of Turla backdoor
  • LLAM-11372: Improved detection of TeslaRvng ransomware
  • LLAM-11503: Improved detection of XRed backdoor
  • LLAM-11548: Improved detection of GoRAT
  • LLAM-11419: Improved detection of Pikabot Loader
  • LLAM-10539: Improved detection of Mirai
  • LLAM-11418: Improved detection of ModiLoader
  • LLAM-11485: Improved detection of Jkwerlo ransomware
  • LLAM-11363: Improved detection of GootLoader
  • LLAM-10523: Improved detection of MediaArena PUA applications
  • LLAM-11571: Improved detection of AgentTesla
  • LLAM-11460: Improved detection of DarkVNC
  • LLAM-11392: Improved detection of FritzFrog
  • LLAM-11501: Improved detection of Bifrose
  • LLAM-11218: Improved detection of BATLoaders
  • LLAM-11487: Improved detection of Stealers
  • LLAM-11519: Improved detection of AVKillBAT
  • LLAM-11390: Improved detection of Pterodo
  • LLAM-11314: Improved detection of Kuiper ransomware
  • LLAM-11517: Improved detection of Rekoobe
  • LLAM-11455: Improved detection of Netwalker ransomware
  • LLAM-11391: Improved detection of PurpleFox Rootkits
  • LLAM-11555: Improved detection of ShellScript Downloader
  • LLAM-11374: Improved detection of Smokeloader
  • LLAM-11699: Improved detection of Striker
  • LLAM-11673: Improved detection of Pikabot
  • LLAM-11564: Improved detection of Snowlight
  • LLAM-11587: Improved detection of Upstyle backdoor
  • LLAM-11588: Improved detection of ReverseSSH hacktool
  • LLAM-11482: Improved detection of Pikabot
  • LLAM-11464: Improved detection of Korplug
  • LLAM-11280: Improved detection of CobaltStrike Beacon
  • LLAM-11499: Improved detection of GenericLoader
  • LLAM-11375: Improved detection of BianLianGoMonitor
  • LLAM-10536: Improved detection of BlackByte ransomware
  • LLAM-11484: Improved detection of Dridex
  • LLAM-11384: Improved detection of Grandoreiro malware
  • LLAM-10971: Improved detection of WinLNK
  • LLAM-11560: Improved detection of Tasos
  • LLAM-11133: Improved detection of Runner

Bug Fixes and Improvements

  • SENT-3881: Fix to an issue where a custom-defined blacklist entry added to an appliance via the threat intelligence API would never be removed from the appliance even when removed via the API.
  • SENT-3917: The lastline_test_appliance tool on the sensor appliance has been extended to verify that the NIC hardware used for sniffing is officially supported and tested.
  • SENT-3918: Improvement to the logic used by the sensor appliance to decide whether the sniffing hardware is officially supported, and therefore can be used in DPDK native modes. This addresses some unusual hardware configurations that have been observed in the field and that were not handled correctly in previous releases.
  • SENT-3919: Releases 1380 and 1380.1 did not correctly report the ratio of flows with reassembly gaps. This could cause the appliance to trigger false warnings about degraded network visibility. The problem is now fixed and the flow ratio for reassembly gaps is calculated correctly.
  • SENT-3903: Fixed an issue that could cause the ICAP pipeline to fail to process large files correctly.
  • SENT-3991: Fix to an issue that would cause packet loss and low performance on Silicom NICs running in inline mode.
  • SENT-4025: Fix to an issue where custom IDS variables were not correctly taken into account by the appliance.
  • SENT-3979: lastline_setup on sensors did not allow configuring a max_file_size greater than 100MB (despite the default being 200MB). The issue is now fixed.
  • FEAT-8430: The VMware EULA has been replaced by Broadcom's Terms and Conditions. The first time you use the product after installing or upgrading to this release, you will be prompted to view and accept them.

Deprecation of API Methods

  • USER-6004: Remove LLKb alerting UI views in Defender

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1390

Distribution Upgrade

Sensor 1390, which is being made available as part of this release, is supported only on Ubuntu Bionic or Ubuntu Focal as the underlying operating system distribution. Version 1390 will be the final version that supports Ubuntu Bionic; all future releases will require Ubuntu Focal. To support this distribution upgrade, 1390 runs on both Ubuntu Bionic and Ubuntu Focal. Before upgrading to any future version, appliances on Ubuntu Bionic must be upgraded to Ubuntu Focal while running version 1390. The distribution upgrade requires a reboot and may take up to an hour to complete.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "focal". If it is "bionic", the appliance distribution needs to be upgraded. For detailed instructions on how to perform a distribution upgrade, please see the following instructions. This upgrade is not performed automatically, to prevent unexpected downtime.

24.1.1