SensorFleet software changelog

Changes marked with "ansible" mean that an ansible re-run with the new playbook is required. Contact SensorFleet to obtain a new version of the ansible playbook; it is not yet available from any repository. See the User Manual for details on release channels and their usage.

*** CHANNELS ***

Supported current releases:
* release-2.9: version 2.9.3
* release-2.9-beta: version 2.9.3
* release-2.9-staging: version 2.9.3

Unsupported old releases:
* release-2.8: version 2.8.1
* release-2.8-beta: version 2.8.1
* release-2.8-staging: version 2.8.1
* release-2.7: version 2.7.4
* release-2.7-beta: version 2.7.4
* release-2.7-staging: version 2.7.4
* release-2.6: version 2.6.3
* release-2.6-beta: version 2.6.3
* release-2.6-staging: version 2.6.5
* release-2.5: version 2.5.2
* release-2.5-beta: version 2.5.2
* release-2.5-staging: version 2.5.2
* release-2.4: version 2.4.13
* release-2.4-beta: version 2.4.13
* release-2.4-staging: version 2.4.13
* release-2.3: version 2.3.12

*** CHANGELOG ***

2.9.3: staging 2026-03-24, stable 2026-03-25

Security patch release (CrackArmor + Suricata)

- Bug fixes:
  [SEN-1818] - Kernel: Update to 6.6.129 (CrackArmor fix)
  [SEN-1821] - Capture Engine: Update PF_RING to latest
  [SEN-1833] - Update Suricata to 7.0.15 and libhtp to 0.5.53

2.9.2: staging 2026-03-12, stable 2026-03-16

Bug fix, security and compatibility update.
- Bug fixes:
  [SEN-1701] - Fix CVE-2025-69223 by updating aiohttp library in all packages
  [SEN-1812] - Installer v2: flush data before reboot
  [SEN-1650] - Installer v2: Install linux-firmware package
- New features and other improvements:
  [SEN-1755] - Option to prevent cross-sensor subscriptions and messaging (filter_sensor_to_sensor, default false)
  [SEN-1815] - Relax Sensor configuration schema by allowing extra fields in many places
  [SEN-1719] - Suricata Instrument, Rule Manager: Update Suricata to 7.0.14
  [SEN-1718] - Fleet Tool: Adding users has a new --privilege option, use sane defaults
  [SEN-1720] - Zeek Instrument: Update Zeek to 7.0.11

2.9.1: staging 2025-11-20, stable 2025-11-21

Bug fix, security and compatibility update.

KNOWN ISSUES
- Ansible role vpn_client might be incompatible with the latest Ansible versions (with ansible.netcommon >= 8.0.0). Downgrade to an older Ansible, e.g. 2.16, or manually patch the incompatible roles. This will be fixed in 2.10, because compatibility with old Ansible will break due to API changes.
- Bug fixes:
  [SEN-1488] - Installer v2: Installer should install resolver to global configuration instead of interface-based
  [SEN-1306] - Installer v2: Generate unique machine-id on installation to prevent duplicate DHCP client IPs
  [SEN-1398] - Ansible: Prevent sensorfleet-efi package from being removed by APT (affects installer v2 non-TPM installs)
  [SEN-1404] - UI: API token does not work over FM to remote Sensor Instrument UIs (broken in 2.9.0)
  [SEN-1380] - UI: Opening Sensor UI through FM reverse proxy does not work if user management is enabled in Sensor; remove unnecessary UI buttons from FM
  [SEN-1461] - Adoption VPN: openvpn user/group might be missing when running fleet adoption vpn import
  [SEN-1401] - SensorFleet EFI: Improve compatibility with flash memory cards by enhancing EFI partition detection
  [SEN-1299] - SensorFleet EFI: Fix Fleet-EFI Boot Manager command cannot handle >9 boot entries
  [SEN-1301] - SensorFleet EFI: Fix debug kernel image does not contain the commandline
- New features and other improvements:
  [SEN-1478] - Kernel: Support Broadcom MPI3 in the Fleet Kernel
  [SEN-1448] - Capture Engine: Update PF_RING to 9.0.0
  [SEN-1446] - Kernel: Update kernel to 6.6.108 and PF_RING to latest
  [SEN-1433] - Capture Engine: Implement drop count metrics
  [SEN-1567] - Suricata Instrument, Rule Manager Instrument: Update Suricata to 7.0.13
  [SEN-1470] - Statistics Collector: Implement new drop count metrics from Capture Engine
  [SEN-1428] - SensorFleet EFI: Improve UEFI compatibility with weird UEFI implementations by adding BOOTX64.EFI
  [SEN-1532] - Instruments: Update Alpine Linux to 3.20.8
  [SEN-1545] - Log Forwarder Instrument: Update logstash to 7.17.29
  [SEN-1532] - All Instruments: Update alpine to 3.20.8
  [SEN-1535] - Rule Manager, PassiveDNS, AssetGuard: Update PostgreSQL 12 to 12.21 (only used for migration)
  [SEN-1540] - Cowrie Instrument: Update Cowrie to 2.8.1

2.9.0: release-2.9 2025-04-23

Release highlights:
- BETA: Added Single Sign On support (SAMLv2) in FM UI.
- BREAKING CHANGE: User Management is now enabled by default. For old installations without User Management, refer to the User Manual on how to add users to Fleet Management. This does not affect typical installations.
- Performance improvements to Suricata, Recorder Instrument and PassiveDNS.
- Suricata-Arkime integration enabled by default in Recorder Instrument. You can now see Suricata alerts in Arkime with the default configuration.
- Configurable Recording Requests for Suricata Alerting (advanced filtering for Triggered Mode recording).
- Log Forwarder has built-in support for the DCR-based Sentinel API.
- Fix for non-TPM Installer v2 EFI installation (broken by auditd changes in Ansible)

Known issues:
- Logging in to Sensor UI through the FM UI is no longer possible. Logging in to the local Sensor UI directly is still possible, provided that you manually add a user. Sensor configuration and management through the FM UI works normally.

- Bug fixes:
  [SEN-1128] - Fleet Tool: fix None handling in getting users (list, remove commands)
  [SEN-1129] - Rule Manager Instrument: Fix some Rule Manager Address Group UI usability issues
  [SEN-1105] - Rule Manager Instrument: Rule Manager Instrument Tag Edit UI tags title missing
  [SEN-1265] - Ansible: Fix overwriting kernel parameters in non-TPM SensorFleet-EFI installs
  [SEN-1266] - Installer v2: Create multiline kernel commandline parameters instead of single line
  [SEN-1271] - Installer v2: Install missing sudo package for non-privileged Ansible installs
  [SEN-1258] - Sensor UI: Fix inconsistent clear behaviour for data retention duration input
  [SEN-1267] - SFConfig Importer: Fix sfconfig-makedisk not accepting parameters through the CLI alias
- New features and other improvements:
  [SEN-1279] - Kernel: Update kernel to 6.6 and PF_RING to 8.8
  [SEN-1153] - UI: Implement Single Sign On (SSO) Support for FM UI (BETA)
  [SEN-835] - Enable User Management by default
  [SEN-1194] - SBOMs and vulnerability scan results are now uploaded to https://sbom.sensorfleet.com
  [SEN-1187] - All Instruments: update Alpine to 3.20.6
  [SEN-1134] - Zeek Instrument: update Zeek to 7.0.5
  [SEN-1160] - Log Forwarder Instrument: Add sentinel DCR-based api plugin microsoft-sentinel-log-analytics-logstash-output-plugin
  [SEN-1134] - Log Forwarder Instrument: update logstash to 7.17.27
  [SEN-1134] - Recorder Instrument: update ElasticSearch to 8.17.1
  [SEN-1180] - Zeek Instrument: Zeek support for SR-IOV and physical interfaces
  [SEN-1172] - Fleet Tool: Support for on-demand record command
  [SEN-1177] - Netflow Instrument: Add support for SR-IOV VF and physical interfaces
  [SEN-1140] - Recorder Instrument: Suricata alerts to Arkime integration
  [SEN-1184] - Recorder Instrument: Configurable tpacketv3 buffer parameters
  [SEN-1183] - Recorder Instrument: Use mimalloc only with tpacketv3
  [SEN-1178] - Recorder Instrument: Add support for SR-IOV VF and physical interfaces
  [SEN-1118] - Kernel: added support for Qlogic QED interfaces
  [SEN-1051] - Rule Manager Instrument: return the error when processing rulesource for upper functions to display the error to user
  [SEN-1234] - Suricata Instrument: Suricata record request filtering
  [SEN-1224] - Suricata Instrument: Use mimalloc for Suricata allocations to improve performance
  [SEN-1176] - Suricata Instrument: Add support for SR-IOV VF and physical interfaces
  [SEN-1210] - UI: support for X-Real-IP, X-Forwarded-For, X-SensorFleet-User headers
  [SEN-1225] - UI: support for PASETO Token based sensor ui authentication
  [SEN-1203] - PassiveDNS Instrument: Implement database partitioning for better performance
  [SEN-1166] - Capture Engine: Implement support for SR-IOV on Capture Engine
  [SEN-1143] - Capture Engine: Update capco to new PF_RING version 8.8.0-stable
  [SEN-918] - Sensor Orchestrator: Implement support for event type based retention
  [SEN-1144] - Sensor Orchestrator: Implement SR-IOV NIC support
  [SEN-1255] - Rule Manager Instrument: Implement ruleset_sent message title
  [SEN-1220] - Kernel: add nvidia open driver

2.8.1: release-2.8-staging 2025-01-13, release-2.8 2025-01-28

- Bug fixes:
  [SEN-1119] - Ansible: remove kernel after packages are configured (fixes firewall module issue with some cloud VM installs)
  [SEN-1112] - Ansible: modified apt auth.conf to support sending basic auth over http
  [SEN-1121] - AssetGuard Instrument: remove illegal characters from (dhcp or other originated) hostnames
  [SEN-1124] - Update Alpine Linux to 3.20.4 for all Instruments (CVE fixes)
  [SEN-1114] - sfconfig-importer: add missing alias scripts
  [SEN-1104] - sfconfig-importer: fix netplan configuration detection, support for nonstandard filenames
  [SEN-1103] - Fleet Tool: fix adoption ccd file permissions
  [SEN-1115] - Suricata Instrument: update Suricata to 7.0.8 (CVE fixes)
  [SEN-1102] - Sensor Installer v2: install sfconfig-importer to allow sfconfig settings import
- New features and other improvements:
  [SEN-1109] - Sensor Installer v1+v2: rename installer images to be more logical
  [SEN-1067] - Sensor Installer v2: do not ask for installer credentials (root autologin)
  [SEN-1072] - Sensor Installer v2: format netplan config as yaml, no json
  [SEN-1010] - Enable JA3, JA4 fingerprints by default in app layer engine

2.8.0: release-2.8 2024-12-05

Release highlights:
- BETA: New Installer available with support for Secure Boot
- Maintenance: lots of library updates and Alpine Linux 3.20
- Recorder Instrument: Arkime 5.5.0, ElasticSearch 8.16
- Recorder Instrument: Huge optimizations to packet handling speed
- Log Forwarder Instrument: Easier to implement FM event pipeline (multi Sensor subscribe from FM)
- Suricata Instrument: Suricata 7.0.7
- PassiveDNS, Rule Manager, AssetGuard PostgreSQL 12 to 16 upgrade (automatic migration)
- Netflow Instrument: New nfdump version with new data format. Note that the old nfdump version cannot read this format.
- Some other bug fixes

- Bug fixes:
  [SEN-1045] - AssetGuard Instrument: Fix event subscription with multiple AssetProbes
  [SEN-1019] - Log Forwarder Instrument: fix permissions issue after 2.6 -> 2.7 upgrade
  [SEN-1028] - Log Forwarder Instrument: fix situation where no event history was found and history=false
  [SEN-1020] - Log Forwarder Instrument: fix some timeout warnings
  [SEN-1089] - Netflow Instrument: fix netflow search api error 500
  [SEN-920] - Rule Manager Instrument: fix handling of None in suricata version
  [SEN-906] - Sensor UI: fix Token modal close
  [SEN-858] - Sensor UI: Fix FM overview rendering on safari
  [SEN-886] - Sensor UI: Fix SfTooltip overflowing on narrow screens
  [SEN-880] - Sensor UI: Fix scrolling to selected Sensor
  [SEN-937] - Capture Engine: fix regression that breaks capco optics statistics
  [SEN-875] - Capture Engine: Fix pipe leak on pyroute2.IPRoute usage
  [SEN-856] - Sensor Orchestrator: Fix orchestrator restart issue
  [SEN-1056] - Netflow Instrument: Don't show validation errors for old form data
  [SEN-403] - Rule Manager Instrument: Reliable offline sensor handling
  [SEN-1081] - Sensor UI: add missing sudo dependency
  [SEN-967] - Suricata Instrument: If files event type is configured, allow fileinfo events
  [SEN-965] - Suricata Instrument: Allow configuring additional outputs for suricata
  [SEN-955] - Ansible: make shell variable TMOUT readonly & exported (CIS audit)
  [SEN-872] - Ansible: grub-pc unattended install fix
- New features and other improvements:
  [SEN-1090] - Netflow Instrument: New nfdump version (1.7.5+)
  [SEN-849] - Ansible: Grub installs: Set default grub password in sample configuration
  [SEN-1040] - Ansible: set kernel.panic to 10 by default (makes Sensor reboot on kernel crash)
  [SEN-526] - All Instruments: update Alpine Linux to 3.20.2
  [SEN-1061] - Recorder Instrument: update Arkime to 5.5.0
  [SEN-1071] - Recorder Instrument: update Elasticsearch to 8.16
  [SEN-1002] - Recorder Instrument: Use mimalloc allocator and other performance improvements
  [SEN-900] - Zeek Instrument: update to Zeek 7.0.3
  [SEN-1047] - Suricata Instrument: upgrade suricata to 7.0.7, libhtp to 0.5.49
  [SEN-889] - Statistics Collector: Context rule hits and directions support
  [SEN-899] - AssetGuard Instrument: Update PostgreSQL to v16
  [SEN-1005] - PassiveDNS Instrument: PostgreSQL 12 to 16 upgrade
  [SEN-1014] - Log Forwarder Instrument: Support for multi sensor subscribe when running on FM
  [SEN-1014] - Log Forwarder Instrument: use OpenMetrics style stats
  [SEN-1021] - Log Forwarder Instrument: support for new logstash pipeline settings
  [SEN-968] - Log Forwarder Instrument: sample configuration: change codec to plain
  [SEN-874] - Fleet Tool: list sensors and filter by online status
  [SEN-860] - Sensor UI: Implement container options ui
  [SEN-869] - Configuration: display known LXD defaults
  [SEN-411] - Sensor UI: Implement compact mode for Overview tab
  [SEN-825] - Sensor UI: Ask webcrawlers not to index Sensor and FM UI
  [SEN-972] - Capture Engine: Be more lenient on capture process operation durations
  [SEN-972] - Capture Engine: Add logging for commands that take 1s or over to process
  [SEN-915] - Capture Engine: Support for accelerated packet capture
  [SEN-914] - Sensor Orchestrator: Orchestrator support for accelerated packet capture pipeline
  [SEN-1014] - SensorMessageBroker: allow instruments on FM to read sensors@ config

2.7.4: release-2.7 2024-09-11

- Bug fixes:
  [SEN-1006] - Rule Manager: Suricata rule validation does not consider custom variables

2.7.3: release-2.7-staging 2024-07-24, release-2.7 2024-07-26

- Bug fixes:
  [SEN-928] - Recorder Instrument: Instrument configuration changes cause invalid stats event to be generated
  [SEN-937] - Capture Engine: Fix regression that broke optics statistics
  [SEN-938] - Suricata Instrument: Update to 7.0.6 to address security issues

2.7.2: release-2.7-staging 2024-07-02

- Bug fixes:
  [SEN-875] - Capture Engine: fix pipe leak on pyroute2.IPRoute usage causing continuous memory usage increase

2.7.1: release-2.7 2024-06-13

- Bug fixes:
  [SEN-839] - Capture Engine: Fix erroring out on missing optical info on SFP transceiver
  [SEN-864] - Capture Engine: Fix ethtool usage when reading interface statistics, causing a memory leak
  [SEN-817] - Kernel: Depend on initramfs-tools or sensorfleet-efi, fixing Ansible run on non-installer installed Sensors
  [SEN-804] - VPN: Fix OpenVPN startup issue with Adoption VPN for hardened OpenVPN installs
  [SEN-856] - Firewall, Sensor Orchestrator: Ensure ferm startup to avoid a situation where Sensor may boot without firewall in an error situation
  [SEN-810] - SensorFleet EFI: Fix initial SecureBoot key insertion
  [SEN-815] - SensorFleet EFI: Use udevadm instead of readlink to query actual device from /dev/mapper
  [SEN-884] - Log Forwarder Instrument: Fix permission error after configuration change
  [SEN-885] - UI: Fix type error in console when editing YAML fields
- New features and other improvements:
  [SEN-816] - Capture Engine: add support for QSFP28 transceiver statistics

2.7.0: release-2.7 2024-04-30

Release highlights:
- Security improvements (some required by CIS, plus others; new ansible playbook required)
- Preparation for Secure Boot support with the SensorFleet EFI bootloader
- Lots of OS & 3rd party component updates, including Vue 2 -> Vue 3 migration
- Statistics events support with sensorfleet-statistics package

- Bug fixes:
  [SEN-517] - AssetGuard Instrument: Fix overlapping vendor mac addresses
  [SEN-534] - Recorder Instrument: Fix incorrect parameter being sent to index cleanup logic
  [SEN-599] - Kernel: Fix latest tag in build and grep in build.sh
  [SF-3249] - Kernel: Fix detection of grub being present after EFI migration
  [SF-3172] - Sensor UI: Fix friendly name save
  [SEN-222] - Sensor Orchestrator: Fix a theoretical directory traversal attack
  [SEN-550] - Messaging: Fix crash when set was modified while iterating
  [SEN-739] - Ansible: Fix OpenVpn service startup in rare instances
- New features and other improvements:
  [SEN-702] - Ansible: add logrotate dependency
  [SEN-591] - Ansible: Security: Enable auditd for default installs
  [SEN-590] - Ansible: Security: Ensure Sudo Logfile Exists
  [SEN-584] - Ansible: Security: Set Interactive Session Timeout
  [SEN-717] - Ansible: Add option to install extra packages
  [SEN-701] - Ansible: allow v6 icmp in ferm
  [SEN-660] - Ansible: Security: Default to Finnish TL3 compatible ciphers on sshd
  [SEN-588] - Ansible: Security: enforce better logfile permissions
  [SEN-589] - Ansible: Security: Disable some kernel modules
  [SEN-575] - Ansible: Security: Implement some SSH hardening options
  [SEN-390] - Ansible: Security: Drop OpenVPN user privileges
  [SEN-393] - Ansible: Security: Change default OpenVPN cipher from AES-256-OFB to AES-256-CBC (see User Manual)
  [SEN-393] - Ansible: Security: Reject port 41337 by default on FM
  [SF-3217] - AssetGuard Instrument: Ensure interface is up before accepting configuration
  [SF-3173] - AssetGuard Instrument: Make assetprobe visible in UI
  [SF-3119] - SFConfig Importer: ignore special interface when missing hwconfig
  [SF-3202] - Zeek Instrument: Stats events for zeek
  [SF-2636] - Portdiff Instrument: Change file save to use flush
  [SEN-76] - Portdiff Instrument: Update to pscan 0.3.1
  [SEN-74] - Fleet Tool: Add stats:read privilege to admin user
  [SF-3170] - Fleet Tool: Add --sensor and --json options to subscribe
  [SF-3020] - Fleet Tool: Fix config editor editing wrong Sensor's configuration
  [SF-3147] - Fleet Tool: Check for root permissions when running
  [SF-3052] - Rule importer instrument: Send rulesets in parallel
  [SEN-385] - Netflow Instrument: Show first and last seen using UTC in main view
  [SF-3198] - Netflow Instrument: Add stats event
  [SF-3247] - Kernel: Update kernel and PF_RING to latest stable
  [SF-3171] - Kernel: Add boot manager dependency and generate initramfs on BIOS systems
  [SF-3145] - Kernel: Prepare for SensorFleet-EFI boot
  [SEN-731] - Rule Manager Instrument: Proper error handling when unable to update zeek blacklists
  [SF-3099] - Rule Manager Instrument: Data retention: purge may fail after retention time rotation
  [SF-3145] - SensorFleet EFI: Add SensorFleet-EFI package to replace Grub2 and for future SecureBoot support
  [SEN-758] - SensorFleet EFI: Add support for SensorFleet-EFI and ESP on NVMe drives
  [SEN-668] - SensorFleet EFI: Regard any newlines in the kernel commandline files as spaces
  [SEN-642] - SensorFleet EFI: Default to PCR7 on TPM2 SecureBoot Bindings
  [SEN-567] - SensorFleet EFI: Add dependency for LVM2 package
  [SEN-537] - SensorFleet EFI: Rework TPM2 Key Tool RootFS LUKS partition checking to be more dynamic
  [SEN-537] - SensorFleet EFI: Rework RootFS LUKS partition checking to be more dynamic
  [SEN-647] - Suricata Instrument: Update suricata to v7.0.3
  [SEN-700] - Suricata Instrument: save config in transient-data instead of /etc
  [SEN-379] - Sensor UI: redirect HTTP 80 to 443 by default
  [SEN-290] - Sensor UI: Improve Custom Configuration editing
  [SEN-510] - Sensor UI: Fix timing out sensor websockets
  [SF-3250] - Sensor UI: Add stats:read permission
  [SF-3187] - Sensor UI: Always write upgrade header
  [SF-3182] - Passivedns Instrument: Send statistics events
  [SEN-444] - Capture Engine: monitor sfp/qsfp module statistics
  [SF-3199] - Capture Engine: Added stats event
  [SF-3247] - Capture Engine: Update for PF_RING 8.6.1
  [SEN-574] - CI: Automatic vulnerability scans on releases
  [SEN-605] - Sensor Orchestrator: Do not try to force apply config right after restart
  [SEN-46] - Sensor Orchestrator: Set status age at startup to avoid an error
  [SF-3181] - Sensor Orchestrator: Add stats event
  [SEN-658] - SensorMessageBroker: Use 521-bit curve for the initial key exchange
  [SF-3185] - SensorMessageBroker: Implement stats events

2.6.5: release-2.6-staging 2024-02-06

- New features and other improvements:
  [SF-3277] - Recorder Instrument: Support having minimum required disk space in bytes in addition to % (disk_min_free_mib)
  [SF-3275] - Recorder Instrument: Recorder should emit health warnings when elastic has an issue
  [SF-3274] - Recorder Instrument: Rewrite PCAP retention logic to be more reliable and not trust the Arkime index so much

2.6.3: release-2.6 2023-11-13

- Bug fixes:
  [SF-3238] - Recorder Instrument: Recorder buffer limit is incorrectly calculated, leading to potential out-of-memory conditions (oomkiller)
- New features and other improvements:
  [SF-3271] - Update Alpine Linux to 3.17.5 for all instruments

2.6.2: release-2.6 2023-10-13

- Bug fixes:
  [SF-3099] - Rule Manager: Data Retention purge may fail after retention time rotation (introduced in 2.6.0)

2.6.1: release-2.6 2023-08-18

- New features and other improvements:
  [SF-3153] - Sensor Installer: Ensure old encryption keys are not used when reinstalling a sensor with different keysource
  [SF-3150] - Sensor Installer: Create larger EFI partition by default
- Bug fixes:
  [SF-3152] - Sensor Installer: Package Type 2 installer in addition to Type 1 installer

2.5.2: release-2.5 2023-08-18

- New features and other improvements:
  [SF-3153] - Sensor Installer: Ensure old encryption keys are not used when reinstalling a sensor with different keysource
  [SF-3150] - Sensor Installer: Create larger EFI partition by default
- Bug fixes:
  [SF-3152] - Sensor Installer: Package Type 2 installer in addition to Type 1 installer

2.6.0: release-2.6 2023-06-15

Highlights:
* Rule Manager: assign rule lists per Suricata instrument using the new "Tags" feature
* Experimental feature: sfconfig-importer, securely configure Sensor management interface IP/authentication/adoption VPN using external media
* Experimental feature: Adoption of Sensors over Adoption VPN (call-home vpn, configurable via sfconfig or manually using fleet tool)
* Major 3rd party component upgrades (Arkime, Suricata, Zeek, etc)
* New Instrument: AssetGuard Manager & Probe Instruments (beta, replaces TrafficGuard)
* Bug fixes

See the Manual for details on the new SFConfig/Adoption VPN feature.

- Bug fixes:
  [SF-3042] - Sensor Installer: Sensors are installed with non-standard EFI mountpoint
  [SF-3029] - Fleet Tool: Fix adoption VPN client revocation
  [SF-2995] - Sensor Installer: Add -updates/-security repos to sensor-installer
  [SF-2960] - Netflow: Fix netflow invalid timestamp milliseconds
- New features and other improvements:
  [SF-3096] - Ansible: Disable sfconfig auth/vpn import by default when adopting Sensors
  [SF-3091] - Recorder Instrument: Update arkime to 4.3.1
  [SF-3089] - PortDiff Instrument: Update to pscan 0.3.0
  [SF-3085] - Zeek Instrument: Update Zeek to 5.0.9
  [SF-3080] - Update suricata to 6.0.12, hyperscan to 5.4.2, libhtp to 0.5.43
  [SF-3056] - Fleet Tool: Support for generating SSH config
  [SF-3052] - Rule Importer: Asynchronous rule list delivery to multiple sensors simultaneously
  [SF-3051] - Sensor Installer: Remove default generated fleetbase ssh key from image
  [SF-3049] - Sensor Installer: Enable ttyS0 serial console for installed sensor
  [SF-3046] - UI: Tweak health popups
  [SF-3039] - Fleet Tool: Add option to read newest events
  [SF-3028] - Fleet Tool: Allow Sensor to be installed over adoption VPN
  [SF-3023] - UI: FM UI spams "Sensor offline"
  [SF-3021] - Kernel: Enable some missing kernel modules for Intel drivers
  [SF-3012] - Autobuilds and repositories: Alpine 3.17.3 update
  [SF-2976] - Recorder Instrument: Backport db.pl from Arkime 3.3.0 to allow direct upgrade to 4.2.0
  [SF-2961] - Recorder Instrument: Use nodejs v16, update some arkime dependencies
  [SF-2959] - Netflow: Update netflow to 1.6.24
  [SF-2951] - PortDiff Instrument: Update pscan dependencies and move to tokio async runtime
  [SF-2926] - UI: Hide internal instruments in FM/Sensor UI
  [SF-2847] - UI: Show advanced event search UI by default
  [SF-2718] - Sensor Installer: support sfconfig by default

2.4.13: release-2.4-staging 2023-06-13, release-2.4 2023-07-31

- New features and other improvements:
  [SF-2944] - Release Upgrade: Implement free space check for fleet-release-upgrade
- Bug fixes:
  [SF-3042] - Fix non-standard EFI mountpoint during upgrade

2.5.1: release-2.5 2023-03-27

- New features and other improvements:
  [SF-2992] - Update all instruments to Alpine 3.17.2
  [SF-2969] - Fleet Tool: Do not include defaults when saving sensor config
  [SF-2995] - Sensor Installer: Add updates/security-repos default apt.sources
  [SF-2996] - Ansible: Override system repositories by default to avoid configuration errors
  [SF-2967] - Recorder Instrument: Update to Arkime 4.2.0
  [SF-2974] - Recorder Instrument: Add simpleCompression as a configurable setting
  [SF-2976] - Recorder Instrument: Backport db.pl from Arkime 3.3.0 to allow direct upgrade to 4.2.0
  [SF-2975] - Ansible: Default APT protocol to https
  [SF-2931] - Suricata Instrument: Update Suricata to 6.0.10
- Bug fixes:
  [SF-2972] - Rule Manager Instrument: Fix broken Address groups / Port groups editing
  [SF-2965] - Fix release-2.5 FM fresh install failure
  [SF-2848] - Recorder Instrument: Configurable ES shards (allows >42d retention times)
  [SF-2966] - Fleet Tool: Allow adoption vpn client import to work on non-installed Sensor
  [SF-2709] - Rule Manager Instrument: Invalid Zeek script passes validation

2.5.0: release-2.5 2023-02-12

See the User Manual for the upgrade procedure, required due to the Ubuntu 22.04 requirement.
- Release highlights:
  [SF-2689] - Zeek Instrument: Clustering/multithreading support
  [SF-2686] - Update to Ubuntu 22.04 LTS
  [SF-2141] - Support overriding homenets for individual instruments
- New features and other improvements:
  [SF-2930] - Recorder Instrument: Update arkime to 3.4.2 and openjdk to v17
  [SF-2929] - SensorFleet LXD: Update lxd to 5.0.2, dqlite to 1.14.0, raft to 0.17.1
  [SF-2927] - PassiveDNS, Rule Manager, TrafficGuard Manager: Update postgresql to 12.13
  [SF-2863] - Suricata instrument: Allow EXTERNAL_NET to match when HOME_NET 0.0.0.0/0 or ::0/0 is used
  [SF-2845] - UI: Standardize UI behavior and buttons for adding items to list
  [SF-2817] - UI: Sensor-UI: Fix confusing "Add range" in homenets editor
  [SF-2771] - Sensor Orchestrator: Add metadata from download configuration to download.available event
  [SF-2769] - Support transmission on IPv6 for FM-Sensor tunnels
  [SF-2760] - Update python requirements of all instruments
  [SF-2755] - Replay Instrument: Add downloader support for replay
  [SF-2754] - Replay Instrument: Update tcpreplay to 4.4.2
  [SF-2725] - PortDiff Instrument: Update to pscan 0.2.0 release
  [SF-2720] - Fleet Tool: Preliminary Adoption VPN server support
  [SF-2700] - Cowrie Instrument: Refactor cowrie configuration handling
  [SF-2699] - Cowrie Instrument: Update Cowrie to 2.4.0
- Bug fixes:
  [SF-2892] - SensorFleet LXD: Unable to start containers (Health check timeout) when conflicting SubUID/SubGID mapping
  [SF-2701] - Suricata instrument: Suricata does not update the produced event configuration properly
  [SF-2668] - UI: UI fails to add bridge interface without an IP
  [SF-2658] - Installer: Fix installer error when management interfaces are not present in install phase
  [SF-2638] - PortDiff Instrument: Scanning large networks might deadlock the scanner
  [SF-2632] - Rule Manager: Fix timeout with a big rulelist
  [SF-2594] - PortDiff Instrument: Portdiff: Invalid baseline config passing validation

2.4.12: release-2.4 2023-02-12

See the latest User Manual for information on upgrading from 2.4.12 to 2.5+.

- Bug fixes:
  [SF-2892] - SensorFleet LXD: Unable to start containers (Health check timeout) when conflicting SubUID/SubGID mapping
- New features and other improvements:
  [SF-2873] - Upgrade Script to automate Ubuntu upgrade from 18.04 to 22.04

2.4.11: staging 2022-12-11

- Bug fixes:
  [SF-2807] - Rule Manager: Fix Health Check timeout error when processing big rulesources on a slow I/O sensor
  [SF-2836] - Rule Manager: Fix diff generation failing under some circumstances
  [SF-2833] - Rule Manager: Fix Data Retention error on foreign key constraint check

2.4.10: staging 2022-10-14, beta 2022-12-05

- Bug fixes:
  [SF-2740] - Rule Manager: Zeek related purge might fail after upgrade to 2.4.X
- New features and other improvements:
  [SF-2698] - Netflow Instrument: Add netflow search UI, move API to /api
  [SF-2642] - Rule Manager: Improve rule view for smaller resolutions
  [SF-2600] - Rule Manager: Rule classification should display value as enum instead of number
  [SF-2601] - Rule Manager: UI cleanup (Oink revision => Revision)

2.4.9: staging 2022-10-06, beta 2022-10-14

- Bug fixes:
  [SF-2739] - SensorFleet LXD: LXD upgrade to 5.0 does not wait for storage to be deleted
- New features and other improvements:
  [SF-2703] - SensorFleet LXD: Update to LXD version 5.0.1

2.4.8: staging 2022-09-07

- Bug fixes:
  [SF-2708] - Sensor Orchestrator: Fix mirror-bridge traffic not being forwarded to instruments in some cases, introduced in 2.4.7

2.4.7: staging 2022-08-17

- New features and other improvements:
  [SF-2659] - Kernel: Updated Kernel with new grsecurity, add CDC-ethernet module, update Capture Engine
- Bug fixes:
  [SF-2632] - Rule Manager: Fix ruleset update timeout and race condition
  [SF-2661] - Suricata Instrument: Sometimes stops producing events after a configuration change
  [SF-2668] - UI: failure to add bridge interface without an IP
  [SF-2662] - Sensor Orchestrator: Sensor Orchestrator fails to get physical interfaces and returns error
  [SF-2620] - Rule Manager: Rule Manager can send an empty rulelist to Suricata
  [SF-2568] - UI: FM UI displays FM version instead of Sensor version

2.4.6: beta 2022-06-28

- New features and other improvements:
  [SF-2633] - UI: Alphabetical sort order of Sensors for Fleet Management UI
  [SF-2630] - UI: Add instrument layout broken
- Bug fixes:
  [SF-2644] - UI fails to render some instrument YAML configurations

2.4.5: beta 2022-06-13

- New features and other improvements:
  [SF-2550] - UI: Send an event when user logs in/out
  [SF-2573] - PortDiff Instrument: baseline support for Simple UI
- Bug fixes:
  [SF-2625] - UI: Sensor name formatter does not work with non-numeric serial numbers
  [SF-2622] - Recorder Instrument: cannot access old pcaps after upgrade to release-2.4
  [SF-2618] - UI: Exception when trying to open Simple UI (without events)
  [SF-2617] - UI: Updating instrument list via UI is unreliable
  [SF-2570] - UI: "License limit exceeded" error message is not displayed

2.4.4: staging 2022-05-27

- New features and other improvements:
  [SF-2592] - UI: Do not crash with invalid licenses/metadata yaml
  [SF-2566] - PortDiff Instrument: Add latest baseline alerts also to full event
  [SF-2552] - UI: Fixes for Simple UI and SaaS
  [SF-2548] - Recorder Instrument: Update capture-plugin to latest rust edition
  [SF-2498] - UI: Hide Simple tab when it's not required
  [SF-2228] - Rule Manager, Suricata instrument: Support for overriding Suricata address groups and port groups
  [SF-2545] - SensorFleet LXD: Update LXD to 5.0 and lock all build dependencies
- Bug fixes:
  [SF-2599] - UI: Cannot save bridge interface without IP enabled
  [SF-2583] - PortDiff Instrument: PortDiff displays "No successful scan results" warning after enabling scan
  [SF-2580] - Rule Manager: Rule Manager does not send ruleset to newly adopted suricata
  [SF-2572] - UI: Clicking sensorfleet logo redirects user to non-working simple UI
  [SF-2516] - Suricata instrument: Refactor commit_config to support classification and variables configs from rmgr
  [SF-2459] - Rule Manager: "No rulesource with id X" after clearing rmgr data

2.4.2, 2.4.3: internal test releases

2.4.1: staging 2022-04-20

Permanent snapshot name: release-2.4.1

- Bug fixes:
  [SF-2547] - UI: Interface saving not possible without IP address
  [SF-2530] - TrafficGuard Manager: tgmanager build does not copy /etc/network/interfaces file in place
  [SF-2529] - UI: Password change was not enforced
  [SF-2528] - PortDiff Instrument: Portdiff repeats the same error in health status
  [SF-2522] - Recorder Instrument: Fix Arkime retention logic bug introduced in 2.4.0
  [SF-2514] - API: Some events may be missing context_uuid
  [SF-2513] - Sensor Orchestrator: /mnt/persistent-data/ins directory not created on new Azure deployments
  [SF-2497] - UI: Any authenticated user can change its username, introduced in 2.4.0 [security]
  [SF-2496] - UI: Any authenticated user can modify its permissions to admin:write, introduced in 2.4.0 [security]
  [SF-2484] - Ansible: Do not replace running sensor configuration if fleet tool fails for some reason within fleetgram playbook
  [SF-2460] - Rule Manager: Deleted rules are not cleaned in some cases
  [SF-2456] - UI: Sensor-UI: DHCP was enabled for mirror-bridge
  [SF-2422] - UI: Fix race condition when deleting instrument
  [SF-2290] - UI: Sensor UI: Create users config if it's missing
- New features and other improvements:
  [SF-701] - UI: Feature to restart Instrument manually
  [SF-2025] - UI: Feature to restart Sensor manually
  [SF-2559] - Autobuilds and repositories: Instruments: Update Alpine to 3.14.6
  [SF-2541] - Suricata instrument: Update Suricata to 6.0.4
  [SF-2520] - Fleet Tool: Allow setting force_change flag on password
  [SF-2519] - Fleet Tool: Allow reading password from file
  [SF-2504] - Netflow: Add API to netflow to get flow information for given time range
  [SF-2466] - Ansible: Add initial UI admin user to a new deployment with Ansible
  [SF-2465] - Ansible, Fleet Tool: Fleet Tool & Ansible: Create new users with generated passwords
  [SF-2462] - Fleet Tool: Various user management improvements
  [SF-2458] - UI: Sensor-UI: Argon2-cffi's default parameters changed to respect RFC 9106
  [SF-2450] - UI: Sensor-UI: Pre-generate readable passwords
  [SF-2371] - UI: Sensor-UI: update user's own information
  [SF-1321] - API, Sensor Orchestrator: Events should have an instrument_type field
  [SF-1052] - Make LXD container names human readable and based on instrument type (e.g. ins-recorder-0)

2.4.0: devel

Highlights:
* Major 3rd party software updates (e.g. updated Alpine, Arkime, Zeek, Suricata, lots of libraries)
* User Management support
* PassiveDNS search UI
* Simple UI for PortDiff
* PortDiff improvements (e.g. baseline, banners)
* Major performance improvements (TrafficGuard, PassiveDNS)

- Bug fixes:
  [SF-2435] - Suricata instrument: Suricata classification config is overwritten
  [SF-2428] - Suricata instrument: Suricata tries to create trigger message from event with no context_uuid and fails
  [SF-2427] - API: Time-critical transient event deliveries can be delayed in certain scenarios
  [SF-2421] - Sensor Orchestrator, UI: get_physical_interfaces does not update "user" field immediately
  [SF-2418] - UI: Fix instrument download editing
  [SF-2417] - API: Fix download validation in SensorConfig schema
  [SF-2412] - PortDiff Instrument: PortDiff: Exposed services descriptions have trailing spaces
  [SF-2405] - UI: Sensor/FM UI caches a failed configuration change
  [SF-2400] - SensorFu Beacon: SensorFu Beacon output events do not work
  [SF-2398] - TrafficGuard Manager: Fix autovacuum and autoanalyze for tgmanager
  [SF-2395] - FleetCert: python3.8 missing from sensor in some installations
  [SF-2394] - PortDiff Instrument: Banner diff event does not contain all removed banners
  [SF-2375] - Sensor Orchestrator: Sensor orchestrator network thread crash while upgrading
  [SF-2360] - UI: Instrument custom config UI boolean values are wrong
  [SF-2353] - API: Subscription worker is not cancelled properly in all cases
  [SF-2348] - SensorFu Beacon: Beacon instrument does not handle restarting (or failure to stop) non-running beacon binary
  [SF-2339] - Sensor Orchestrator: Orchestrator should disable unneeded features on bridged veth legs
  [SF-2335] - Log Forwarder Instrument: Force a timeout for beats connection
  [SF-2334] - Log Forwarder Instrument: logstash force kill is broken
  [SF-2327] - PortDiff Instrument: PortDiff does not handle shutdown when scan is running
  [SF-2317] - Rule Importer: Rule Importer Instrument refuses to start
  [SF-2307] - Sensor Orchestrator: Invalid network configuration breaks Sensor Orchestrator logic
  [SF-2306] - Replay Instrument, UI: Replay Instrument displays duplicate errors
  [SF-2291] - Rule Manager: Upgrading from 2.1.4/2.2.3 to 2.3.X may result in unusable database
  [SF-2282] - UI: DHCP checkbox disappears from UI and never comes back
  [SF-2281] - Replay Instrument: Replay instrument refuses to start task with the same filename
  [SF-2279] - Base Packages, Sensor Image: Apt may refuse to install sensorfleet packages when grub-efi-amd64-signed is installed
  [SF-2277] - Rule Manager: Implement proper error handling and/or restarting of download poller task
  [SF-2270] - UI: Cannot view events from another sensor
  [SF-2255] - PassiveDNS: PassiveDNS database slowdown due to missing periodic autoanalyze
  [SF-2235] - UI: FM UI takes a long time to restart/stop
  [SF-2227] - Rule Manager: Rule Manager import regex is insufficient for some rule sources
  [SF-2221] - Recorder Instrument: Recorder fetch PCAP API does not return all packets with the requested filter
  [SF-2197] - Instruments should be started on 'default' runlevel
  [SF-2145] - UI: UI error after mis-selecting bridge
  [SF-1747] - Sensor Orchestrator: sensor-orchestrator removes default route
  [SF-1122] - Recorder Instrument: moloch-capture does not stop without kill -9
  [SF-1008] - UI: Automatic IP assignment for bridges is broken
  [SF-978] - UI: Version query fails after update
  [SF-515] - UI: New context menu
should close others - New features and other improvements: [SF-2419] - UI: Improve Sensor config validation before save [SF-2413] - UI: Simple UI: API endpoint to display original Portdiff event [SF-2411] - PortDiff Instrument: Set loopback interface up on instrument container [SF-2404] - Fleet Tool: Fleet Tool: Export configs for Ansible [SF-2403] - Fleet Tool: Fleet Tool: Allow empty and instrument-only config IDs [SF-2399] - SensorFu Beacon: SensorFu beacon changed output from stderr to stdout [SF-2393] - PortDiff Instrument: Add support for alerting about open ports to portdiff [SF-2392] - PortDiff Instrument: Add information about port groups to portdiff events [SF-2389] - Zeek Instrument: Upgrade zeek to fix build / alpine 3.14 compat [SF-2388] - Recorder Instrument: Upgrade recorder to fix build/alpine 3.14 compat [SF-2386] - UI: Simple UI for portdiff needs to be updated to new portdiff event format [SF-2383] - TrafficGuard Manager: Backport tgmanager to use PostgreSQL 12 [SF-2382] - Rule Manager: Backport rmgr to use PostgreSQL 12 [SF-2380] - PortDiff Instrument: Alternative output format for portdiff [SF-2379] - PassiveDNS: Backport PassiveDNS to use postgresql 12 instead of Alpine's 13.5 [SF-2378] - Suricata instrument: Attach direction, source/destination and protocol information as event metadata [SF-2377] - API: Allow instruments to attach metadata to events [SF-2376] - PortDiff Instrument: Add support for port groups from exposed-services repository [SF-2359] - PassiveDNS: Implement Search UI [SF-2358] - Log Forwarder Instrument: Fix unstable logforwarder build (add gpg keys to git) [SF-2354] - Sensor Orchestrator: Allow instruments to change health check status faster [SF-2346] - Sensor Orchestrator: Implement instrument/sensor restart events [SF-2340] - Sensor Orchestrator: Implement Sensor reboot/shutdown backend [SF-2329] - PortDiff Instrument: Add support for reading banners from listening ports [SF-2328] - PortDiff Instrument: Update portdiff 
to use new version of pscan [SF-2321] - PortDiff Instrument: Pscan updates [SF-2308] - PassiveDNS: Implement error reporting for Suricata augmentation handler [SF-2305] - Cowrie Instrument: Add unit tests to cowrie instrument [SF-2303] - PassiveDNS: Support turning off PassiveDNS augmentation events [SF-2302] - Fleet Tool: Fleet Tool: Enable/disable user management [SF-2301] - PortDiff Instrument: PortDiff: Add scanned hosts and ports counts to event [SF-2294] - Replay Instrument: Update datasheet [SF-2293] - UI: Sensor-UI: Events backend for Simple UI [SF-2289] - Replay Instrument: Update tcpreplay to version 4.3.4 [SF-2283] - Kernel: Mellanox mlx4/mlx5 support for kernel [SF-2273] - API: Update pymongo to latest version and fix API usage [SF-2267] - Suricata instrument: Allow suricata eve-log base settings to be overridden [SF-2266] - Capco: Update to newest PF_RING library version [SF-2265] - Kernel: Update kernel to 5.4.143 [SF-2256] - API, Sensor Orchestrator: Users config for sensor & FM [SF-2253] - Suricata instrument: Update suricata to version 6.0.3 [SF-2239] - Recorder Instrument: Remove unnecessary configuration options for context recording [SF-2233] - API: Add permission checks for multicast messages [SF-2232] - Suricata instrument: Send capability_use messages for alerts etc. 
requiring recording [SF-2231] - Recorder Instrument: Implement recording data according to capability_use message [SF-2230] - API: Handle capability_use message [SF-2209] - Rule Manager: Support classification.config in rule manager [SF-2182] - Ansible: mongodb_wiredtiger_cache_size_gb should have some default value [SF-2169] - UI: User management support [SF-2146] - UI: Instrument interface selector rewrite [SF-2123] - UI: Sensor-UI should indicate the used software release branch in Sensor UI System page [SF-1834] - Instruments: Update to Alpine 3.14, rewrite build tooling, venv path changes etc [SF-1723] - API, Sensor Orchestrator: Support for Instrument restarting [SF-677] - UI: UI doesn't display an error when configuring a sensor that is timeouting 2.3.12: stable 2021-12-17 Notes on log4shell patches: According to Elastic's updated Security Advisory, Logstash is not affected by the newer CVE-2021-45046. Just to be sure, we decided to remove the potentially flawed Java class anyway. Hence, SF-2406. Also it is not known if Arkime (a main component of Recorder) was affected, but because it contains a vulnerable ElasticSearch component we're patching it anyway. 
- Bug fixes:
[SF-2406] - Log Forwarder: a further CVE-2021-45046 log4shell mitigation (patched Logstash log4j jar to remove affected class)
[SF-2401] - Recorder: CVE-2021-44228 & CVE-2021-45046 log4shell fix (patched Elasticsearch log4j jar to remove affected class)

2.3.11: stable 2021-12-14
- Bug fixes:
[SF-2396] - Log Forwarder: log4shell fix CVE-2021-44228, upgrade logstash to 7.16.1

2.3.10: published 2021-10-12, beta 2021-10-26
Permanent snapshot name: release-2.3.10
- Bug fixes:
[SF-2291] - Rule Manager: Upgrading to release-2.3 may require re-adding Rule Manager (database migration error)

2.3.9: published 2021-09-14
Permanent snapshot name: release-2.3.9
- Bug fixes:
[SF-2271] - UI: Zeek Custom Configuration made from UI is invalid

2.3.8: published 2021-09-09
Permanent snapshot name: release-2.3.8
- Bug fixes:
[SF-2259] - LogForwarder: Some fields are missing in bundled transient events
[SF-2260] - SensorMessageBroker: Complex event subscription term fails with fleet tool

2.3.7: published 2021-08-23, channels release-2.3
Permanent snapshot name: release-2.3.7
- Bug fixes:
[SF-2240] - Recorder Instrument: packets are not written in required time during very low traffic

2.3.6, staging 2021-07-14, beta 2021-08-09:
Permanent snapshot name: staging-2.3.6-70223
NOTE: Release has some breaking changes:
- Sensor UI API path has changed. This affects you only if you have integrated the UI backend API, e.g. for sensor health monitoring.
- Bug fixes:
[SF-2217] - Fleet Tool: CLI breaks when used from the fleet shell and a command times out
[SF-2219] - SensorMessageBroker: Broken debug logging
- New features and other improvements:
[SF-1542] - Sensor UI: Add versioning to Sensor UI API

2.3.5, staging 2021-07-13:
Permanent snapshot name: staging-2.3.5-69834
NOTE: Release has some breaking changes:
- Cowrie event type changed (instruments.cowrie.session_event -> e.g. instruments.cowrie.login.success)
- Log Forwarder configuration needs editing if a previous version was used.
- Bug fixes:
[SF-2195] - Zeek Instrument: Zeek stdout parser fails when there is too much data
[SF-2184] - Replay Instrument: replay instrument creates adoptions directory
[SF-2183] - Fleet Tool: Fix --bundle-expand fleet tool argument
[SF-2180] - API: Bundled events do not have some fields present
[SF-2170] - Recorder Instrument: Moloch overrides are not set from config
[SF-2165] - Sensor Orchestrator: Long-running event deletes cause MongoDB connection starvation
[SF-2159] - API: instrument config version not bumped in first save
[SF-2157] - UI: Any offline sensor seems to block installation of instruments (to different sensor)
[SF-2156] - Log Forwarder Instrument: Logforwarder does not convert "bson compatible" dots back to actual dots
[SF-2153] - Customscan instrument: Customscan instrument should support physical interfaces
[SF-2135] - Zeek Instrument: Zeek stays in "Instrument initializing" status when configuration is invalid
[SF-2129] - Recorder Instrument: Changing interface configuration will not restart moloch-capture
[SF-2128] - Recorder Instrument: Misconfiguring Elasticsearch RAM options will cause the instrument to become non-configurable
[SF-2111] - Fleet Tool: fleet tool should report errors to stderr instead of stdout
[SF-2083] - Rule Manager: IoC feed import does not report errors
[SF-2075] - Recorder Instrument: New recorder (Arkime) python process eats a lot of RAM during startup
[SF-1651] - Rule Manager: rmgr should ping zeek first before attempting validation
[SF-2208] - Installer: Installer does not support 24-disk wide raid10
[SF-2211] - UI: Greyed buttons are not really disabled
[SF-2210] - UI: Long Sensor name overflows into other elements on Overview page
- New features and other improvements:
[SF-2198] - API: Implement congestion control for bundled events
[SF-2196] - Zeek Instrument: zeek instrument logic should have a process name
[SF-2167] - Recorder Instrument: Recorder capture-plugin should write packets to moloch from consumer thread
[SF-2164] - Cowrie Instrument: Improve cowrie error reporting
[SF-2163] - Cowrie Instrument: Implement overridable cowrie settings
[SF-2154] - UI: Display Platform instruments (2) even if they are hidden
[SF-2150] - Cowrie Instrument: Same cowrie session should have the same context_uuid
[SF-2127] - Replay Instrument: Replay instrument support for Mbps/PPS PCAP rate limiting
[SF-2126] - Replay Instrument: Replay instrument should start loop pcaps automatically
[SF-2124] - Replay Instrument: Flood of INFO log messages from inotify
[SF-2117] - Log Forwarder Instrument: Typo in config schema (JVM RAM)
[SF-2114] - Fleet Tool: config show: support for --missing-ok flag
[SF-2113] - Fleet Tool: config edit should allow retrying if validation fails
[SF-2112] - Fleet Tool: fleet config read/show should show default values if possible
[SF-2110] - Log Forwarder Instrument: Optimize Log Forwarder event pipeline
[SF-2109] - Zeek Instrument: Optimize zeek event pipeline for connection log usage (fastpath support)
[SF-2105] - Log Forwarder User Manual
[SF-2094] - Cowrie Instrument: Change cowrie event type to contain more information
[SF-1918] - Fleet Tool: glob match for fleet sensor health command
[SF-1466] - UI: Handle offline sensors better

2.3.4, staging 2021-05-31:
Permanent snapshot name: staging-2.3.4-66091
- Bug fixes:
[SF-2142] - Increase priority for sensorfleet-base package to prevent uninstall of SF packages

2.1.4, backported 2021-05-31:
Permanent snapshot name: sf2140_backport
- Bug fixes:
[SF-2142] - Increase priority for sensorfleet-base package to prevent uninstall of SF packages

2.3.3, staging 2021-05-28:
Permanent snapshot name: staging-2.3.3-66046
- Bug fixes:
[SF-2140] - Workaround an EFI boot issue caused by Ubuntu update

2.1.3, backported 2021-05-28:
- Bug fixes:
[SF-2140] - Workaround an EFI boot issue caused by Ubuntu update

2.3.2, devel 2021-05-12:
- Bug fixes:
[SF-2100] - Log Forwarder Instrument: Logstash does not always give enough stacktrace from Logstash crash
[SF-2098] - Rule Manager: IoC feed Enabled checkbox is broken
[SF-2092] - Rule Manager: Fix PostgreSQL database autovacuum
[SF-2090] - Rule Manager: rmgr does not clean up downloads
[SF-2087] - Rule Manager: IoC feed: rules are duplicated
[SF-2086] - Rule Manager: IoC feed: deleting does not trigger page/list reload
[SF-2085] - IoC feeds, Rule Manager: Rule Manager does not indicate that it's loading IoC feeds and that it may take a long time
[SF-2074] - UI: Event paginator hidden when there are events if going past the last page
[SF-2073] - Rule Manager: Typo in Rule Manager UI (entires)
[SF-2072] - UI: Sensor UI: Rename 'Show all Instruments' in Overview
[SF-2068] - Rule Manager: Adding a file:// rulesource does not work
[SF-2066] - Rule Manager: Clicking Commit difficult when disabling/enabling a large ruleset
[SF-2064] - Rule Manager: Rule Manager does not process IoC rules to Suricata
[SF-2042] - Ansible: Fix ansible-playbook regression caused by SF-1976
[SF-2018] - Rule Manager: Rule Manager UI can sometimes timeout (use background processing)
[SF-1996] - UI: Instrument interface list shows IP even if DHCP is in use
[SF-1855] - Sensor Orchestrator: Instrument Upgrade stops containers uncleanly
[SF-1752] - Rule Manager: rmgr says "Unknown download type"
[SF-1740] - UI: Removing custom HTTP header not possible
[SF-1623] - UI: UI tweak: Add interface says Create
[SF-1613] - Capco: Fix memory exhaustion caused by capco upgrade/stop/start
[SF-1294] - UI: Manually checking version does not update UI
[SF-994] - Rule Manager: Some Rule Manager rule links do not work
[SF-940] - Rule Manager: Rule Manager throws stack trace if Suricata is not running
[SF-867] - UI: Events do not work if sensor is offline
[SF-747] - Rule Manager: Rule Manager suricata import tab displays "host test"
[SF-738] - Rule Manager: rmgr does not report startup errors
- New features and other improvements:
[SF-2107] - Rule Manager: Celery+redis should use unix sockets instead of TCP
[SF-2104] - Rule Manager: Rule manager should show summary of changes instead of full diff by default
[SF-2103] - Suricata instrument: Update Suricata to 6.0.2
[SF-2101] - Log Forwarder Instrument: Logstash offline installable module support
[SF-2099] - Log Forwarder Instrument: Enable syslog output module by default
[SF-2095] - Ansible: Support global defaults for variables which are used in multiple roles
[SF-2093] - Ansible: Also reload EB domain on custom ferm rules change
[SF-2082] - Rule Manager: Rule Manager UI tweaks
[SF-2077] - Ansible: Support VPN-pushed routes
[SF-2069] - Rule Manager: Rule Manager should have a "local rulesource file" type instead of external + file://...
[SF-2067] - Rule Manager: rmgr's suricata_ruleset_sent event should include the number of rules
[SF-2065] - Rule Manager: When creating rulelist/rules in Rule Manager, good default options should be set
[SF-2061] - Rule Manager: Rule Manager depends on Suricata instrument
[SF-2060] - UI: Sensor-UI: Move "Upgrade" to System page from Settings
[SF-2059] - Replay Instrument: Initial version of replay instrument
[SF-2050] - UI: Do not require clicking Add button when adding new static routes or DNS servers
[SF-2047] - Rule Manager: MISP feed input support (suricata export from MISP)
[SF-2046] - Fleet Tool: Implement --traceback option
[SF-2043] - PortDiff Instrument: Implement "whitelist all ports" functionality for triggered scan whitelist
[SF-2041] - Cowrie Instrument: Cowrie ssh+telnet ports should be customizable
[SF-2036] - Log Forwarder Instrument: Logstash jvm options should be configurable
[SF-2032] - PortDiff Instrument: Add whitelist support for portdiff instruments
[SF-2015] - UI: Sensor UI should warn user about unsaved settings when leaving page without saving
[SF-2014] - UI: Homenet configuration in Sensor UI is confusing
[SF-2012] - Ansible: Bash fleet command completion should work out of the box in installed Sensors
[SF-1993] - Log Forwarder Instrument: Support for microsoft-logstash-output-azure-loganalytics output plugin (a.k.a. Sentinel support)
[SF-1982] - PortDiff Instrument: Scan parameters should be delivered through configuration file to pscan
[SF-1976] - Ansible: Support CA-provided keys when using external VPN certificate
[SF-1960] - PortDiff Instrument: Improve data retention on Portdiff
[SF-1940] - UI: Support markdown in instrument schema description
[SF-1768] - UI: Grouping and/or hiding system Instruments
[SF-1741] - UI: HTTP header is not saved unless you click Add, and no warning is shown
[SF-1382] - Rule Manager: Rmgr frontend support for adding IOC feeds from a preset
[SF-1088] - Sensor Orchestrator: When instrument is removed, instrument config should be removed as well
[SF-1030] - Rule Manager: Rule Manager should detect downloads automatically

2.3.1, staging 2021-04-21:
Permanent snapshot name: staging-2.3.1-64012
- Bug fixes:
[SF-2030] - Capture Engine: crash with "NoneType object has no attribute items" error with broken network config
- New features and other improvements:
[SF-2029] - Recorder Instrument: Update to Arkime: Elastic 7.12.0, Arkime 2.7.1

2.3.0, devel 2021-03-29, staging 2021-04-19:
Permanent snapshot name: staging-2.3.0-56771
Notes: more IoC-related features are coming for the 2.3 release.
- Bug fixes:
[SF-641] - UI: sensor-ui does not handle errors from get_physical_interfaces
[SF-784] - UI: physical interface edit is broken
[SF-795] - Sensor Orchestrator: Calling get_physical_interfaces at the wrong time can fail
[SF-899] - API, UI: get_my_id error if running task with messaging calls straight after startup
[SF-1011] - UI: Long event message causes horizontal scrollbar and hides event type
[SF-1039] - UI: RuntimeError raised in _get_interface_type() is not handled
[SF-1121] - Sensor Orchestrator, UI: Sensor UI crashes if metadata missing for an instrument
[SF-1333] - UI: Broken event causes stack trace in UI backend
[SF-1394] - UI: messaging produce_config does not handle bson special chars correctly in all cases
[SF-1530] - Recorder Instrument: Recorder data retention cleans too much data with low traffic amounts
[SF-1556] - Downloader Instrument: TypeError after updating downloads for instrument via messaging
[SF-1566] - Sensor Orchestrator: Orchestrator cannot restart instrument when socket bind-unmount fails
[SF-1606] - UI: FM UI cannot view events with binary data
[SF-1624] - UI: UI tweak: Default selected interface type is the second in the list
[SF-1646] - UI: UI does not display an error when event search times out
[SF-1659] - UI, Zeek Instrument: UI displays some extra fields with multi-level schemas
[SF-1690] - UI: /instruments gives 500 when sensor is unreachable
[SF-1746] - UI: Hide paginator if there are 25 or fewer events in search
[SF-1799] - Ansible, Downloader Instrument, Sensor Orchestrator: Download fails in new Sensor if Instrument is not yet running
[SF-1842] - Sensor Orchestrator: Failed unmounting of log bind mount can leave instrument logger device broken
[SF-1843] - UI: Stopping Sensor-UI backend is slow
[SF-1847] - UI: Fix order of sensors when using generated names
[SF-1852] - Ansible: Ansible allows configuring Sensor/FM with broken FQDN hostname [ansible]
[SF-1866] - Ansible: Fix broken sshd_additional_config in Ansible playbook [ansible]
[SF-1913] - Sensor Image: Fix fleetcert signing race condition [ansible]
[SF-1917] - UI: Sensor/FM UI breaks when Sensor configuration is missing
[SF-1920] - UI: Sensor/FM UI may never refresh available instruments due to race bug
[SF-1925] - API: configs.py makes wrong assumptions about instrument schema location
[SF-1939] - Fleet Tool: Fleet Tool: Handle config save errors properly
[SF-1953] - Recorder Instrument: Recorder: Fix health-check fail regression
[SF-1955] - Log Forwarder Instrument: Log Forwarder: Fix random logstash API not responding error
[SF-1967] - Fleet Tool: All fleet-tool commands should have proper error handlers
[SF-1970] - UI: Listing physical interfaces can take a long time
[SF-1974] - UI: Error saving FM's config using UI
[SF-1975] - Log Forwarder Instrument: LogForwarder says "Logstash has crashed" with default configuration
[SF-1981] - Log Forwarder Instrument: Force logstash shutdown (stalled plugins)
[SF-1983] - API: Data retention event deletes can delay event insert too much
[SF-2000] - UI: Events page vue crash if event types are missing
[SF-2004] - Fleet Tool: bash completion exception
[SF-2028] - UI: Same physical interface could be added to two different Instrument interfaces
[SF-2044] - Cowrie Instrument: Fix low port number binding (e.g. 22 for ssh)
[SF-1867] - Fleet Tool: fleet-tool does not return error code on validation error
[SF-1817] - Instrument resolv.conf contains some development settings by default
[SF-1811] - Ansible: sshd is missing 'UseDNS no'
[SF-1810] - Ansible: PasswordAuthentication setting (default unchanged)
- New features and other improvements:
[SF-518] - UI: Validate sensorconfig before attempting to save
[SF-570] - UI: Data retention UI tweaks
[SF-889] - UI: Sensor health should display instrument names
[SF-930] - Downloader Instrument: Downloader can take a lot of time after reboot for first successful download
[SF-1471] - UI: UI does not display if connection to backend fails
[SF-1668] - IoC feeds, Rule Manager: IoC feed support for .tar.gz suricata rulelists
[SF-1681] - PortDiff Instrument: Integrate pscan to portdiff instrument
[SF-1738] - UI: UI should try to reload license when license limit is reached
[SF-1767] - UI: Matrix view for easier overall status check
[SF-1772] - UI: Support filtering sensors by name
[SF-1773] - UI: Display fleet overall health
[SF-1805] - Rule Manager: Preconfigured ioc feed support
[SF-1846] - Installer: Installer root password does not apply correctly
[SF-1850] - Customscan instrument: Implement Custom scan instrument
[SF-1862] - Downloader Instrument: Use a temporary file name in downloader
[SF-1863] - Rule Manager: Ioc feeds propagation to instruments
[SF-1864] - Downloader Instrument: Make download failures warnings instead of errors
[SF-1865] - Downloader Instrument: Downloader should require an interface
[SF-1869] - Ansible: restart fm-ui after modifying fleetgram config
[SF-1870] - Ansible: support for additional SSH listen ports
[SF-1872] - Sensor Orchestrator: Sort worst health messages first
[SF-1873] - API, Sensor Orchestrator: Sortable HealthStatus to Instrument lib
[SF-1875] - Recorder Instrument: Maintenance worker for recorder
[SF-1876] - Customscan instrument: Add support for gpg signed binaries for custom scan instrument
[SF-1879] - Cowrie Instrument: Update Cowrie, remove version restrictions from Sensorfleet requirements
[SF-1886] - Customscan instrument: Minor refactoring of custom scan execution
[SF-1894] - Log Forwarder Instrument: Implement EventForwarder instrument v1
[SF-1907] - Customscan instrument: Fix handling of portdiff full events in customscan instrument
[SF-1908] - Customscan instrument: Add retention for downloaded artefacts in customscan
[SF-1910] - Rule Manager: UI for instruments propagation status
[SF-1911] - Rule Manager: Generate suricata rules from ioc feeds
[SF-1912] - Rule Manager: UI / Backend for preconfigured feeds
[SF-1921] - PortDiff Instrument: Restart port scanning if instrument configuration is changed
[SF-1922] - Recorder Instrument: Reduce excessive logging for recorder retention-related operations
[SF-1923] - Sensor Orchestrator, UI: Prevent editing downloads directly for instruments with allow_modify_downloads:true
[SF-1924] - Log Forwarder Instrument: Write unit tests for EventForwarder
[SF-1926] - Ansible: External VPN certificate functionality
[SF-1937] - Kernel: Add common USB ethernet devices to supported devices
[SF-1943] - PortDiff Instrument: Update portdiff autoconfiguration to use pyroute2 NDB
[SF-1944] - Suricata instrument: Suricata: Instrument name instead of GID in rule receiver / saving
[SF-1945] - Log Forwarder Instrument: Implement logstash process and pipeline monitoring for EventForwarder
[SF-1951] - PortDiff Instrument: Add triggered mode for portdiff
[SF-1961] - Ansible: Support buffering syslog messages during outages
[SF-1964] - Rule Importer: Rule Importer: GID migration
[SF-1966] - Fleet Tool: fleet-tool config read, show, edit: use human friendly YAML formatting
[SF-1968] - UI: get event types using message instead of file read
[SF-1984] - Log Forwarder Instrument: Allow binding syslog port
[SF-2005] - Suricata instrument: Migration to remove old rules (dynamic_([0-9]+).rules)
[SF-2046] - Fleet Tool: Implement --traceback option
[SF-2043] - PortDiff Instrument: Implement "whitelist all ports" functionality for triggered scan whitelist
[SF-2041] - Cowrie Instrument: Cowrie ssh+telnet ports should be customizable
[SF-2036] - Log Forwarder Instrument: Logstash jvm options should be configurable
[SF-2015] - UI: Sensor UI should warn user about unsaved settings when leaving page without saving
[SF-2012] - Ansible: Bash fleet command completion should work out of the box in installed Sensors
[SF-1982] - PortDiff Instrument: Scan parameters should be delivered through configuration file to pscan
[SF-1960] - PortDiff Instrument: Improve data retention on Portdiff
[SF-1768] - UI: Grouping and/or hiding system Instruments

2.2.3, staging 2020-12-10, stable 2021-04-19:
Permanent snapshot name: staging-2.2.3-54897
- Bug fixes:
[SF-1849] - Add missing squashfs-tools dependency on sensorfleet-lxd
[SF-1848] - Performance regression using mirror-bridges with grsec kernels
[SF-1669] - Adding/removing rulesource in rmgr can result in empty ruleset
- New features and other improvements:
[SF-1841] - Update kernel to 5.4.81
[SF-1840] - Update capture engine for new kernel version
[SF-1838] - Support for RealTek 8169 ethernet chip family
[SF-1833] - Messaging: Improve Instrument API and config helpers

2.2.2, staging 2020-11-30:
Permanent snapshot name: staging-2.2.2-53145
- Bug fixes:
[SF-1797] - sensorfleet-lxd: UID-remap subuid/subgid entries are not always automatically created (existed only in staging release)
[SF-1795] - Orchestrator package may have old version of dep (existed only in staging release)
[SF-1796] - LXD needs to depend on xz-utils and lxcfs (existed only in staging release)
[SF-1808] - Manually reinstalling sensorfleet-lxd 4.7 or later can fail (existed only in staging release)
[SF-1800] - Allow setting a byte limit for buffered bytes on capture_plugin
[SF-1586] - moloch-capture process gets oomkilled on some environments
[SF-1831] - PassiveDNS API endpoint does not properly parse limit as an integer
[SF-1794] - Orchestrator handles any exception in config as "extra variable" (existed only in staging release)
[SF-1753] - Opening rmgr ui briefly shows a page without css (existed only in staging release)
- New features and other improvements:
[SF-1830] - Messaging API: optimize config schema handling
[SF-1788] - Improve recorder capture_plugin performance by running consumers in their own threads
[SF-1827] - Recorder capture plugin should be able to show configuration errors to users
[SF-1829] - Messaging API: remove deprecated methods

2.2.1, staging 2020-11-17:
Permanent snapshot name: staging-2.2.1-50846
- Bug fixes:
[SF-1782] - Ansible sensor playbook might fail due to dpkg lock [ansible]
[SF-1784] - Sensor install: lxd storage creation might sometimes fail
- New features and other improvements:
[SF-1806] - Downloader: Add size and SHA512 to download event
[SF-1793] - HFWrapper prometheus stats endpoint support for new recorder

2.2.0, staging 2020-11-11:
Permanent snapshot name: staging-2.2.0-44368
- Bug fixes:
[SF-1617] - Downloader does not handle Invalid URL properly
[SF-1621] - Sensor Orchestrator does not respect data retention message timeout
[SF-1625] - Zeek Instrument does not work with IPv6 homenets
[SF-1628] - Sensor is configured to use i386 repositories as well by default [ansible]
[SF-1631] - ansible fails with missing /etc/default/motd-news [ansible]
[SF-1635] - Recorder JSON schema does not allow changing some values using the UI
[SF-1636] - Zeek process is not restarted on configuration change
[SF-1637] - PassiveDNS purge_data can slow down sensor
[SF-1638] - PassiveDNS should batch send aggregate answers
[SF-1649] - Zeek error reporting does not work for fatal errors
[SF-1650] - Zeek instrument exits when reading invalid JSON from zeek
[SF-1593] - Recorder takes a long time to start when many events are stored
[SF-1599] - messaging: msgid flush is not safe if multiple processes try to write the file
[SF-1600] - PassiveDNS: restart via init script is broken
[SF-1614] - Recorder instrument does not handle homenets being removed from sensor config properly
[SF-1634] - Instrument Config UI displays wrong values with sub-object with default values
[SF-1656] - Moloch-capture does not wait for elasticsearch to be ready
[SF-1657] - Capture Engine shutdown may cause kernel panic with pre 5.4 kernels
[SF-1663] - Opening Rule Manager Zeek blacklist editor loses previously set type field
[SF-1671] - Restart softflowd and log error on failure
[SF-1685] - SMB can rarely become stuck on FM (Queue full error)
[SF-1688] - PassiveDNS startup fails on timeout error if database needs to perform recovery
[SF-1689] - PassiveDNS automatic database maintenance does not work and causes performance to degrade
[SF-1692] - PassiveDNS configuration change does not apply without manual restart
[SF-1696] - Recorder python module uses unexpectedly high amount of memory
[SF-1699] - Rule Manager: data retention purge_data may hang in some cases
[SF-1702] - Rule Manager: some rule functions point to wrong API endpoints
[SF-1711] - Rule Manager: comments in rule display epoch time instead of date+time
[SF-1713] - Rule Manager: downgrading to an older version might fail
[SF-1714] - Rule Manager: Rule search "show more" is not working
[SF-1716] - Minify Rule Manager ui resources (js/css) using webpack
[SF-1717] - Force cache refresh in Rule Manager
[SF-1725] - PassiveDNS interprets querier/responder incorrectly from Suricata events
[SF-1731] - fleet tool does not print validation error when editing configuration
[SF-1732] - fleet-tool: event produce --interval is broken
[SF-1745] - Software upgrade may halt if snapd is upgraded along with instruments (also see SF-1729)
[SF-1748] - Rule Manager tries to send rules to deleted Zeek instrument
- New features and other improvements:
[SF-1380] - Initial IOC feed support in Rule Manager
[SF-1381] - Rule Manager can now manage its downloads via API (if allowed by permissions). Single UI for configuring downloads.
[SF-1575] - Improve sysctl defaults for production environment: socket limits for bursts [ansible]
[SF-1626] - Zeek base scripts can be enabled/disabled from Instrument configuration UI
[SF-1639] - Access MongoDB using more threads for better performance
[SF-1647] - Sensor UI event search is slow with tens of millions of events
[SF-931] - UI should strip invisible characters from a lot of fields
[SF-1655] - Zeek should support configurable per-module event suppression
[SF-1667] - Sensor UI should get possible event types from instrument's metadata
[SF-1670] - Upgrade to 5.4 LTS series Linux kernel
[SF-1679] - Integrate tpacketv3 support to Recorder capture plugin
[SF-1687] - Improve PassiveDNS database performance on I/O limited scenarios
[SF-1707] - fleet-tool: support for send --count
[SF-1708] - PassiveDNS optimization: perform aggregation before inserting data
[SF-1709] - Sensormessagebroker does not discard events if DB writes are slow
[SF-1710] - Change sensormessagebroker DB write warn limit to 0.8
[SF-1719] - Sensor UI: Generate default names for bridges & interfaces
[SF-1730] - fleet tool: support for event produce wait_ack=False
[SF-1733] - fleet tool: don't print unnecessary messaging log spam without -v
[SF-1734] - Suricata 5.0.4 update, include hyperscan support
[SF-1735] - PassiveDNS common-output-format support for aggregate events
[SF-1737] - Allow Sensor Orchestrator to start even if config has extra fields in it
[SF-1760] - Remote logging improvements [ansible]
[SF-1729] - Custom built LXD package without snapd (snapd no longer required)
[SF-1762] - Upgrade lxd to 4.7
[SF-1759] - Update cowrie to version 2.1.0
[SF-1750] - Change Recorder Rule Hit event type to instruments.recorder.rule_hit_event
[SF-1749] - Recorder optimization: Use crossbeam-channel instead of Rust std channel on capture_plugin
[SF-1777] - Capture Engine optimization: User configurable capture threads
Release notes:
* After upgrade, modifying downloads in Rule Manager will erase all of Rule Manager's other downloads (those not set in the Rule Manager UI).
* Major upgrade, proceed with caution. Installations with pre-4.3 LXD should proceed with extra caution.

2.1.2, staging 2020-09-07, beta 2020-09-23:
Permanent snapshot name: staging-2.1.2-42774
- Fixed bugs:
[SF-1611] - HFWrapper does not have access to Sensor configuration (hfwrapper update)
[SF-1618] - HFWrapper should use new homenet messages

2.1.1, staging 2020-08-28:
Permanent snapshot name: staging-2.1.1-42333
- Fixed bugs:
[SF-1615] - Sensor Orchestrator watchdog needlessly triggers restart too fast after reboot
[SF-1595] - PassiveDNS db optimization: data retention timeout in some environments
[SF-1596] - passivedns logging tweak: less spam from new suricata dns event format
[SF-1598] - SensorFleet TLS role cannot be run in check_mode [ansible]
[SF-1601] - Suricata does not batch events properly leading to excess resource usage
[SF-1602] - SMB & suricata & passivedns event performance is not enough for some use cases
[SF-1608] - Error handling: EventExporter slows down mongo excessively if queries are slow
[SF-1611] - HFWrapper does not have access to sensor config (added API for modifying homenets)
- Features and other improvements:
[SF-1597] - Support for fleet-tool produce loops parameter
[SF-1603] - Capture Engine optimization: use in-kernel forwarding path

2.1.0, staging 2020-08-11:
Permanent snapshot name: staging-2.1.0-41103
- Fixed bugs:
[SF-735] - Data age check should try to refresh data age faster after a TimeoutError
[SF-1457] - Instrument watchdog does not restart instruments on TimeoutError
[SF-1561] - /etc/sensorfleet/ta.key is o+r [ansible]
[SF-1594] - Recorder filtering is slow due to debug flags
[SF-1587] - DNS blacklist rules remain active for the whole flow
[SF-1567] - PassiveDNS logic may throw an exception and cause silent failure of database writer
[SF-1489] - Fix PassiveDNS write performance regression
- Features and other
improvements: [SF-1579] - Hyper-V Support for SensorFleet kernel [SF-1577] - Do not remove serial console with ansible-sensor [ansible] [SF-1576] - Default MongoDB to persistent data partition [SF-1573] - Implement queuing mechanism to suricata component to absorb bursts [SF-1568] - Suricata-instrument could tag context_uuid to eve-log events with same flowid as the ones that triggered alerts [SF-1539] - Make blacklist SID offset configurable for rule importer [SF-1463] - Produce event when sensor-orchestrator has moved a downloaded resource [SF-1465] - Change Rule Importer to use the new download available event [SF-1464] - Change beacon to use the new download available event [SF-666] - Add config version check to UI HTTP API calls [SF-1582] - upgrade lxd to 4.3 2.0.0, internal test release 2020-07-15: - Fixed bugs [SF-220] - Sensor Orchestrator can lock up DPKG if DEB install fails [SF-844] - Reformat "sensor1" to "Sensor 1" in event search view if there is no friendly name for sensor [SF-1049] - sensormessagebroker needing a restart after upgrade [SF-1115] - Ambiguous error when adding instrument not found from license.json [SF-1339] - Edit/remove Zeek Script CSS broken in Rule Manager [SF-1340] - Rule Manager sent ja3s script to zeek, but applying it required manual restart [SF-1348] - Fix sensorfleet-lxd install failure [SF-1352] - sensor-orchestrator runs get_pid every time health is asked [SF-1371] - Rule importer imports same/partial ruleset multiple times [SF-1398] - Beacon Instrument does not move downloaded file with suffix [SF-1421] - FM UI fails to stop [SF-1437] - Restart problems and timeouts in FM UI [SF-1440] - Ruleimporter generated rules may lead into collisions [SF-1472] - PassiveDNS: Fix data retention error when no DNS events in DB [SF-1476] - Sensor Orchestrator might fail to configure DNS for Instruments [SF-1478] - nginx fails to start on FM and Sensor [SF-1480] - SensorMessageBroker sometimes gets stuck when shutting down [SF-1482] - 
Suricata shutdown sometimes times out, suricataids does not account for this case [SF-1483] - Sensor does not boot / boots slowly (before uninstalling cloud-init) [SF-1484] - Snaps are updated outside of APT updates, breaking sensorfleet-lxd [SF-1502] - Rule delivery timeout triggers infinite delivery loop even when ruleset is delivered [SF-1503] - Nginx does not honor defined ciphers [SF-1507] - Capture Engine starts capture processes before output interface is ready -> segfault [SF-1525] - Sensor-orchestrator crashes on start due to missing configuration key [SF-1527] - Sensor UI sometimes does not ack or timeout HTTP PUT requests [SF-1529] - fleetupgraded control sock too wide permissions [SF-1532] - Fix Recorder regression where pcap data is not always returned when using API [SF-1533] - fleetupgraded blocks shutdown in some cases [SF-1540] - Custom config for suricata generates invalid configuration [SF-1541] - Fix crash with missing homenets [SF-1546] - Recorder moloch_overrides are not applied [SF-1547] - Recorder component capture does not set BPF filters configured in moloch [SF-1559] - Local tcp ports are too open (mongo, nginx) - Features and other improvements [SF-1165] - Initial asset tracking support for Zeek [SF-1175] - IPTables rules are pretty open in Demo sensor [SF-1176] - FM-Sensor config write restrictions [SF-1178] - Memory resource limits (customizable with fleet tool) [SF-1180] - sshd hardening (ansible) [SF-1181] - File system hardenings (ansible) [SF-1182] - OS default CA-certificates are allowed [SF-1183] - syslog remote logging encryption (documentation) [SF-1186] - TLS 1.0 and TLS 1.1 allowed in NGINX server [SF-1187] - Documentation on how the end user should configure HTTPS certificates [SF-1188] - Document LUKS disk encryption usage [SF-1288] - Rename "instrument" to "Instrument" in UI [SF-1323] - Refactor: use raising HTTPError in error handling [SF-1358] - UI now handles messaging timeouts as 504 error instead of 500 [SF-1379] - 
API and platform changes to allow Rule Manager manage it's downloads [SF-1388] - Support for config monitor in fleet tool [SF-1397] - Drop ZeroMQ in favor of TCP+TLS+MessagePack for FleetGram [SF-1407] - Add nocase to imported DNS blacklist entries [SF-1410] - Ensure that nginx/fleetgram uses accepted ST3 ciphers by default [SF-1416] - TLS support for FleetGram [SF-1420] - Fix DNS blacklist matches being too broad [SF-1438] - Secure TLS by default for FM<->Sensor HTTP reverse proxy [SF-1447] - General way to override metadata configs in sensorconfig [SF-1449] - We should be able to filter encrypted traffic from Recorder (BPF filter) [SF-1475] - Ansible support for fleetgram TLS [SF-1479] - FleetGram should use TLS with proper ciphers [SF-1491] - FM/Sensor UI socket permissions are too wide [SF-1492] - Instrument UI/other socket permissions are too wide [SF-1505] - Ansible should support setting GRUB password [SF-1508] - Sensor does not shut down in a timely manner [SF-1516] - Restrict fleetgram direct message and event produce permissions [SF-1523] - OpenVPN is slow to reconnect after reboot 1.2.1, Instrument bugfix release, staging 2020-06-17 - Fixed an issue where PassiveDNS retention/age checks lead into TimeoutError - Fixed an issue where Suricata generates null interface name to config - Fixed an issue where hardware offloads might cause some traffic to not get mirrored for capture interfaces - Fixed an issue where Suricata fails to start with configuration related NoneType is not iterable exception - Fixes an issue where getting pcaps older than 1 hour from the recorder API was not possible - Feature: Suricata instrument now has AF-packet options configurable - Feature: Make capture-plugin delay configurable - Feature: Include exporter_id API endpoint for Event Exporter Instrument - Optimization: Add debug symbols to suricata instrument - Optimization: Enable SSSE3, SSE4.1, SSE4.2 for suricata instrument - Optimization: Recorder ruleset handling optimizations 
- Optimization: Raise default Capture Engine threads to 16 from 8
- Optimization: Clear rules from /var/lib/suricata/rules
- Optimization: Optimize Recorder Instrument capture-plugin filtering
- Upgrade Suricata to 5.0.3

1.2.0, staging 2020-05-08, beta 2020-05-18
- Fixed an issue where the LXD daemon would leak memory. High impact on sensors with a low RAM spec. Updated LXD to 4.0.
- Fixed an issue where Sensor/FM UI performs slowly on a sensor with a lot of instruments
- Fixed an issue where Rule importer cannot receive >1MB blacklists via push method
- Fixed an issue where Downloader does not start download job when started with existing configuration
- Fixed an issue where FM/Sensor configuration goes out of sync (version conflict)
- Fixed an issue where watchdog terminates Sensor Orchestrator when installing APT packages on a slow connection
- Fixed an issue where pylxd would spam "Not Found" in Sensor Orchestrator logs
- Fixed an issue where Zeek displays error status for a moment after starting
- Fixed an issue where Zeek binary makes log files in the working directory
- Fixed an issue where software upgrade UI gets stuck on an error while fetching the package list
- Fixed an issue where UI frontend script crashed: cannot handle null json
- Fixed an issue where Software update UI would display "available version: null"
- Feature: Sensor Orchestrator enforces rx/tx contracts filtering requirements
- Feature: Instrument friendly name defaults to the one from metadata.json
- Feature: Zeek events now have messages
- Feature: Optimized Capture Engine CPU usage
- Feature: Downloader now has support for custom HTTP headers (editable in the UI)
- Feature: Sensor/FM UI can now edit instrument configurations (for instruments that have a JSON Schema and editable configuration). UI configurable instruments: Suricata, Zeek, Capture Engine, PortDiff, PassiveDNS, Cowrie
- Feature: SensorFu beacon instrument (requires access to SensorFu Home)
- Change: Capture Engine binary is no longer configurable in config schema
- Other reliability fixes, internal API changes and features
Upgrade notes:
- A major upgrade. Proceed with caution on production Sensors.
- LXD will be upgraded using the Canonical snap repackaged by SensorFleet as a Debian package.
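Several entries above close exposure gaps rather than add features: [SF-1561] (the OpenVPN tls-auth key /etc/sensorfleet/ta.key was world-readable), [SF-1559] (MongoDB and nginx backend ports listened too widely) and the socket-permission items [SF-1491], [SF-1492] and [SF-1529]. A changelog line only says a fix shipped; after an upgrade a practitioner still wants to confirm the host actually ended up in the hardened state. The script below is an added post-upgrade check, not SensorFleet's own code or tooling. It takes the key path from [SF-1561]; the MongoDB port (27017) and the `ss -Hltn` invocation are assumptions, and the sample `ss` output is constructed.

```python
"""Post-upgrade hardening check for the permission/exposure fixes in 2.0.0 and 2.1.0.

Added example, not SensorFleet code. Verifies two things the changelog says
were fixed: the tls-auth key must not be world-readable ([SF-1561]) and
MongoDB must only listen on loopback ([SF-1559]). The key path is from the
changelog; the MongoDB port and the `ss -Hltn` call are assumptions, and the
sample output below is constructed.
"""
import os
import stat
import subprocess
from typing import Optional

TA_KEY_PATH = "/etc/sensorfleet/ta.key"   # path named in [SF-1561]
LOOPBACK_ONLY_PORTS = {27017}              # MongoDB default port (assumption)


def world_readable(mode: int) -> bool:
    """True when the permission bits include o+r, the defect named in [SF-1561]."""
    return bool(stat.S_IMODE(mode) & stat.S_IROTH)


def check_key_file(path: str) -> list:
    """Findings for a secret file: it must exist, be a regular file and not be o+r."""
    findings = []
    try:
        st = os.lstat(path)          # lstat: a symlink pointing elsewhere is itself a finding
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file (symlink or special)")
    if world_readable(st.st_mode):
        findings.append(f"{path}: world-readable (mode {stat.S_IMODE(st.st_mode):04o})")
    return findings


def _is_loopback(addr: str) -> bool:
    # Wildcards ('*', '0.0.0.0', '::') are deliberately NOT treated as loopback.
    return addr == "::1" or addr == "localhost" or addr.startswith("127.")


def parse_ss_listeners(text: str) -> list:
    """Parse `ss -Hltn` output (no header) into (local_address, port) pairs.

    Handles '127.0.0.1:27017', '[::1]:27017', '*:443' and '0.0.0.0:80'.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # split on the LAST colon for IPv6
        if not port.isdigit():
            continue
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def exposed_listeners(text: str, loopback_only: set) -> list:
    """Sockets on loopback-only ports that are bound to a non-loopback address."""
    return [(addr, port) for addr, port in parse_ss_listeners(text)
            if port in loopback_only and not _is_loopback(addr)]


# Constructed `ss -Hltn` output: nginx on 443 is expected to be reachable;
# the IPv4 MongoDB socket on 0.0.0.0 is the regression this check catches.
CONSTRUCTED_SS_OUTPUT = """\
LISTEN 0      128        127.0.0.1:27017      0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      511             [::]:443           [::]:*
LISTEN 0      128            [::1]:27017           [::]:*
LISTEN 0      128          0.0.0.0:27017      0.0.0.0:*
"""


def audit(ss_output: Optional[str] = None, key_path: str = TA_KEY_PATH) -> list:
    """Run both checks; with no ss output given, run `ss -Hltn` on this host."""
    if ss_output is None:
        ss_output = subprocess.run(["ss", "-Hltn"], capture_output=True,
                                   text=True, check=True).stdout
    findings = check_key_file(key_path)
    for addr, port in exposed_listeners(ss_output, LOOPBACK_ONLY_PORTS):
        findings.append(f"port {port} listens on {addr}, expected loopback only")
    return findings


if __name__ == "__main__":
    # Offline demo on the constructed sample; drop the argument to audit the live host.
    for finding in audit(CONSTRUCTED_SS_OUTPUT):
        print("FAIL:", finding)
```

Run it as root on the sensor after the upgrade (without the sample argument) and treat any printed finding as a regression to chase before putting the sensor back into service; the TLS items ([SF-1186], [SF-1503], [SF-1410]) need a network-side probe of the nginx listener and are not covered here.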