Release notes

v1.4.1

Bug fixes

  • Fixed an issue where empty options were written to Suricata rules.

  • Fixed an issue where an empty “If-Modified-Since” header was used during file downloads.

v1.4.0

Enhancements

  • Added a new integration for Mandiant Threat Intelligence.

  • If Fleet Manager details are configured, and a matching policy exists, the Fleet Manager policy will be updated even if no sensors are assigned to it.

  • Added the following new CLI options:
    • add -policy and add -policies are interchangeable.

    • remove -policy and remove -policies are interchangeable.

    • -file and -path are interchangeable on all relevant CLI commands.

    • Most of the Global configuration settings can now be updated directly from the CLI:
      • update -global-setting [setting1=value1 setting2=value2 ... settingN=valueN]

      • update -global-settings [setting1=value1 setting2=value2 ... settingN=valueN]

  • Added “basic” auth support for sources.

  • Added support for pulling Global Suricata config files from remote sources.
    • Includes support for no auth, basic auth, and token auth.

  • Added support for pulling Policy Suricata config files from remote sources.
    • Includes support for no auth, basic auth, and token auth.

  • Added the ability to append content to the Metadata and Other fields using modify.conf.

  • Added the ability to identify rules with Metadata contains string.

  • Added the option to include disabled Suricata rules in the ruleset file.

  • Simplified the global configuration by removing the global integration table. Each integration is now enabled using its own settings.

  • The update -policy command now uses a transaction. If any part of the update fails, the update is not applied.

  • Removed the config templates (obsolete). The import -policy <policy name> -file <path to config file> command can be used to import the same config into different policies.

  • Removed the policy backup functions (obsolete). The show -policy <policy name> -file <path to save config file> command can be used to save a backup.

Bug fixes

  • Fixed an issue where package bundles were not created with other:read permissions on all files, causing packages not to load on sensors.

  • Pushing package bundles now updates a Fleet Policy instead of trying (and failing) to push through Fleet to the sensors.

v1.3.0

Enhancements

  • Fleet managed sensors no longer have to be listed in the inventory section of the policy. The list will automatically be pulled from Fleet Manager.

  • Added support for AlienVault OTX.

  • Added configurable URL for ICANNTLD.

  • The Integration table has been removed; each integration is now enabled within its own configuration.

v1.2.1

Enhancements

  • Added a basic web menu to the root of the webservice.

Bug fixes

  • Fixed a bug that would cause a policy to fail if no intel files were present.

  • Added a redirect to the webservice if the trailing slash is missing for \docs\ or \files\.

v1.2.0

Enhancements

  • Added support for global cache and policy level Intel sources that can be downloaded in Zeek format, like ThreatQ.

  • Added support for Token authenticated Suricata and intel sources like MISP.

  • Updated the web service to use TLS version 1.2+ and removed outdated cipher suites.

Bug fixes

  • Improved error handling with TenableSC.

  • Fixed an issue where TenableSC was not reading the keys from the policy in the database.

  • Moved the home directory for the corelight-update service account to /var/corelight-update/

  • Removed the requirement for experimental features to be enabled to upload Suricata rules to Fleet.

v1.1.0

Enhancements

  • Support for encrypted passwords for inventory items.

  • Corelight-update now uses a umask of 0007 when creating files and directories.

Bug fixes

  • The before-install and before-upgrade scripts will not attempt to create the system user if it already exists.

  • Downloading content will now use the https_proxy or HTTPS_PROXY environment variables.

v1.0.1

Enhancements

  • Policies are stored in an SQLite3 DB.

  • The Corelight-update service now runs as corelight-update and not root.

  • After install or upgrade, all files are owned by system user corelight-update:corelight-update.

  • All users must belong to the corelight-update user group to run Corelight-update.

  • Global configuration can be updated from either a yaml or json config file.

  • Policy configurations can be imported or updated from either a yaml or json config file.

  • Sources that do not require authentication can be added as type “suricata” or “intel”.

  • A Global Source Cache is automatically created.

  • Integration intervals are now referenced in hours. See Third-party Integrations Settings for details.

  • The interval for processing policies is now referenced in minutes. See Global Configuration and Policy Settings for details.

  • The web service no longer requires root privileges to enable ports below 1024.

  • Pushing Suricata rulesets to Fleet managed sensors no longer proxies that push through Fleet.

    It uploads the ruleset to Fleet and updates the Fleet policy to use the new ruleset.

  • When pushing content to sensors, an inventory file is no longer used.

    The sensor details are part of the policy config.

  • Missing configuration files are automatically recreated.

Bug fixes

  • Set http.Transport IdleConnTimeout for Fleet to 90 seconds.