Corelight-update Release Notes
v1.7.3
Enhancements
Added additional fields to the CrowdStrike Hosts integration.
v1.7.2
Enhancements
Added a network timeout variable for waiting on a status from a sensor after a file upload.
Bug fixes
Fixed a bug that caused an exit if the icannTLD integration had an error.
v1.7.1
Enhancements
Added a bash_completion script.
Bug fixes
Fixed a bug so that checking the status of an uploaded file through Fleet Manager uses a bearer token.
Adding a new user on RPM-based OSs now assigns the /sbin/nologin shell, so the service account cannot be used for interactive login.
v1.7.0
Enhancements
Added a new integration for CrowdStrike Spotlight CVE.
Added a new integration for CrowdStrike Spotlight Hosts.
v1.6.3
Bug fixes
Fixed an issue where network settings were missing after an upgrade.
v1.6.2
Enhancements
Improved logging output to log when a download attempt is intercepted by an external proxy.
Added support to configure network settings for sensor communications.
- Added the following new CLI options:
  show -network
  update -network-setting [setting1=value1 setting2=value2 ... settingN=valueN]
  update -network-settings [setting1=value1 setting2=value2 ... settingN=valueN]
Bug fixes
Fixed a bug that caused sensor traffic to use the same proxy configuration as download traffic.
Improved error output when updating policy configurations.
Fixed a bug that compared Suricata config files before they were downloaded.
v1.6.1
Enhancements
Policies can no longer be created with a name that begins with a - (such a name would be read as a CLI option).
Bug fixes
Fixed an issue that prevented downloading intel sources for a policy without any suricata sources.
v1.6.0
Enhancements
Added a global option to auto-update policies each time the service runs.
Added a global setting to push content to sensors in parallel (defaults to 10).
v1.5.0
Enhancements
Added support for uploading Suricata configurations to all sensors.
Added support for pushing signed package bundles to all sensors, except Software Sensor v1.x systems.
Added support for the new CSRF requirement in the Fleet Manager v27.3 API.
v1.4.1
Bug fixes
Fixed an issue where empty options were written to Suricata rules.
Fixed an issue where an empty "If-Modified-Since" header was sent during file downloads.
v1.4.0
Enhancements
Added a new integration for Mandiant Threat Intelligence.
If Fleet Manager details are configured, and a matching policy exists, the Fleet Manager policy will be updated even if no sensors are assigned to it.
- Added the following new CLI options:
  add -policy and add -policies are interchangeable.
  remove -policy and remove -policies are interchangeable.
  -file and -path are interchangeable on all relevant CLI commands.
- Most of the Global configuration settings can be updated directly from the CLI:
  update -global-setting [setting1=value1 setting2=value2 ... settingN=valueN]
  update -global-settings [setting1=value1 setting2=value2 ... settingN=valueN]
Added “basic” auth support for sources.
- Added support for pulling Global Suricata config files from remote sources.
Includes support for no auth, basic auth, and token auth.
- Added support for pulling Policy Suricata config files from remote sources.
Includes support for no auth, basic auth, and token auth.
Added the ability to append content to the Metadata and Other fields using modify.conf.
Added the ability to identify rules whose Metadata field contains a given string.
Added the option to include disabled Suricata rules in the ruleset file.
Simplified the global configuration by removing the global integration table. Each integration is now enabled using its own settings.
The update -policy command now uses a transaction. If any part of the update fails, the update is not applied.
Removed the config templates (obsolete). The import -policy <policy name> -file <path to config file> command can be used to apply the same config to different policies.
Removed the policy backup functions (obsolete). The show -policy <policy name> -file <path to save config file> command can be used to save a backup.
Bug fixes
Fixed an issue where package bundles were not created with other:read permissions on all files, causing packages not to load on sensors.
Pushing package bundles now updates a Fleet Policy instead of trying (and failing) to push through Fleet to the sensors.
v1.3.0
Enhancements
Fleet managed sensors no longer have to be listed in the inventory section of the policy. The list will automatically be pulled from Fleet Manager.
Added support for AlienVault OTX.
Added configurable URL for ICANNTLD.
The Integration table has been removed; each integration is now enabled within its own configuration.
v1.2.1
Enhancements
Added a basic web menu to the root of the webservice.
Bug fixes
Fixed a bug that would cause a policy to fail if no intel files were present.
Added a redirect in the webservice if the trailing slash is missing for /docs/ or /files/.
v1.2.0
Enhancements
Added support for global cache and policy level Intel sources that can be downloaded in Zeek format, like ThreatQ.
Added support for Token authenticated Suricata and intel sources like MISP.
Updated the web service to use TLS version 1.2+ and removed outdated cipher suites.
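The following is an added example, not code from the corelight-update project, of what "TLS 1.2+ with outdated cipher suites removed" looks like in Go's crypto/tls, together with a small audit that catches regressions. The hardened suite list and the legacy "before" configuration are my own choices for illustration; the audit relies on tls.InsecureCipherSuites(), which is Go's own list of suites it classifies as insecure, so it stays current without maintaining a denylist by hand.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// hardenedTLSConfig pins the server to TLS 1.2+ and a modern cipher-suite list
// (all ECDHE, all AEAD). The suite list only governs TLS 1.2 handshakes: Go's
// TLS 1.3 suites are fixed by the runtime and cannot be configured here.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// legacyTLSConfig is a constructed "before" configuration for the audit below:
// it allows TLS 1.0 and lists an RC4 suite alongside an acceptable one.
func legacyTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// auditTLS reports, in order, a minimum version below TLS 1.2 (including the
// zero value, which leaves the floor to whatever the Go runtime defaults to)
// and every configured suite that crypto/tls itself lists as insecure.
func auditTLS(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion below TLS 1.2")
	}
	insecure := make(map[uint16]string)
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			findings = append(findings, "insecure cipher suite: "+name)
		}
	}
	return findings
}

func main() {
	fmt.Printf("legacy:   %v\n", auditTLS(legacyTLSConfig()))
	fmt.Printf("hardened: %v\n", auditTLS(hardenedTLSConfig()))
}
```

Run auditTLS against the *tls.Config you hand to http.Server (or tls.Listen) at startup and fail fast on any finding; an empty MinVersion is flagged on purpose, because a floor that depends on the Go toolchain version is not a pinned floor.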
Bug fixes
Improved error handling with TenableSC.
TenableSC was not reading the keys from the policy in the database.
Moved the home directory for the corelight-update service account to /var/corelight-update/.
Removed the requirement for experimental features to be enabled to upload Suricata rules to Fleet.
v1.1.0
Enhancements
Added support for encrypted passwords for inventory items.
Corelight-update now uses a umask of 0007 when creating files and directories.
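Two entries on this page interact: the v1.1.0 umask of 0007 strips every permission bit for "other" from newly created files and directories, while the v1.4.0 bug fix records that package bundle files must carry other:read or the packages do not load on sensors. The following added example (not code from the corelight-update project; POSIX only, since syscall.Umask does not exist on Windows; file and directory names are constructed) shows the mode bits a 0007 umask actually yields and a walk that restores other:read on files, adding other:execute on directories as well because that bit is what lets another user traverse into them.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// createUnderUmask applies mask for the duration of the call (0007 is the value
// the release notes give for corelight-update), creates one file and one
// directory under dir, and returns the permission bits the kernel actually set.
func createUnderUmask(dir string, mask int) (fileMode, dirMode fs.FileMode, err error) {
	old := syscall.Umask(mask)
	defer syscall.Umask(old) // umask is process-wide state, so restore it

	filePath := filepath.Join(dir, "suricata.rules") // constructed name
	f, err := os.OpenFile(filePath, os.O_CREATE|os.O_WRONLY, 0o666) // requested 0666
	if err != nil {
		return 0, 0, err
	}
	f.Close()

	dirPath := filepath.Join(dir, "bundle") // constructed name
	if err := os.Mkdir(dirPath, 0o777); err != nil { // requested 0777
		return 0, 0, err
	}

	fi, err := os.Stat(filePath)
	if err != nil {
		return 0, 0, err
	}
	di, err := os.Stat(dirPath)
	if err != nil {
		return 0, 0, err
	}
	return fi.Mode().Perm(), di.Mode().Perm(), nil
}

// grantOtherRead walks root and adds other:read to every entry; directories
// also get other:execute so a different user can descend into them.
func grantOtherRead(root string) error {
	return filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		mode := info.Mode().Perm() | 0o004
		if d.IsDir() {
			mode |= 0o001
		}
		return os.Chmod(p, mode)
	})
}

func main() {
	dir, err := os.MkdirTemp("", "umask-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	fm, dm, err := createUnderUmask(dir, 0o007)
	if err != nil {
		panic(err)
	}
	fmt.Printf("under umask 0007: file %04o, dir %04o\n", fm, dm) // 0660, 0770
	if err := grantOtherRead(dir); err != nil {
		panic(err)
	}
	fi, err := os.Stat(filepath.Join(dir, "suricata.rules"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("after grantOtherRead: file %04o\n", fi.Mode().Perm()) // 0664
}
```

The point of the walk is that a restrictive umask is the right default for a service account's working files, and bundle contents destined for another system are the exception that has to be widened explicitly, per file, rather than by relaxing the umask globally.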
Bug fixes
The before-install and before-upgrade scripts will not attempt to create the system user if it already exists.
Downloading content now uses the https_proxy or HTTPS_PROXY environment variables.
v1.0.1
Enhancements
Policies are stored in a SQLite3 DB.
The Corelight-update service now runs as corelight-update and not root.
After install or upgrade, all files are owned by system user corelight-update:corelight-update.
All users must belong to the corelight-update user group to run Corelight-update.
Global configuration can be updated from either a yaml or json config file.
Policy configurations can be imported or updated from either a yaml or json config file.
Sources that do not require authentication can be added as type "suricata" or "intel".
A Global Source Cache is automatically created.
Integration intervals are now referenced in hours. See Third-party integrations settings for details.
The interval for processing policies is now referenced in minutes. See Global configuration and policy settings for details.
The web service no longer requires root privileges to enable ports below 1024.
- Pushing Suricata rulesets to Fleet managed sensors no longer proxies that push through Fleet. It uploads the ruleset to Fleet and updates the Fleet policy to use the new ruleset.
- When pushing content to sensors, an inventory file is no longer used. The sensor details are part of the policy config.
Missing configuration files are automatically recreated.
Bug fixes
Set the http.Transport IdleConnTimeout for Fleet to 90 seconds.