Corelight-update Release Notes

v1.7.3

Enhancements

  • Added additional fields to the CrowdStrike Hosts integration.

v1.7.2

Enhancements

  • Added a network timeout variable for waiting on a status from a sensor after a file upload.

Bug fixes

  • Fixed a bug that caused the service to exit if the icannTLD integration returned an error.

v1.7.1

Enhancements

  • Added a bash_completion script.

Bug fixes

  • Fixed a bug so checking the status of an uploaded file through Fleet Manager uses a bearer token.

  • Adding the service user on RPM-based operating systems now assigns the ‘/sbin/nologin’ shell.

v1.7.0

Enhancements

  • Added a new integration for CrowdStrike Spotlight CVE.

  • Added a new integration for CrowdStrike Spotlight Hosts.

v1.6.3

Bug fixes

  • Fixed an issue where network settings were missing after an upgrade.

v1.6.2

Enhancements

  • Improved logging output to log when a download attempt is intercepted by an external proxy.

  • Added support to configure network settings for sensor communications.

  • Added the following new CLI options:
    • show -network

    • update -network-setting [setting1=value1 setting2=value2 ... settingN=valueN]

    • update -network-settings [setting1=value1 setting2=value2 ... settingN=valueN]

Bug fixes

  • Fixed a bug that caused sensor traffic to use the same proxy configuration as download traffic.

  • Improved error output when updating policy configurations.

  • Fixed a bug that compared Suricata config files before they were downloaded.

v1.6.1

Enhancements

  • Policies can no longer be created with a name that begins with a hyphen (-), since such a name would otherwise be parsed as a CLI option.

Bug fixes

  • Fixed an issue that prevented downloading intel sources for a policy that has no Suricata sources.

v1.6.0

Enhancements

  • Added a global option to auto-update policies each time the service runs.

  • Added a global setting to push content to sensors in parallel (defaults to 10 sensors at a time).

v1.5.0

Enhancements

  • Added support for uploading Suricata configurations to all sensors.

  • Added support for pushing signed package bundles to all sensors, except Software Sensor v1.x systems.

  • Added support for the new CSRF requirement in the Fleet Manager v27.3 API.

v1.4.1

Bug fixes

  • Fixed an issue where empty options were written to Suricata rules.

  • Fixed an issue where an empty “If-Modified-Since” header was sent during file downloads.
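The fix above concerns conditional downloads: a client that caches a file should send “If-Modified-Since” only when it actually holds the Last-Modified value of a cached copy, and must keep that copy when the server answers 304. The following is an added example written for these notes, not corelight-update's own code. The `fetch` callable, the `FakeOrigin` server and the rules URL are constructed stand-ins so the example runs offline; a real client would pass `urllib`/`requests` in their place.

```python
# Added example (not corelight-update's own code): conditional GET with a
# cached Last-Modified value, omitting If-Modified-Since when there is none.
# FakeOrigin and the URL are constructed so the example runs offline.
from email.utils import formatdate, parsedate_to_datetime


def conditional_headers(cached_last_modified):
    """Build request headers for a conditional GET.

    An empty If-Modified-Since is not a valid HTTP-date (RFC 7232 tells the
    server to ignore it), so the header is omitted when there is no cached
    copy instead of being sent with an empty value.
    """
    if not cached_last_modified:
        return {}
    return {"If-Modified-Since": cached_last_modified}


class CachedFile:
    """Local copy of one remote file plus the Last-Modified it was fetched with."""

    def __init__(self):
        self.body = None
        self.last_modified = None

    def refresh(self, fetch, url):
        """Return True if a new copy was downloaded, False if the cache was reused."""
        status, resp_headers, body = fetch(url, conditional_headers(self.last_modified))
        if status == 304:
            return False                     # cached copy is still current
        if status == 200:
            self.body = body
            self.last_modified = resp_headers.get("Last-Modified")
            return True
        raise RuntimeError(f"unexpected HTTP status {status} for {url}")


class FakeOrigin:
    """Constructed stand-in for a remote rules server that honours If-Modified-Since."""

    def __init__(self, body, mtime):
        self.body = body
        self.mtime = mtime                   # last change, epoch seconds
        self.seen_headers = {}

    def fetch(self, url, headers):
        self.seen_headers = dict(headers)
        ims = headers.get("If-Modified-Since")
        if ims is not None:
            try:
                since = parsedate_to_datetime(ims).timestamp()
            except (TypeError, ValueError):
                since = None                 # unparsable (e.g. empty) date: ignore it
            if since is not None and self.mtime <= since:
                return 304, {}, b""
        return 200, {"Last-Modified": formatdate(self.mtime, usegmt=True)}, self.body


def demo():
    """Run the three interesting cases and return what was observed."""
    origin = FakeOrigin(b"alert tcp any any -> any any (sid:1000001;)\n", 1_700_000_000)
    cached = CachedFile()
    url = "https://rules.example.invalid/suricata.rules"     # hypothetical URL

    first = cached.refresh(origin.fetch, url)                # no cache yet: plain GET
    first_headers = origin.seen_headers
    second = cached.refresh(origin.fetch, url)               # unchanged on server: 304
    second_headers = origin.seen_headers

    # Constructed change on the server side, then a third refresh.
    origin.body = b"alert tcp any any -> any any (sid:1000002;)\n"
    origin.mtime = 1_700_000_100
    third = cached.refresh(origin.fetch, url)                # changed: 200 with new body

    return {
        "first_downloaded": first,
        "first_sent_ims": "If-Modified-Since" in first_headers,
        "second_downloaded": second,
        "second_sent_ims": "If-Modified-Since" in second_headers,
        "third_downloaded": third,
        "body": cached.body,
    }


if __name__ == "__main__":
    print(demo())
```

The `FakeOrigin` also shows the server side of the contract: an unparsable date is treated as if the header were absent, which is why the empty-header bug was a silent full download rather than an error.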

v1.4.0

Enhancements

  • Added a new integration for Mandiant Threat Intelligence.

  • If Fleet Manager details are configured, and a matching policy exists, the Fleet Manager policy will be updated even if no sensors are assigned to it.

  • Added the following new CLI options:
    • add -policy and add -policies are interchangeable.

    • remove -policy and remove -policies are interchangeable.

    • -file and -path are interchangeable on all relevant CLI commands.

    • Most of the Global configuration settings can be updated directly from the CLI:
      • update -global-setting [setting1=value1 setting2=value2 ... settingN=valueN]

      • update -global-settings [setting1=value1 setting2=value2 ... settingN=valueN]

  • Added “basic” auth support for sources.

  • Added support for pulling Global Suricata config files from remote sources.
    • Includes support for no auth, basic auth, and token auth.

  • Added support for pulling Policy Suricata config files from remote sources.
    • Includes support for no auth, basic auth, and token auth.

  • Added the ability to append content to the Metadata and Other fields using modify.conf.

  • Added the ability to match rules whose Metadata field contains a given string.

  • Added the option to include disabled Suricata rules in the ruleset file.

  • Simplified the global configuration by removing the global integration table. Each integration is now enabled using its own settings.

  • The update -policy command now uses a transaction. If any part of the update fails, the update is not applied.

  • Removed the config templates (obsolete). The import -policy <policy name> -file <path to config file> command can be used to apply the same config to different policies.

  • Removed the policy backup functions (obsolete). The show -policy <policy name> -file <path to save config file> command can be used to save a backup.

Bug fixes

  • Fixed an issue where package bundles were not created with other:read permission on all files, which caused the packages not to load on sensors.

  • Pushing package bundles now updates a Fleet Policy instead of trying (and failing) to push through Fleet to the sensors.

v1.3.0

Enhancements

  • Fleet managed sensors no longer have to be listed in the inventory section of the policy. The list will automatically be pulled from Fleet Manager.

  • Added support for AlienVault OTX.

  • Added a configurable URL for ICANNTLD.

  • The Integration table has been removed; each integration is now enabled within its own configuration.

v1.2.1

Enhancements

  • Added a basic web menu to the root of the webservice.

Bug fixes

  • Fixed a bug that would cause a policy to fail if no intel files were present.

  • Added a redirect in the webservice if the trailing slash is missing for /docs/ or /files/.

v1.2.0

Enhancements

  • Added support for global-cache and policy-level intel sources that can be downloaded in Zeek format, like ThreatQ.

  • Added support for Token authenticated Suricata and intel sources like MISP.

  • Updated the web service to use TLS version 1.2+ and removed outdated cipher suites.
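The TLS hardening above is the kind of setting worth re-checking after every upgrade. The block below is an added example written for these notes, not corelight-update's code: it builds a TLS 1.2+ server context in Python's `ssl` module with legacy suites excluded, and audits a context for the two things the entry addresses (minimum protocol version and enabled cipher suites). The cipher string and the list of weak-suite markers are my choices, not the project's.

```python
# Added example (not corelight-update's own code): a TLS 1.2+ server context
# with legacy cipher suites removed, and an audit that reports anything a
# reviewer would reject. CIPHERS and WEAK_MARKERS are my assumptions.
import ssl

# Substrings that identify cipher suites with no place on a modern service.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "PSK", "SRP", "ADH", "AECDH")
# Forward-secret AEAD suites only; negative terms defend against cipher-string drift.
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context: TLS 1.2 as the floor, AEAD suites only, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION      # rules out CRIME-style attacks
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_tls_settings(minimum_version, cipher_names):
    """Pure check on the values, so it can be run against constructed input too."""
    findings = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum TLS version {minimum_version.name} is below TLSv1_2")
    for name in cipher_names:
        if any(marker in name.upper() for marker in WEAK_MARKERS):
            findings.append(f"legacy cipher suite enabled: {name}")
    return findings


def audit_context(ctx):
    """Audit a live SSLContext using the suites OpenSSL actually enabled for it."""
    return audit_tls_settings(ctx.minimum_version,
                              [c["name"] for c in ctx.get_ciphers()])


def demo():
    """Compare a constructed legacy configuration with the hardened context."""
    legacy = audit_tls_settings(
        ssl.TLSVersion.TLSv1_1,                                   # constructed weak floor
        ["ECDHE-RSA-RC4-SHA", "AES256-SHA", "DES-CBC3-SHA"],      # constructed suite list
    )
    hardened_ctx = hardened_server_context()
    return {
        "legacy_findings": legacy,
        "hardened_findings": audit_context(hardened_ctx),
        "hardened_min_version": int(hardened_ctx.minimum_version),
        "hardened_suite_count": len(hardened_ctx.get_ciphers()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

`audit_context` reads the suites OpenSSL actually compiled in for the context rather than the cipher string you asked for, so it catches a library build that silently ignores part of the string. From outside, the same two properties can be confirmed against a running service with `openssl s_client -tls1_1 -connect host:port`, which must fail to negotiate.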

Bug fixes

  • Improved error handling with TenableSC.

  • Fixed an issue where TenableSC was not reading the keys from the policy in the database.

  • Moved the home directory for the corelight-update service account to /var/corelight-update/

  • Removed the requirement for experimental features to be enabled to upload Suricata rules to Fleet.

v1.1.0

Enhancements

  • Support for encrypted passwords for inventory items.

  • Corelight-update now uses a umask of 0007 when creating files and directories, so nothing it creates is readable by users outside the corelight-update group.
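The umask above and the v1.4.0 fix for package bundles lacking other:read are two sides of the same thing: a umask of 0007 strips every “other” bit, so files that must later be readable by a different uid on the sensor need their permissions widened explicitly. The block below is an added example written for these notes, not corelight-update's code. It creates a small bundle tree under umask 0007, lists the entries a different user could not read (or, for directories, traverse), and grants exactly those bits. The file names and bundle layout are constructed for illustration.

```python
# Added example (not corelight-update's own code): show what umask 0007 does
# to a package-bundle tree, find entries missing other:read, and fix them.
# BUNDLE_FILES is a constructed layout, not the real bundle format.
import os
import shutil
import stat
import tempfile

BUNDLE_FILES = ("manifest.json", "scripts/__load__.zeek", "scripts/main.zeek")


def build_bundle(root, umask=0o007):
    """Create the bundle files with the given umask (0007 strips every 'other' bit)."""
    old = os.umask(umask)
    try:
        for rel in BUNDLE_FILES:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("# constructed placeholder\n")
    finally:
        os.umask(old)                 # never leave a changed umask behind


def _entries(root):
    """Yield every file and directory below root (root itself excluded)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def _required_other_bits(mode):
    # Files need o+r; directories also need o+x or their contents cannot be reached.
    return stat.S_IROTH | (stat.S_IXOTH if stat.S_ISDIR(mode) else 0)


def missing_other_read(root):
    """Relative paths of entries another uid could not read or traverse."""
    missing = []
    for path in _entries(root):
        mode = os.stat(path).st_mode
        need = _required_other_bits(mode)
        if mode & need != need:
            missing.append(os.path.relpath(path, root))
    return sorted(missing)


def grant_other_read(root):
    """Add o+r (and o+x on directories) without touching any other bit."""
    for path in _entries(root):
        mode = os.stat(path).st_mode
        os.chmod(path, stat.S_IMODE(mode) | _required_other_bits(mode))


def demo():
    """Return (entries missing o+r right after build, entries still missing after the fix)."""
    root = tempfile.mkdtemp(prefix="bundle-")
    try:
        build_bundle(root)
        before = missing_other_read(root)
        grant_other_read(root)
        after = missing_other_read(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("missing other:read after build:", before)
    print("missing other:read after fix:  ", after)
```

`missing_other_read` is the check to run on a built bundle before pushing it: the first element of `demo()` is what v1.4.0 fixed, and the second should be empty.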

Bug fixes

  • The before-install and before-upgrade scripts will not attempt to create the system user if it already exists.

  • Downloading content will now use the https_proxy or HTTPS_PROXY environment variables.

v1.0.1

Enhancements

  • Policies are stored in an SQLite3 database.

  • The Corelight-update service now runs as corelight-update and not root.

  • After install or upgrade, all files are owned by system user corelight-update:corelight-update.

  • All users must belong to the corelight-update user group to run Corelight-update.

  • Global configuration can be updated from either a yaml or json config file.

  • Policies configurations can be imported or updated from either a yaml or json config file.

  • Sources that do not require authentication can be added as type “suricata” or “intel”.

  • A Global Source Cache is automatically created.

  • Integration intervals are now specified in hours. See Third-party integrations settings for details.

  • The interval for processing policies is now specified in minutes. See Global configuration and policy settings for details.

  • The web service no longer requires root privileges to bind ports below 1024.

  • Pushing Suricata rulesets to Fleet managed sensors no longer proxies that push through Fleet.

    It uploads the ruleset to Fleet and updates the Fleet policy to use the new ruleset.

  • When pushing content to sensors, an inventory file is no longer used.

    The sensor details are part of the policy config.

  • Missing configuration files are automatically recreated.

Bug fixes

  • Set http.Transport IdleConnTimeout for Fleet connections to 90 seconds.