Releases: activecm/rita

v4.8.1

13 Dec 19:59

What's Changed

  • Fix install error (#821) due to Zeek configuration incompatibility (#820)

v4.8.0

26 Apr 18:23
dd1acf9

What's Changed

Improvements:

  • Change show-long-connections to sort by total duration instead of longest duration by @Zalgo2462 in #790
  • Removal of connection count portion of beacon scoring and adjustment of skew by @lisaSW in #792
  • Duration Scoring Update by @lisaSW in #793
  • Update to bimodal portion of the histogram score by @lisaSW in #794

Bug Fixes:

  • Improve useragent aggregation runtime for datasets with many useragents by @Zalgo2462 in #785
  • Fix SSL and DNS log filtering by @Zalgo2462 in #788
  • Prevent crashing due to malformed IP addresses in Zeek logs by @lisaSW in #791
  • Don't filter internal -> internal DNS traffic by @Zalgo2462 in #797
  • Disable SNI connection analysis if SNI beacon analysis is disabled by @Zalgo2462 in #798
  • Only maintain one cid's worth of max scores in the host collection by @Zalgo2462 in #801

Full Changelog: v4.7.0...v4.8.0

v4.7.0

09 Jan 20:55
5cec6d5

Changes:

  • Improved beacon scoring algorithms by filtering out bursty connections (#773, #774)
  • Deployed the beaconing algorithm introduced in the IP beacons module in v4.6.0 to the Web beacons module (#774)
  • Deployed the beaconing algorithm introduced in the IP beacons module in v4.6.0 to the Proxy beacons module (#778)
  • Added filter to drop proxied traffic which is entirely on the internal network (#765)
  • Added rita clean command to remove RITA datasets without MetaDB entries (#763, #780)
  • Removed FQDN Beacons module due to poor performance (#771)
  • Removed per-host DNS command and control analysis due to overflowing document sizes (#762)
  • Added better error reporting to the install script. Removed support for Ubuntu 18 and Debian 10. (#776)

Bug Fixes:

  • Stop host aggregation phase if there aren't any local hosts (#761)
  • Check if a max analysis subdocument has already been inserted into the target host's dat collection before updating or inserting (#764)
  • Prevent strobes from overflowing database documents when strobing is cumulative (#767)
  • Ensure bulk writes don't break 16MB limit (#770)

v4.6.0

23 Aug 21:16
ef9373d

Changes:

  • Add support for Ubuntu 20.04 to the installer (#732, #734)
  • Write DB Updates in Bulk; Summarize Internal Hosts After Analysis; Documentation Updates (#737)
  • Implement FQDN Beaconing using TLS SNI and HTTP Host (#739)
  • Change host summarizer to record max total duration instead of max individual duration found in the uconn collection (#741)
  • Implement new IP beacon scoring algorithm (#742, #743, #745)
  • Store all connection timestamps. Do not de-duplicate connections happening in the same second (#744, #749)
  • Remove MalwareDomains as a threat intel source (#746)
  • Filter external to internal traffic by default (#753)

v4.5.1

24 Mar 19:28
2ae90f5

Changes:

  • Add support for Debian to the installer (#718)

v4.5.0

07 Dec 15:54
334c4d3

Changes:

  • Update Docker GoLang version to 1.17 (#712)

Bug Fixes:

  • Fixed issue where import would freeze on FQDN Beacon analysis if there were no DNS records present (#700)
  • Fixed issue in Proxy Beacon analysis where traffic was filtered in the case of an internal system communicating through an internal proxy server (#706)

v4.4.0

25 Aug 20:00
4a4b639

Changes:

  • Add timestamp to HTML report templates (#662)
  • Use the past 24 hours of data to analyze proxy beacons rather than just the last hour (#690)
  • The RITA parser has been updated with a number of performance tweaks (#654, #695)
  • Gather IPs for FQDN beacon analysis using DNS lookups from the past 24 hours of data rather than just the last hour (#676, #700)
  • Drop strobe limit down to 86400 (#697)
  • Add option to configuration file which filters out connections from external hosts to internal hosts (#655)

Bug Fixes:

  • Add unique indexes to beaconFQDN and beaconProxy collections (#689)
  • Add additional indexes to host collection (#687)
  • Prevented duplicate threat intel records from being created in the host collection (#683)
  • Fixed a bug where threat intel records in the host collection were not being updated when using rolling imports (#683)
  • Fixed a bug where the max beacon score listed in the host collection for a pair of hosts would never decrease when using rolling imports (#683)
  • Fixed a bug where rare signature entries might not be added to the host collection due to a race condition (#683)
  • Fixed a bug where the connection counts for each host in the host collection were under-counted when using rolling imports (#683)
  • Removed unused/broken code in max duration analysis (#683)

v4.3.1

19 Jul 19:28
e6c740f

Changes:

  • Extend Zeek TCP inactivity timeout (#660)
  • Remove Need for Users to Specify Proxy Servers, Fix Filter Bugs (#665)

Dev changes:

  • Clean up TODO and NOTE markers. Remove old ip index in host collection. (#622)
  • Update references from Mongo 3.6 to 4.2 (#661)

v4.3.0

24 Jun 17:16
c2fba65

Changes in v4.3.0

  • Handle Processing Long Connections that Haven't Closed (#647)
  • Update Mongo Version to 4.2 (#652)

Bug Fixes:

  • Fixed missing </td> in report-beacons.go and report-beaconsfqdn.go (#644)
  • Speed up beaconFQDN analysis (#638)

Documentation:

  • Fixed typo in docker compose documentation (#650)

Changes from v4.2.1 (pre-release):

  • Make --config a global option on rita command (#631)
  • Add support for detecting beacons behind HTTP proxies (#632)

Bug Fixes:

  • Remove invalid certificates from old chunks when using the rolling importer (#634)

v4.2.1

29 Apr 17:49
a4726f1
Pre-release

Changes:

  • Make --config a global option on rita command (#631)
  • Add support for detecting beacons behind HTTP proxies (#632)

Bug Fixes:

  • Remove invalid certificates from old chunks when using the rolling importer (#634)