Version v24.10
v24.10 adds the Overview page, bulk changes to protection policies, disabling of
routing rules, named lists for groups, syslog sending for test-mode drops, and a
global soft stop.
Enhanced functionality of the WL, WL6, TBL, FRAG, GEO, ACL, ACLI, FACL, LACL, FRB,
RETR, SLOB, DNS and USF countermeasures, and also of BGP, Incidents, PCAP,
Collector, Logan and Active Sync.
Multiple UX changes have been made.
Changes in v24.10.1
Incidents. Added automatic sending of incident report.
The “Reports” tab has been added to the “User” page, where you can set options for automatically sending an incident report once the incident is completed.
We remind you of the need to set correct values for the Incidents.* autodetection thresholds, since they determine when an incident starts and ends.
System. Added load measurement by elements.
The “Resources” tab of the “System State” page now lets you run a load measurement to see how much CPU time was spent processing packets by different system elements. This information can be useful for diagnostics.
System. The control for downloading RAM usage information has been moved.
The control that downloads information about RAM usage is now placed on a separate panel.
DNS. Added learning for automatic generation of an allowed domains list.
Added a learning mode. When learning is enabled, the countermeasure remembers which domain names received DNS requests before the attack, and from them automatically generates the equivalent of an allowed domains list. Learning works even while the countermeasure itself is disabled.
DNS. The mechanism for limiting the number of requests for second-level domains has been changed.
The logic of the limiter on the number of second-level domain requests has been changed to counter DNS Laundering attacks.
USF. The maximum value of idle connection timeout increased.
Changes in v24.10
Dashboard. Added "Overview" page.
The “Overview” page has been added to the “Dashboard” section of the main menu. The page is similar in appearance to “Flow Analysis” and lets you display data from various sections of the web interface side by side, collected in one or more dashboards. Each dashboard is a separate tab, and the tab name can be changed to reflect the data it shows. Each tab can hold an arbitrary number of data widgets whose size and position on the screen you choose. Switching between tabs lets you quickly switch between several sets of widgets for different tasks.
Most widgets are graph areas from various sections of the web interface. For ease of addition, widgets are divided into semantic categories.
You can also add event log widgets, a list of incidents, and an indication of threshold exceedances for all policies or only for selected ones to the page.
Policy. Added mass changes to protection policies.
Now, on the protection policy list page, you can apply the same action to several selected protection policies at once. Currently, the actions of enabling and disabling individual countermeasures, as well as adding autodetection thresholds, are supported.
Policy. Added information about the policy's RAM usage.
Now in the protection policy settings you can download a CSV file with information about the policy's RAM consumption.
Similar information can also be obtained from the “System State” page, under the “Resources” tab.
Routing Rules. Added disabling of routing rules.
You can now disable a routing rule in edit mode without deleting it.
Rights. Added the right to view graphs by instances for group users.
BGP. Added IPv6 support.
The IPv6 policy page now has BGP announcement controls: a “BGP announcement” switch, blackhole and signaling threshold controls, autodetection thresholds, and more, similar to the IPv4 policy page.
Lists of prefixes and flowspec rules for IPv4 and IPv6 have been moved to separate tabs. The names of all lists have been changed. Now the name indicates the IP version they belong to.
In the BGP neighbor announcement policy, both IPv4 and IPv6 lists can be specified simultaneously.
BGP. Added the ability to advertise aggregated prefixes.
The BGP neighbor has been given the “Aggregated prefixes source” property.
Added the new prefix list system.ipv4.aggregated.prefixes.
All prefix lists now have the “Refill” property. If the property is set, the list takes part in filling system.ipv4.aggregated.prefixes.
The list is filled with those aggregates for which an occurrence was found.
Example:
The aggregated prefixes source reports the prefixes 1.1.1.0/24 and 2.2.2.0/24. The system list system.ipv4.policy.prefixes and the user list test1 have the “Refill” property. test1 contains the manually set value 1.1.1.1/32, which falls inside one of the prefixes reported by the source. system.ipv4.policy.prefixes contains the value 192.168.0.0/16, taken from a routing rule dst IP, which falls inside none of them.
As a result, 1.1.1.0/24 is added to the system.ipv4.aggregated.prefixes list, since it is reported by the source and a match was found for it. No match exists for 2.2.2.0/24, so that prefix is not included. The value 192.168.0.0/16 from system.ipv4.policy.prefixes contributes nothing, since it is not covered by any prefix reported by the source.
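The refill logic above can be checked offline before changing the “Refill” property on a large list. The following model is an added example, not MITIGATOR code: it takes the aggregates reported by the source and the contents of every list marked “Refill”, and returns the aggregates that would land in system.ipv4.aggregated.prefixes. The list names are the ones from the release notes; the function names and the data layout are assumptions of this example. It also covers the case the notes only imply: an entry wider than the aggregate, or of the other IP version, is not a match.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed data reproducing the example from the release notes.
SOURCE_AGGREGATES = ["1.1.1.0/24", "2.2.2.0/24"]        # reported by the aggregated prefixes source
REFILL_LISTS = {                                         # lists that carry the "Refill" property
    "system.ipv4.policy.prefixes": ["192.168.0.0/16"],   # taken from a routing rule dst IP
    "test1": ["1.1.1.1/32"],                             # set manually by a user
}


def refill_matches(source_aggregates: Iterable[str],
                   refill_lists: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Return {aggregate: ["list:entry", ...]} for every aggregate reported by
    the source that covers at least one entry of a Refill list.  An entry only
    counts when it lies inside the aggregate; a wider entry, or one of another
    IP version, is not a match.  Aggregates without any match are left out."""
    aggregates = [ipaddress.ip_network(a, strict=False) for a in source_aggregates]
    matches: Dict[str, List[str]] = {}
    for list_name, entries in refill_lists.items():
        for raw in entries:
            entry = ipaddress.ip_network(raw, strict=False)
            for agg in aggregates:
                if entry.version == agg.version and entry.subnet_of(agg):
                    matches.setdefault(str(agg), []).append(f"{list_name}:{entry}")
    return matches


def aggregated_prefix_list(source_aggregates: Iterable[str],
                           refill_lists: Dict[str, Iterable[str]]) -> List[str]:
    """The resulting content of system.ipv4.aggregated.prefixes, sorted."""
    found = refill_matches(source_aggregates, refill_lists)
    return sorted(found, key=lambda p: (ipaddress.ip_network(p).version,
                                        ipaddress.ip_network(p)))


if __name__ == "__main__":
    for agg, why in refill_matches(SOURCE_AGGREGATES, REFILL_LISTS).items():
        print(f"{agg} added because of {', '.join(why)}")
    print("system.ipv4.aggregated.prefixes =",
          aggregated_prefix_list(SOURCE_AGGREGATES, REFILL_LISTS))
```

Running it on the constructed data yields a single aggregate, 1.1.1.0/24, matched by test1:1.1.1.1/32; 2.2.2.0/24 and 192.168.0.0/16 are reported as the notes describe.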
Softstop. Added global "Soft stop".
Now, if SPLI is used in multiple protection policies, before removing traffic from MITIGATOR, you can activate the global “Soft Stop” so as not to break active sessions. “Soft Stop” will be activated in SPLI of all policies in which the checkbox of the same name is set.
WL. Added the ability to pass traffic to dst IP.
Now WL in general protection and in a policy can pass, without processing by subsequent countermeasures, not only traffic from the specified src IP but also traffic to the specified dst IP.
Destination whitelist supports:
- prefixes;
- IPs;
- AS numbers;
- domains;
- named lists;
- bypass for individual countermeasures.
WL6. Added the ability to pass traffic to dst IP.
TBL. Added graph for adding IPs by the synchronization mechanism.
Added a graph of the number of IP addresses added to the TBL within 5 seconds by the table synchronization mechanism, i.e. taken from the block lists of other instances.
ACL. Added the ability to specify IP address ranges for src and dst in filtering rules.
Now src and dst prefixes in ACL rules can be specified as ranges. Example:
DROP src (175.180.90.0-175.180.90.21)
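A range such as 175.180.90.0-175.180.90.21 is not prefix-aligned, which is exactly why a range form is useful: the same set needs three CIDR prefixes. The following parser and evaluator is an added example, not the ACL implementation: it accepts the rule syntax shown above (DROP/PASS, src/dst with a prefix, a single address, or a parenthesised range), expands ranges into the minimal CIDR set, and matches packets against the rule list. First-match-wins ordering and the PASS default for unmatched packets are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
_RANGE = re.compile(r"^\(?([0-9A-Fa-f.:]+)-([0-9A-Fa-f.:]+)\)?$")


def parse_address_set(text: str) -> List[Net]:
    """Accept a prefix (10.0.0.0/8), a single IP, or a range in parentheses as
    in the release notes, e.g. (175.180.90.0-175.180.90.21).  A range is
    expanded to the minimal set of CIDR prefixes that covers exactly it."""
    m = _RANGE.match(text)
    if m:
        lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {text}")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(text, strict=False)]


def range_to_prefixes(text: str) -> List[str]:
    return [str(n) for n in parse_address_set(text)]


@dataclass
class Rule:
    action: str                       # "DROP" or "PASS"
    src: Optional[List[Net]] = None   # None means "any"
    dst: Optional[List[Net]] = None


def parse_rule(line: str) -> Rule:
    """Parse 'DROP src (a-b) dst x/y'; a bare 'PASS' or 'DROP' matches everything."""
    tokens = line.split()
    if not tokens or tokens[0].upper() not in ("DROP", "PASS"):
        raise ValueError(f"unknown action in rule: {line!r}")
    rule = Rule(tokens[0].upper())
    keys, values = tokens[1::2], tokens[2::2]
    if len(keys) != len(values):
        raise ValueError(f"dangling keyword in rule: {line!r}")
    for key, value in zip(keys, values):
        if key not in ("src", "dst"):
            raise ValueError(f"unsupported keyword {key!r} in rule: {line!r}")
        setattr(rule, key, parse_address_set(value))
    return rule


def _matches(nets: Optional[List[Net]], addr) -> bool:
    # 'addr in net' is False across IP versions, so a v6 packet never hits a v4 rule.
    return nets is None or any(addr in n for n in nets)


def evaluate(rules: Sequence[Rule], src: str, dst: str, default: str = "PASS") -> str:
    """First matching rule wins (assumption); unmatched packets get `default`."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule.src, s) and _matches(rule.dst, d):
            return rule.action
    return default


# Constructed rule set: the range rule from the release notes plus a catch-all.
RULES = [parse_rule("DROP src (175.180.90.0-175.180.90.21)"),
         parse_rule("PASS")]

if __name__ == "__main__":
    print(range_to_prefixes("(175.180.90.0-175.180.90.21)"))
    for src in ("175.180.90.0", "175.180.90.21", "175.180.90.22"):
        print(src, "->", evaluate(RULES, src, "10.0.0.1"))
```

The range expands to 175.180.90.0/28, 175.180.90.16/30 and 175.180.90.20/31; .21 is dropped and .22 passes.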
ACLI. Added the ability to specify IP address ranges for src and dst in filtering rules.
LACL. Added the ability to specify IP address ranges for src and dst in filtering rules.
FRB. Added the ability to specify IP address ranges for src and dst in filtering rules.
RETR. Added the ability to specify IP address ranges for src and dst in filtering rules.
PCAP. Added the ability to specify IP address ranges for src and dst in filtering rules.
FRAG. Added actions for ACL rules in FRAG.
The previous version introduced the ability to send for reassembly only packets that match the specified rules, but in some scenarios this was not enough.
The PASS and DROP actions are now supported in rules. This lets you state more precisely which traffic should be passed for reassembly and which should be dropped.
Example:
drop fragment IsF dst 10.10.10.0/24
pass
These rules mean that fragmented traffic to 10.10.10.0/24 will be dropped, and all other traffic will be reassembled and processed by subsequent countermeasures.
SLOB. Added pass for unknown connections traffic.
It is now possible to activate an operating mode in which packets of connections that the countermeasure has not previously seen are passed directly to the countermeasure output without checks.
GEO. Added action to block src by GEO-significance.
A “Block” action has been added that puts IPs from the specified countries or ASes into the TBL.
GeoIP. Added the ability to download the GeoIP database from MITIGATOR.
The user can now download the GeoIP database, including changes made to the country and ASN databases.
Syslog. Added the ability to select policies and countermeasures for which drops require sending syslog messages.
Syslog. Added the ability to send messages about test mode drops.
To let the receiving side distinguish test drops, they are sent with debug priority: the message starts with “<15>” (USER.DEBUG) instead of “<14>” (USER.INFO).
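On the receiving side the distinction is a plain syslog PRI check: PRI = facility * 8 + severity (RFC 5424), so facility user (1) with severity info (6) gives 14 and with severity debug (7) gives 15. The following is an added example, not part of MITIGATOR: it parses the PRI header and sorts messages into real drops, test-mode drops and everything else, which is what a collector would do before routing test drops to a separate index instead of the alerting pipeline. Only the “<14>”/“<15>” prefixes come from the release notes; the message bodies are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

_PRI = re.compile(r"^<(\d{1,3})>")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
USER_FACILITY = 1            # RFC 5424 facility "user-level messages"


def parse_pri(message: str) -> Tuple[int, int]:
    """Return (facility, severity) from the leading <PRI>; PRI = facility*8 + severity."""
    m = _PRI.match(message)
    if not m:
        raise ValueError(f"no PRI header: {message[:40]!r}")
    pri = int(m.group(1))
    if pri > 191:                        # 23 facilities * 8 + 7 is the maximum
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def is_test_mode_drop(message: str) -> bool:
    """True for <15> (USER.DEBUG), the priority the release notes assign to
    test-mode drops; real drops arrive as <14> (USER.INFO)."""
    return parse_pri(message) == (USER_FACILITY, SEVERITY.index("debug"))


def split_drops(messages: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket messages into real drops, test-mode drops and everything else."""
    out: Dict[str, List[str]] = {"real": [], "test": [], "other": []}
    for msg in messages:
        facility, severity = parse_pri(msg)
        if facility == USER_FACILITY and SEVERITY[severity] == "debug":
            out["test"].append(msg)
        elif facility == USER_FACILITY and SEVERITY[severity] == "info":
            out["real"].append(msg)
        else:
            out["other"].append(msg)
    return out


# Constructed sample: the PRI values are from the release notes, the bodies are made up.
SAMPLE = [
    "<14>Oct 10 12:00:01 mitigator ACL: drop src=203.0.113.7 dst=198.51.100.2 policy=web",
    "<15>Oct 10 12:00:01 mitigator ACL: drop src=203.0.113.8 dst=198.51.100.2 policy=web",
    "<13>Oct 10 12:00:02 mitigator BGP: neighbor 192.0.2.1 state changed",
]

if __name__ == "__main__":
    for bucket, msgs in split_drops(SAMPLE).items():
        print(f"{bucket}: {len(msgs)}")
```

A collector that only keys on the message text would count the second line as a real drop; keying on the PRI keeps test-mode runs out of the incident statistics.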
LOGAN. Added the ability to specify multiple rules with the same metric.
Logan now allows you to specify multiple rules with the request, referer and user-agent metrics. This makes it possible to apply different blocking or notification logic depending on the content of the request headers.
Example:
block 600 request ^ST|^T
block 1000 request /ajax/sendSmsCodeToUser/ limit 8 period 10
It has also become possible to specify the same metric with different actions:
alert src.rps limit 10 period 10
block 300 src.rps limit 100 period 10
Note that specifying the same metric with the same action is still forbidden. If the policy processes logs with several tokens, and different trigger thresholds should be set per token, then every rule with a repeating metric must specify which token it belongs to.
This means that instead of:
token sometoken
token 2.2.2.2
alert src.rps limit 100 period 300 for sometoken
alert src.rps limit 100 period 200
you need to specify:
token sometoken
token 2.2.2.2
alert src.rps limit 100 period 300 for sometoken
alert src.rps limit 100 period 200 for 2.2.2.2
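The constraint above is easy to violate when rule sets are assembled from templates, and an invalid set is only caught when the policy is saved. The following validator is an added example, not a Logan component: it parses rule lines with the grammar inferred from the examples in these notes (action, optional block duration, metric, optional pattern, optional limit/period, optional “for <token>”) and flags a repeated action+metric pair unless every occurrence names a distinct token. The exemption of the request, referer and user-agent metrics follows the note that several rules with those metrics are allowed; the grammar itself is an assumption of this example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ACTIONS = {"alert", "block"}
PATTERN_METRICS = {"request", "referer", "user-agent"}   # may repeat freely per the release notes


def parse_rule(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (action, metric, token) or None for non-rule lines such as 'token ...'.
    Grammar assumed from the examples:
        action [block-seconds] metric [pattern] [limit N period M] [for TOKEN]"""
    tokens = line.split()
    if not tokens or tokens[0] == "token":
        return None
    action = tokens[0]
    if action not in ACTIONS:
        raise ValueError(f"unknown action in rule: {line!r}")
    i = 1
    if i < len(tokens) and tokens[i].isdigit():     # optional block duration
        i += 1
    if i >= len(tokens):
        raise ValueError(f"missing metric in rule: {line!r}")
    metric = tokens[i]
    token = tokens[-1] if len(tokens) >= 2 and tokens[-2] == "for" else None
    return action, metric, token


def validate(rules: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the rule set is acceptable."""
    seen: Dict[Tuple[str, str], List[Optional[str]]] = defaultdict(list)
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        action, metric, token = parsed
        if metric in PATTERN_METRICS:
            continue
        seen[(action, metric)].append(token)

    errors: List[str] = []
    for (action, metric), tokens in seen.items():
        if len(tokens) < 2:
            continue
        if None in tokens:
            errors.append(f"{action} {metric}: repeated, but not every rule has 'for <token>'")
        elif len(set(tokens)) != len(tokens):
            errors.append(f"{action} {metric}: the same token is used more than once")
    return errors


# Constructed rule sets taken from the examples in the release notes.
INVALID = ["token sometoken", "token 2.2.2.2",
           "alert src.rps limit 100 period 300 for sometoken",
           "alert src.rps limit 100 period 200"]
VALID = ["token sometoken", "token 2.2.2.2",
         "alert src.rps limit 100 period 300 for sometoken",
         "alert src.rps limit 100 period 200 for 2.2.2.2"]
DIFFERENT_ACTIONS = ["alert src.rps limit 10 period 10",
                     "block 300 src.rps limit 100 period 10"]
HEADER_PATTERNS = ["block 600 request ^ST|^T",
                   "block 1000 request /ajax/sendSmsCodeToUser/ limit 8 period 10"]

if __name__ == "__main__":
    for name, rules in (("INVALID", INVALID), ("VALID", VALID),
                        ("DIFFERENT_ACTIONS", DIFFERENT_ACTIONS),
                        ("HEADER_PATTERNS", HEADER_PATTERNS)):
        print(name, "->", validate(rules) or "ok")
```

Only the first set is rejected; the other three correspond to the combinations the notes describe as permitted.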
LOGAN. Added logging of the reason for alert.
Now the custom field of event log entries and syslog messages indicates the rule that was triggered.
IPList. Added the ability to create and manage named lists in a group.
Now on the Group page, in the Named IP Lists submenu item, group users can create named IP lists and independently manage their contents.
The maximum number of lists in a group can be limited in the group settings.
Active Sync. Added countermeasure selection for synchronization.
Active sync settings now allow you to specify which countermeasure data should be synchronized between packet processors.
Collector. Changed the collection point selection in Flow Analysis.
Now, on the “Dashboard” tab of the “Flow Analysis” page and the “Flow Analysis” tab of the protection policy, the flow collection point is selected when a specific widget is added, rather than affecting the entire dashboard.
Collector. Added the ability to set a license key and band for Collector via the web interface.
Starting with v24.10, Collector requires a license key and bandwidth to be specified, as well as a permanent connection to the license server.
Collector. Added interaction with flow sources via SNMPv3.
Collector. Added filtering by TCP flags.
You can now specify TCP flags in the Dashboard filter on the “Flow Analysis” page and in the “Flow Analysis” tab of the protection policy using the tcp-flags keyword.
The flag values are set in the same way as the ACL countermeasure.
Collector. Added geodata to downloaded statistics.
On the “Flow Analysis” page and in the “Flow Analysis” tab of the protection policy the “Source IP addresses” and “Stats by src_ip” downloads are enriched with geodata.
Incidents. Added a summary of the TLS blocking reasons log.
Now, similar to the IP address summary listed in the TBL, the incident information displays statistics on the reasons for blocking by ATLS and DTLS countermeasures. The same changes have been made to the exported incident report.
UX. Visual settings of the web interface are placed on a separate tab.
Now you can manage the design theme, graph fill, and content layout on a separate tab in the user profile settings.
UX. Added content alignment setting.
Now you can customize the placement of cards on the page, in the center of the screen or offset to the main menu.
UX. Added system theme.
The system theme is now selected by default. Depending on your preferred color scheme in the OS, a suitable design theme will be automatically selected.
UX. The main menu in the collapsed state has been changed.
Now if the main menu is collapsed, it opens when you hover over it with the cursor.
UX. The "Groups" page changed.
Now the sections of the “Groups” page are moved to a submenu.
UX. Added icon for filling from TBL for named list with type "Input".
Now, if a named list has the “Input” type and is filled from TBL, it is marked with the corresponding icon.
UX. Added group display in policy settings.
The protection policy settings now display the name of the group to which the policy belongs.
UX. Added indication of Logan operation on the policy list page.
The Logan status is now displayed on the Protection Policy List page.
UX. Added selection of time interval to the event log.
UX. Added headers for all graph areas when expanding the general graph tabs.
UX. The character limit in the group name prefix increased.
The group name prefix can now contain up to 10 characters.
UX. Added human-readable datepicker format when copying to clipboard.
Now, the selected time interval is copied to the clipboard in human-readable form.
UX. Added navigation to events in the policy event log.
If the “Jump to events” switch is enabled in the protection policy event log, hovering over the policy graph will navigate to events that occurred at the time specified on the graph.
UX. Added switching between applied filters in Flow Analysis.
A button has been added to the Dashboard filter on the “Flow Analysis” page and the “Flow Analysis” tab of the protection policy that lets you switch between previously entered filters.