Version v26.06
Version v26.06 adds: a changed mechanism for determining the country affiliation of IP addresses, transfer of protection policy settings between clusters via the clipboard, graphs of traffic bypassed by the WL and TWL countermeasures, handling of host field values in Logan rules, PSG service connection settings, separate permissions for accessing monitoring object sections, MAX messenger support, and a widget category for building graphs of passed traffic in flow analysis.
The functionality of FRB and FTLS countermeasures has been expanded.
Changes in v26.06
Dashboard
Added graph areas for tops by WL and TWL bypassed traffic
"Flow Analysis" Page
General Protection
Added graphs of traffic bypassed by WL and TWL countermeasures
General WL + TWL Bypass – rate of traffic bypassed to the system output by the WL and TWL countermeasures in General Protection;
All Policies WL + TWL Bypass – total rate of traffic bypassed to the output of all protection policies by the WL and TWL countermeasures.
Protection Policy
Added transfer of protection policy settings between clusters via clipboard
A button for copying policy settings via clipboard has been added to the “Settings” tab in the protection policy.
When copying, you select the scope. You can copy:
- countermeasure parameters;
- countermeasure parameters and autodetection settings;
- all policy parameters and settings.
Settings are saved to the clipboard in JSON format and can be applied to another protection policy, for example on another MITIGATOR cluster. Applying them completely replaces all current settings of the target protection policy with the copied ones.
Because different MITIGATOR versions may have different sets of settings, protection policy settings should only be transferred between clusters running the same version. Correct application of settings transferred between clusters of different versions is not guaranteed.
Countermeasures
FRB. Added PASS action for rules
Added a PASS action that excludes traffic matching the rule's filter from countermeasure processing.
A limit and period do not need to be specified for such rules.
Example:
# this set of rules will drop all traffic from an IP address if more than
# 10 packets arrive from it within 3 seconds via TCP on port 80,
# containing the string `\sLOGIN\s[^\n]{100}`, unless it's traffic from IP address 175.180.90.0.
PASS ACL src 175.180.90.0 dport 80
PACKETS 10 PERIOD 3 ACL tcp dport 80 REX \sLOGIN\s[^\n]{100}
FTLS. Added PASS action for rules
Added a PASS action that excludes traffic matching the specified TLS fingerprint from countermeasure processing.
For example, if the following rule is set:
PASS JA3 771,4866-4867-4865-49191-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2
and the checkbox “Apply thresholds for other JA3/JA4” is set with a threshold of 10 packets per second, then when more than 10 ClientHello messages per second are received, the FTLS countermeasure blocks every ClientHello except those matching the JA3 fingerprint from the PASS rule.
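The following Python model is an added example, not MITIGATOR's own code, and it illustrates the behaviour described for both PASS actions in this release: the FRB rule pair above (PASS by ACL, then a PACKETS/PERIOD limit with a REX payload match) and the FTLS rule with the “Apply thresholds for other JA3/JA4” threshold. Everything about rule parsing, the packet and ClientHello representation, the sliding-window counters and the assumption that a source stays dropped until the model is reset is an assumption of this example; only the rule lines and fingerprint are taken from the release notes.

```python
"""Added example (not MITIGATOR code): how a PASS rule exempts traffic from the
rate thresholds of the FRB and FTLS countermeasures. Parsing, data layout and the
'dropped until reset' behaviour are assumptions made for this illustration."""
import re
from collections import defaultdict, deque

def window_count(history, key, now, period):
    """Record one event for `key` at time `now` (seconds) and return how many
    events for `key` fall within the trailing `period` seconds."""
    q = history[key]
    q.append(now)
    while q and now - q[0] > period:
        q.popleft()
    return len(q)

# ---- FRB: "PASS ACL ..." and "PACKETS n PERIOD s ACL ... [REX regex]" ----
ACL_KEYED = {"src", "dst", "sport", "dport"}   # ACL tokens that take a value
ACL_FLAGS = {"tcp", "udp", "icmp"}             # bare protocol tokens

def parse_acl(tokens):
    acl, i = {}, 0
    while i < len(tokens):
        if tokens[i] in ACL_FLAGS:
            acl["proto"] = tokens[i]; i += 1
        elif tokens[i] in ACL_KEYED:
            acl[tokens[i]] = tokens[i + 1]; i += 2
        else:
            raise ValueError(f"unknown ACL token {tokens[i]!r}")
    return acl

def parse_frb_rule(line):
    """Only the two rule forms shown in the release notes are modelled."""
    head, _, rex = line.partition(" REX ")    # REX takes the rest of the line
    tokens = head.split()
    rule = {"rex": re.compile(rex) if rex else None}
    if tokens[0] == "PASS":
        rule["action"], acl_tokens = "PASS", tokens[1:]
    elif tokens[0] == "PACKETS" and tokens[2] == "PERIOD":
        rule["action"], acl_tokens = "LIMIT", tokens[4:]
        rule["packets"], rule["period"] = int(tokens[1]), float(tokens[3])
    else:
        raise ValueError(f"unsupported rule: {line!r}")
    if not acl_tokens or acl_tokens[0] != "ACL":
        raise ValueError("rule needs an ACL clause")
    rule["acl"] = parse_acl(acl_tokens[1:])
    return rule

def acl_match(acl, pkt):
    if "proto" in acl and pkt["proto"] != acl["proto"]:
        return False
    return all(str(pkt.get(k)) == acl[k] for k in ACL_KEYED if k in acl)

class FrbModel:
    def __init__(self, rules):
        self.rules = [parse_frb_rule(r) for r in rules]
        self.history = defaultdict(deque)
        self.dropped = set()          # sources over the limit (assumption: until reset)

    def handle(self, pkt, now):
        """Return 'pass', 'drop' or 'forward' for one packet."""
        for rule in self.rules:       # PASS first: matching traffic skips the countermeasure
            if rule["action"] == "PASS" and acl_match(rule["acl"], pkt):
                return "pass"
        if pkt["src"] in self.dropped:
            return "drop"
        for idx, rule in enumerate(self.rules):
            if rule["action"] != "LIMIT" or not acl_match(rule["acl"], pkt):
                continue
            if rule["rex"] and not rule["rex"].search(pkt["payload"]):
                continue
            if window_count(self.history, (idx, pkt["src"]), now, rule["period"]) > rule["packets"]:
                self.dropped.add(pkt["src"])
                return "drop"
        return "forward"

# ---- FTLS: "PASS JA3 <fingerprint>" plus the threshold for other fingerprints ----
class FtlsModel:
    def __init__(self, rules, threshold_per_second):
        self.pass_ja3 = {r.split(None, 2)[2] for r in rules if r.startswith("PASS JA3 ")}
        self.threshold = threshold_per_second
        self.history = defaultdict(deque)

    def handle(self, ja3, now):
        rate = window_count(self.history, "clienthello", now, 1.0)  # every ClientHello counts
        if ja3 in self.pass_ja3:
            return "pass"
        return "drop" if rate > self.threshold else "forward"

JA3_PASS = "771,4866-4867-4865-49191-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2"
JA3_OTHER = "771,4865-4866,0-10-11,29,0"        # constructed, unlisted fingerprint

def demo():
    """Run both models on constructed traffic and return their verdicts."""
    frb = FrbModel(["PASS ACL src 175.180.90.0 dport 80",
                    r"PACKETS 10 PERIOD 3 ACL tcp dport 80 REX \sLOGIN\s[^\n]{100}"])
    login = " LOGIN " + "A" * 100               # constructed payload matching the REX
    def burst(src):                             # 12 matching packets within 1.1 s
        return [frb.handle({"src": src, "proto": "tcp", "dport": 80, "payload": login}, 0.1 * i)
                for i in range(12)]
    ftls = FtlsModel([f"PASS JA3 {JA3_PASS}"], threshold_per_second=10)
    hellos = [ftls.handle(JA3_PASS if i % 2 else JA3_OTHER, 0.05 * i) for i in range(12)]
    return {"frb_unlisted": burst("203.0.113.7"), "frb_listed": burst("175.180.90.0"), "ftls": hellos}

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Running `demo()` shows the two points the notes make: the eleventh matching packet from an unlisted source trips the PACKETS 10 limit and the source is dropped afterwards, while the same burst from 175.180.90.0 is passed without ever being counted; in the FTLS model the eleventh ClientHello within a second is dropped only if its JA3 is not in the PASS rule.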
Logan
Added handling of host field values in Logan rules
For rules with the block and alert actions you can now check the value of the $host field.
Regular expressions are supported, so you can describe a pattern that the field value should match (host) or should not match (not host).
The keyword host-ip has also been added; it triggers when the $host field contains an IP address.
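As an added illustration of the host, not host and host-ip checks (example code written for these notes, not Logan's own implementation), the Python model below parses rules in the syntax used in this section and evaluates them against constructed requests. The accepted rule forms, the sliding window used for limit/period, the way an IP literal (with optional port) is recognised in $host, and the block bookkeeping are assumptions of this model.

```python
"""Added example (not MITIGATOR code): a model of the host / not host / host-ip
checks in Logan rules. Rule forms, the limit/period window and the IP-literal
test are assumptions made for this illustration."""
import ipaddress
import re
from collections import defaultdict, deque

def window_count(history, key, now, period):
    """Record an event for `key` at `now` and count events in the trailing `period` seconds."""
    q = history[key]
    q.append(now)
    while q and now - q[0] > period:
        q.popleft()
    return len(q)

def parse_logan_rule(line):
    """Forms modelled: 'block <sec> [not] host <regex>', 'block <sec> host-ip',
    'alert [not] host <regex>' and 'alert host-ip', each optionally followed by
    'limit <n> period <s>'."""
    tokens = line.split()
    rule = {"action": tokens[0], "negate": False, "host_re": None, "host_ip": False,
            "limit": 1, "period": None, "block_seconds": None}
    i = 1
    if rule["action"] == "block":
        rule["block_seconds"] = int(tokens[1]); i = 2
    elif rule["action"] != "alert":
        raise ValueError(f"unsupported action in {line!r}")
    while i < len(tokens):
        t = tokens[i]
        if t == "not":
            rule["negate"] = True; i += 1
        elif t == "host":
            rule["host_re"] = re.compile(tokens[i + 1]); i += 2
        elif t == "host-ip":
            rule["host_ip"] = True; i += 1
        elif t in ("limit", "period"):
            rule[t] = float(tokens[i + 1]) if t == "period" else int(tokens[i + 1]); i += 2
        else:
            raise ValueError(f"unknown keyword {t!r}")
    if rule["host_re"] is None and not rule["host_ip"]:
        raise ValueError("rule needs host or host-ip")
    return rule

def host_is_ip(value):
    """True if the $host value is an IPv4/IPv6 literal, optionally with a port."""
    h = value[1:value.index("]")] if value.startswith("[") else value
    if h.count(":") == 1:             # "host:port" with an IPv4 address or a name
        h = h.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False

def rule_matches(rule, host):
    hit = host_is_ip(host) if rule["host_ip"] else rule["host_re"].search(host) is not None
    return hit != rule["negate"]      # 'not' inverts the test

class LoganModel:
    def __init__(self, rules):
        self.rules = [parse_logan_rule(r) for r in rules]
        self.history = defaultdict(deque)
        self.blocked = {}             # source IP -> block expiry time
        self.events = []              # (time, src, host) alert entries

    def handle(self, src, host, now):
        """Return 'blocked', 'alert' or 'allowed' for one request."""
        if src in self.blocked and now < self.blocked[src]:
            return "blocked"
        for idx, rule in enumerate(self.rules):
            if not rule_matches(rule, host):
                continue
            if rule["period"] is not None and \
               window_count(self.history, (idx, src), now, rule["period"]) < rule["limit"]:
                continue              # matched, but not yet `limit` times within `period`
            if rule["action"] == "block":
                self.blocked[src] = now + rule["block_seconds"]
                return "blocked"
            self.events.append((now, src, host))
            return "alert"
        return "allowed"

def demo():
    """Evaluate each example rule from the release notes on constructed requests."""
    a = LoganModel([r"block 300 host ^api\.example\.com$"])
    b = LoganModel([r"block 120 not host ^internal\.example\.com$"])
    c = LoganModel(["alert host-ip limit 2 period 10"])
    return {
        "a": [a.handle("198.51.100.1", "api.example.com", 0),
              a.handle("198.51.100.1", "www.example.com", 100),   # still inside the 300 s block
              a.handle("198.51.100.1", "www.example.com", 400),   # block expired
              a.handle("198.51.100.2", "www.example.com", 0)],
        "b": [b.handle("198.51.100.3", "internal.example.com", 0),
              b.handle("198.51.100.3", "evil.example.com", 1)],
        "c": [c.handle("198.51.100.4", "203.0.113.5", 0),        # first IP-literal host
              c.handle("198.51.100.4", "203.0.113.5:8080", 4),   # second within 10 s -> alert
              c.handle("198.51.100.4", "203.0.113.5", 30),       # window expired, count restarts
              c.handle("198.51.100.4", "www.example.com", 31)],  # a name, not an IP
    }
```

Each rule set in `demo()` is evaluated on its own because the three rules from the notes are independent examples; in particular a `not host` rule blocks every request whose $host value fails the pattern, so it would shadow any rule listed after it in a combined set.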
Examples:
# Block IP address for 300 seconds where the value in the $host field
# matches the pattern `^api\.example\.com$`:
block 300 host ^api\.example\.com$
# Block IP address for 120 seconds where the value in the $host field
# does not match the pattern `^internal\.example\.com$`:
block 120 not host ^internal\.example\.com$
# Create entry in event log when receiving from IP address
# two or more requests within 10 seconds containing an IP address in the $host field:
alert host-ip limit 2 period 10
Delivery Channels
Added MAX messenger support
Added support for sending the following to the MAX messenger:
- system event notifications;
- packet capture files;
- incident reports;
- regular reports.
PSG
Core
Changed mechanism for determining country affiliation of IP addresses
The change reduces the packet handler's resource consumption when many protection policies have geo-filtering enabled.
In the current implementation this change affects filtering by autonomous system number in the GEO countermeasure: specifying an AS number there may match a broader set of IP addresses than the AS actually contains.
If you need to bypass traffic of particular autonomous systems around the GEO countermeasure, use countermeasure bypass in the WL countermeasure and specify the autonomous system number there.
To drop traffic of particular autonomous systems, use the BL countermeasure.
If filtering by AS number directly in the GEO countermeasure is critical for you, do not update to version v26.06. Correct filtering by AS number will be restored in a future version.