Version v26.04

Now the Host Protection Detector can mark traffic to IP addresses for which a threshold exceedance has been detected on the Collector. To enable this, set the flag “Use collector detection based activation” in the HPD panel and configure traffic collection rules on the “Detection Rules” page.

Now the Host Activation Log stores not only the fact of activation of the mechanism for a specific IP address, but also the reason for activation and the rule, if present.

instance_id,instance_name,created_at,action,dst_ip,reason,rule
1,Mitigator0,2022-09-02 10:44:31.53622 +0000 UTC,added,10.0.2.254,LimitBps,BITS 200 ACL udp
1,Mitigator0,2022-09-02 10:44:41.51245 +0000 UTC,added,10.0.2.254,UntrustedSource,

Added <element>.TestMode.* thresholds that control the countermeasure’s test mode operation. The logic of their operation is identical to that of thresholds without TestMode in the name, except for naming nuances:

• For bidirectional thresholds, the relationship Xxx.TestMode.Yyy.On < Xxx.TestMode.Yyy.Off typically holds, because it makes sense to turn off test mode when the threshold is exceeded, and turn it on when traffic drops below a certain mark.
• In Diff threshold sets for absolute change per cycle, OnFactor and OnMin* are present instead of OffFactor and OffMin*, having the same meaning but applicable to enabling test mode.
• In Ratio threshold sets for relative change per cycle, Xxx.TestMode.Yyy.Ratio.On < Xxx.TestMode.Yyy.Ratio.Off, because it makes sense to turn off test mode when traffic grows sharply.

Automatic packet capture has been added to General Protection IPv4 and IPv6, similar to auto-capture in protection policies.

Now on protection policy graphs you can see curves for traffic from internal network, associated with this policy.

Enabling counting of traffic from internal network for display on graphs is done on the “Common Settings” page in system settings and affects all protection policies.

Now when checking SYN+ACK packets, you can select processing mode without taking Timestamp into account.

Since not all servers send Timestamp, the check can be disabled by setting the flag “No timestamp” in the session parameter synchronization settings for a specific server. The parameter applies to all servers listed in the line. If you need to apply it to only one server, you need to move it to a separate entry. If the synchronization agent is used in multiple protection policies, and in at least one of them the “No timestamp” parameter is set, it will be applied in all policies.

VLAN ID functions have been removed from the public API of BPF programs. If these functions were used in your BPF programs, when rebuilding them with the new mitigator_bpf.h header, you need to add these functions to the program source code:

#define VLAN_ID_MASK 0x0fff

/** @brief Get VLAN ID from 802.1q header. */
LOCAL uint16_t
vlan_get_id(const struct VlanHeader* vlan) {
    return bswap16(vlan->control) & VLAN_ID_MASK;
}

/**
 * @brief Set VLAN ID in 802.1q header.
 *
 * If you don't need to keep rarely used DEI and PRI, a faster alternative is:
 * @code
 * vlan->control = bswap16(id);
 * @endcode
 */
LOCAL void
vlan_set_id(struct VlanHeader* vlan, uint16_t id) {
    uint16_t bits = vlan->control & ~bswap16(VLAN_ID_MASK);
    vlan->control = bswap16(bswap16(bits) | id);
}

Now the countermeasure graphs display the number of sessions observed both inside and outside the recent session ignore depth window:

• USF Allowed sessions — number of tracked sessions that were observed outside the recent session ignore depth window;

• USF Ignored sessions — number of tracked sessions that were observed only inside the recent session ignore depth window.

Now you can set different sFlow sampling values for different traffic rates. When the set rate threshold is exceeded, the sampling value changes automatically. You can set up to four sampling values for different traffic rate ranges.

A “Flow/SNMP Ratio” tab has been added to the “Flow Exporters” page, displaying traffic statistics on all source interfaces obtained via Flow and SNMP.

The tab also specifies the “Allowable deviation”, which determines how much the ratio of the average traffic rate obtained via Flow to that obtained via SNMP can deviate from one. For example, with a tolerance of 10%, a ratio between 0.9 and 1.1 is considered normal.

If the deviation in the ratio of average traffic rate values ​​received via Flow to those received via SNMP exceeds the acceptable limit, this may indicate that the system is configured incorrectly or that data is not being received. For such interfaces, appropriate indication appears in the row.

Now in the “Status” column of the Flow source interfaces table, the interface displays one of three statuses based on SNMP data:

• interface status UP;
• interface status DOWN;
• interface status unknown.

Now in rules for request, referer and user-agent components you can specify negation using the “not” keyword.

Examples:

# Block IP address for 300 seconds that requested any URI from web-server except
# `/api/some/magic/uri`:

block 300 not request /api/some/magic/uri

# Block IP address for 600 seconds that received
# request containing any value other than 123 in User-Agent header:

block 600 not user-agent 123

# Create entry in event log when receiving from IP address
# request containing any value other than "^https://domain" in Referer header:

alert not referer "^https://domain"

When activating the “GRE Tunnel with External Service” function in instance settings, GRE traffic processing is by default performed on a single CPU core. If the flag is set, balancing across all cores will be performed. The setting is applicable only when using Mellanox network cards, for other network cards the setting is ignored.

Previously, pgfailover parameters were set in the command: of the pgfailover service in docker-compose.failover.yml. When updating the file, user changes had to be migrated manually.

Now pgfailover parameters are set via environment variables in .env, and a non-standard server list — in docker-compose.override.yml. For future updates, simply download the latest docker-compose.failover.yml.

You can now specify custom HTTP headers and their values in named list parameters, for example, for authentication when fetching data from an HTTP-type source.

Previously tabs were sorted alphabetically, now by clicking the “Change tab order” button, you can move tabs.

To improve convenience of setting thresholds and simplify perception of already set ones, the ability to change decimal prefixes when specifying values has been added.

As an experiment, currently the functionality has been added to HPD, BPF, LIM and TAP interface, we plan to extend this change to all other mechanisms and countermeasures in the future.

Now in all interface elements where date and time of action execution were specified, the order is identical: yyyy-mm-dd HH:MM:SS.