Warning

Clients with equipment having one of the serial numbers available on this link are affected by the update referenced in the table. Other serial numbers are not affected.

Warning

For performance reasons, it is strongly recommended to install version 2.5.3.104 of GCap directly.

2. New features

2.1. Aggregating the monitoring interfaces

The system for aggregating monitoring interfaces (interface clusters) was revised to improve its reliability. It is now possible to connect a GCap to a broadband TAP dividing the upstream and downstream flows. A cluster is made up of exactly two monitoring interfaces. These clusters can be configured by means of the GCap configuration interfaces.

2.2. Detection rules per monitoring interface and per VLAN (multi-tenancy)

Support for separate detection rule sets was added. These rulesets may be applied to monitoring interfaces or to specific VLANs. This configuration is performed from a compatible GCenter (see GCenter release notes). For the time being, support for per-interface detection rules is limited in combination with interface clusters.

2.3. Detection engine

The start-up and shutdown procedure of the detection engine was revised in order to improve the integrity checks on its components. At every start-up, it checks the connectivity of the monitoring interfaces linked to the GCap; it must have at least one active interface or cluster to launch. It also ensures that the filtering rules are applied on the relevant monitoring interfaces. The detection engine logs were consolidated for simplicity. The detection engine was also hardened: it now runs in an environment with more constrained resources and more restrictive permissions.

2.4. Command Line Interface (CLI)

It is now possible to modify the GCap configuration via a command line interface (CLI). The CLI is now the default GCap configuration interface for all users. Each user can choose to restore the graphical user interface as their default interface. The CLI adapts to the current state of the GCap and to the user’s privileges, so that only relevant commands are presented. Configuring local detection rules as well as packet filtering (XDP) is only possible through the graphical interface.

2.5. User account and password

As of GCap version 2.5.3.103, it is possible to change user passwords at any time, even while the detection engine is running. This makes it possible to force a password change upon first connection, and to add a maximum lifespan to the password policy. In addition, a maximum connection duration for a session was added: after this time limit, the session is automatically closed. This duration is configurable and optional. A warning is displayed regarding use of the ‘root’ account, which invalidates support.

2.6. Criticality levels of application logs

The consistency of application log criticality levels was improved.

2.7. Pre-authentication SSH banner

A banner displayed before the SSH authentication can be configured on compatible GCenters.

2.8. Text editor for the input of local detection rules

The interface for entering local detection rules was improved. It is now performed in a more advanced text editor.

2.9. System strengthening

Protection against program corruption is now provided as soon as the GCap is started.

2.10. Protocol and logging management

The detection engine is now capable of analysing new protocols:
— Kerberos
— DHCP
— TFTP
— IKEv2
— NFS
— NTP
By default, all these new protocols are analysed and their metadata is logged. The management of selected protocols such as FTP, DNS, and SMB was also improved. For security reasons, reconstruction of SMB and FTP flows is limited to 10 MB. DNS eve-log management was improved.

2.11. New compatibility mode with the GCenter

A new compatibility mode named “GCenter v101+” was added to the GCap. With this mode, it is possible to delegate the configuration of the new protocols (see Protocol and logging management) to GCenter versions 2.5.3.101 or higher. In the other compatibility modes, these new protocols are enabled or disabled through the GCap configuration interfaces.

2.12. Replaying flow in PCAP format

It is possible to replay a flow in PCAP format. This enables emulating network traffic, in order to perform functional tests of the probe. This feature can only be activated when used in combination with a compatible GCenter.

2.13. Improved system logging

The system logs were expanded to include information regarding the success and failure of file transfers to the GCenter.

2.14. Bruteforce protection

Protection against SSH password bruteforce was added to the GCap. It is possible to configure the number of attempts and the lockout time.

2.15. Pre-filtering of eve-logs

Fileinfo events for files not saved for later analysis can now be deleted by GCap. This prevents the GCenter from being overloaded with potentially unnecessary information. This pre-filtering can be enabled or disabled.
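One way to implement such a pre-filter, as an added example and not GCap's own code: it assumes Suricata-style eve JSON lines in which fileinfo events carry a boolean `stored` flag (the page does not specify GCap's log format), and the sample lines below are constructed, not captured from a probe.

```python
import json
from typing import Iterable, List

# Constructed sample of eve-log lines (not from a real GCap); assumes
# Suricata-style JSON where fileinfo events carry a "stored" flag.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","alert":{"signature_id":1000001}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.5","fileinfo":{"filename":"report.pdf","stored":true,"size":4096}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.6","fileinfo":{"filename":"logo.png","stored":false,"size":512}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.7","fileinfo":{"filename":"index.html"}}',
    'not valid json',
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"dns","dns":{"rrname":"example.com"}}',
]


def keep_event(line: str, prefilter_enabled: bool = True) -> bool:
    """Return True if this eve-log line should be forwarded to the GCenter.

    With pre-filtering enabled, fileinfo events whose file was not stored for
    later analysis are dropped; every other event type passes through.
    Malformed lines are dropped so they cannot break the downstream pipeline.
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return False
    if not isinstance(event, dict):
        return False
    if not prefilter_enabled or event.get("event_type") != "fileinfo":
        return True
    # A missing "stored" key is treated as "not stored": only fileinfo events
    # for files that were actually kept are worth the GCenter's attention.
    fileinfo = event.get("fileinfo") or {}
    return bool(fileinfo.get("stored", False))


def prefilter(lines: Iterable[str], prefilter_enabled: bool = True) -> List[str]:
    """Apply keep_event to a batch of lines and return the survivors."""
    return [line for line in lines if keep_event(line, prefilter_enabled)]


if __name__ == "__main__":
    kept = prefilter(SAMPLE_EVE_LINES)
    print(f"{len(kept)} of {len(SAMPLE_EVE_LINES)} events forwarded")
    for line in kept:
        print(json.loads(line)["event_type"])
```

With the filter disabled, only the malformed line is dropped, which matches the "enabled or disabled" behaviour described above.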

2.16. Log compression

It is now possible to compress logs pending submission to the GCenter. It is advisable to enable this feature in situations of intermittent connectivity, or any other problem that prevents logs from being sent to the GCenter. It is disabled by default for performance considerations.

2.17. Reducing the attack surface on the GCap

The software component securing container applications was replaced by a lighter and more configurable application. This enables reducing the attack surface and refining the security checks performed on the containers.

2.18. GCap 1000 series

Version 2.5.3.103 supports the GCap 1000 series.