4. Patches

4.1. Eve-logs are automatically truncated if size > 65536 bytes

Up to V2.5.3.104, the detection engine automatically truncates eve-log records larger than 65536 bytes, and does so abruptly: the cut also corrupts the record that follows.

From V2.5.3.105 onwards, the truncation is done cleanly. The truncated record is still not processable, but it no longer corrupts the following one.
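The two behaviours side by side, as an added example (not GCap code). It assumes the eve-log is newline-delimited JSON, one event per line (the layout of Suricata's EVE output), with the 65536-byte limit quoted above; the oversized alert and the two flow events are constructed. The point is that an abrupt cut swallows the record's line terminator, so the consumer glues the next record onto the garbage and loses it too, while a clean cut that keeps the terminator loses only the oversized record:

```python
"""Added example (not GCap code): cutting an oversized EVE record without
taking the next record down with it.

Assumption: EVE is newline-delimited JSON, one event per line, and the
writer enforces a 65536-byte limit per line (the figure from the note)."""
import json
from typing import Dict, List, Tuple

MAX_LINE = 65536  # bytes per line, terminator included (assumed limit)


def truncate_abrupt(records: List[str]) -> bytes:
    """Old behaviour: the line is cut at MAX_LINE in the middle of the record.
    The '\\n' is lost, so the next record is appended to the fragment."""
    out = bytearray()
    for rec in records:
        line = (rec + "\n").encode()
        if len(line) > MAX_LINE:
            line = line[:MAX_LINE]          # drops the terminator
        out += line
    return bytes(out)


def truncate_clean(records: List[str]) -> bytes:
    """Fixed behaviour: the record is still cut (and stays unparseable),
    but the terminator is kept so the next record starts on its own line."""
    out = bytearray()
    for rec in records:
        line = (rec + "\n").encode()
        if len(line) > MAX_LINE:
            line = line[:MAX_LINE - 1] + b"\n"
        out += line
    return bytes(out)


def parse_eve(stream: bytes) -> Tuple[List[Dict], int]:
    """Consumer side (GCenter-like): parse what is parseable, count the rest."""
    events, bad = [], 0
    for line in stream.split(b"\n"):
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def demo() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Returns (events parsed, records lost) for both writers on a constructed
    stream: one oversized alert followed by two normal flow events."""
    big = json.dumps({"event_type": "alert", "payload": "A" * 70000})
    small1 = json.dumps({"event_type": "flow", "flow_id": 1})
    small2 = json.dumps({"event_type": "flow", "flow_id": 2})
    records = [big, small1, small2]
    a_events, a_bad = parse_eve(truncate_abrupt(records))
    c_events, c_bad = parse_eve(truncate_clean(records))
    return (len(a_events), a_bad), (len(c_events), c_bad)
```

With the abrupt writer only one of the three records survives (the fragment and the first flow event form a single unparseable line); with the clean writer both flow events survive and only the oversized alert is lost. A consumer that stops at the first unparseable line would lose everything after it in both cases, so skipping and counting bad lines, as `parse_eve` does, is the other half of the fix.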


4.2. TCP transactions and extracted files (« unknown »)

TCP sessions operating in the following manner prevent the GCap from properly rebuilding a file at the GCenter:

  • Initial 3-way handshake,

  • Sending the entire file with the PUSH flag without intermediate ACK,

  • ACK all segments and close the connection with RST.

Such a session is reported incorrectly, which disrupts the GCap's processing, and the file is not sent correctly to the GCenter.

A partial fix was present from V2.5.3.104 onwards (the file is reported as « unknown »).

This problem is completely fixed in V2.5.3.105.
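A toy stream collector, added here as an example and not Sigflow or GCap code, that replays the exact session described above (handshake, whole file in PSH segments with no intermediate ACK, one ACK for everything, then RST) and shows one way such a transfer can leave the extractor with nothing to hand over: if the collector only finalises a file on FIN, an RST-closed session never produces one. The collector's logic and the `finalize_on_rst` knob are assumptions for illustration, not a description of how GCap's extractor actually behaves; the file contents and sequence numbers are constructed.

```python
"""Added example (not GCap/Sigflow code): why an RST-closed upload can come
out as no file at all if the collector only finalises on FIN."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Segment:
    src: str                 # "client" or "server"
    flags: Set[str]          # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    seq: int = 0
    payload: bytes = b""


@dataclass
class FileCollector:
    """Collects the client->server byte stream of one session and hands it
    over as a file when the session ends. Whether RST counts as "ended" is
    the knob this example is about (assumed, for illustration)."""
    finalize_on_rst: bool
    isn: int = 0
    buf: Dict[int, bytes] = field(default_factory=dict)   # seq -> payload
    result: Optional[bytes] = None
    done: bool = False

    def feed(self, seg: Segment) -> None:
        if self.done:
            return
        if "SYN" in seg.flags and seg.src == "client":
            self.isn = seg.seq + 1                  # first data byte follows the SYN
        if seg.src == "client" and seg.payload:
            self.buf[seg.seq] = seg.payload         # keyed by seq, so arrival order is irrelevant
        if "FIN" in seg.flags or ("RST" in seg.flags and self.finalize_on_rst):
            self.result = self._reassemble()
            self.done = True

    def _reassemble(self) -> Optional[bytes]:
        out, nxt = bytearray(), self.isn
        while nxt in self.buf:                      # walk contiguous segments from the ISN
            out += self.buf[nxt]
            nxt += len(self.buf[nxt])
        complete = len(out) == sum(len(p) for p in self.buf.values())
        return bytes(out) if complete else None     # a gap means no usable file


def session(data: bytes, close: str = "RST", mss: int = 1460) -> List[Segment]:
    """Constructed session matching the note: 3-way handshake, the whole file
    in PSH segments with no ACK in between, one ACK covering all of them, then
    an RST (or a FIN when close="FIN", for comparison)."""
    segs = [Segment("client", {"SYN"}, seq=1000),
            Segment("server", {"SYN", "ACK"}, seq=5000),
            Segment("client", {"ACK"}, seq=1001)]
    seq = 1001
    for off in range(0, len(data), mss):
        chunk = data[off:off + mss]
        segs.append(Segment("client", {"PSH", "ACK"}, seq=seq, payload=chunk))
        seq += len(chunk)
    segs.append(Segment("server", {"ACK"}, seq=5001))
    segs.append(Segment("client", {close, "ACK"}, seq=seq))
    return segs


def extract(segs: List[Segment], finalize_on_rst: bool) -> Optional[bytes]:
    col = FileCollector(finalize_on_rst=finalize_on_rst)
    for s in segs:
        col.feed(s)
    return col.result


def demo():
    data = bytes(range(256)) * 40            # constructed 10240-byte "file"
    segs = session(data)                     # RST-closed, as in the note
    fin_only = extract(segs, finalize_on_rst=False)
    with_rst = extract(segs, finalize_on_rst=True)
    return fin_only is None, with_rst == data
```

The practitioner's takeaway is general: any extractor that treats only FIN as end of stream is blind to exactly this pattern, whether the RST comes from a misbehaving client or from someone who wants the upload not to be reconstructed, so an abortive close should flush whatever contiguous data has been collected rather than discard the session.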


4.3. Using RELP protocol and adding a queue between GCap and GCenter

If communication between the GCap and the GCenter is interrupted, sending of the system logs could be disrupted and information lost.

In V2.5.3.105, these logs are sent over the RELP protocol and go through a queue between the GCap and the GCenter, which overcomes this problem.
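Why the queue matters, as an added example that is not GCap code and does not implement RELP itself: `AckedLink` stands in for the GCap-to-GCenter log link with the one property RELP brings, the receiver acknowledges each message, so the sender can tell a delivered message from one that went into a dead connection. The outage window and syslog lines are constructed. A fire-and-forget sender loses every line emitted during the outage; a sender that keeps a line queued until it is acknowledged delivers all of them once connectivity returns:

```python
"""Added example (not GCap code): a durable queue in front of an acknowledged
transport versus fire-and-forget, across a simulated outage."""
from collections import deque
from typing import List, Tuple


class AckedLink:
    """Stand-in for the GCap -> GCenter log link. `send` returns True only when
    the receiver acknowledged the message; `up` toggles a simulated outage."""
    def __init__(self) -> None:
        self.up = True
        self.received: List[str] = []

    def send(self, msg: str) -> bool:
        if not self.up:
            return False            # no ACK: the sender must keep the message
        self.received.append(msg)
        return True


class FireAndForgetSender:
    """Old behaviour: hand the message to the link and forget it, ACK or not."""
    def __init__(self, link: AckedLink) -> None:
        self.link = link

    def emit(self, msg: str) -> None:
        self.link.send(msg)

    def flush(self) -> None:
        pass


class QueuedSender:
    """Fixed behaviour: a message stays queued until the link acknowledges it."""
    def __init__(self, link: AckedLink, maxlen: int = 10_000) -> None:
        self.link = link
        self.q: deque = deque(maxlen=maxlen)
        self.dropped = 0            # bounded queue: count overflow instead of losing it silently

    def emit(self, msg: str) -> None:
        if len(self.q) == self.q.maxlen:
            self.dropped += 1
        self.q.append(msg)
        self.flush()

    def flush(self) -> None:
        while self.q and self.link.send(self.q[0]):
            self.q.popleft()        # remove only after the ACK


def run(sender_cls, n: int = 100, outage=range(30, 70)) -> Tuple[int, int]:
    """Send n constructed syslog lines; the link is down for indexes in `outage`.
    Returns (lines delivered, lines lost)."""
    link = AckedLink()
    sender = sender_cls(link)
    for i in range(n):
        link.up = i not in outage
        sender.emit(f"<14>gcap: constructed event {i}")
    link.up = True
    sender.flush()                  # connectivity is back: drain whatever is queued
    return len(link.received), n - len(link.received)
```

The queue is bounded on purpose: an unbounded one turns a long outage into memory exhaustion on the sensor, and a bounded one that drops silently reproduces the original problem, which is why `QueuedSender` counts what it had to discard so the loss can be alerted on.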


4.4. Protection of the authentication mechanism (anti-bruteforce)

The authentication attempt counter is incremented whenever a login attempt is made, even if no password is entered by the user.

This problem is completely fixed in V2.5.3.105.


4.5. HTTP parsing problem

Some HTTP requests analysed by the Sigflow engine are not correctly parsed. This causes a loss of information in the data sent back to the GCenter by the GCap.

The updated parser corrects this problem in V2.5.3.105.


4.6. Problem when replaying some pcap files

In some cases, replaying pcap files through the monvirt interface does not work properly because of an MTU problem.

V2.5.3.105 makes the MTU of the monvirt interface configurable, which fixes this problem.
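A pre-replay check, added here as an example and not part of GCap: read the largest frame in a capture and compare it with the MTU you intend to set on monvirt, so an MTU mismatch is caught before the replay rather than diagnosed afterwards. It parses the classic libpcap format only (both byte orders, not pcapng), assumes an Ethernet capture (linktype 1) so that the L3 size is the wire length minus 14 bytes of framing (18 with an 802.1Q tag), and uses each record's original length rather than its captured length so that snaplen-truncated records are still judged by their size on the wire. The capture is constructed in memory.

```python
"""Added example (not GCap code): does every frame in this pcap fit the
interface MTU? libpcap format only, Ethernet link type assumed."""
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_HDR = 14
VLAN_TAG = 4


def pcap_frames(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (original wire length, captured bytes) for each pcap record."""
    if len(data) < 24:
        raise ValueError("not a pcap file (short header)")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic, pcapng?)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures (linktype %d)" % linktype)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield orig_len, data[off:off + incl_len]
        off += incl_len


def l3_length(orig_len: int, frame: bytes) -> int:
    """Bytes the interface must carry as payload: wire length minus Ethernet framing."""
    hdr = ETH_HDR
    if len(frame) >= ETH_HDR and frame[12:14] == b"\x81\x00":   # 802.1Q tagged
        hdr += VLAN_TAG
    return orig_len - hdr


def mtu_report(data: bytes, mtu: int) -> Dict:
    """Largest L3 size in the capture and how many frames exceed the given MTU."""
    sizes = [l3_length(o, f) for o, f in pcap_frames(data)]
    return {"frames": len(sizes),
            "max_l3": max(sizes, default=0),
            "oversize": sum(1 for s in sizes if s > mtu),
            "fits": all(s <= mtu for s in sizes)}


def build_pcap(wire_lengths: List[int], snaplen: int = 262144) -> bytes:
    """Constructed sample: a little-endian Ethernet pcap whose dummy frames
    have the given wire lengths (broadcast dst, IPv4 ethertype, zero payload)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen,
                                LINKTYPE_ETHERNET))
    for n, wire_len in enumerate(wire_lengths):
        frame = b"\xff" * 12 + b"\x08\x00" + b"\x00" * (wire_len - ETH_HDR)
        out += struct.pack("<IIII", n, 0, len(frame), wire_len) + frame
    return bytes(out)


def demo() -> Tuple[Dict, Dict]:
    """1514-byte frames fit a 1500-byte MTU; a 9014-byte jumbo frame needs 9000."""
    cap = build_pcap([64, 1514, 9014, 1514])
    return mtu_report(cap, 1500), mtu_report(cap, 9000)
```

If `fits` is false, the MTU on monvirt has to be raised to at least `max_l3` before the replay (the V2.5.3.105 setting is what makes that possible); otherwise the oversized frames are the ones that will not be seen by the engine.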


4.7. Problem replaying pcap files with multi-tenancy enabled

The « replay pcap » function is not operational when multi-tenancy per interface is enabled.

This problem is fixed in V2.5.3.105.


4.8. Display of the GCap status as « undetermined » in the GCenter management interface

The GCap status can be displayed incorrectly in the GCenter interface for several reasons.

One of them is a crash of the gcap-heartbeat service, which was not restarted afterwards.

In V2.5.3.105, GCap services are managed with an automatic restart, which corrects this cause.


4.9. Erroneous status display of the monitoring interfaces

In some cases, the monitoring interface status is not displayed correctly in the configuration utility. This problem is fixed in V2.5.3.105.