2. New features

2.1. Sigflow detection engine

2.1.1. Update of detection engine

The Sigflow detection engine was updated.
This update includes security fixes for recently published critical vulnerabilities.

2.1.2. Adding new event type "flow"

The Sigflow detection engine can now generate "flow" events.


2.1.3. Multitenant configuration

The multitenant configuration was improved so that specific network variables (network ports and IP addresses) can be configured for each tenant.


2.1.4. Adding the HASSH network fingerprint

A new field "hassh" is available in SSH events. It records the client and server SSH fingerprints when a transaction using this protocol is analyzed by the Sigflow engine.


2.1.5. Recording of certificate fields

It is now possible to select which certificate fields are recorded when a TLS transaction (handshake) is analyzed.


2.1.6. Adding new keyword for detection rules

The `dns.query.name` keyword was added to the Sigflow detection engine and can be used in detection rules for the DNS protocol.
It is a sticky buffer that matches on the name field and supports both DNS requests and responses.
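The following rules are an added example of the sticky buffer in use; they are not taken from the release notes. They assume Sigflow accepts Suricata-style rule syntax, and the domain, message text and sid values are constructed placeholders.

```suricata
# Added example (not from the release notes). Assumes Suricata-style rule
# syntax; "watched-domain.example" and the sid values are placeholders.

# Match the name field in DNS requests only (flow:to_server limits the
# direction; dns.query.name alone would match both directions).
alert dns any any -> any any (msg:"EXAMPLE DNS request for watched domain"; \
  flow:to_server; dns.query.name; content:"watched-domain.example"; nocase; endswith; \
  sid:9000001; rev:1;)

# The same buffer also matches the name field in responses, so the answer
# returned to the client can be flagged separately.
alert dns any any -> any any (msg:"EXAMPLE DNS response for watched domain"; \
  flow:to_client; dns.query.name; content:"watched-domain.example"; nocase; endswith; \
  sid:9000002; rev:1;)
```

Because the buffer is sticky, every `content` match that follows `dns.query.name` applies to the name field until another buffer is selected.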

2.1.7. Pcap files for test

Two new pcap files were added for testing the ransomware-detect and beacon-detect engines (GCenter v2.3.5.103).


2.2. Virtualization of the sensor

2.2.1. VMware support

GCap is officially supported on the VMware ESXi hypervisor.


2.2.2. AWS support

GCap is officially supported on the AWS cloud infrastructure.


2.3. Network configuration of the sensor

2.3.1. Presentation

  • Network interfaces are now identified by their system name, as shown in the example below with the command `show interfaces`:

    [Figure: output of `show interfaces` (show-interfaces.png)]

  • The gcpX network interfaces were removed.

  • The concepts of role and label are introduced in this release.

    • Following is the list of roles:

      • capture defines an interface for capturing the flow

      • tunnel defines an interface used for the IPsec communication between GCap and GCenter

      • management defines an interface used to manage GCap (via SSH)

      • management-tunnel defines an interface that carries the two previous roles (management and tunnel)

      • capture-cluster defines an interface for capturing the flow in cluster mode

      • inactive disables an interface

    • Following is the list of labels:

      • Management*

      • Tunnel

      • MonX


2.3.2. Associated command

To assign a specific role to an interface, the following command must be used:

`set interfaces assign-role {management|tunnel|management-tunnel|capture|capture-cluster|inactive}`


2.4. Update process

A rollback function was implemented in case of an issue during the system update process.
It is possible to revert to the previous version from the GCap start menu.

2.5. Hardware support

2.5.1. Support of DELL servers

This release is compatible with 16th generation DELL servers.


2.5.2. UEFI support

This release introduces UEFI support.