3. Patches
3.1. Status of the latest updates
3.2. Pairing to a GCAP is not possible if there is no gateway set for the VPN interface
`Can't connect to <Gcenter IP>`
3.3. Pairing to a GCAP is not possible after the GCenter network configuration has been changed
`pairing not established`
3.4. LastInfoSec rules
3.5. Machine Learning engine and CIE editing
3.6. Netdata Export - Netdata versions higher than 1.19 are not compatible
3.7. GScan - Critical Infrastructure Edition (CIE)
3.8. DGA - Field not present
The `dga_probability` field is only added to the events if the following conditions are met:
Logging is enabled for DNS event types
The DGA Detection Machine Learning module is enabled
A heavy DNS network load
3.9. Third Party - Intelligence
3.10. Kibana - Inaccessible tables
`Elastic did not load properly. Check the server output for more information`
3.11. Kibana - “Not ready yet”
`not ready yet` error message in Kibana.
3.12. Malcore Management - GScan Profile
The `Number of files` option in Malcore Management's GScan profile enables an alert to be issued based on the number of files in the archive.
3.13. Malcore - Incorrect healthcheck status in Critical Infrastructure Edition (CIE) license
3.14. Malcore - No flow_id
The `flow_id` field of a Malcore alert may not appear. If `flow_id` is missing, it is set to 0, enabling the export of alerts.
3.15. Malcore - Duplicate Analysis
3.16. Malcore - Engine crash due to an overload
3.17. Malcore - analysis engine saturation
3.18. Malcore - Service discontinued due to saturation
3.19. Malcore - Disabling an antivirus engine
`total_found` field of the Malcore logs, which is XX/15.
3.20. Malcore - Export logs with flow_id=0
The `flow_id` field of Malcore logs is not set, preventing them from being exported.
3.21. Malcore - Inconsistent healthcheck webui and update status
`Updates Status` panel and the `Malcore Update Status` panel:
The first does so after a period strictly longer than 7 days
while the second does so for a duration greater than or equal to 7 days
3.22. Malcore enrichment error on the app_proto field
The `app_proto` field specifies the protocol by which an analysed file was transported.
(`Operator > Gcap profiles > Base variables > File resend interval`):
An initial log with replica=false and app_proto=HTTP will be generated
Then a second log with replica=true will be issued. Its `app_proto` field will be set to HTTP, when it should have been set to SMTP.
3.23. Inconsistency in the Malcore alerts on the total_found field
The `total_found` field and the `engine_id` number are not identical.
3.24. API - Authentication parameter
`API-KEY` keyword to provide the authentication token as a parameter.
3.25. API - endpoint /api/alerts not working
When using descending date sorting, a 500 error is returned if the `page` parameter is not set or equals 1.
The `page` parameter determines the number of results returned instead of the specified value.
The `page_size` parameter is not taken into account.
3.26. Proxy - Error 500 if unable to resolve name
If the name entered in `Configuration/Proxy Configuration` cannot be resolved by the DNS server configured for the GCenter, this produces two errors:
A 500 error in the proxy configuration page (/configuration/proxy_settings/);
An error in the GUM configuration menu (/gum/configuration).
3.27. Gcenter-setup - error message
`Could not connect to home directory /nonexistent: No such file or directory`.
3.28. LDAP Configuration - TLS
`Accounts/LDAP.configuration` menu. The `LDAP interconnection status` configuration panel may indicate an error even though the configuration is operational:
`Cannot connect to LDAP with current settings: {'desc': "Can't contact LDAP server",'errno': 115, 'info': '(unknown error code)'}`.
3.29. LDAP with SSL or STARTTLS
3.30. Syslog export: no Malcore analysis of “unknown” files
3.31. Syslog export: behaviour during saturations
3.32. Syslog export - Exceptions in log formats
`src_port`
`dest_port`
`detail_scan_time`
`"src_port": "25"` or `"src_port": "25"`.
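The format exceptions above (`src_port`, `dest_port` and `detail_scan_time` arriving in a form a strict consumer does not expect) and the `flow_id=0` placeholder of 3.14 and 3.20 both bite on the receiving side of the syslog export. The normaliser below is an added example written for this page, not GCenter's own code. It assumes one JSON object per syslog line, that the three exception fields may arrive either as a number or as a quoted string such as `"25"`, and that a `flow_id` of 0 marks an alert that had no flow_id and therefore cannot be joined against flow records. The `event_type` values and the sample lines are constructed for the example.

```python
"""Ingest-side normaliser for GCenter syslog-export JSON (added example; not
GCenter's own code).

Assumptions, none of them stated on the page: one JSON object per syslog
line; src_port / dest_port / detail_scan_time may arrive as a number or as
a numeric string; flow_id == 0 is the placeholder written when a Malcore
alert had no flow_id, so such a record must not be correlated by flow.
"""
import json
from typing import Dict, List

# Fields the page lists as format exceptions, plus flow_id, which has to be
# an integer for the flow_id == 0 check below to be reliable.
INT_FIELDS = ("src_port", "dest_port", "flow_id")
FLOAT_FIELDS = ("detail_scan_time",)


def coerce(value, cast):
    """Return cast(value) when value is a number or a numeric string such as
    "25"; leave any other value (None, nested objects, junk text) untouched."""
    if isinstance(value, bool):          # bool is an int subclass; keep it as is
        return value
    if isinstance(value, (int, float)):
        return cast(value)
    if isinstance(value, str):
        try:
            return cast(value.strip())
        except ValueError:
            return value
    return value


def normalise(record: Dict) -> Dict:
    """Coerce the exception fields to their numeric type and mark whether the
    record can be joined against flow records on flow_id."""
    out = dict(record)
    for field in INT_FIELDS:
        if field in out:
            out[field] = coerce(out[field], int)
    for field in FLOAT_FIELDS:
        if field in out:
            out[field] = coerce(out[field], float)
    # flow_id=0 is the placeholder set when the alert had no flow_id
    # (3.14 / 3.20): exportable, but not correlatable with a flow.
    out["flow_correlatable"] = out.get("flow_id") not in (None, 0)
    return out


def parse_export(text: str) -> List[Dict]:
    """Parse newline-delimited JSON as received from the syslog export and
    normalise every record; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(normalise(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return records


# Constructed sample lines (not captured from a real GCenter). The first two
# carry the string and numeric variants of the same ports; the third is a
# Malcore alert exported with the flow_id=0 placeholder.
SAMPLE_EXPORT = """\
{"event_type": "alert", "flow_id": 1820334541, "src_port": "25", "dest_port": "49152"}
{"event_type": "alert", "flow_id": 1820334541, "src_port": 25, "dest_port": 49152}
{"event_type": "malcore", "flow_id": 0, "src_port": 443, "detail_scan_time": "0.37"}
"""

if __name__ == "__main__":
    for rec in parse_export(SAMPLE_EXPORT):
        print(rec)
```

After normalisation the string and numeric variants of a record compare equal, so any downstream aggregation keyed on port no longer splits `"25"` from `25`, and the `flow_correlatable` flag keeps placeholder records out of flow joins without dropping them from the export.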
3.33. Syslog export - duplicate sigflow alerts
3.34. Redirect Trackwatch Logs to the Syslog dashboard
From `Administrator > Gcenter > Trackwatch logs`, the user is redirected to the Tactical dashboard instead of the Syslog dashboard.
3.35. Default accounts reactivated
3.36. Default activation of the CIP/ENIP protocol
3.37. Display bug for adding IPs in the external_net section
In `Operator > Gcap profiles > Netvariables`, if one tries to add an EXTERNAL_NET of the list type with a mask other than /24, a display bug prevents the network from being added.