LANGuardian V12.3 – New features:
LANGuardian 12.3 introduces 4 new customization features to allow users to apply custom labels to reporting variables, host-names and traffic flows.
The 4 new customization features are brought together on a new customization page, which is accessed via a new drop down menu.
CBAR Local Rules
The LANGuardian Content Based Application Recognition (CBAR) engine fingerprints each traffic flow on the network to identify the application protocol in use (HTTP, SMB, SMTP etc.). The new Top Protocols report (see below) is the summary report for viewing network usage by application protocol. Some protocols cannot be fingerprinted by LANGuardian, such as custom/in-house applications, encrypted protocols, or protocols which LANGuardian does not recognise. The Custom Flow Classification settings allow the user to apply a custom label to all traffic flows matching particular attributes, such as source and destination IP address, source and destination port number etc. The flow is then saved in the database with that custom flow label. An example usage would be to label all backup traffic as such, as this traffic typically cannot be fingerprinted by application recognition engines.
Report Variables
Create Report Variables to identify subnets or server port groups in your network. For example, label the subnet 192.168.127.0/24 as "Local Network", or the port group "80, 8080, 3128" as "Common Web Ports". These values are then available for use in report drop-down filters.
Host Name Labels
LANGuardian automatically displays DNS/NetBIOS resolutions beside IP addresses in all reports. However, sometimes systems do not have a DNS record associated with them, or the DNS name may not be suitable for use in reports. This feature allows the user to create a custom label in the LANGuardian database for any IP address. This label is then used in reports instead of any other DNS resolution.
Server Port Labels
LANGuardian automatically displays labels for well-known IANA ports beside port numbers in all reports, such as port 22 (ssh) or port 53 (DNS). However, server ports frequently do not have an IANA name associated with them, or the IANA value may not be suitable for use in reports. This feature allows the user to create a custom label in the LANGuardian database for any server port number. This label is then used in reports instead of any IANA value.
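As an added illustration (not LANGuardian's own code), the following model shows how the four customisation features above interact when applied to constructed flow records: report variables for a subnet and a port group, a custom flow classification rule matched on flow attributes before falling back to the CBAR fingerprint, and host and server-port labels that take precedence over DNS and IANA names. All rule names, labels and sample flows are assumptions.

```python
from ipaddress import ip_address, ip_network

# Report variables: named subnets and server port groups (constructed, using the
# example values quoted in the release notes).
SUBNET_VARS = {"Local Network": ip_network("192.168.127.0/24")}
PORT_GROUPS = {"Common Web Ports": {80, 8080, 3128}}

# Custom host and server-port labels (constructed) override DNS/IANA resolutions.
HOST_LABELS = {"192.168.127.10": "backup-server"}
PORT_LABELS = {9999: "legacy-erp"}          # hypothetical in-house service port
IANA_NAMES = {22: "ssh", 53: "dns", 80: "http"}

# Custom flow classification rules (constructed). Every attribute listed in a rule
# must match the flow; rules are checked before the CBAR fingerprint is used, so
# backup traffic that no fingerprint recognises still gets a meaningful label.
FLOW_RULES = [
    {"label": "Backup", "dst_ip": "192.168.127.10", "dst_port": 10000},
    {"label": "In-house ERP", "dst_port": 9999},
]


def subnet_var(ip):
    """Return the report variable whose subnet contains ip, or None."""
    for name, net in SUBNET_VARS.items():
        if ip_address(ip) in net:
            return name
    return None


def in_port_group(port, group):
    """True if port belongs to the named server port group variable."""
    return port in PORT_GROUPS.get(group, set())


def port_label(port):
    """Custom label first, then the IANA name, else the bare port number."""
    return PORT_LABELS.get(port) or IANA_NAMES.get(port) or str(port)


def host_label(ip, dns_name=None):
    """A custom host label takes precedence over any DNS/NetBIOS resolution."""
    return HOST_LABELS.get(ip) or dns_name or ip


def classify_flow(flow, fingerprint=None):
    """Apply the first matching custom rule; otherwise use the CBAR fingerprint."""
    for rule in FLOW_RULES:
        if all(flow.get(k) == v for k, v in rule.items() if k != "label"):
            return rule["label"]
    return fingerprint or "Unknown"
```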
Changes to report categories
There has been some reorganisation of the reports menu, with the following changes:
A new category, CBAR Applications, has been added for reports derived from the LANGuardian Content Based Application Recognition (CBAR) engine. The top-level report CBAR :: Top Protocols is a replacement for the old report IP :: Top Applications, which has been discontinued.
A new category, Bandwidth, has been introduced to replace the discontinued IP and IP Activity categories. Reports from the IP and IP Activity categories are now available in the Bandwidth category.
Changes to menus
The configuration menu (under the gearwheel) has been modified in the following way:
- New links:
  - Pcap File Reader: allows quick import and analysis of pcap files created using other applications such as TCPDump or Wireshark.
  - Customisation: link to a new page to create custom variables, labels and flow classifications.
  - Settings: the old Configuration link has been renamed to Settings.
- Removed links:
  - View Trends, Configure Trends and Bandwidth Quota Manager are now all available under the Settings link.
Netflow V9 support
Support for Netflow V9 has been added. See the Create Sensor menu.
Internal performance optimisations
A number of optimisations have been made to speed up reports such as Top Website Domains and Top Fileservers.
LANGuardian V12.3 includes the following bug fixes:
3219 – Destination filter dropped in drilldown to Top Applications from Inbound TCP Traffic report
3225 – Console CLI does not display correct IP address configured by ESX wizard
3175 – Snort IDS add rule GUI, can add broken rule, with ^M
3162 – ?in regexp doesn’t work in report filter
3208 – Netfort alert plugin performance bug
3220 – Webserver should detect browser disconnect and terminate any running reports
3042 – SNMP monitor is not enabled on probes
3214 – Error running report
3217 – Some alerts from probes (New Mac, Trend alert) may be dropped on Central Managers
3216 – Postman daily does not run
3195 – LANGuardian reports are not displayed in Orion if using HTTP API with Orion running as HTTPS
3211 – Top Talkers report fails, error with sdb table path, subnet filter
3209 – Netflow sensor cannot be edited
3118 – If a new set of IDS rules/reports/etc cannot be updated when first downloaded, it will never be
3188 – Multiple alerts can corrupt db table
3183 – Negated subnets handled incorrectly
2896 – Snoopy SMB Fileshare decoder mixes up client and server
3198 – Time Filter on Top Domains
3197 – Some youtube links cannot be resolved
3191 – Error: malformed string
3186/3185 – Delete link on sysadm/local_hostnames.cgi does not work
3175 – Adding snort signatures broken up into multiple lines breaks the ID.
3181 – Adding a new network card messes up the sensor interface list.
3177 – Issues with trends
3178 – Duplications in Web Browsers reports