
Release notes 14.6 – 3rd July 2019

LANGuardian 14.6 is a security and maintenance release and we recommend all users update to this version.

LANGuardian 14.6 contains the following:
Updated Linux kernel and CentOS packages and other security updates including the OpenSSL fix for CVE-2018-5407
Updated GeoIP database
Various internal updates and changes

 


 

Release notes 14.5 – 5th February 2019

LANGuardian Version 14.5 contains the following updates.

Suricata 4.1.0 IDS replaces Snort IDS 2.9
Suricata is a free and open source, mature, fast and robust network threat detection engine.
Suricata’s fast-paced, community-driven development focuses on security, usability, and
efficiency.
LANGuardian’s Suricata deployment continues to support the Emerging Threat Open and
Pro rulesets, but with increased efficiency.
LANGuardian’s update mechanism transitions all existing Snort configuration to new
Suricata configuration, without any user intervention being required.
Learn more at suricata-ids.org

Identity Module supports RADIUS ‘off the wire’
LANGuardian 14.5 includes a new RADIUS decoder that analyses RADIUS authentication
and accounting messages to extract user logon events, matching usernames to client IP
addresses.
Use this to generate security and usage reports based on usernames, without having to
configure queries to the RADIUS servers.

AWS VPC Flow Log Monitoring/Public Cloud Monitoring
AWS VPC Flow Logs now allow LANGuardian to monitor network traffic to your Public Cloud
server deployments.
VPC Flow Logs is an AWS feature that enables you to capture information about the IP
traffic going to and from network interfaces in your AWS VPC.
By creating a new sensor type (AWS VPC), LANGuardian interrogates AWS CloudWatch for
VPC Flow Logs. VPC Flow Logs provide flow summary data for accepted and rejected
connections to the monitored network interfaces in your VPC. A new set of AWS VPC
reports and filters is also provided.

Traffic Analysis update

NFS filesystem access failed events

LANGuardian now records failed NFS events (mount, read, etc.) for the NFS3 and NFS4
filesystem protocols. Use this to detect changes in the number of failed actions that may
indicate attempted data exfiltration or lateral movement.

HL7 detection
The Application Identification module is updated to detect HL7 traffic. Use this to monitor
the movement of potentially sensitive HL7 data.

GUI updates

PCAP files
The PCAP full packet capture and analysis controls have been updated, merged, and simplified.
Use this new page to capture, upload, download and analyze full packet capture PCAP files.

IDS Signature management
The IDS configuration page has been updated to allow enabling/disabling of multiple
signatures in a single operation.

Integration/Syslog export
The Syslog export destination port is now configured via the web GUI, simplifying
integration with 3rd party systems.

 


 

Release notes 14.4.4 – 13th December 2018

This maintenance release includes some essential updates and some new minor features.

Updated Inventory Classification Databases
The GeoIP database and Vendor MAC OUI databases have been updated giving more accurate country locations and end device manufacturer information.

Record VLAN tags
VLAN tags are now extracted from packet data and saved for each traffic flow. New reports to display and search for VLAN tags will be released in Version 14.5. If you require immediate access to VLAN tags, please contact the support team.

View SMB credentials
The Network Events (SMB) by user report has been enhanced by adding the user credentials used in the SMB transaction. Use this report to compare the Domain credentials of the logged on user to the credentials used to access SMB fileshares to highlight sharing of passwords, excessive use of Administrator rights etc.

Update Application Recognition
Continuous improvement of the LANGuardian Application Recognition to expand the list of recognized applications and to reduce false positives.

 

 


 

 

Release notes 14.4.3 – 6th October 2018

This maintenance release includes fixes for the following issues:

IDS signature database daily updates failing
A recent change to the Emerging Threats IDS signature database publishing mechanism has caused daily ET Open IDS updates on LANGuardian systems to fail. ET have confirmed that they will revert the change. LANGuardian 14.4.3 IDS signature updates will operate on both the old and new publishing formats. We advise any customers who require daily IDS signature database updates to upgrade to 14.4.3.

Portscan detector improvements
LANGuardian includes a built-in portscan detector. Version 14.4.3 contains improvements to the implementation of the detection algorithm that reduce false positives and improve performance, thereby improving overall accuracy.

 

 


 

 

Release Notes 14.4.2 – 22nd August 2018

This maintenance release includes fixes for the following issues:

NGR-2112 – Support disks > 2TB

NGR-2107 – Drilldowns in reports 49 and 450 are inconsistent

NGR-2105 – Enable DNS decoding by default

NGR-2091 – Report 203 fails due to size of total field

NGR-2084 – Include portscan target in email

NGR-2083 – Incorrect IP ranges in netscan alerts

NGR-2072 – Support unmount version 3 events on NFS reports

 

 


 

 

Release Notes 14.4.1 – 27th March 2018

This release introduces some changes and new features to help with compliance monitoring, including:

A new compliance section presents reports for monitoring technical security compliance with CIS CSC 20 and GDPR.

Use these reports as templates with report variables to build custom reports to demonstrate compliance, for example, to identify when outdated TLS/SSL versions are in use.

The following reports have been renamed in order to create these new report sections:

| Old Name | New Name | Report ID |
| --- | --- | --- |
| Top MS SQL Database | SQL Databases | 169 |
| Top File Share Servers | Windows File Share Servers | 212 |
| Top SSL Servers | SSL Servers | 474 |
| Top DNS Servers | DNS Servers | 498 |
| Network Events (New MAC Addresses) | New Machines Detected on Network | 119 |
| Top Servers | All Servers | 103 |
| Top Clients | All Clients | 45 |
| Top Protocols | Applications in Use | 456 |
| Network Events (IDS) | Network Security Events (IDS) | 87 |
| Clients using the DNSChanger name servers | Clients associated with DNSChanger name servers | 426 |
| Network Event (Conficker) | Conficker | 152 |
| Top Proxy Sessions | Users Accessing External Proxy | 109 |
| DNS Lookups Associated with Malware Domains | Systems Accessing Malware Domains | 39 |
| Top Countries by Server Location | Countries by Server Location | 521 |
| Top Countries by Client Location | Countries by Client Location | 520 |
| Top Server Ports | Ports, Services and Protocols | 49 |
| Protocols on non-standard ports | Protocols on Non-standard Ports | 497 |
| Network Events (IDS) | Network Security Events (IDS) | 87 |
| Top Protocols Network Traffic | Protocols in Use on the Network | 428 |
| Protocols on non-standard ports | Protocols on Non-standard Ports | 497 |
| Clients using the DNSChanger name servers | Clients associated with DNSChanger name servers | 426 |
| Top Proxy Sessions | Users Accessing External Proxy | 109 |
| Network Events (MS SQL) by User | Users Accessing SQL Databases | 182 |
| Top Fileservers :: By User | Users Accessing Windows File Shares | 467 |
| SMTP Events (Emails with Attachments) | SMTP Emails Sent with Attachments | 495 |
| Top Protocols by User | All Users and Their Activity | 466 |

SMB fileshare alerts on failed attempts to map network shares, create or read files and folders. Use these alerts for early warning of potential lateral movement or data exfiltration attempts. See the “Network Events (SMB)” report.

Encrypted sessions analysis of SSL/TLS/QUIC versions and ciphers used. Use the new “TLS/SSL:: Encryption Protocols in Use (TLS/SSL)” report to validate that servers are using up to date and secure protocols and ciphers.

New Server Port detection alert. Use the new “Network Events (New Server Ports)” report to alert when a new server port is created and to track changes in server inventory.

New Applications in use black/whitelist. The new “Applications in Use” report (was “Top Protocols”) has a powerful new filter for Encryption Protocol to build approved applications blacklists and whitelists.

 

 


 

 

Release Notes 14.4 – 15th January 2018

NetFort are delighted to announce the availability of the latest major LANGuardian release, V14.4. It includes a number of major enhancements including GeoIP traffic reporting, improvements to the alerting engine and the ability to capture network traffic and generate a PCAP via any LANGuardian sensor on the network.
New GeoIP filtering and displays enable you to report and alert on the countries where traffic and data on your network comes from and goes to. Use this for improving your network security or to meet data export compliance regulations, such as GDPR.

New MetaData alerting GUI and rules support, to alert on a wide range of conditions and events that LANGuardian monitors for, such as authorized applications, unknown DNS servers, inter-subnet access attempts and much more. Use this to implement network usage policy alerting for security and compliance. This is an upgrade on the previous version and further enhancements are planned in the next LANGuardian version.

New user credentials from SMB sessions. Identify sharing of credentials to comply with Identity and Access Management (IAM) for GDPR.

New Windows Services (DCERPC) decoder. Analyse what Microsoft traffic on port 445 and 139 is doing and passively build an accurate inventory of Windows systems and versions.

New full packet capture mechanism to save PCAPs from any LANGuardian sensor on your network from a centralized GUI. Leverage your LANGuardian installation to get complete coverage for troubleshooting or forensics.

Improved accuracy of Google QUIC fingerprinting so you can identify, for example, YouTube traffic in Chrome. Understand how your bandwidth and network resources are being used.

New PDF format option for scheduled reports. Keep up to date with network status and performance from your inbox.

 

 


 

 

Release Notes 14.3.2 – 12th October 2017

LANGuardian 14.3.2 is a maintenance release for LANGuardian version 14.3.

NGR-1686: Improved performance of BitTorrent decoder.

NGR-1674: Updated AD integration help.

NGR-1671: Added support for Berkeley Packet Filter (BPF) for PCAP file reader sensor types.

NGR-1635: Appended youtube.com onto googlevideo.com domain

NGR-1046: Improved Application Identification for Google QUIC network protocol.

NGR-1674: Updated help and documentation for Identity Module Active Directory configuration

NGR-1658: Fixed PDF export for reports with () in the name.

 

 


 

 

Release Notes 14.3.1 – 17th August 2017

LANGuardian 14.3.1 is a maintenance release for LANGuardian version 14.3.

HP Smart Array RAID controllers support

Fixed an issue with trends based on netflow data

 

 


 

 

Release Notes 14.3 – 26th July 2017

A significant release with in excess of 300 individual updates and modifications.

It is mostly under the covers work that users will benefit from, but there are some visible changes too.

Improved Performance of Data Acquisition and Reporting
LANGuardian has been rebased to CentOS 7, offering better peripheral support, improved performance and an up to date, more secure platform. NetFort applications including traffic analysis, traffic database, and reporting have had significant modifications to boost performance too. Traffic acquisition is now possible at full 10G rates; consult support@netfort.com for configuration details.

GEO IP
We’ve added a GEO IP database to LANGuardian, with information presented via a country flag displayed with IP addresses.
This helps administrators to know the origin and destination of traffic and data flows in and out of the network. If this is useful, we’ll extend this in subsequent releases with query by country/region; let us know.

Improved Active Directory Integration
Active Directory integration for monitoring User Activity has enjoyed a refresh.
Changes include a more efficient and secure interrogation of Domain Controllers, with better informational and error messages to aid configuration. Some reconfiguration of your LANGuardian is required to benefit from this. Details are on the NetFort Forum, or contact support@netfort.com.

Enhanced GUI and Usability
Continued improvements to the GUI in this release include new notification messages, new scrolling, new layouts in the Configuration and Settings menus, improved mobile version and new tool tips.

Improved Reporting and Alerting
GUI reporting has been improved with updated drill downs, improved PDF export (especially for ‘wide’ reports), updated MAC Vendor database, new filters for SSL inventory, fixed rendering of non-ASCII characters and more. Email reports and syslog alerts have been updated with better sorting and more information (e.g. port numbers for IDS alerts, BitTorrent info hash etc.). To avoid sending excessively large emails when similar alerts go beyond a certain limit within the email interval, only the extra total is shown, rather than repeating the detail of each alert in the body of the email.

Continued Development of MetaData Alerting Engine
LANGuardian includes a metadata alerting engine, allowing Administrators to create rules that operate on LANGuardian metadata keywords.
Alert on access to specific websites, files or folder names, source or destination IP address etc.
While we’re developing the engine we’ve provided a rudimentary GUI interface.