Network Monitor 3.4.2 Release Notes: June 27, 2017
NetMon-3.4.2-ReleaseNotes_revA
- Network Monitor Release Notes
Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use of
this information.
Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may
be trademarks, registered trademarks, or service marks of their respective holders.
VMware, ESX, and ESXi, VMware Certified Professional, vCenter, and vSphere are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions.
LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
Contents
Overview
Troubleshooting
Elasticsearch Is Unresponsive
Overview
This document provides information about new features, known issues, and resolved issues in LogRhythm
Network Monitor.
Use the following to determine your upgrade path. If you have any questions about the upgrade process,
please contact LogRhythm Support.
NOTE: An upgrade path for versions earlier than 2.6.1 is not recommended. To upgrade, perform a new
installation with version 3.4.2.
For more information on specific upgrades, see the upgrade guides available on the Network Monitor page of
the LogRhythm Support Portal or access the Network Monitor Community.
Known Issues
IMPORTANT: After installing your Network Monitor appliance or Network Monitor software, DO NOT
update the CentOS operating system using yum or any other method. An update could
leave your Network Monitor system in an unusable state.
If you are using a Network Monitor appliance, you should not access the operating
system for any reason.
• NetMon correctly classifies Address Resolution Protocol (ARP) packets, but all packets appear in a
single session.
• Valid login credentials may sometimes be rejected when using Chrome on OS X. If this issue occurs,
clear your cache/browsing history and try to log in again.
• If you encounter the following error when trying to select a NetMon license, clear your cache/browsing
history and try to select the license again:
Error: There was a problem during the upload of your license file. Please try again.
• After you perform a fresh install of NetMon, go to the Configuration > Time page, and then verify that
your time is updated with a valid NTP server. In some environments, the default public NTP services
are blocked, and you have to use a valid internal NTP service.
• When performing the two-step LRP upgrade from NetMon versions 2.8.2–3.1.2 to version 3.2.2 or
3.2.3, the following conditions occur:
o System DPA rules are disabled, though custom DPA rules remain enabled.
o Login credentials for the Web Management interface revert to their default values (login
admin, password changeme) and need to be changed upon next login.
o Configuration settings reset to their default values.
o All created non-admin users are removed and need to be recreated.
o Some dashboard visualizations do not display until a new day’s Elasticsearch index is created.
While it is possible to delete the current (i.e., today’s) index and resolve this issue
immediately, doing so would also delete the current day’s data.
• When upgrading from version 3.2.2 to version 3.2.3, the Web Management interface may report
success even when the upgrade fails. If your NetMon system is still running version 3.2.2 after the
upgrade completes, re-download the upgrade file and check its SHA-256 hash against the SHA file.
• On the Configuration > Engine page, setting Enable Basic DPI Mode to ON significantly reduces the
amount of available metadata. Most system rules become disabled when running in DPI mode. Custom
rules may also become disabled if they rely on metadata that is not generated through Basic DPI. Do
not set this value to ON without the help of LogRhythm Support.
• Users may need to refresh the Kibana index if they see errors on dashboards.
o To refresh the Kibana index, open the Kibana index pattern settings, select the index pattern [network_]YYYY_MM_DD, and then click refresh.
• After enabling the Flow_IdentifyTrafficDirection system rule, it takes a few minutes to see results on
the Ingress Egress Traffic Dashboard. Note that some errors may be thrown in the meantime.
• After enabling the Flow_TopLevelDomain system rule, it takes a few minutes to see results on the Top
Level Domain Dashboard. Note that some errors may be thrown in the meantime.
• Known interface issues:
o Moving the management or recovery interface without reassigning the former master/recovery
interface leaves the system in a bad state. For the management interface, if you are using
DHCP, this will leave you with two management ports. If you are using a static IP, then the
new management/recovery interface will fail to load.
o If you change the management interface IP in NetMon, you will also need to change the IP
address used by the SIEM for API endpoints. The changed IP address will affect the SIEM’s
entity record.
o When you finish making configuration changes and click Apply Changes, the confirmation modal is accepted and the configuration change is applied. Users must then move the cable. After the cable is moved, users must log in to the Linux server and run sudo systemctl restart network. If network services are not restarted, the new interface will not be active.
• When installing Network Monitor on an ESXi virtual machine (VM), you need to run the AddEth.pl
script to ensure the correct management and capture interfaces are detected and interface selection
works as expected. To install Network Monitor on an ESXi VM:
1. Run a normal install.
2. Log in to the console.
3. Run the AddEth.pl script:
If you are using DHCP, type: sudo /usr/local/probe/scripts/AddEth.pl
If you are using a static IP, type: sudo /usr/local/probe/scripts/AddEth.pl <staticIP> <netmask> <gatewayIP>
Version 3.4.2
Features and Enhancements
The following features and enhancements are included in the 3.4.2 release:
• New metadata field named JSONSize: The JSONSize metadata field is available on all flows. This field helps isolate data problems that cause failures in Elasticsearch.
• DPA Rule Editor Window Improved: The DPA Rule Editor window is now easier to use. Writing DPA rules is easier and less prone to accidental loss of content.
• Updates to Network Interfaces: More interface name patterns are recognized. Non-hardware based network interfaces (e.g., from virtual systems) are now recognized and supported in the Network Configuration page.
Resolved Issues
The following issues were resolved in the 3.4.2 release:
Bug # Description
NM-753 The Authentication Required popup no longer displays on the login page.
NM-759 A DPA rule uploaded as an LRL can now be re-uploaded after deleting the rule.
NM-764 Hexadecimal DNS flags correctly convert to 16-bit values in Network Monitor.
NM-766 A possible memory corruption issue on system startup has been resolved.
NM-769 A possible race condition causing system failure has been resolved.
NM-775 The Download Diagnostics .zip file now opens properly on Windows systems.
NM-776 The Flow_PrivateKeyExtensions rule now works correctly for the MAPI protocol.
NM-758 ISO install script is no longer hardcoded to be installed on the SDA drive.
Version 3.4.1
Features and Enhancements
The following features and enhancements are included in the 3.4.1 release:
• Validate an Upgrade: The official hash of the upgrade file now prompts you to verify the upgrade before uploading and installing the updated version of Network Monitor. Visually comparing the hash of the .lrp file with LogRhythm’s published hash value provides a human-interaction guarantee that the upgrade file is legitimate and officially from LogRhythm.
• Set Up a Secure Syslog: Through the Configuration > Syslog user interface, you can now configure a secure TCP Syslog connection. Network data is highly valuable. By securing the connection between the Network Monitor and the SIEM, this data can be transported securely for further analysis and correlation.
• Improved Interface Configuration: The Configuration > Network user interface now includes an interface selector with the ability to see all recognized interfaces, including data received and IP addresses. Setting up a Network Monitor is now easier than ever. Instead of guessing which cryptically named port (for instance, enp0s02) is your incoming tap data, you can see which port is receiving data and select it. You also do not have to guess which interfaces are part of a bond. You can simply select the interfaces you want to capture.
• New Help Tab: From the Help tab of the top navigation bar, you can now access the Network Monitor online Help and Community forum, as well as download diagnostics files. LogRhythm’s Community is a great resource for Network Monitor information and support, and the embedded link makes it easier than ever to connect. The Diagnostics .zip file contains rich information that is useful for understanding Network Monitor’s configuration and performance.
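The hash check described in the Known Issues note for the 3.2.2 to 3.2.3 upgrade (re-download the file and compare its SHA-256 against the SHA file) and in the Validate an Upgrade entry above can be scripted on the Linux host where the .lrp file was downloaded, so that a corrupt or substituted file is caught before it is ever uploaded. The following POSIX shell script is an added example written for these notes; it is not LogRhythm tooling. It assumes the published SHA file carries the hex digest as its first whitespace-separated field (the "digest  filename" layout written by sha256sum, or a bare digest), and the .lrp and .sha files it creates are constructed stand-ins, not real upgrade artifacts.

```shell
#!/bin/sh
# Added example for these release notes, not LogRhythm tooling: verify a
# downloaded Network Monitor upgrade (.lrp) against its published SHA-256
# before uploading it through the Web Management interface.
#
# Assumption: the published SHA file carries the hex digest as its first
# whitespace-separated field, i.e. the "digest  filename" layout written by
# sha256sum, or a bare digest on one line.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
# Uses GNU sha256sum where present and shasum (BSD/macOS) otherwise.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_upgrade_hash FILE SHAFILE
# Returns 0 when FILE's digest equals the published one, 1 on a mismatch
# (corrupt, truncated or substituted download) and 2 when the inputs are
# unusable (unreadable file, or no 64-hex-character digest in SHAFILE).
verify_upgrade_hash() {
    file="$1"
    shafile="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    [ -r "$shafile" ] || { echo "cannot read $shafile" >&2; return 2; }

    # First field of the first line, normalised to lowercase so a digest
    # published in uppercase still compares equal.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$shafile")
    case "$expected" in
        "" | *[!0-9a-f]*)
            echo "no SHA-256 digest found in $shafile" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "digest in $shafile has ${#expected} hex characters, expected 64" >&2
        return 2
    fi

    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file does not match the published SHA-256" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demonstration input (stand-ins, not a real .lrp or LogRhythm's
# SHA file). In practice the .sha file comes from LogRhythm's download page,
# never from the local copy of the upgrade.
demo_dir=$(mktemp -d)
printf 'stand-in for NetMon upgrade contents\n' > "$demo_dir/netmon-upgrade.lrp"
printf '%s  netmon-upgrade.lrp\n' "$(sha256_of "$demo_dir/netmon-upgrade.lrp")" \
    > "$demo_dir/netmon-upgrade.lrp.sha"

verify_upgrade_hash "$demo_dir/netmon-upgrade.lrp" "$demo_dir/netmon-upgrade.lrp.sha"

# A single appended byte models a truncated or tampered download: the check
# must fail and the file must be re-downloaded rather than uploaded.
printf 'x' >> "$demo_dir/netmon-upgrade.lrp"
if ! verify_upgrade_hash "$demo_dir/netmon-upgrade.lrp" "$demo_dir/netmon-upgrade.lrp.sha"; then
    echo "re-download the upgrade file before installing"
fi
rm -rf "$demo_dir"
```

Run it on the host that holds the downloaded .lrp and its .sha file; only a file that passes should be uploaded through the Web Management interface. The check catches a truncated or altered download, which is the failure mode behind the "upgrade reports success but the system is still on 3.2.2" symptom; it does not replace obtaining the published hash itself from the LogRhythm Support Portal over HTTPS.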
Resolved Issues
The following issues were resolved in the 3.4.1 release:
Bug # Description
NM-614 If a PCAP download request times out, the message is no longer “retrying download” when the download does not actually retry.
NM-757 The Login dialog is no longer available when the rest of the services have not yet started.
NM-760 The validation message for changing a hostname now mentions that lowercase is required for a valid hostname.
NM-761 API download routes now properly report HTTP status on error conditions.
NM-763 Improvements to Elasticsearch tuning and data truncation have been made to prevent crashes under specific large loads.
NM-765 The download library now properly streams for very large files.
NM-770 A fix has been implemented for a vulnerability exposed via Metasploit.
NM-771 Backup .ifcfg.old files are now ignored and not considered valid interfaces.
Version 3.3.2
Features and Enhancements
The following features and enhancements are included in the 3.3.2 release:
• Additional Classifications: NetMon now classifies 3,061 unique applications. Shutterstock, SolarWinds, Microsoft Docs Online, and many ICS/SCADA protocols were added in this release. Customers can now identify even more Layer 7+ applications and more reliably differentiate known good traffic from suspicious traffic.
• New API Methods: Additional API methods have been exposed for managing Query Rules, downloading DPA rules, examining service status, downloading logs, and changing the hostname of the system. Customers can continue integrating with NetMon and automating management functions.
• API Security Improvements: All API methods have been updated with increased client and server-side validation, stronger authentication, improved auditing, and other related security changes. Customers can trust that the API layer is not a security vulnerability.
• Additional Audit Records: Additional Audit messages are now created for upgrade success and failure, several API routes, downloading DPA rules, and user logouts. Customers can trust that NetMon fully tracks user actions and provides a clear and consistent audit trail.
• Change Hostname: You can now change the hostname of the NetMon instance through either the Configuration > Engine user interface or an API method. Customers can now easily manage multiple NetMon devices and bring NetMon devices into compliance with Linux host naming standards.
• Change Syslog Port: Through the Configuration > Syslog user interface, you can now change the Syslog sender port from 514 to 601 or to any port larger than 1000. Customers can now adjust NetMon output to target Syslog receivers listening on non-standard (514) ports. This is a precursor to support full TLS-encrypted Syslog output.
Resolved Issues
The following issues were resolved in the 3.3.2 release:
Bug # Description
NM-741 A banner indicating that only some data is forwarded has been re-implemented on the Syslog page in NetMon Freemium mode.
NM-745 The various “Delta” fields have been corrected for long-running flows.
NM-747 Double JSON error reports on certain API methods have been fixed.
NM-748 All previously installed versions now appear in the /systemInfo command.
NM-750 The Flow_DetectPrivateKey rule has been updated and corrected for current DPI fields.
NM-751 A non-meaningful “fatal” error has been removed from logs when DPA rules are enabled/disabled.
N/A Email validation now functions properly. For example, RoB@MyCompany.com is no longer considered an invalid email address.
N/A Various improvements have been made to an API that gathers version information and upgrade history.
N/A On install, NetMon now presets the number of processing threads based on the underlying architecture.
Version 3.3.1
Features and Enhancements
The following enhancements are included in the 3.3.1 release:
• New API Methods: Public API calls have been added for restarting services and changing capture settings. Customers can start automating management of Network Monitors and improving integration with other systems, such as the SIEM’s Web Console.
• Initial Passwords Changed: On initial installation, all default passwords are now set to changeme. This simplifies deployment and encourages customers to follow good security practices by changing NetMon’s default password.
• Sharing Usage Statistics: LogRhythm now collects basic license level, version information, and anonymous usage statistics. No actual customer data is sent to LogRhythm. Customers using an enterprise license can opt out. LogRhythm’s development efforts and upgrade schedule will be based on actual usage patterns.
• Audit Log Improvements: Additional audit log messages are stored and include the user who triggered the message. Administrators evaluating NetMon usage now have richer data about system access.
Resolved Issues
The following issues were resolved in the 3.3.1 release:
Bug # Description
NM-712 The DPA audit log now notes the user who made changes.
NM-730 The configuration and feature associated with “SIEM Logging” in the Syslog Configuration has been removed.
N/A The warning color for downloading PCAPs or files has changed from bright red to yellow, and the icon has been fixed.
N/A A non-harmful, “fatal” warning that appeared in /var/log/messages has been removed.
Version 3.2.3
Features and Enhancements
The following enhancements are included in the 3.2.3 release:
• New DPI Classifications: Forty-five new application classifications have been added, including Oracle Real Application Clusters (RAC), Elasticsearch, Citrix PVS, Zoom video conferencing, and Pokémon GO. New application classifications enrich the ability to identify normal operational traffic for enterprise systems, reducing the “noise” in searching for threats.
• Continued UI Improvements: Additional changes have been made to the styling of the user interface. These changes bring NetMon even more in line with the SIEM Web Console, providing a seamless visual experience for analysts. Additional small changes help streamline the user experience, reducing the effort needed to learn and use NetMon features.
Resolved Issues
The following issues were resolved in the 3.2.3 release:
Bug # Description
NM-700, NM-714 Previously unknown/unidentified UDP traffic in PCAPs is now correctly identified as the Oracle RAC protocol.
NM-729 Data with fields longer than 32,766 bytes are now automatically truncated (HTTP cookie only).
NM-733 Error messages now notify users if an .lrp configuration upgrade is unsuccessful.
NM-734 NetMon now runs properly on certain VMware and hardware systems that use non-sequential core numbering.
NM-737 Settings have been changed to prevent syslogd and journald from impeding Syslog messages.
NM-739 A patch was applied to address the critical “Dirty Cow” Linux kernel vulnerability (CVE-2016-5195).
Version 3.2.2
Features and Enhancements
The following enhancements are included in the 3.2.2 release:
• Improved Styling: The look and feel of NetMon has been updated to more closely match the LogRhythm Web Console. Users familiar with LogRhythm will have an easier time transitioning to the NetMon interface.
• Main Menu Bar Changes: Among other changes, Rules and Alarms have been given a more prominent place in the top navigation menu. More prominent access to Deep Packet Analytics rules and Query Alerts leads to increased usage of automated analytics.
• Alarms Dashboard: A new dashboard has been created specifically to show alarms. The Alarms Dashboard makes it easier to evaluate alarms generated by DPA rules and saved searches, and also to determine investigation priorities, reducing time to detection and time to response.
• Server Management: Server management functions have been grouped in a new menu icon. Analysts will have an easier time finding server maintenance functions such as restart, reboot, and shutdown.
• Deep Packet Inspection Update: The DPI engine has been updated and can now classify 2,952 applications. About 200 new applications are classified, including Uber, Slack, LogMeIn, and more cloud hosts.
• HTTPS Version: The HTTPS protocol version is now stored as metadata in the ProtocolVersion field. You can easily detect less secure connections that use deprecated encryption by viewing or detecting the version in use.
• DPA Rule Checking: DPA rules are now checked at runtime for access to invalid or missing metadata fields. Developers of DPA rules now know if they’ve tried to access invalid metadata fields.
• In-Place CentOS Upgrade: Customers on NetMon versions 2.8.1–3.1.2 have an upgrade path to 3.2.2. Customers who are still using a NetMon version based on CentOS 6 have an in-place (LRP-based) upgrade path to NetMon 3.2.2 and CentOS 7.2, which provides improved security, reliability, and sustainability.
Resolved Issues
The following issues were resolved in the 3.2.2 release:
Bug # Description
NM-659 Searches run from the Alarms page now properly appear in NetMon’s Search History log.
NM-720 The License page now refreshes and displays the upgraded product license correctly after upgrading or installing a new license.
NM-723 Cassandra heap size has been increased to prevent it from running out of memory in conditions of high flow rate.
NM-726 A default PHP file that uses the “phpInfo()” command was deleted to fortify NetMon against a PHPInfo disclosure vulnerability.
NM-728 Changed Ingress/Egress Dashboard text to clarify that direction is determined not only by source IP and destination IP locations, but also by the number of srcBytes and dstBytes.
N/A Implemented a fix for PCAP replay of HTTPS sessions, which were not ending cleanly.
Version 3.2.1
Features and Enhancements
The following enhancements are included in the 3.2.1 release:
• Operating System Upgrade: Network Monitor’s base operating system has been upgraded from CentOS 6.5 to CentOS 7.2. CentOS 7.2 provides improved security, reliability, and sustainability. It addresses numerous vulnerabilities and keeps Network Monitor on a current version of CentOS.
• Hardened OS: Network Monitor’s base operating system has been hardened to prevent malicious access. Many OS-level features have been removed or restricted, and account access has been limited to help prevent malicious activities.
• Improved Freemium Experience: Capture has been increased to 1 Gb per second, and alarms and diagnostic messages can be sent via syslog. Increases the usability of Freemium for a wider variety of customers and use cases, including short term incident response.
• User Experience Improvements: Filters and titles on configuration pages make it easier to find key configuration values. Network Monitor admin time is minimized through a simplified context in user experience.
• DPA Scanning of FTP and SMTP Session Bodies: DPA rules can now scan the first 500 KB of an FTP transfer or SMTP email body. Allows for deeper analytics of these protocols, including scenarios like scanning for key words, PII, PHI, or corporate intellectual property.
• Top Level Domain Rule and Dashboard: A DPA rule creates metadata to identify domain names, and the resulting data can be visualized in a new dashboard. Network Monitor users can quickly determine the end points for web traffic, noting anomalous top level domains.
• Traffic Direction Rule and Dashboard: A DPA rule creates metadata identifying traffic direction, and the resulting data can be visualized in a new dashboard. Network Monitor users can quickly evaluate a network to determine ingress, egress, and lateral traffic patterns to help identify anomalous activity.
• Canadian SIN DPA Rule: New rule detects PII exposure of Canadian Social Insurance Numbers. The new DPA rule can detect accidental or malicious exposure of PII through unencrypted channels.
• Identify Bank Routing Numbers: New rule detects exposure of bank routing numbers. The new DPA rule can detect accidental or malicious exposure of bank routing numbers through unencrypted channels.
• Improved CCN Detection: Existing DPA rule algorithm improved for detecting credit card numbers. The improved DPA rule can detect accidental or malicious exposure of credit card numbers through unencrypted channels.
Resolved Issues
The following issues were resolved in the 3.2.1 release:
Bug # Description
NM-697 In deployments having a large number of small flows, NetMon was crashing when trying to insert data into Elasticsearch.
NM-699 NetMon was displaying ports for ICMP traffic when no ports should have been displayed.
NM-704 The version of PHP used by NetMon has been upgraded to 5.6.22.
Version 3.1.2
Features and Enhancements
The following enhancements are included in the 3.1.2 release:
• User Interface Update: The UI has been refreshed and updated, aligning it with the look and feel of the SIEM Web Console. There is less visual contrast between different parts of the LogRhythm solution.
• Configurable Security Options: Network Monitor has a new Client Security page, providing configurable options for:
o a login authorization banner in the UI and for shell access
o a session timeout period
o a configurable minimum password length
This supports compliance with enterprise security policies.
• New diagnostic messages: New diagnostic messages are enabled for:
o Changing passwords
o Adding, deleting or changing a user
o Restarting services
o Shutting down Network Monitor
o Rebooting Network Monitor
o Changing the license
o Upgrading Network Monitor
o Any configuration change
o File reconstruction or PCAP download via UI or API call
o Add, edit, enable, disable, upload or delete DPA rule
o Disk space limit reached
This enhances security, troubleshooting and system reliability, including central monitoring and audit control through SIEM integration.
• New Ports Dashboard: The Destination Port Dashboard is now available, with visualizations to show all traffic by port, application, destination IP, and source IP. New use case dashboard for hunting for unusual traffic and rogue services.
• DPI Update – Nagios: Nagios is now classified properly. Improved ability to ignore or set policies for Nagios identified traffic.
• Indexing Improvements: The algorithm used for inserting metadata into Elasticsearch has been further optimized for improved performance. Eliminates a performance bottleneck when capturing metadata and processing short, frequent flows.
Resolved Issues
The following issues were resolved in the 3.1.2 release:
Bug # Description
NM-694 Classification Only mode is now a switch on the Engine configuration page.
Version 3.1.1
Features and Enhancements
The following enhancements are included in the 3.1.1 release:
• 5 Gb/s Sustained License: The NM5400 platform now supports data capture up to 5 Gb/s sustained. With additional license purchases, customers can analyze more network traffic in a single Network Monitor installation.
• UI Update: Network Monitor’s UI is updated with a refreshed look and increased functionality. Dashboards are now richer, faster and more responsive. New data aggregations and visualizations are possible, dashboards are easier to create, and analysts will have more power to quickly find and analyze troublesome network traffic.
• New Metadata Fields: TLS version and cipher suite ID are now captured as metadata. As SSL continues to be replaced by TLS, capturing the TLS version and encryption cypher suite helps quickly identify security vulnerabilities and outdated systems.
• Improved HTTP Processing with Deep Packet Analytics: DPA rules can now analyze HTTPRequest and HTTPResponse separately. DPA rules can now perform much more efficiently with simple logic looking at the request versus response of HTTP-based protocols. This allows for faster and richer analysis of suspicious web based traffic.
• Integration of Diagnostic Events with the LogRhythm SIEM: Network Monitor audit and diagnostic messages are now stored locally in a designated audit file. In addition, these messages are sent to the SIEM via syslog. Separating audit and diagnostic events from other logs makes it easier to report on Network Monitor usage and troubleshoot the system’s health. Incorporating these logs into the SIEM provides additional rich reporting and alarming similar to other SIEM components.
Resolved Issues
The following issues were resolved in the 3.1.1 release:
Bug # Description
Version 2.8.2
Features and Enhancements
The following enhancements are included in the 2.8.2 release:
• Thread Affinity: Network Monitor will calculate the optimal setting for Processing Threads to maximize performance based on the number of CPU cores in your Network Monitor system. Ensures you are getting the best possible performance out of your Network Monitor system.
• Basic DPI Mode: In Basic DPI mode, the packet processing path is expedited due to the reduced number of data structures that are used in the packet processing pipeline. In this mode, 95% of the protocols classified and attributes extracted remain unchanged. Improves processing efficiency and greatly reduces the potential for dropped packets.
• REST API Updates: Network Monitor’s REST API has been updated with routes to enable reconstruction and download of file attachments from captured sessions through the API. Provides programmatic access to the latest features available in Network Monitor.
• New Deep Packet Analytics Rules: Network Monitor 2.8.2 includes several new and updated system rules for Deep Packet Analytics. Details about new rules can be found in Network Monitor 2.8.2 Release Notes and Network Monitor Deep Packet Analytics: System Rules. Provides customers with new advanced ways to inspect and act on traffic in their network.
Version 2.8.1
Features and Enhancements
The following enhancements were included in the 2.8.1 release:
• File Reconstruction: File attachments from a captured SMTP session can be reconstructed into their original format for further investigation. File reconstruction can assist with forensic analysis or legal matters. For example, you may need to review all files sent by and to a specific user.
Troubleshooting
The following topics provide information about how to troubleshoot or address rare but potential issues in
Network Monitor.
Elasticsearch Is Unresponsive
Under certain conditions, such as very heavy load or extremely long periods of high CPU and memory consumption, Elasticsearch can crash. This can be quickly verified with the Sessions Sent to Dispatch and Elastic Search Session Insert Rate charts (both can be found at Diagnostics > System). If Elasticsearch has crashed, the red line indicating failure in the chart below spikes.
To recover, restart Network Monitor’s core services. On the top navigation bar, click the System icon, and then click Restart Netmon.