Microolap EtherSensor Changelog

2018-09-08 Version 5.1.0.13519

Runtime environment

Windows Server 2008, Windows Server 2012, Windows Server 2016.

Data sources and objects capture

EtherSensor EtherCAP service:

[+] Implemented support for IPv6.

[+] Improved processing of TCP/UDP traffic with various encapsulation depth levels, for example:

eth -> vlan -> ip4 -> ip6 -> ip4 -> gre -> ppp -> ip4 -> tcp/udp -> application data.

[+] The metadata of the events being processed now contains VLAN information.

[+] Interception of FTP over IPv6 is implemented both for active and passive modes.

[+] Implemented the TCP-SESSIONS and UDP-SESSIONS IPC channels, which deliver the analysis results over the NETFLOW protocol.

[+] Resource consumption for traffic capture was reduced by 30%.

[-] Fixed an error in unpacking SOCKS tunnels.

Captured objects analysis:

[+] The internal format of processed events was changed; on this basis, strong typing of the analysis results was implemented.

Now all the detected events (messages) fit into the following scheme:

   registration <- Event of registration in the system.

   login        <- Logon event.

   profile      <- Event of changing the profile in the system.

 

   send_msg     <- Event of sending a message.

   recv_msg     <- Event of receiving a message.

 

   send_file    <- Event of sending a file.

   recv_file    <- Event of receiving a file.

 

   conversation <- Event of conversation interception.

   contacts     <- Event of contacts forwarding.

   search_query <- Event of search request.

[+] Resource consumption for message detection was reduced by 15%.

Delivering analysis results to consumer system:

[+] Integration with DLP solution FALCONGAZE Secure Tower has been added.

[+] Direct delivery of the analysis results from the IPC channel via the SYSLOG protocol was implemented, including the objects received from RAW filtering in the analysis service. The analysis results may be delivered in either CEF-HTTP or SQUID ACCESS LOG format; the number of consumers is unlimited. A TCP over SSL delivery option for analysis results was also implemented.

[+] Direct delivery of analysis results from the IPC channel via NETFLOW versions 1, 5 and 9 was implemented. Information about all TCP or UDP sessions processed by EtherSensor can now be delivered to NETFLOW servers; the number of consumers is unlimited. A TCP over SSL delivery option for analysis results was implemented. Consumer examples: Splunk (NetFlow Analytics for Splunk), McAfee Security Information and Event Management (SIEM), IBM QRadar Security Intelligence Platform, HP ArcSight.

[+] The Lua integration module for sending results via the SYSLOG protocol in CEF format has been updated. Consumer examples: Splunk, HP ArcSight, IBM QRadar, LogRhythm, EMC-RSA NetWitness, McAfee Enterprise Security Manager/NitroView, Symantec Security Information Manager (SSIM).

[+] Updated results delivery module for JSON format.

[+] Updated results delivery module for XML format.

[+] Updated results delivery module for EML format.

[+] Results delivery resource consumption was reduced.

Logging:

[+] Added information about processed IPv6 connections.

Configuration console:

[+] Added interface for managing FALCONGAZE delivery profiles.

[+] Added an interface for managing SYSLOG delivery profiles that work directly with the IPC channel.

[+] Added an interface for managing NETFLOW delivery profiles that work directly with the IPC channel.

2018-04-25 Version 5.0.3.12929

Runtime environment

Windows Server 2008, Windows Server 2012, Windows Server 2016.

Data sources and objects capture

EtherSensor EtherCAP service:

[+] Updated FTP interception in case the client and/or server are behind NAT.

[+] Improved work with fragmented IP packets.

[+] Integration with the updated IPC at the operating system kernel level.

Captured objects analysis:

[+] Updated detectors: odnoklassniki.ru, !generic.

[+] Added field <PRI> to the CEF log for HTTP requests.

[-] Fixed the composition of the CEF|SquidAccess string: an excess slash could appear in the request field after "=", e.g. request=/https://r3--.

Delivering analysis results to consumer system:

[+] Updated libraries iwthrift.dll, libcrypto-1_1-x64.dll, libcurl.dll, libssh2.dll, libssl-1_1-x64.dll, libxml2.dll, libxmlsec-openssl.dll, libxmlsec.dll, libxslt.dll, zlib1.dll.

[+] Added download/upload direction for SMB events in the InfoWatch Traffic Monitor.

[+] Added download/upload direction for FTP events in the InfoWatch Traffic Monitor.

[-] Fixed a rarely reproducible error when converting messages to EML: in some cases the line breaks in the headers were not handled correctly.

[-] Fixed a minor error in the calculation of the amount of data sent to the consuming system.

[+] Updated Lua script for SYSLOG transport, included in the distribution.

[-] Fixed a bug in Lua engine for SYSLOG transport: incorrect retrieval of message body content in Lua script.

Logging:

[+] A more accurate calculation and display of performance counters.

Configuration console:

[+] Added the ability to delete quoted results.

[+] Added the ability to empty EtherSensor logs.

[+] The "Apply" button has been added to the service settings: it saves the changes and restarts the service (services).

[+] The logic of controlling the start and stop of services when updating EtherSensor is improved.

Updater

[+] Improved the performance of the update service through a proxy server.

[-] Fixed handling of Russian characters in the update service configuration.

2018-03-20 Version 5.0.2.12765

Data sources and objects capture

EtherSensor EtherCAP service:

[+] Traffic capture engine was updated.

[+] Support for RSS (Receive Side Scaling) was added: hardware-accelerated processing of traffic on multicore systems using standard equipment.

[+] Integration with the updated IPC at the operating system kernel level was added.

[+] Processing of traffic streams up to 20 Gbit was added.

[+] Resource usage was decreased by a factor of 4.

[+] Capture and processing of WebSocket protocol was added.

[+] Capture and processing of SMB1 and SMB2 protocol was added.

[+] ICQ and MRA protocols were updated.

[+] WEB tunnels decapsulation (CONNECT method, WebSocket) was added.

[+] SOCKS tunnels decapsulation, recognition and processing for protocols in SOCKS was added.

[-] Errors were fixed in IMAP4 processing.

Captured objects analysis:

[+] IPC (Inter Process Communications) engine was updated.

[+] Speed of real time data processing was increased.

[+] Resource usage was decreased by a factor of 2.

[+] HTTP request processing was extended, support for ACL, AJAX, BAN, BASELINE-CONTROL, BCOPY, BDELETE, BIND, BITS_POST, BMOVE, BPROPFIND, BPROPPATCH, CCM_POST, CHECKIN, CHECKOUT, CONNECT, COPY, DELETE, GET, HEAD, HTML, INVOKE, JSON, LABEL, LINK, LOCK, LOG, MERGE, MKACTIVITY, MKCOL, MKREDIRECTREF, MKWORKSPACE, MOVE, M-SEARCH, NETHCMD, NOTIFY, OPTIONS, ORDERPATCH, PATCH, POLL, POST, PROPFIND, PROPPATCH, PURGE, PUT, REBIND, REPORT, REQMOD, RESPMOD, SEARCH, SCRIPT, SOURCE, SUBSCRIBE, TRACE, UNBIND, UNCHECKOUT, UNLINK, UNLOCK, UNSUBSCRIBE, UPDATE, UPDATEREDIRECTREF, VERSION-CONTROL, X-MS-ENUMATTS methods was added.

[+] A possibility to generate an HTTP request log in CEF format to deliver to SIEM systems was added to HTTP filter.

[+] Detection of WebSocket based chats (Skype, Mobile Applications, Web Chats) was added.

[+] Web WhatsUp (contact lists, user identification) events processing was added.

[+] Detection of Google Protobuf (Gmail) based messages was added.

[+] Detection of Web Skype messages was added.

[+] Detection of Web ICQ, MRA (Mail.ru Group) messages was added.

[+] Detection of file transfer via SMB1 and SMB2 protocols was added.

[+] Web detectors were updated: !generic,!fileupload, accounts, facebook.com, google.com, mail.ru, mamba.ru, odnoklassniki.ru, vkontakte.ru, yandex.ru.

Delivering analysis results to consumer system:

[+] IPC integration was added.

[+] Resource usage was decreased by a factor of 2.

[+] Message delivery via the SYSLOG protocol was added. Formation of SYSLOG messages can be customized through integration with the Lua scripting language, so messages can be formed in custom formats.

[+] Message delivery via SYSLOG protocol using TCP was added, SSL support was implemented.

[+] A Lua integration module was added to send results via the SYSLOG protocol in CEF format. Example consumers: Splunk, HP ArcSight, IBM QRadar, LogRhythm, EMC-RSA NetWitness, McAfee Enterprise Security Manager/NitroView, Symantec Security Information Manager (SSIM).

Logging:

[+] EtherSensor log records were translated and are now being logged in English.

[+] HTTP request log in CEF format was added.

Configuration console:

[+] The update service was integrated into the EtherSensor installation package.

2016-09-16 Version 4.5.6.10479

Data sources and objects capture

EtherSensor EtherCAP service:

[+]Protocol parser was added for httpv2.

[+]Protocol parser was added for skype: interception and transfer of files, text messages, contact lists.

[-]An error was fixed in http, ftp, and pop3 protocol processing.

[-]An error was fixed in the processing of the old version configuration.

EtherSensor ICAP service:

[+]The X-Sensor-Net-Interface-Id header value now includes the port being listened on, e.g.: icap-000-1344.

[-]An error was fixed in ICAP protocol header processing which resulted in incorrect message generation.

Captured objects analysis:

[+]The X-Sensor-Httpv2: Microolap EtherSensor header was added to distinguish HTTP query filter processing results during the processing of messages transmitted over the httpv2 protocol.

[+]Processing of messages transmitted over the skype protocol was added.

[+]The "Check network interface ID (X-Sensor-Net-Interface-Id)" rule was added to the HTTP filter.

[+]The "Remove message attachment by name" action was added to the message filter.

[+]The following detectors were updated: !generic, !fileupload, cv (careerist.ru, hh.ru, job.ru, job50.ru, job-mo.ru, jobsmarket.ru, rabotavia.ru, rabota.by, rabota.ru, rosrabota.ru, superjob.ru, zarplata.ru), facebook.com, google.com, gorod55, ipboard, linkedin.com, livejournal.com, loveplanet.ru, mail.ru, mamba.ru, mfd.ru, my.mail.ru, mybb, odnoklassniki.ru, phpBB, pochta.ru (qip.ru), rambler.ru, smsmms (skylink.ru, megafon.ru, mts.ru, tele2.ru), twitter.com, vbulletinboard, vkontakte.ru, wordpress.com, yandex.ru, xmpp.

[-]An error was fixed in search query processing.

[-]An error was fixed in MIME part processing.

Delivering analysis results to consumer system:

[+]DeviceLock Enterprise Server (DLES) transport was added. It can be used to deliver messages natively to the DeviceLock Enterprise Server.

[-]An error was fixed in message translation to the EML.

[-]An error was fixed in message attachment encoding into base64.

[-]An error was fixed in sending chats to the INFOWATCH Traffic Monitor.

Logging:

[+]Debug counter logging was added.

Configuration console:

[+]The "Check network interface ID (X-Sensor-Net-Interface-Id)" rule was added to the HTTP filter.

[+]The "Remove message attachment by name" action was added to the message filter.

[+]Message transport profile was added to DeviceLock Enterprise Server.

2016-05-11 Version 4.5.5.10199

Data sources and objects capture

EtherSensor EtherCAP service:

[*]Code profiling; EtherSensor EtherCAP service performance increased by 20%.

[-]The protocol parser plug-in system was removed.

Captured objects analysis:

[*]Code profiling; EtherSensor Analyser service performance increased by 50%.

[+]Intercepted messages can now be saved in JSON format.

[+]Message encoding detection reliability was increased.

[+]Message detection reliability was increased.

[+]The following detectors were updated: !generic, accounts, chanboard, cv (careerist.ru, hh.ru, hotjob.ru, jobsmarket.ru, job.ru, rabotamedikam.ru, rabotavgorode.ru, rabota.mail.ru, rabota.ru, rosrabota.ru, superjob.ru, zarplata.ru), hotmail.com, facebook.com, google.com, gorod55, icq, ipboard, linkedin.com, livejournal.com, loveplanet.ru, lync, mail.ru, mamba.ru, my.mail.ru, mybb, myspace.com, newmail.ru, nextmail.ru, odnoklassniki.ru, phpBB, pochta.ru (qip.ru), rambler.ru, smsmms (beeline.ru, megafone.ru, mts.ru, tele2.ru), twitter.com, vbulletinboard, vkontakte.ru, ukr.net, wordpress.com, yandex.ru, yahoo.com.

[-]Message detector plug-in system was removed.

[-]A rarely reproduced error was fixed which resulted in memory leaks.

[-]An error was fixed in temporary file processing which resulted in disk space leaks.

[-]An error was fixed in processing Microsoft Skype for Business messages.

Delivering analysis results to consumer system:

[+]The INFOWATCH Traffic Monitor transport profile was added.

[-]An error was fixed in message translation to EML.

[-]A rarely reproduced error was fixed which resulted in memory leaks during EML envelope generation.

[-]A rarely reproduced error was fixed: sometimes the transport service crashed when configuration was being read.

Configuration console:

[+]The INFOWATCH Traffic Monitor message transport profile was added.

[+]The configuration file last updated time was added to Microolap EtherSensor diagnostic reports.

[-]An error was fixed in rule attribute processing in message filters.

2016-02-09 Version 4.5.4.9893

Data sources and objects capture

EtherSensor EtherCAP service:

[*]ICQ protocol parser was updated.

[*]ICAP protocol parser was updated for integration with ICAP clients via passive traffic listening.

EtherSensor ICAP service:

[-]An error was fixed with writing to logs.

Captured objects analysis:

[+]Attachment translation to EML is now faster.

[+]A mechanism was added to bypass the disk subsystem when passing messages to the transport service.

[+]Message detection reliability was increased.

[+]The following detectors were updated: !generic, accounts, chanboard, cv (careerist.ru, hh.ru, hotjob.ru, jobsmarket.ru, job.ru, rabotamedikam.ru, rabotavgorode.ru, rabota.mail.ru, rabota.ru, rosrabota.ru, superjob.ru, zarplata.ru), hotmail.com, facebook.com, google.com, gorod55, icq, ipboard, linkedin.com, livejournal.com, loveplanet.ru, mail.ru, mamba.ru, my.mail.ru, mybb, myspace.com, newmail.ru, nextmail.ru, odnoklassniki.ru, phpBB, pochta.ru (qip.ru, borda.ru, pochta.com), plaxo.com, rambler.ru, search-query, smsmms (beeline.ru, megafone.ru, mts.ru, mysmsbox.ru, tele2.ru), twitter.com, vbulletinboard, vkontakte.ru, wordpress.com, yandex.ru, yahoo.com.

[-]A rarely reproduced error was fixed which resulted in memory leaks.

[-]A rarely reproduced error was fixed with message filtering.

Delivering analysis results to consumer system:

[*]DNS Round Robin is now used to distribute the load over consumers of the results of analysis of reconstructed objects.

[+]Error counters were added for the transport service cache.

[-]An error was fixed with EML envelope generation.

Logging:

[+]Counters of the results delivery service cache are now logged to counters.log.

Configuration console:

[*]Separate threads are now used for starting, stopping, pausing and restarting.

[*]User interface of the message filter editor was changed.

[+]Counter descriptions were clarified.

2015-12-16 Version 4.5.3.9707

Configuration console:

[+]Module names in the licensing system were updated.

2015-12-15 Version 4.5.2.9700

Data sources and objects capture

EtherSensor EtherCAP service:

[*]GRE protocol processing was improved.

[*]PCAP file processing was improved.

[+]Support was added for Windows 10 (Windows Server 2016 Preview).

[+]When the service is stopped, threads are now forced to close after a 10-second timeout (to make service restart more responsive).

EtherSensor ICAP service:

[+]Reports can now be created when the service crashes.

[+]When the service is stopped, threads are now forced to close after a 10-second timeout (to make service restart more responsive).

[-]An error was fixed in the Windows Server 2003 environment.

[-]An error was fixed in interoperation with Allow 204.

[-]An error with the incorrect month in file and folder names for the ICAP Raw dump was fixed.

Captured objects analysis:

[+]When the service is stopped, threads are now forced to close after a 10-second timeout (to make service restart more responsive).

[+]The "This is a multipart message in MIME format." body is now forcibly moved to the end of the message body list.

[+]Reports can now be created when the service crashes.

[+]The error log for message detection context initialization was made more detailed.

[-]An error was fixed with the "Write to log" action of the message filter.

[-]An error was fixed in processing data from data\replay directory.

[-]An error was fixed in data processing from EtherSensor agents.

[-]An error was fixed in XML file processing.

[-]An error was fixed in RFC822 EML address parsing.

Delivering analysis results to consumer system:

[+]When the service is stopped, threads are now forced to close after a 10-second timeout (to make service restart more responsive).

[-]An error was fixed with sending results from a group profile: a thread using a group profile could enter an infinite loop.

[-]An error was fixed with EML envelope generation.

Logging:

[+]When the service is stopped, threads are now forced to close after a 10-second timeout (to make service restart more responsive).

Configuration console:

[+]Counter display was clarified.

[-]An error was fixed with losing focus when tree nodes in the "Performance" tab are switched.

2015-11-11 Version 4.5.1.9623

Data sources and objects capture

EtherSensor EtherCAP service:

[*]Memory loss during traffic capture was significantly reduced.

[*]TCP connection reconstruction performance is now higher in the Packet Sniffer SDK traffic capture library.

[+]VLAN 802.1Q packet processing was added to the Packet Sniffer SDK traffic capture library.

[+]The maximum number of packets held per TCP thread can now be set in the Packet Sniffer SDK traffic capture library.

[+]Protocol parsers were added for SOCKS4 and SOCKS5. They can be used to monitor and intercept messages tunneled over SOCKS.

[+]ICAP parser was added. It can be used to passively monitor ICAP connections without any changes to the existing architecture.

EtherSensor ICAP service:

[+]SECURE ICAP operating mode was added. The ICAP server can now use SSL to create secure connections to ICAP clients.

[+]LYNC messages on Microsoft Lync (Microsoft Skype for Business) servers can now be intercepted. This feature is integrated with the Microolap LYNC agent which operates over the ICAP protocol.

Captured objects analysis:

[*]Memory consumption during message detection and analysis is now significantly lower.

[+]Message filters can now send arbitrary (compound) messages to SYSLOG servers for integration with SIEM systems.

[+]Detected search queries for search engines (google.com, rambler.ru, yandex.ru, mail.ru, aport.ru, bing.com, yahoo.com, wikipedia.org) can now be sent over the SYSLOG protocol.

[+]The following message detectors were updated: blogger.com, cv (careerist.ru, hh.ru, job50.ru, job.ru, rabota.ru, superjob.ru, zarpalata.ru), facebook.com, hotmail.com, linkedin.com, livejournal.com, loveplanet.ru, mamba.ru, mail.ru, my.mail.ru, moikrug.ru, odnoklassniki.ru, pochta.ru, rambler.ru, smsmms (beeline.ru, megafon.ru, mts.ru, skylink.ru, tele2.ru, wsms.ru), ukr.net, vkontakte.ru (reading incoming messages was added), wordpress.com.

Delivering analysis results to consumer system:

[*]Memory consumption during message sending is now significantly lower.

[+]The new SFTP transport protocol was added to send messages over SSH.

Configuration console:

[+]SFTP transport profile was added.

2015-10-01 Version 4.5.0.9505

Data sources and objects capture

EtherSensor EtherCAP service:

[+]Protocol parsers were added for ICAP and SOCKS.

EtherSensor ICAP service:

[+]The ICAP server now supports Secure ICAP (SSL) secured connections.

[+]LYNC messages on Microsoft Lync servers can now be intercepted. This feature works in combination with the Microolap LYNC agent.

[+]Detected search queries can now be sent over the SYSLOG protocol.

Captured objects analysis:

[*]Memory consumption was significantly reduced.

[+]Protocol detectors were updated.

[+]Incoming vkontakte.ru messages can now be intercepted.

Delivering analysis results to consumer system:

[+]The new SFTP transport protocol was added.

Logging:

[+]Channel names can now be assigned to messages sent over the SYSLOG protocol.

Configuration console:

[+]Statistics can now be sent over the SYSLOG protocol.

2014-07-08 Version 4.4.1.8036

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The Packet Sniffer SDK traffic capture library was updated: TCP connection reconstruction performance is now higher.

[*]POP3 parser was improved:

Added support for the AUTH extension with a multipage response.

The situation when Login and Password are not provided is handled correctly.

[+]IMAP4 protocol parser was added.

[+]Protocol parsers were added for NMDC and ADC (DC++).

[+]TORRENT protocol detector for TCP connections was added.

[+]SSL protocol detector was improved (support was added for TLS 1.1 and TLS 1.2).

[-]An error was fixed in the SSL protocol detector which sometimes resulted in insignificant memory leaks.

[-]An error was fixed in calculation of sessions closed by timeout.

[-]An error was fixed in PCAP file processing: "hard" session reset after the end of PCAP file processing was removed; connections are now closed by timeout.

EtherSensor ICAP service:

[-]An error was fixed with X-Sensor-Icap-Authenticated-User and X-Sensor-Icap-Authenticated-Group header transcoding.

[-]An error was fixed in passing requests to the analysis service: in rare cases requests had not been passed for further processing.

Captured objects analysis:

[*]Recognition validity and processing efficiency in the !generic detector are now higher.

[*]Recognition validity for file uploading (downloading) in the !file-upload detector is now higher. URL-based file name generation (when the HTTP query contains no explicit file name) was made more logical.

[+]The following detectors were updated: blogger.com, cv (careerist.ru, hh.ru, job50.ru, job.ru, job-mo.ru, job.ws, jobsmarket.ru, rabotamedikam.ru, rabotavgorode.ru, rabota.mail.ru, rabota.ru, superjob.ru, zarpalata.ru), diary.ru, google.com, gorod55, facebook.com, hotmail.com, linkedin.com, livejournal.com, loveplanet.ru, mamba.ru, mail.ru, my.mail.ru, mfd.ru, moikrug.ru, odnoklassniki.ru, pochta.ru, rambler.ru, smsmms (beeline.ru, megafon.ru, mts.ru, skylink.ru, tele2.ru, wsms.ru), twitter.com, yandex.ru, yahoo.com, ukr.net, vkontakte.ru, wordpress.com.

[+]The OWA (Outlook Web Access) detector was added. It detects messages sent, edited and viewed in the Outlook Web Access system.

[-]An error with message filter condition processing was fixed which affected filtering message duplicates by the Message-ID field or the MD5 hash of the message (CHECK-MESSAGE-ID, CHECK-MD5). These actions sometimes resulted in errors.

[-]An error was fixed in processing e-mail messages with an empty TO field; sometimes such processing threw an error.

[-]An error was fixed with file name processing in the FTP detector. Processing such messages resulted in failure sometimes.

[-]An error was fixed with HTTP query decoding; sometimes HTTP parameters were left not decoded.

[-]An error was fixed with IM detector: decoding BASE64 data sometimes resulted in errors.

Delivering analysis results to consumer system:

[*]SMTP transport performance was improved.

Logging:

[*]Resource consumption of the Microolap EtherSensor counter value collection and storage process was reduced.

[+]Transport service log entry format was extended: numeric IDs of sending threads were added to logged messages, making it possible to track the event sequence of a given sending thread.

Configuration console:

[+]Functionality check was added for transport profiles (SMTP, FTP, FILEDROP, SMB). You can now bypass message interception and processing and check how the transport profile operates directly after changing its settings.

[+]ipconfig /all output was added to the Microolap EtherSensor operation report.

[+]HTTP query filter and message filter editors were added. You can now use the graphic environment to manage filters.

[+]Editing of quotas for processed results is now done in the quotas.xml file.

2013-11-12 Version 4.4.0.7340

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The pssdk6.sys traffic interception driver was changed. The old version sometimes resulted in BSOD.

[*]URI parsing logic was changed in the HTTP protocol parser.

[*]FTP protocol parser was updated: sometimes it resulted in the crash of the ethcapsvc.exe service.

[*]SMTP protocol parser was updated: multiline server responses for the WELCOME and other commands had been processed incorrectly.

[*]TCP connections that are not terminated properly according to the RFC are now logged with the "warning" status.

Captured objects analysis:

[*]Recognition validity and processing efficiency for Lotus Notes messages are now higher.

[*]The (CHECK-MESSAGE-ID) message filter condition for message duplicate filtering by the Message-ID field was updated.

[+]The X-Sensor-Lotus-MessageId header is now checked for the LOTUS protocol.

[*]The message filter condition for message filtering by IP addresses was updated. The address check type for "any" addresses was added.

<rule enabled="true">
 <match>
   <c name="ip"
      address="any"
      value="10.64.40.24" />
 </match>
 <action name="drop" />
</rule>

[+]The SAVE RAW DATA action was added to the message filter. This action can be used to save the source (original) data of the message.

[+]You can now attach source data to the message:

<rule enabled="1">
 <comment>For all HTTP objects save original data.</comment>
 <match>
   <c name="protocol" value="http" />
 </match>
 <action name="save-raw-data" value="true" />
</rule>
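As an added illustration (not the product's own code), the following Python evaluator parses the two message-filter rules quoted above and applies them to constructed message metadata. The condition semantics are assumptions made for the illustration: address="any" matches either endpoint of the connection (with "src" and "dst" as the assumed one-sided variants), a protocol condition compares protocol names case-insensitively, all conditions in a match block must hold, and a drop action stops further rule processing.

```python
import xml.etree.ElementTree as ET

# The two rules quoted in this changelog entry, wrapped in a <filter> root
# element so they can be parsed as a single document (constructed sample).
RULES_XML = """
<filter>
  <rule enabled="true">
    <match>
      <c name="ip" address="any" value="10.64.40.24" />
    </match>
    <action name="drop" />
  </rule>
  <rule enabled="1">
    <comment>For all HTTP objects save original data.</comment>
    <match>
      <c name="protocol" value="http" />
    </match>
    <action name="save-raw-data" value="true" />
  </rule>
</filter>
"""

# The page uses both enabled="true" and enabled="1", so accept both spellings.
TRUE_VALUES = {"true", "1", "yes"}


def condition_matches(cond, msg):
    """Evaluate one <c> condition against message metadata (assumed semantics)."""
    name = cond.get("name")
    value = cond.get("value", "")
    if name == "ip":
        # address="any" checks both endpoints; "src"/"dst" are assumed one-sided forms.
        side = cond.get("address", "any")
        candidates = {
            "src": [msg["src_ip"]],
            "dst": [msg["dst_ip"]],
            "any": [msg["src_ip"], msg["dst_ip"]],
        }
        return value in candidates[side]
    if name == "protocol":
        return msg["protocol"].lower() == value.lower()
    raise ValueError(f"unsupported condition: {name}")


def evaluate(rules_xml, msg):
    """Return the (action, value) pairs triggered for a message, in rule order.

    Disabled rules are skipped; every condition in <match> must hold for the
    rule's actions to fire; a 'drop' action terminates processing.
    """
    root = ET.fromstring(rules_xml)
    actions = []
    for rule in root.findall("rule"):
        if rule.get("enabled", "false").lower() not in TRUE_VALUES:
            continue
        match = rule.find("match")
        conds = list(match.findall("c")) if match is not None else []
        if all(condition_matches(c, msg) for c in conds):
            for act in rule.findall("action"):
                actions.append((act.get("name"), act.get("value")))
            if any(name == "drop" for name, _ in actions):
                break
    return actions


if __name__ == "__main__":
    # Constructed sample metadata for three intercepted objects.
    samples = [
        {"src_ip": "10.64.40.24", "dst_ip": "198.51.100.7", "protocol": "http"},
        {"src_ip": "192.0.2.10", "dst_ip": "10.64.40.24", "protocol": "smtp"},
        {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.7", "protocol": "HTTP"},
    ]
    for sample in samples:
        print(sample, "->", evaluate(RULES_XML, sample))
```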

[+]The following detectors were updated: CV (hh.ru, job50.ru, job.ru, job.ws, jobsmarket.ru, rabotamedikam.ru, rabotavgorode.ru, rabota.mail.ru, rabota.ru, rabota.by, superjob.ru), diary.ru, google.com (Google Hangouts web message interception was added), gorod55, facebook.com, linkedin.com, livejournal.com, loveplanet.ru, mamba.ru, mail.ru, my.mail.ru, mfd.ru, moikrug.ru, pochta.ru, smsmms (mysmsbox.ru, megafon.ru, mts.ru, skylink.ru, tele2.ru, wsms.ru), yandex.ru, yahoo.com, ukr.net, vkontakte.ru, wordpress.com.

[+]Reconstruction of files downloaded in parts over the HTTP protocol was added.

[-]An error was fixed with accidentally switching to demo mode with an active license: module license expiration dates were checked incorrectly.

Delivering analysis results to consumer system:

[+]Message headers now include the current Microolap EtherSensor UHID: the X-Sensor-UHID header.

[-]An error was fixed in SMTP transport. Sometimes closed connections were used to send messages to archive.

Logging:

[*]Incorrectly closed TCP connections are now logged with the "warning" status. A special rule is created in the default configuration of the watcher service which logs such messages to a separate file.

<LogRule output="file://capstrange.log"
        maxsize="10Mb"
        encoding="utf-8"
        endline="CR,LF">
 <Channel name="CAPMAIN" loglevels="error, warning, criterr" />
</LogRule>

[-]An error was fixed with the calculation of module expiration time in the logging system messages.

[-]An error was fixed with getting the full path to the message log file.

[-]An error was fixed with saving statistics which sometimes resulted in memory leaks.

Configuration console:

[*]mconsole.exe, kppsreport.exe, perfmonitor.exe utilities were integrated into a single Microolap EtherSensor management application - mconsole.exe.

[+]The Ctrl+S hotkey was added to save a modified configuration.

[+]All Microolap EtherSensor services can now be stopped, started and restarted at once.

[+]A Microolap EtherSensor diagnostic report can now be unpacked to a separate directory.

[+]Message and HTTP query filters can now be re-formatted to improve filter readability.

[-]An error was fixed with filter display (incorrect filter encoding).

[-]An error was fixed with getting the full path to the message log file.

[-]An error was fixed with performance counter update.

[-]An error was fixed with license load and display. Sometimes the application crashed.

[-]An error was fixed with saving filedrop profile settings.

2013-07-10 Version 4.3.9.7149

Data sources and objects capture

EtherSensor EtherCAP service:

[-]An error was fixed in the SSL protocol parser. Sometimes its incorrect operation resulted in the crash of the ethcapsvc.exe service.

[-]An error was fixed with counting recognized connections by protocol parsers.

Captured objects analysis:

[*]The algorithm of directory spool index recovery was updated. The System.Data.SQLite.dll library (version 1.0.86.0) was updated.

[+]Support for anonymizers was added: if the anonymizer list is not empty then service detectors process traffic for domains from this list. EtherSensor Analyser service configuration was updated.

[+]Detector was added for the gorod55.ru service.

Delivering analysis results to consumer system:

[+]SMB transport profile was added. You can use this profile to write messages to network shares.

[+]GROUP transport profile was added. This profile is used to reserve transport profiles and balance the load on message consumers.

[+]The keep-connection flag was added to the SMTP transport profile algorithm; it can be used to enable or disable keeping the connection to an SMTP server open.

[+]The profile-fail-timeout option was added to all transport profiles, which can be used to set the time in seconds after which the profile will be locked if messages cannot be sent to that receiver.

[+]The pgo-profile-reserve option was added to all profiles, which can be used to set the profile reserve flag. This setting is only applicable in a group profile.

[+]The profile-fail-timeout option was added to all profiles, which can be used to set profile weight. This setting is only applicable in a group profile.

Logging:

[-]An error was fixed in archiving the Microolap EtherSensor statistics.

Configuration console:

[+]Anonymizer domain list management was added.

[+]The profile-fail-timeout, pgo-profile-reserve, profile-fail-timeout options were added to all transport profiles.

[+]SMB and GROUP transport profile management was added.

2013-05-30 Version 4.3.8.6986

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The Packet Sniffer SDK (pssdk.dll) library was updated. The EtherSensor EtherCAP service sometimes crashed with the previous version of this library when intercepted traffic was processed.

EtherSensor ICAP service:

[+]Support was added for the new "ICAP integration" licensing option.

Captured objects analysis:

[*]The following detectors were updated: CV (hh.ru, jobsmarket.ru, job.ru, rabota.ru, superjob.ru, zarpalata.ru), blogger.com, chanboard, facebook.com, linkedin.com, livejournal.com, loveplanet.ru, mail.ru, mamba.ru, my.mail.ru, pochta.ru, rambler.ru, twitter.com, vkontakte.ru, yahoo.com, yandex.ru, ukr.net, wordpress.com.

[+]A new condition for the Message-ID header was added to message filters.

[+]A new action was added to message filters which adds or modifies a certain header in the message (except for From, To, Cc, Bcc, Subject, Date headers).

Delivering analysis results to consumer system:

[*]Service configuration was updated: the save-xheaders option was replaced with the save-headers option in all transport profiles in order to save message headers to a separate attachment named microolap_msis_headers.txt.

[*]SMTP transport performance was improved: now multiple messages can be sent over an existing connection.

Logging:

[*]EtherSensor Watcher service configuration was updated: the gathering of Microolap EtherSensor statistics can now be controlled.

[*]The performance of Microolap EtherSensor log and statistics archiving was improved, required disk space was reduced.

Configuration console:

[*]The visual appearance of counters was modified.

[+]Added the option to save headers in a separate save-headers attachment to all delivery profile types.

[+]The gathering of Microolap EtherSensor statistics can now be controlled.

2013-04-08 Version 4.3.7.6840

Captured objects analysis:

[*]E-mail address detection algorithm (From, To, Cc, Bcc) was updated.

[*]The code was profiled to reduce memory usage.

[+]The following detectors were updated: CV (careerist.ru, hh.ru, job-mo.ru, job50.ru, jobsmarket.ru, job.ru, rabotavgorode.ru, rabota.mail.ru, rabota.ru, superjob.ru, zarpalata.ru), blogger.com, facebook.com, linkedin.com, livejournal.com, loveplanet.ru, mail.ru, mamba.ru, my.mail.ru, odnoklassniki.ru, pochta.ru, rambler.ru, smsmms (beeline.ru, megafon.ru, mts.ru, smste.ru, tele2.ru), twitter.com, vkontakte.ru, yahoo.com, yandex.ru, wordpress.com.

Delivering analysis results to consumer system:

[+]The number of sending threads in the EtherSensor Transfer service can now be managed.

[+]The save-xheaders option was added to all transport profiles in the EtherSensor Transfer service in order to save X-Sensor headers to a separate message body.

Configuration console:

[*]The visual appearance of counters was modified in the "Performance", "Network adapters", "Intercepted object cache", "Disk quotas" nodes.

[+]Sensor ID can now be edited in the EtherSensor Transfer service configuration.

[+]The number of sending threads of the EtherSensor Transfer service can now be managed depending on the sensor hardware (it can be in the range from 1 to CPU * 2).

[+]The save-xheaders option was added to all transport profiles in order to save X-Sensor headers to a separate message body.

2013-03-11 Version 4.3.6.6714

Data sources and objects capture

[-]An error was fixed in the crashreport.dll exception processing module.

Captured objects analysis:

[*]E-mail address detection reliability (From, To, Cc, Bcc) was improved.

[*]The code was profiled to reduce memory usage.

Configuration console:

[*]Collection of data about PCAP files and minidumps was restricted: up to 50 in a list.

2013-02-21 Version 4.3.5.6608

Captured objects analysis:

[+]The following detectors were updated: blogger.com, hotmail.com, myspace.com, moikrug.ru, rambler.com, twitter.com, ukr.net, yahoo.com.

[-]An error was fixed with analyzing HTTP queries from the Microolap EtherSensor ICAP server.

2013-02-14 Version 4.3.4.6584

Data sources and objects capture

EtherSensor EtherCAP service:

[+]The service is now forced to restart in case of exceptions. Previously it attempted to continue operation which resulted in uncontrolled memory consumption and other failures (such as a great number of service process dumps).

[-]An error was fixed in the traffic interception driver, which sometimes resulted in the OS (Win2008/Win7/Win2012/Win8) restarting during uninstallation.

Captured objects analysis:

[*]Memory and CPU resource consumption was reduced for reconstructed object processing.

[+]The following detectors were updated: yahoo.com, yandex.com.

[+]To enable support of Microolap EtherSensor agents, the Microolap EtherSensor license must now have the option for Microolap EtherSensor agents.

[-]An error was fixed with the analysis of HTTP query form parameters.

Configuration console:

[-]An error was fixed with diagnostic report generation: sometimes the management console could consume too much memory when the Microolap EtherSensor operation report was being generated.

[-]An error was fixed with checking the version.xml file in the Microolap EtherSensor update system.

2013-02-01 Version 4.3.3.6536

Captured objects analysis:

[+]Support was added for the new Microolap EtherSensor agent message, which allows you to add X-Sensor-UID-AdapterType, X-Sensor-UID-MacAddress headers to interception results.

[+]The following detectors were updated: !generic.

Configuration console:

[*]The application now loads faster.

[*]Corrections were made to bulk filter editing.

2012-12-26 Version 4.3.2.6488

Data sources and objects capture

EtherSensor EtherCAP service:

[+]Support was added for a new traffic interception driver. The new driver is now used for installations on Windows Vista and later (up to and including Windows 8/Windows 2012);

[-]An error was fixed with TCP connection reconstruction. Now the ECE and CWR flags (RFC 3168) are supported.

2012-12-07 Version 4.3.1.6448

Data sources and objects capture

EtherSensor LotusTXN service:

[+]Message sent time can now be retrieved.

[-]An error was fixed which occurred when a network share with Lotus Notes Transaction Log files was being closed.

Captured objects analysis:

[+]The following detectors were updated: blogger.com, CV (hh.ru, job-mo.ru, job.ru, rabota.ru, rabota.mail.ru, superjob.ru), facebook.com, livejournal.com, linkedin.com, mail.ru, mamba.ru, my.mail.ru, myspace.com, odnoklassniki.ru, pochta.ru, rambler.ru, smsmms (megafon, mts), twitter.com, vkontakte.ru, yahoo.com, yandex.ru.

[-]An error was fixed with email address detection.

Configuration console:

[+]SMTP port setting was added to the SMTP profile.

[-]Errors were fixed with adding logging rules.

2012-11-21 Version 4.3.0.6413

Data sources and objects capture

[+]Release of the EtherSensor LotusTXN, which extracts messages from Lotus Notes Transaction Log.

Captured objects analysis:

[+]Analysis of objects provided by the EtherSensor LotusTXN service.

2012-11-15 Version 4.2.3.6399

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The Packet Sniffer SDK traffic capture library was updated. TCP connection reconstruction performance is now higher, memory consumption was reduced.

[*]The visual appearance of traffic capture performance counters was modified.

EtherSensor LotusTXN service:

[*]Pre-release of the EtherSensor LotusTXN service.

Captured objects analysis:

[*]A separate queue was implemented for analysis of big raw interception data. Now all cached objects which are dumped to disk due to their size are analyzed in a separate queue in order to save memory.

[+]The following detectors were updated: blogger.com, CV (hh.ru, job-mo.ru, job.ru, rabota.ru, rabota.mail.ru, superjob.ru), facebook.com (210 new urls were added), google.com, hotmail.com, livejournal.com, linkedin.com, mail.ru, mamba.ru, my.mail.ru, moikrug.ru, myspace.com, odnoklassniki.ru, pochta.ru, rambler.ru, smsmms (megafon, mts, skylink, tele2), taba.ru, twitter.com, vkontakte.ru, ukr.net, wordpress.com, yahoo.com, yandex.ru.

Configuration console:

[-]Errors were fixed in Microolap EtherSensor service startup, stop and restart configuration.

[-]An error was fixed in the display of TCP connection detection counters.

[-]An error was fixed with display of logs.

2012-08-22 Version 4.2.2.6219

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The Packet Sniffer SDK traffic capture library was updated. TCP connection reconstruction performance is now higher, memory consumption was significantly reduced.

[+]Comments can now be added to individual packet filter rules.

Captured objects analysis:

[+]Added the check for physical memory availability. If the amount of available memory is below 50 MB, the cache with the capture results is step by step written to the disk.

[-]An error was fixed with unpacking large archives which resulted in increased memory consumption (the error with unpacking GZIP data in HTTP queries).

Delivering analysis results to consumer system:

[-]An error was fixed with the format of exception messages.

Configuration console:

[-]Errors were fixed in Microolap EtherSensor service startup, stop and restart configuration.

2012-08-14 Version 4.2.1.6196

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The Packet Sniffer SDK traffic capture library was updated: TCP connection reconstruction performance is now higher.

[*]Protocol parsing is now faster. Detected TCP sessions for each monitored network adapter are now analyzed in multiple threads simultaneously (the number of threads is equal to the number of CPU * 2).

[*]XMPP protocol parsing algorithm was updated.

[-]An error was fixed which resulted in an exception during the processing of SSL connections.

[-]An error was fixed with unpacking LZ1 attachments in Lotus Notes.

[-]An error was fixed in the processing of PCAP files with packets larger than 1514 bytes.

[-]An error was fixed in BPF filter generation.

Captured objects analysis:

[*]Disk quotas at EtherSensor Analyser startup are now analyzed faster.

[*]The transmission channel for reconstructed objects between the EtherSensor EtherCAP and EtherSensor Analyser services was made 4 times wider.
Please note:
This increases the bandwidth and makes message detection and analysis faster, but the hardware requirements for Microolap EtherSensor have also increased: 1 GB of RAM is now required. Take this into account when deploying Microolap EtherSensor to virtual machines.

[+]Added processing of the ftp://xxx.xx.xx/ scheme in HTTP requests (GET/PUT/POST), which allows files sent or received via FTP over HTTP to be processed and captured.

[+]The following detectors were updated: CV (hh.ru, job-mo.ru, job.ru, rabota.ru, job50.ru, jobsmarket.ru, rabota.mail.ru, rosrabota.ru, superjob.ru), facebook.com, hotmail.com, linkedin.com, livejournal.com, livejournal.ru, loveplanet.ru, mail.ru, my.mail.ru, mamba.ru, meebo.com, moikrug.ru, myspace.com, odnoklassniki.ru, phpbb, pochta.ru, rambler.ru, smsmms, twitter.com, vkontakte.ru, yahoo.com, yandex.ru.

[+]The \data\temp directory for temporary files is now forced to purge at Microolap EtherSensor startup.

[-]An error was fixed in the MIME parser: there was a problem with finding boundaries made of '-' characters.

[-]An error was fixed with unpacking data in HTTP queries and responses.

Delivering analysis results to consumer system:

[+]The save-zip option was added to the FTP and FileDrop transport profiles which can be used to compress objects to ZIP files.

Logging:

[+]Functions were added to monitor health and operation of the EtherSensor LotusTXN service.

Configuration console:

[+]The Lotus Notes Transaction Log message extraction service (EtherSensor LotusTXN) can now be managed.

[+]Microolap EtherSensor license and version files can now be added to diagnostic reports.

[+]EtherSensor LotusTXN service performance counters are now displayed.

[+]Yahoo protocol counters are now displayed.

[-]An error was fixed which resulted in memory leaks.

[-]Errors were fixed in Microolap EtherSensor service startup, stop and restart configuration.

2012-06-20 Version 4.2.0.6046

Data sources and objects capture

EtherSensor EtherCAP service:

[+]Protocol parsing was added for Yahoo.

EtherSensor LotusTXN service:

[+]Limited testing was started for the Lotus Notes Transaction Log message extraction service (EtherSensor LotusTXN). This service can be used to monitor and extract messages from the Lotus Notes Transaction Log and pass them for further analysis to the EtherSensor Analyser message detection and analysis service.
Please note:
The service has not been tested for full compatibility with the Lotus Notes Transaction Log "linear" transaction log style.

2012-04-19 Version 4.1.5.5923

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The Packet Sniffer SDK traffic capture library was updated. TCP connection reconstruction performance is now higher.

2012-04-16 Version 4.1.4.5917

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The Packet Sniffer SDK traffic capture library was updated. TCP connection reconstruction performance is now higher.

[-]An error was fixed with the interception of proxied connections which use the CONNECT HTTP method. Connections were processed incorrectly when the proxy server required authentication.

EtherSensor ICAP service:

[-]An error was fixed with unpacking compressed (GZIP) queries.

Captured objects analysis:

[*]Interaction protocol was updated for the Microolap EtherSensor agent.

[*]Analysis service configuration was updated (interaction settings for Microolap EtherSensor agents).

[*]Email address detection algorithm was modified for web messages.

[+]The following detectors were updated: CV (hh.ru, job-mo.ru, rabota.mail.ru, zarplata.ru), google.com (Web GTalk support was added), facebook.com, myspace.com, odnoklassniki.ru, pochta.ru, rambler.ru, smsmms, ukr.net, vbulletinboard, vkontakte.ru, yandex.ru.

Logging:

[-]An error was fixed with log archiving.

Configuration console:

[*]Display of web message processing counters was updated.

2012-03-27 Version 4.1.3.5862

[-]The installer for the previous version contained an incorrect version of agent.server.dll.

2012-03-26 Version 4.1.2.5859

Data sources and objects capture

EtherSensor ICAP service:

[-]An error was fixed in the processing of HTTP queries with non-transparent proxying. Sometimes it resulted in a failure to process queries with attachments.

Captured objects analysis:

[-]An error was fixed in the processing of HTTP queries with non-transparent proxying. Sometimes it resulted in queries with attachments failing to be processed.

Configuration console:

[*]Analysis service configuration was updated: the Microolap EtherSensor agent server can now be enabled or disabled. The agent server is disabled by default.

[-]An error was fixed with the display of ICAP server counters in the configurator (performance monitor).

2012-03-19 Version 4.1.1.9899

Data sources and objects capture

EtherSensor EtherCAP service:

[-]An error was fixed with Lotus Notes message processing. Sometimes message and metadata strings were processed incorrectly.

EtherSensor ICAP service:

[+]An "ICAP protocol synchronous" mode was added. In this mode, the ICAP server first receives the entire request from the ICAP client, and sends the response only after it is received, even in case of large requests (for example, an ISO image or another large file download/upload). If the synchronous mode is disabled, the ICAP server works in a streaming mode.
 
This means that the server does not wait until the entire request is received, but starts sending the response as soon as possible. From a user viewpoint, this means no delay in a file transfer. This is important if multimedia traffic (such as video streaming) is passed via ICAP.
 
Before that, a video stream would be sent from the ICAP proxy to a user only after it was fully downloaded to the ICAP proxy, then to the ICAP server, and then fully received back from the ICAP server. The use of the synchronous mode is required by some ICAP clients that mostly use ICAP to work with antiviruses: to make a decision on what response they send to the ICAP client, antiviruses normally need to receive the entire object (irrespective of its size) first.

Captured objects analysis:

[+]A UDP server was built in to process messages from Microolap EtherSensor agents. If Microolap EtherSensor agents are installed and working on workstations in the organization's network, they can deliver information on user-created connections to the sensor.
 
The EtherSensor Analyser service uses this information to identify the user during message interception, and to add message owner attributes to messages with the help of headers:
X-Sensor-UID: 0e515c8c-61eb-11e1-a529-000c29ff0707
X-Sensor-UID-UserName: CN=Administrator,CN=Users,DC=bigbrother,DC=foo
X-Sensor-UID-ComputerName: WS325-LOCK.bigbrother.foo

[+]Support for a new license was added. Versions 4.1 and higher of Microolap EtherSensor support licenses with subscription to updates.

[-]An error was fixed with Lotus Notes message processing. Sometimes message and metadata strings were processed incorrectly.

Logging:

[*]The performance of Microolap EtherSensor log archiving was improved, required disk space was reduced.

[+]Lotus Notes message processing statistics can now be saved.

[+]Support for a new license was added. Versions 4.1 and higher of Microolap EtherSensor support licenses with subscription to updates.

Configuration console:

[*]EtherSensor ICAP service configuration functions were updated.

[*]EtherSensor Analyser service configuration functions were updated.

2012-01-25 Version 4.0.14.9561

Data sources and objects capture

EtherSensor EtherCAP service:

[+]An algorithm was added to calculate connection timeout based on the number of monitored connections.

[+]Network adapter can now be reconnected if it was disabled and then enabled again (e.g. via the Windows management console) during EtherSensor EtherCAP operation.

Captured objects analysis:

[*]Email address parsing algorithm was updated.

[*]Detectors are now loaded faster.

[+]LZH attachments (IBM Lotus Notes format) can now be unpacked.

[+]Counters were added for messages removed by the license unit.

[+]The following detectors were updated: CV (careerist.ru, hh.ru, job-mo.ru, job50.ru, rabota.mail.ru, rabota.ru, rosrabota.ru, zarplata.ru), facebook.com, hotmail.com, linkedin.com, livejournal.com, mail.ru, mamba.ru, my.mail.ru, rambler.ru, pochta.ru, smsmms (beeline.ru, mts.ru, skylink.ru), vkontakte.ru.

[-]An error was fixed with Lotus Notes message processing.

Configuration console:

[+]A validator was added for HTTP object filters and message filters. The filter can now be checked for errors.

[+]Functions were added for loading and saving individual logs.

[+]Functions were added to view log contents (as plain text).

[+]You can now search the log for data (in plain text mode).

[+]You can now go to a certain log line (in plain text mode).

[+]Display of Lotus Notes message statistics was added.

[+]Counters were added for messages removed by the license unit.

[-]A diagnostics error was fixed which occurred during log loading and display.

2011-12-23 Version 4.0.13.9421

Captured objects analysis:

[*]The processing algorithm for large HTTP queries was updated. The HTTP filter now processes large queries without loading them into memory. Previously it could result in overconsumption of memory. This change is closely related to the use of filters similar to the following:

<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
 <table name="main">
 
   <rule enabled="1">
     <comment>
       The rule stops processing HTTP objects whose
       request or response size is greater than 100 megabytes.
     </comment>
     <match>
       <c name="size" op="gt" value="100M"/>
     </match>
     <action name="drop" />
   </rule>
 
   <rule enabled="true">
     <action name="accept" />
   </rule>
 
 </table>
</filter>
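A way to check a filter like this before deploying it, as an added example that is not the product's own code: it parses the filter XML, validates operators and size units, and evaluates sample object sizes against the rules. The first-match rule order, binary K/M/G suffixes, the extra lt/eq operators and the accept-on-no-match default are assumptions drawn from the filter shown above.

```python
"""Evaluate and sanity-check an EtherSensor-style HTTP object filter.

Added example, not code from the product. Assumed semantics, taken from the
filter shown in the changelog: rules in the "main" table are tried in order,
the first enabled rule whose <match> conditions all hold decides the action,
a rule without <match> matches everything, and "size" values accept K/M/G
suffixes. Only the "gt" operator appears on the page; "lt" and "eq" are
added here as an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the filter in the changelog entry above.
FILTER_XML = """<?xml version="1.0" encoding="utf-8"?>
<filter name="HTTP filter" version="1.0">
  <table name="main">
    <rule enabled="1">
      <comment>Drop HTTP objects larger than 100 megabytes.</comment>
      <match>
        <c name="size" op="gt" value="100M"/>
      </match>
      <action name="drop" />
    </rule>
    <rule enabled="true">
      <action name="accept" />
    </rule>
  </table>
</filter>
"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
_OPS = {"gt": lambda a, b: a > b, "lt": lambda a, b: a < b, "eq": lambda a, b: a == b}
_ACTIONS = {"drop", "accept"}


def parse_size(text: str) -> int:
    """Turn '100M', '512K' or '4096' into a byte count; reject malformed values."""
    text = text.strip().upper()
    number, unit = (text[:-1], text[-1]) if text and text[-1] in _UNITS else (text, "")
    if not number.isdigit():
        raise ValueError(f"bad size value: {text!r}")
    return int(number) * _UNITS[unit]


def _rule_enabled(rule: ET.Element) -> bool:
    # The page uses both enabled="1" and enabled="true"; accept either spelling.
    return rule.get("enabled", "1").strip().lower() in ("1", "true")


def _condition_holds(cond: ET.Element, obj: dict) -> bool:
    name, op = cond.get("name"), cond.get("op")
    if name not in obj or op not in _OPS:
        return False  # an unknown attribute or operator never matches
    expected = parse_size(cond.get("value", "")) if name == "size" else cond.get("value")
    return _OPS[op](obj[name], expected)


def validate_filter(xml_text: str) -> list:
    """Return human-readable problems; an empty list means the filter is usable."""
    problems = []
    table = ET.fromstring(xml_text).find("table[@name='main']")
    if table is None:
        return ['no <table name="main">']
    has_default = False
    for idx, rule in enumerate(table.findall("rule"), start=1):
        action = rule.find("action")
        if action is None or action.get("name") not in _ACTIONS:
            problems.append(f"rule {idx}: missing or unknown <action>")
        conds = rule.findall("match/c")
        if not conds and _rule_enabled(rule):
            has_default = True
        for c in conds:
            if c.get("op") not in _OPS:
                problems.append(f"rule {idx}: unknown op {c.get('op')!r}")
            if c.get("name") == "size":
                try:
                    parse_size(c.get("value", ""))
                except ValueError as exc:
                    problems.append(f"rule {idx}: {exc}")
    if not has_default:
        # The page's filter ends with an unconditional accept; flag its absence
        # so objects cannot silently fall through the table.
        problems.append("no unconditional final rule")
    return problems


def evaluate(xml_text: str, obj: dict) -> str:
    """Return the action ('drop' or 'accept') the filter takes for one HTTP object.

    obj carries the object's attributes, e.g. {"size": 123456} with size in bytes.
    An object no rule matches is accepted (assumption; not stated on the page).
    """
    table = ET.fromstring(xml_text).find("table[@name='main']")
    for rule in table.findall("rule"):
        if not _rule_enabled(rule):
            continue
        if all(_condition_holds(c, obj) for c in rule.findall("match/c")):
            return rule.find("action").get("name")
    return "accept"


if __name__ == "__main__":
    print(validate_filter(FILTER_XML))
    print(evaluate(FILTER_XML, {"size": 250 * 1024 ** 2}))
    print(evaluate(FILTER_XML, {"size": 10 * 1024 ** 2}))
```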

[+]The following detectors were updated: yandex.ru.

2011-12-19 Version 4.0.12.9403

Captured objects analysis:

[+]Large attachments to Lotus Notes messages packed with the LZ1 algorithm can now be unpacked.

2011-12-19 Version 4.0.11.9393

Data sources and objects capture

EtherSensor EtherCAP service:

[*]MRA protocol processing efficiency was improved.

[*]MSN protocol processing efficiency was improved.

[*]Saving problem traffic to PCAP files was made more efficient.

EtherSensor ICAP service:

[-]An error was fixed in IsTag header processing.

Delivering analysis results to consumer system:

[*]The algorithm of processing locked transport profiles was updated.

Logging:

[*]Names were changed for directories where Microolap EtherSensor statistics is accumulated.

Configuration console:

[*]Encoding is now specified explicitly in HTML files of the configurator console.

[-]Errors were fixed in the perfmon utility.

[-]An error was fixed in the bugreport utility which resulted in the utility freezing.

2011-11-29 Version 4.0.10.9285

Captured objects analysis:

[+]The following detectors were updated: facebook.com, mail.ru, pochta.ru, rambler.ru, smsmms (mts.ru), yandex.ru (incoming and outgoing messages of the WEB agent are now detected), CV (rabota.ru).

Configuration console:

[-]Errors were fixed in the perfmon utility.

2011-11-25 Version 4.0.9.9249

Data sources and objects capture

EtherSensor EtherCAP service:

[-]An error was fixed in the service stopping process which sometimes resulted in freezing.

[-]An error was fixed with MSN protocol detection.

Captured objects analysis:

[+]The following detectors were updated: mail.ru (incoming and outgoing messages of the MRA WEB agent are now detected), my.mail.ru, odnoklassniki.ru, vkontakte.ru, CV (job-mo.ru).

[-]An error was fixed with MSN protocol processing.

Delivering analysis results to consumer system:

[+]Information about the transport profile used to send the message is now logged.

Logging:

[-]An error was fixed in the EtherSensor Transfer service startup process which sometimes resulted in freezing.

Configuration console:

[*]The bugreport utility interface was updated.

[-]Errors were fixed in the bugreport utility.

2011-11-23 Version 4.0.8.9215

Captured objects analysis:

[-]An error was fixed in decoding X-Sensor-Ldap... headers

Delivering analysis results to consumer system:

[*]Log entry format was made more detailed.

Logging:

[*]Log entry format was made more detailed.

Configuration console:

[*]The bugreport utility interface was updated.

[-]Errors were fixed in the bugreport utility.

2011-11-18 Version 4.0.7.9171

Captured objects analysis:

[*]The following detectors were updated: blogger.com, facebook.com, hotmail.com, linkedin.com, mail.ru, my.mail.ru, meebo.com, myspace.com, odnoklassniki.ru, pochta.ru, rambler.ru, smsmms (megafon, mts, skylink), twitter.com, vkontakte.ru, yahoo.com, CV (careerist.ru, hh.ru, job-mo.ru, job50.ru, rabota.mail.ru, rabotavgorode.ru, rabotavia.ru, rosrabota.ru).

[-]Errors were fixed which made the EtherSensor Analyser service crash when interception results were being processed.

Delivering analysis results to consumer system:

[*]Log entry format was made more detailed.

Logging:

[*]Log entry format was made more detailed.

Configuration console:

[*]Now the bugreport utility collects all the active log entries (previously it only collected criterror, error, and warning entries).

2011-11-10 Version 4.0.6.9037

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The Packet Sniffer SDK traffic capture library was updated. Errors were fixed with TCP connection reconstruction.

Captured objects analysis:

[-]Errors were fixed which made the EtherSensor Transfer service crash (very rarely) when interception results were being processed.

Delivering analysis results to consumer system:

[*]The structure and update algorithm of EtherSensor Transfer service counters were modified.

2011-09-29 Version 4.0.5.8903

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The Packet Sniffer SDK traffic capture library was updated. 64 bit drivers were not signed in the Microolap EtherSensor 4.0.4.8875 distribution, so no traffic was captured in Vista/Win7/Win2008 (x64). This error did not appear in most installations (Win2003 x64).

Captured objects analysis:

[+]Decoding was added for the LMBCS encoding (Lotus Multibyte Character Set). The following encodings are supported: latin-1, greek, hebrew, arabic, cyrillic, latin-2, turkish, thai, unicode-16. Now addresses, subject, body, attachment names and all other headers are decoded completely.

2011-09-22 Version 4.0.4.8875

Data sources and objects capture

EtherSensor EtherCAP service:

[+]Detection and reconstruction of Lotus Notes sessions was added.

Captured objects analysis:

[+]Lotus Notes message detector was added.

2011-09-15 Version 4.0.3.8813

Captured objects analysis:

[+]The following detectors were updated: CV (rabotavgorode.ru, rosrabota.ru, careerist.ru, hh.ru, job-mo.ru, rabota.mail.ru, rabotamedikam.ru, zarplata.ru), facebook.com, my.mail.ru, mail.ru, smsmms (megafon, mts, skylink), yahoo.com (incoming mail).

Logging:

[-]An error was fixed which resulted in memory leaks.

2011-08-18 Version 4.0.2.8709

Data sources and objects capture

EtherSensor EtherCAP service:

[+]Statistical processing of the SSL protocol was added: statistics are accumulated for SSL connections, and results are generated with SSL connection lists. You can disable this feature in the configuration (ethcap.xml file) by doing the following:

<Protocol enable="false" name="ssl" />

[-]An error was fixed which sometimes resulted in exceptions at service startup.

Captured objects analysis:

[+]The following detectors were updated: odnoklassniki.ru, pochta.ru, rambler.ru, smsmms, twitter.com, vkontakte.ru, yahoo.com, yandex.ru.

[+]Now all messages that reach the stage of sending to consumers are marked with the X-Sensor-RawSource-Type header. This is to help the consumer (for example, a message archiving system) to know which initial "raw" captured data were used to get the final message. The following values are currently possible:
HttpGetRequest: The message source is an HTTP GET REQUEST
HttpPostRequest: The message source is an HTTP POST REQUEST
HttpPutRequest: The message source is an HTTP PUT REQUEST
FtpFile: The message source is an FTP file
SmtpEml: The message source is an SMTP EML
Pop3Eml: The message source is a POP3 EML
IcqContactList: The message source is an ICQ Contact List
IcqMessageList: The message source is an ICQ Message List
IcqFile: The message source is an ICQ File
IcqLoginInfo: The message source is the ICQ Login Info
MraUserInfo: The message source is the MRA user info
MraContactList: The message source is an MRA Contact List
MraMessageList: The message source is an MRA Message List
MraFile: The message source is an MRA File
MsnContactList: The message source is an MSN Contact List
MsnMessageList: The message source is an MSN Message List
MsnFile: The message source is an MSN File
XmppContactList: The message source is an XMPP Contact List
XmppMessageList: The message source is an XMPP Message List
XmppFile: The message source is an XMPP File
IrcMessageList: The message source is an IRC Message List
IrcFile: The message source is an IRC File
SkypeVersionRequest: The data source is the Get Last version request to ui.skype.com
SslSessionsList: The data source is a list of SSL sessions
 
Please note:
Certain mailing systems use POST requests to read incoming mail. In this case, the interception result for such a message will contain the header X-Sensor-RawSource-Type: HttpPostRequest.

[*]Now all messages which are ready to be transported are labeled with the X-Sensor-LicOption header. This header can have the following values:
WebMail
WebSocial
Email
IM
FT
WebMailRead
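The X-Sensor-UID headers described under version 4.1.1 above and the X-Sensor-RawSource-Type and X-Sensor-LicOption headers listed here are what a consumer system reads to route a delivered message. As an added example that is not the product's code, a consumer-side parser that validates those headers against the values on this page and applies the POST-read caveat; the sample message, the protocol grouping and the direction policy are assumptions.

```python
"""Read the X-Sensor-* headers that EtherSensor adds to delivered messages.

Added example for a consumer system (an archive or DLP import), not code from
the product. Header names and the value lists come from the changelog; the
sample message is constructed, and the inbound/outbound policy in classify()
is an assumption for illustration.
"""
from dataclasses import dataclass
from email import message_from_string
from typing import Optional

# Constructed sample EML, as a consumer might receive it from EtherSensor Transfer.
SAMPLE_EML = """\
From: someone@example.test
To: friend@example.test
Subject: hello
X-Sensor-RawSource-Type: HttpPostRequest
X-Sensor-LicOption: WebMail
X-Sensor-UID: 0e515c8c-61eb-11e1-a529-000c29ff0707
X-Sensor-UID-UserName: CN=Administrator,CN=Users,DC=bigbrother,DC=foo
X-Sensor-UID-ComputerName: WS325-LOCK.bigbrother.foo

body text
"""

# X-Sensor-RawSource-Type values listed in the changelog, grouped by protocol family.
RAW_SOURCE_FAMILY = {
    "HttpGetRequest": "http", "HttpPostRequest": "http", "HttpPutRequest": "http",
    "FtpFile": "ftp", "SmtpEml": "smtp", "Pop3Eml": "pop3",
    "IcqContactList": "icq", "IcqMessageList": "icq", "IcqFile": "icq",
    "IcqLoginInfo": "icq",
    "MraUserInfo": "mra", "MraContactList": "mra", "MraMessageList": "mra",
    "MraFile": "mra",
    "MsnContactList": "msn", "MsnMessageList": "msn", "MsnFile": "msn",
    "XmppContactList": "xmpp", "XmppMessageList": "xmpp", "XmppFile": "xmpp",
    "IrcMessageList": "irc", "IrcFile": "irc",
    "SkypeVersionRequest": "skype", "SslSessionsList": "ssl",
}
# X-Sensor-LicOption values listed in the changelog.
LIC_OPTIONS = {"WebMail", "WebSocial", "Email", "IM", "FT", "WebMailRead"}


@dataclass
class SensorMeta:
    raw_source: str
    family: str
    lic_option: str
    direction: str
    user_dn: Optional[str]
    computer: Optional[str]
    sensor_uid: Optional[str]


def classify(raw_source: str, lic_option: str) -> str:
    """Assumed direction policy: 'inbound', 'outbound' or 'other'.

    The changelog warns that some webmail systems fetch incoming mail with
    POST, so HttpPostRequest alone is not proof of sending; the WebMailRead
    licence option is what marks a read, and it is checked first.
    """
    if lic_option == "WebMailRead" or raw_source in ("Pop3Eml", "HttpGetRequest"):
        return "inbound"
    if raw_source in ("HttpPostRequest", "HttpPutRequest", "SmtpEml", "FtpFile"):
        return "outbound"
    return "other"  # IM conversations, contact lists, SSL session lists, etc.


def parse_sensor_headers(eml: str) -> SensorMeta:
    """Extract the sensor headers; reject values this page does not list."""
    msg = message_from_string(eml)
    raw = (msg.get("X-Sensor-RawSource-Type") or "").strip()
    if raw not in RAW_SOURCE_FAMILY:
        raise ValueError(f"unknown X-Sensor-RawSource-Type: {raw!r}")
    lic = (msg.get("X-Sensor-LicOption") or "").strip()
    if lic not in LIC_OPTIONS:
        raise ValueError(f"unknown X-Sensor-LicOption: {lic!r}")
    return SensorMeta(
        raw_source=raw,
        family=RAW_SOURCE_FAMILY[raw],
        lic_option=lic,
        direction=classify(raw, lic),
        # The X-Sensor-UID-* headers are present only when an agent identified the user.
        user_dn=msg.get("X-Sensor-UID-UserName"),
        computer=msg.get("X-Sensor-UID-ComputerName"),
        sensor_uid=msg.get("X-Sensor-UID"),
    )


if __name__ == "__main__":
    print(parse_sensor_headers(SAMPLE_EML))
```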

[*]From and To format was updated for WebMail, WebSocial, and WebCV messages.

[+]Empty message bodies are now checked for and removed for WebMail, WebSocial, and WebCV messages.

[+]Results are generated to include SSL connection lists.

Delivering analysis results to consumer system:

[*]Memory consumption was optimized for message delivery.

Configuration console:

[*]Management interface user interface was updated.

[*]Integration with the Microolap EtherSensor help system was implemented.

[+]HTTP filter statistics is now displayed.

2011-07-15 Version 4.0.1.8529

Data sources and objects capture

EtherSensor EtherCAP service:

[*]Traffic processing efficiency is now higher. Incoming HTTP traffic can now be intercepted due to lower resource consumption of Microolap EtherSensor and the execution environment.

Captured objects analysis:

[*]Processing of all available HTTP GET requests from Ethernet and ICAP is guaranteed. Explanation: earlier, the analysis was only available for messages sent from the workstations via the web interface, but now we can also analyze all incoming messages.

[*]The server can now monitor logins, passwords and downloaded files for GET requests.

[+]HTTP prefiltering was added to discard obvious junk. This helps to reduce the load on the analysis system. It can also be used for debugging.

Logging:

[+]You can now select encodings for Microolap EtherSensor messages sent to log files or syslog servers; thus, another obstacle to using common log analyzers is removed.

Configuration console:

[*]The configurator was completely rewritten: this is now a standard Windows application (mconsole.exe file from the distribution kit) instead of an MMC console used previously.

[+]Microolap EtherSensor statistics is now accumulated for integration with external monitoring systems.

2011-06-07 Version 3.0.29.8081

Configuration console:

[-]An error was fixed in the bugreport utility which resulted in incorrect report generation.

2011-06-06 Version 3.0.28.8059

Captured objects analysis:

[+]The method of detecting IDs from Referer for vkontakte.ru was improved for version 3.x.

[-]An error was fixed with message generation in WebMail (!generic detector).

[-]An error was fixed with message generation in IM (IRC and XMPP detectors).

[-]Errors were fixed with message address filtering.

[-]An error was fixed with message header generation. The X-Sensor-Smtp-Helo header was generated instead of X-Sensor-Smtp-From.

Configuration console:

[-]An error was fixed with displaying perpetual licenses.

[-]Errors were fixed with reading license files from the management console.

2011-04-29 Version 3.0.27.7583

Data sources and objects capture

EtherSensor EtherCAP service:

[*]The most probable sources of exceptions for the ftp, icq, irc, msn, mra, smtp protocols were removed.

Captured objects analysis:

[+]The following service detectors were updated: mail.ru, moikrug.ru.

[-]An error was fixed which resulted in the EtherSensor Analyser service freezing at startup.

Configuration console:

[*]The old MMC-based version of the configuration/management subsystem was replaced with a WinForms application.

2011-03-14 Version 3.0.25.6931

Data sources and objects capture

EtherSensor EtherCAP service:

[*]Data processing by protocol parsers is now more reliable. The most probable sources of exceptions for the ftp, icq, irc, msn, mra, smtp protocols were removed.

[*]Exception handling logic during TCP session reconstruction was modified.

Captured objects analysis:

[+]The following service detectors were updated: CV (careerist.ru, superjob.ru, zarplata.ru), livejournal.com, facebook.com, mail.ru, myspace.com, odnoklassniki.ru, vkontakte.ru, yandex.ru.

[-]An error was fixed with caching reconstructed "raw" objects. This error resulted in interception result processing being stopped.

[-]An error was fixed with the processing of results of reconstructed object filter which raised an exception.

[-]An error was fixed with retrieving DNS names by IP addresses.

[-]An error was fixed with EML address detection.

Delivering analysis results to consumer system:

[-]An error was fixed with address generation (from, to, cc, bcc) in EML envelopes in the SMTP protocol when data is being transmitted to external consumers.

Logging:

[*]Resource consumption was reduced for processes used in Microolap EtherSensor statistics maintenance.

2011-02-10 Version 3.0.24.6617

Data sources and objects capture

EtherSensor EtherCAP service:

[-]An error was fixed with HTTP session processing which occurred for header line sizes over 4Kb.

Captured objects analysis:

[+]Compatibility was added for the last version of the script which detects user name and host in HTTP traffic.

[-]An error was fixed with header name parsing for EML envelopes according to RFC-5322.

Logging:

[*]Resource consumption was reduced for the EtherSensor Watcher service.

2011-01-28 Version 3.0.21.6411

Captured objects analysis:

[*]Configuration was updated to version 3.1, a block of parameters was added to detect KPPSU and KPPSH fields (eSafeUser, eSafeHost) in WebMail messages.

[+]The following detectors were updated: CV (careerist.ru, jobsmarket.ru, rabota.mail.ru, rabota.ru, superjob.ru), facebook.com, mail.ru, myspace.com, odnoklassniki.ru, vkontakte.ru.

Logging:

[-]An error was fixed with XML format violation when saving statistics.

[-]An error was fixed: the DumpTime parameter was not updated in top.hostname.XXX.xml when data was accumulated.

2010-12-29 Version 3.0.20.6277

Data sources and objects capture

EtherSensor EtherCAP service:

[*]Recognition validity was improved for the XMPP/Jabber protocol.

Captured objects analysis:

[*]Message processing (detection, filtering) is now faster. Now up to N intercepted objects can be detected and filtered simultaneously. N is calculated as follows: N = CPU cores x 2.

[+]Updated the following detectors: CV (careerist.ru, hh.ru, job-mo.ru, rabota.mail.ru, rabota.by, rabotavia.ru, superjob.ru, zarplata.ru), facebook.com, livejournal.com, mail.ru, mail.ru-social, mamba.ru, moikrug.ru, myspace.com, odnoklassniki.ru, pochta.ru, vkontakte.ru, yandex.ru.

Logging:

[*]Now the EtherSensor Watcher service maintains data processing statistics and accumulates data in the [INSTALLDIR]\data\statistics directory. Accumulated information is rotated every 2 months. Daily statistics are accumulated in a separate folder inside the [INSTALLDIR]\data\statistics directory. A separate set of files is generated every hour:
 
top.clients.XXX.xml:
The number of connections established by the client, and the total size of data transmitted over all the sessions created by this client.
 
top.detectors.XXX.xml:
The number of detected messages.
 
top.hostname.XXX.xml:
The number of HTTP connections per hour.

Configuration console:

[*]The bugreport utility can now open reports directly from ZIP archives.

[*]You can now generate new and detect existing MINIDump files of Microolap EtherSensor services.

[*]You can now detect PCAP files containing the packets whose interception raised a data processing exception.

2010-12-02 Version 3.0.19.6031

Captured objects analysis:

[-]An error was fixed in message filters with the check-md5 status check.

Configuration console:

[-]An error was fixed which occurred during report generation by the bugreport utility.

2010-10-25 Version 3.0.18.6027

Data sources and objects capture

EtherSensor EtherCAP service:

[*]Recognition validity was improved for the MRA (MRIM) protocol. The new protocol version was released, supported by new clients.

[+]The "FROZEN" state of the EtherSensor EtherCAP service can now be detected and rectified. The service is in the FROZEN state when it has stopped traffic interception due to internal errors or an attack. The packets whose processing resulted in the FROZEN state are saved to a PCAP file in the \log\pcaps directory.

[-]An error was fixed in the MRA(MRIM) protocol parser which resulted in the EtherSensor EtherCAP service freezing.

EtherSensor ICAP service:

[*]The string collection buffer size was increased to 32K (it was 8K according to the standard, but the size of individual strings was sometimes over 9.5K).

[*]HTTP commands longer than 7 characters were previously not processed; now this length is increased to 32 characters.

[*]Service configuration was also updated:

<?xml version="1.0" encoding="utf-8"?>
<IcapConfig version="3.0">
 <SensorId>icap-01</SensorId>
 <Network max_connections="4000">
   <ListenAddress address="0.0.0.0:1344" />
 </Network>
 <Icap>
   <Preview enabled="false" size="4096" />
   <Allow204 enabled="true" />
   <RawLog enabled="false" path=".\raw-log" />
   <RequestLog enabled="false"
               http_enabled="true"
               channel="ICAP-REQUEST" />
   <AlwaysOk enabled="true" />
   <Header name="X-Client-IP" enabled="true" />
   <Header name="X-Server-IP" enabled="false" />
 </Icap>
</IcapConfig>

New tags added:
AlwaysOk
The AlwaysOk tag is nested within the Icap tag and enables the "always ok" mode. In this mode, the ICAP server responds with code 204 "No modifications" to any errors detected in the ICAP protocol on the client side.
 
The enabled attribute of the AlwaysOk tag specifies whether the "always ok" mode is active:
 
enabled="true" - the mode is active.
enabled="false" - the mode is inactive.
 
If the AlwaysOk tag is omitted, this mode is assumed to be disabled by default.
If the mode is active, the 204 response code is sent in return to errors even if it is prohibited by Allow204.
You should only enable this mode in rare cases when you are absolutely sure about what you are doing, because it may result in unpredictable failures in the operation of the ICAP client providing traffic.
 
RequestLog
The RequestLog tag is nested within the Icap tag and defines the error logging mode settings for the ICAP and HTTP query protocols processed by the ICAP server. This log stores errors which may occur when the ICAP client and server communicate and are related to incorrect data formats sent by the ICAP client, misuse of the ICAP protocol, etc.
 
The enabled attribute of the RequestLog tag specifies whether the error logging mode is enabled for the ICAP and HTTP protocols:
enabled="true" - the logging mode is active.
enabled="false" - the logging mode is inactive.
 
The http_enabled attribute of the RequestLog tag specifies whether the error logging mode is enabled for HTTP queries:
http_enabled="true" - the logging mode for HTTP queries is active.
http_enabled="false" - the logging mode for HTTP queries is inactive.
http_enabled="true" is assumed by default (if the attribute is omitted).
 
The channel attribute of the RequestLog tag specifies the internal system name for the HTTP query logging channel. This parameter must always be channel="ICAP-REQUEST" and may only be modified on the direct instruction of the Microolap EtherSensor developer.
 
Header
The Header tag controls extended headers of the ICAP protocol. This tag can be used to notify the ICAP client whether the server supports the specified header. This can be used to allow or disallow the ICAP client to send the corresponding header to the server.
 
The enabled attribute of the Header tag specifies whether support for this header is enabled:
enabled="true" - the header is supported.
enabled="false" - the header is not supported.
If the tag is omitted, the header is assumed to be supported by default.
 
The name attribute of the Header tag specifies the name of the extended header.
The following extended ICAP headers are supported:
X-Client-IP
X-Server-IP
X-Client-Username
X-Subscriber-ID
X-Authenticated-User
X-Authenticated-Groups
 
All the headers are assumed to be supported by default (if the Header tags are omitted in the configuration file).
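As an added example (not EtherSensor code and not taken from this changelog), the Python below reads an IcapConfig document like the one above, applies the defaults the notes document (AlwaysOk off, http_enabled on, every extended header supported) and flags the settings that hide or discard protocol errors. The element and attribute names come from the sample configuration; the function names, the sample document and the treatment of settings whose default the notes do not state (reported as None) are assumptions of this example.

```python
# Added example, not EtherSensor code: parse an IcapConfig document as shown in
# the 3.0.18 release notes, fill in the documented defaults and audit it.
import xml.etree.ElementTree as ET

# Constructed sample: the configuration quoted in the notes, with AlwaysOk
# enabled, which is the setting the notes warn about.
SAMPLE_CONFIG = r'''<?xml version="1.0" encoding="utf-8"?>
<IcapConfig version="3.0">
 <SensorId>icap-01</SensorId>
 <Network max_connections="4000">
   <ListenAddress address="0.0.0.0:1344" />
 </Network>
 <Icap>
   <Preview enabled="false" size="4096" />
   <Allow204 enabled="true" />
   <RawLog enabled="false" path=".\raw-log" />
   <RequestLog enabled="false"
               http_enabled="true"
               channel="ICAP-REQUEST" />
   <AlwaysOk enabled="true" />
   <Header name="X-Client-IP" enabled="true" />
   <Header name="X-Server-IP" enabled="false" />
 </Icap>
</IcapConfig>
'''

# Extended ICAP headers listed in the notes; each is supported unless a
# <Header> tag disables it.
KNOWN_HEADERS = (
    "X-Client-IP", "X-Server-IP", "X-Client-Username",
    "X-Subscriber-ID", "X-Authenticated-User", "X-Authenticated-Groups",
)


def _enabled(elem, attr="enabled", default=None):
    """Read a "true"/"false" attribute. Return default when the element or
    attribute is absent; None marks a default the notes do not state."""
    if elem is None or attr not in elem.attrib:
        return default
    return elem.attrib[attr].strip().lower() == "true"


def parse_icap_config(xml_text):
    """Return the effective <Icap> settings as a dict, applying the defaults
    stated in the notes: AlwaysOk off, http_enabled on, headers supported."""
    root = ET.fromstring(xml_text)
    icap = root.find("Icap")
    if icap is None:
        raise ValueError("IcapConfig has no <Icap> section")
    headers = {name: True for name in KNOWN_HEADERS}
    unknown = []
    for h in icap.findall("Header"):
        name = h.attrib.get("name", "")
        if name not in KNOWN_HEADERS:
            unknown.append(name)
        headers[name] = _enabled(h, default=True)
    req = icap.find("RequestLog")
    listen = root.find("Network/ListenAddress")
    return {
        "sensor_id": root.findtext("SensorId"),
        "listen": listen.attrib.get("address") if listen is not None else None,
        "allow204": _enabled(icap.find("Allow204")),
        "always_ok": _enabled(icap.find("AlwaysOk"), default=False),
        "request_log": {
            "enabled": _enabled(req),
            "http_enabled": _enabled(req, "http_enabled", default=True),
            "channel": req.attrib.get("channel") if req is not None else None,
        },
        "headers": headers,
        "unknown_headers": unknown,
    }


def audit_icap_config(cfg):
    """Return findings for settings that hide or drop error information;
    an empty list means there is nothing to report."""
    findings = []
    if cfg["always_ok"]:
        findings.append(
            "AlwaysOk is enabled: every ICAP protocol error on the client side "
            "is answered with 204 (even when Allow204 forbids it), so malformed "
            "requests are accepted silently instead of surfacing as failures.")
    if cfg["request_log"]["enabled"] is False:
        findings.append(
            "RequestLog is disabled: ICAP/HTTP protocol errors caused by the "
            "ICAP client are not recorded anywhere.")
    chan = cfg["request_log"]["channel"]
    if chan is not None and chan != "ICAP-REQUEST":
        findings.append(f"RequestLog channel is {chan!r}; the notes require "
                        "ICAP-REQUEST unless the developer instructs otherwise.")
    for name in cfg["unknown_headers"]:
        findings.append(f"Header tag names {name!r}, which is not one of the "
                        "documented extended ICAP headers.")
    return findings


if __name__ == "__main__":
    for line in audit_icap_config(parse_icap_config(SAMPLE_CONFIG)):
        print("-", line)
```

Run stand-alone, it prints the findings for the sample: the AlwaysOk warning and a note that RequestLog is off. Settings the notes give no default for (Allow204, RequestLog enabled) are reported as None rather than guessed, so the audit only fires on values actually present in the file.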

Captured objects analysis:

[*]Message filtering was made faster.

[+]The following detectors were updated: CV (careerist.ru, hh.ru, job.ru, job50.ru, jobsmarket.ru, rabota.mail.ru, rabotavgorode.ru, superjob.ru, zarplata.ru), facebook.com, livejournal.com, mail.ru, mail.ru-social, mamba.ru, moikrug.ru, meebo.com, myspace.com, odnoklassniki.ru, pochta.ru, smsmms (mts), twitter.com, vkontakte.ru, yandex.ru.

[-]An error was fixed with url-encoded check.

[-]An error was fixed with the Content-Type MIME header parsing.

2010-10-01 Version 3.0.17.5713

Data sources and objects capture

EtherSensor EtherCAP service:

[*]TCP connection reconstruction performance is now higher in the Packet Sniffer SDK library.

[-]An error was fixed with generating large IP filters.

Captured objects analysis:

[+]The following detectors were updated: CV (careerist.ru, hh.ru, job-mo.ru, job.ru, jobsmarket.ru, rabota.ru, superjob.ru, zarplata.ru; services added: job50.ru, rabotavgorode.ru, rabota.mail.ru), moikrug.ru, facebook.com, livejournal.com, loveplanet.ru, mail.ru, mail.ru-social, mamba.ru, meebo.com, myspace.com, odnoklassniki.ru, rambler.ru, smsmms, taba.ru, twitter.com, vkontakte.ru, yandex.ru.

Configuration console:

[+]A report can now be generated with Microolap EtherSensor counter values and details.

[+]First release of the bugreport utility, which collects operation information for the Microolap EtherSensor system and the EtherSensor Updater automatic update service and sends it to the Microolap EtherSensor developer for analysis.

2010-09-14 Version 3.0.16.5573

Captured objects analysis:

[*]Name generation logic for reconstructed objects was updated. For objects with an "image/*" Content-Type and an unknown file name, the name "unknown.<subtype>" is now generated, i.e. unknown.jpeg for image/jpeg, unknown.gif for image/gif, etc.

[+]The following detectors were updated: CV (careerist.ru, funkyjob.ru, hh.ru, job-mo.ru, job.ru, jobsmarket.ru, rabota.ru, superjob.ru, zarplata.ru), hotmail.com, moikrug.ru, facebook.com, linkedin.com, livejournal.com, mail.ru, mail.ru-social, mamba.ru, myspace.com, odnoklassniki.ru, rambler.ru, smsmms, twitter.com, vkontakte.ru, yandex.ru.

[-]An error was fixed with envelope generation for MSN messages and contact lists.

Delivering analysis results to consumer system:

[-]An error was fixed with incorrect encoding of message subjects and other headers.

Configuration console:

[-]A logical error was fixed with setting and reading disk quota values.

2010-08-27 Version 3.0.13.5377

Data sources and objects capture

EtherSensor EtherCAP service:

[-]An error was fixed with protocol analyzer generation, which resulted in the crash of the EtherSensor EtherCAP service.

Captured objects analysis:

[+]Message decoding based on the Content-Transfer-Encoding property was added for messages only containing an attachment and being not MIME-encoded.

[+]The following detectors were updated: CV (zarplata.ru), moikrug.ru, facebook.com, mail.ru, mail.ru-social, mamba.ru, odnoklassniki.ru, rambler.ru, twitter.com, vkontakte.ru, yandex.ru.

[-]An error was fixed in the DNSBL action in filter rules.

[-]An error was fixed with the processing of incorrect messages without bodies.

[-]An error was fixed in the EML parser: there were problems with MIME decoding with transport encoding other than binary.

Delivering analysis results to consumer system:

[+]Transport thread pool was implemented. Now there are up to 10 threads (instead of 1 thread) which send analysis results to consumer systems, depending on the data size of reconstructed objects. This makes the EtherSensor Transfer service significantly faster.

2010-07-26 Version 3.0.12.5119

Captured objects analysis:

[+]The following detectors were updated: CV (careerist.ru, hh.ru, job-mo.ru, job.ru, rabota.ru, superjob.ru, zarplata.ru), moikrug.ru, facebook.com, loveplanet.ru, mail.ru, mail.ru-social, mamba.ru, meebo.com, odnoklassniki.ru, twitter.com, vkontakte.ru, yandex.ru.

[-]An error was fixed in the filter rule condition which used MD5 to find message duplicates.

2010-07-19 Version 3.0.11.4969

Captured objects analysis:

[+]A filter rule condition was added to find message duplicates by MD5.

[+]The following detectors were updated: chanboard, CV (hh.ru, job-mo.ru, job.ru, rabota.ru, superjob.ru, zarplata.ru), moikrug.ru, myspace.com, my.mail.ru, facebook.com, taba.ru, twitter.com.

[-]An error was fixed with X-Sensor-Ldap-Hostname, X-Sensor-Ldap-User header detection.

2010-07-26 Version 2.0.17.4175

Captured objects analysis:

[+]The following detectors were updated: facebook.com, loveplanet.ru, mail.ru, mail.ru-social, mamba.ru, odnoklassniki.ru, vkontakte.ru, yandex.ru.

Configuration console:

[-]An error was fixed in the MMC management console which resulted in an exception when interception result transport rules were being edited.

2010-07-23 Version 2.0.16.4170

Captured objects analysis:

[+]The following detectors were updated: accounts, facebook.com, loveplanet.ru, mail.ru, mail.ru-social, mamba.ru, meebo.com, myspace.com, odnoklassniki.ru, pochta.ru, twitter.com, vkontakte.ru, yandex.ru.

Delivering analysis results to consumer system:

[+]Transport thread pool was implemented. Now there are up to 10 threads (instead of 1 thread in the previous version) which send analysis results to consumer systems, depending on the data size of reconstructed objects. This makes the EtherSensor Transfer service significantly faster.

2010-07-09 Version 2.0.15.4019

Captured objects analysis:

[+]X-Sensor-Ldap-Hostname and X-Sensor-Ldap-User headers are now generated in the EML envelope if the User-Agent query field contains the eSafeHost and eSafeUser fields.

[+]The following detectors were updated: accounts, blogger.com, facebook.com, fileupload, !generic, linkedin.com, livejournal.com, loveplanet.ru, mail.ru, mamba.ru, meebo.com, myspace.com, odnoklassniki.ru, plaxo.com, pochta.ru, smsmms, twitter.com, vkontakte.ru, yandex.ru.

[+]The following detectors were added: moimir.mail.ru.

2010-05-18 Version 2.0.14.3656

Captured objects analysis:

[+]Generation of the following EML envelope headers was implemented from the data provided by the ICAP server:
X-Sensor-Icap-Client-Username
X-Sensor-Icap-Subscriber-Id
X-Sensor-Icap-Authenticated-User
X-Sensor-Icap-Authenticated-Group

2010-05-06 Version 2.0.13.3595

Delivering analysis results to consumer system:

[-]An error was fixed with EML envelope processing in the SMTP client of the transport service.

2010-04-30 Version 2.0.12.3570

Delivering analysis results to consumer system:

[-]An error was fixed with the BDAT command processing in the SMTP client of the transport service.

2010-04-28 Version 2.0.11.3551

Captured objects analysis:

[+]Processing of binary messages (Exchange 2010) was added. Now all binary messages are received as attachments.

[+]The following detectors were updated: facebook.com, linkedin.com, livejournal.com, loveplanet.ru, mamba.ru, myspace.com, odnoklassniki.ru, twitter.com, vkontakte.ru, yandex.ru.

2010-03-09 Version 2.0.11.2767

Data sources and objects capture

EtherSensor ICAP service:

[*]Compliance with the updated draft-stecher-icap-subid-00.txt.
When the ICAP client sends the X-Subscriber-ID, X-Authenticated-User and X-Authenticated-Groups headers, they are now saved as data file properties in the passport: icap-x-subscriber-id, icap-x-authenticated-user and icap-x-authenticated-group respectively.
If the X-Authenticated-Groups header contains multiple groups, each of them is saved as a separate icap-x-authenticated-group property containing only one group.

[+]New debug counters were added:
\ICAP\Request\POST
The number of POST requests passed by ICAP to REQMOD.
 
\ICAP\Request\PUT
The number of PUT requests passed by ICAP to REQMOD.
 
\ICAP\Request\Open
The number of files opened to save POST/PUT in REQMOD.
 
\ICAP\Request\Open-active
The number of files currently open to save POST/PUT in REQMOD.
 
\ICAP\Request\Closed-and-save
The number of files closed with the "save to cache" status (they must be in the cache).
 
\ICAP\Request\Closed-and-delete
The number of files closed with the "remove from cache" status (due to some errors).

[+]Filtering for raw-log was implemented in REQMOD. Requests to Host: icap.health.check result in the removal of raw-log files for this TCP session. The filter is currently hard-coded.

[+]Now if the ICAP client sends the X-Client-Username header, it is saved in the passport as the icap-x-client-username data file property. The SQUID server may send this header if it has user authentication configured; it is controlled by icap_send_client_username on|off in the squid.conf file. Other clients may also send this header, but this has not been confirmed.

2010-01-28 Version 2.0.10.2766

Captured objects analysis:

[-]An error was fixed in the SMTP parser which was introduced in the 2.0.9.2741 release due to changes made to capture the Exchange server traffic.

2010-01-26 Version 2.0.9.2741

Captured objects analysis:

[+]The following detectors were updated: chanboard, facebook.com, hotmail.com, linkedin.com, livejournal.com, loveplanet.ru, mail.ru, mamba.ru, meebo.com, myspace.com, nextmail.ru, odnoklassniki.ru, plaxo.com, pochta.ru, rambler.ru, smsmms, twitter.com, vkontakte.ru, yahoo.com, yandex.ru.

[+]The following detectors were added: the accounts detector, which detects user registration events on remote web services. In addition to logins and passwords, it collects the additional details submitted by the user at registration (addresses, emails, names, phones, nicks, descriptions, etc.). You can use this detector to determine the resources visited by network users based on the intercepted authentication events for these resources.

2009-09-03 Version 2.0.5.2500

Captured objects analysis:

[+]The following detectors were updated: facebook.com, hotmail.com, livejournal.com, loveplanet.ru, mail.ru, mamba.ru, meebo.com, myspace.com, nextmail.ru, odnoklassniki.ru, pochta.ru, rambler.ru, smsmms, twitter.com, vbulletin, vkontakte.ru, yandex.ru, icq.

[-]Errors were fixed in the HTTP protocol parser.

[-]Errors were fixed in the MRA protocol parser.

2009-08-03 Version 2.0.4.2360

Captured objects analysis:

[+]The following detectors were updated: chanboard, facebook.com, hotmail.com, linkedin.com, livejournal.com, loveplanet.ru, mail.ru, mamba.ru, meebo.com, myspace.com, nextmail.ru, odnoklassniki.ru, rambler.ru, smsmms, twitter.com, ukr.net, vkontakte.ru, wordpress.com, yandex.ru.

[+]The following detectors were added: gazup.com, ifolder.ru.

2009-05-31 Version 2.0.0.2300

Captured objects analysis:

[+]New detectors:
facebook.com
New social network user registration event.
Social network user profile update event.
Events transmitted by social network users.
File uploads (downloads) by social network users.
 
linkedin.com
New social network user registration event.
Social network user profile update event.
Events transmitted by social network users.
File uploads (downloads) by social network users.
 
meebo.com
Messages exchanged by meebo.com users.
 
myspace.com
New social network user registration event.
Social network user profile update event.
Events transmitted by social network users.
File uploads (downloads) by social network users.
 
plaxo.com
New social network user registration event.
Social network user profile update event.
Events transmitted by social network users.
File uploads (downloads) by social network users.
 
twitter.com
New social network user registration event.
Social network user profile update event.
Events transmitted by social network users.
File uploads (downloads) by social network users.
 
wordpress.com
Messages posted by users.
 
mail.ru
Detection of instant online messages exchanged by mail.ru users via MRA.

2009-02-26 Version 1.0.8

Data sources and objects capture

EtherSensor EtherCAP service:

[*]TCP session reconstruction performance is now higher in the Packet Sniffer SDK library.

Captured objects analysis:

[*]Processing of new messages in WebMail and WebSocial was added.

[+]Detection and reconstruction of ICQ and MRA objects (currently only for contact lists and text messages) was added.

Delivering analysis results to consumer system:

[-]An error was fixed with sending messages to consumers over SMTP in the Microolap EtherSensor client.

Logging:

[+]Statistics of results sent to consumers by modules was added (the !translag.log file).

2008-10-29 Version 1.0.7.7

Data sources and objects capture

[+]The 32 bit version of Microolap EtherSensor was added.

Delivering analysis results to consumer system:

[-]An error was fixed which resulted in duplicate messages sent to consumers and incorrect counters displayed in log files.

2008-10-27 Version 1.0.7

Data sources and objects capture

EtherSensor EtherCAP service:

[*]Packet Sniffer SDK traffic capture library version 5.0. This version increases traffic capture and connection reconstruction performance by 8-10 times compared to the previous version 4.x.

Captured objects analysis:

[*]Performance of modules which process objects from the odnoklassniki.ru and vkontakte.ru services is now higher.

[+]The following odnoklassniki.ru domains were added: odnoklassniki.ru, odnoklasniki.ru, odnoklassniki.ua, odnoklassniki.kz.

[+]Modules were added to implement reconstruction of HTTP objects for the following services: loveplanet.ru, mamba.ru, livejournal.com.
 
loveplanet.ru domains added:
1ovep1anet.ru, alovely.ru, datelove.ru, dating.wmj.ru, flirt.me-to-you.info, flirt2008.ru, loveplanet-vip.ru, lovemir.com, love.efremov.net, love.livedate.ru, love-planet.ru, 1oveplanet.ru, loveplanet.ru, loveplanet-vip.ru, lovemoskva.ru, lov1.ru, loveopen.ru, lovedrom.ru, lovepeace.ru, mos-love.ru, planet.sbrn.ru, dating-loveplanet.ru, dating-znakomstva.ru, lovo.ru;
 
mamba.ru domains:
4love.ru, date.datinglove.ru, dating.freetime.com.ua, explore.ru, flirtru.ru, flirt77.ru, fastlove.ru, facelink.ru, greatlove.ru, holiday.ru, iloveyou.ru, jdu.ru, jzzz.info, lovemy.com.ua, love.alfa-beta.ru, love.azlyrics.ru, love.butt-head.ru, love.girlzzz.info, love.lovz.ru, love.mail.ru, love.rambler.ru, love-kiss-dating.ru, love.neolove.ru, love.pautinka.ru, love.primochka.ru, love.gay.ru, love.ignio.com, love.lesbi.ru, love.russianchat.ru, lov.ru, lovedate.ru, mamba.ru, mambo.ru, mheart.ru, romantica.ru, search.all4love.ru, svidanka.ru, vstret.ru, znakomstva.lt, znakomstva.lv, znakomstva.odnoklassniki.ru, younglover.ru, lovedosug.ru, lubovy.ru;
 
livejournal.com domains:
livejournal.com, livejournal.ru.

Logging:

[+]Extended the set of counters that show Microolap EtherSensor performance indicators. The counters are displayed in real time in !capstat.log, !sysstat.log, !transtat.log log files.

[+]The log entry was made more detailed for the SMTP transport which sends analysis results to consumer systems.

Configuration console:

[+]The crashreport.dll module was added which generates exception reports when Microolap EtherSensor services crash. The exception report is saved to the log\crashrpt directory. The exception report consists of two files: 1) application minidump; 2) execution environment report.

[+]The Microolap EtherSensor installer enables automatic startup for services in case of a crash or an exception.

[-]An error was fixed with a long startup of Microolap EtherSensor services after an operating system restart.

2008-07-28 Version 1.0.5

Captured objects analysis:

[+]MD5 Hash is now calculated for reconstructed objects to identify duplicates.

[+]The following detectors were updated: mail.ru, rambler.ru, yandex.ru, pochta.ru, google.com, yahoo.com, ukr.net, odnoklassniki.ru, vkontakte.ru, squirrel-mail, file-upload, hotmail.com, nextmail.ru, newmail.ru, phpBB.

Delivering analysis results to consumer system:

[+]The X-Sensor-Object-MD5Hash header was added to messages sent to consumers over SMTP.

[-]A logic error was fixed with sending messages to consumers over SMTP.

2008-07-28 Version 1.0.4

Captured objects analysis:

[+]The following detectors were updated: mail.ru, rambler.ru, yandex.ru, pochta.ru, google.com, yahoo.com, ukr.net, odnoklassniki.ru, vkontakte.ru, squirrel-mail, file-upload, hotmail.com, nextmail.ru.

[+]The following detectors were added: newmail.ru, phpBB.

Configuration console:

[+]Logging settings can now be configured.

2008-07-25 Version 1.0.2

Captured objects analysis:

[+]The following detectors were added: hotmail.com, nextmail.ru.

Delivering analysis results to consumer system:

[-]An error was fixed with the "Sensor-Id" header.

2008-07-16 Version 1.0.1

Data sources and objects capture

EtherSensor EtherCAP service:

[*]Memory consumption was optimized for traffic capture.

Delivering analysis results to consumer system:

[+]The following headers were added for EML generation to be sent to the consumer over SMTP:
MailFrom/RcpTo
Via/X-Forwarded
Date
Network-If-Id (you can now determine exactly the network interface from which the reconstructed object was captured).

[+]A header with the size of the reconstructed object was added.

Logging:

[+]Log archiving was added to save disk space.

Configuration console:

[+]The configurator MMC console was implemented.