Data sources and objects capture
EtherSensor EtherCAP service:
[*]Recognition accuracy was improved for the MRA (MRIM) protocol: the new version of the protocol, which newer clients use, is now supported.
[+]The "FROZEN" state of the EtherSensor EtherCAP service can now be detected and rectified. The service enters the FROZEN state when it has stopped intercepting traffic because of internal errors or an attack. The packets whose processing put the service into the FROZEN state are saved to a PCAP file in the \log\pcaps directory, so the triggering traffic can be examined and replayed.
[-]An error was fixed in the MRA (MRIM) protocol parser that caused the EtherSensor EtherCAP service to freeze.
EtherSensor ICAP service:
[*]The string collection buffer size was increased to 32K (the standard specifies 8K, but individual strings were sometimes longer than 9.5K).
[*]HTTP commands (methods) longer than 7 characters were previously not processed; the limit is now 32 characters.
[*]Service configuration was also updated:
<?xml version="1.0" encoding="utf-8"?>
<ListenAddress address="0.0.0.0:1344" />
<Preview enabled="false" size="4096" />
<Allow204 enabled="true" />
<RawLog enabled="false" path=".\raw-log" />
<AlwaysOk enabled="true" />
<Header name="X-Client-IP" enabled="true" />
<Header name="X-Server-IP" enabled="false" />
New tags added:
The AlwaysOk tag is nested within the Icap tag and enables the "always ok" mode. In this mode, the ICAP server responds with code 204 "No modifications" to any ICAP protocol error detected on the client side, instead of reporting the error.
The enabled attribute of the AlwaysOk tag specifies whether the "always ok" mode is active:
enabled="true" - the mode is active.
enabled="false" - the mode is inactive.
If the AlwaysOk tag is omitted, this mode is assumed to be disabled by default.
If the mode is active, the 204 response code is sent in reply to errors even when the client has not permitted it through Allow204.
You should only enable this mode in rare cases when you are absolutely sure about what you are doing, because it may cause unpredictable failures in the ICAP client that supplies the traffic. It also hides protocol errors from the client: a malformed request is silently acknowledged rather than reported, so enable RequestLog if you need visibility into such errors.
The RequestLog tag is nested within the Icap tag and defines the error logging settings for the ICAP protocol and for the HTTP requests processed by the ICAP server. This log stores errors that may occur while the ICAP client and server communicate, such as incorrect data formats sent by the ICAP client or misuse of the ICAP protocol.
The enabled attribute of the RequestLog tag specifies whether the error logging mode is enabled for the ICAP and HTTP protocols:
enabled="true" - the logging mode is active.
enabled="false" - the logging mode is inactive.
The http_enabled attribute of the RequestLog tag specifies whether the error logging mode is enabled for HTTP requests:
http_enabled="true" - the logging mode for HTTP requests is active.
http_enabled="false" - the logging mode for HTTP requests is inactive.
http_enabled="true" is assumed by default (if the attribute is omitted).
The channel attribute of the RequestLog tag specifies the internal system name of the HTTP request logging channel. This parameter must always be channel="ICAP-REQUEST" and may only be changed on direct instruction from the Microolap EtherSensor developers.
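The following is an added example, not EtherSensor code: a small model of how an ICAP server picks its reply under the AlwaysOk, Allow204 and RequestLog rules described above, including the 32-character HTTP method limit from the EtherCAP notes. The sample requests are constructed, and the 400 status used for rejected requests is an assumption (the page does not say which error code the service sends).

```python
"""Model of an ICAP server's error-handling policy (added example, not
EtherSensor code).  Sample messages are constructed; the 400 reply on
protocol errors is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ICAP_NO_MODIFICATION = "ICAP/1.0 204 No Content"   # the "no modifications" reply
ICAP_BAD_REQUEST = "ICAP/1.0 400 Bad Request"      # assumed error reply
ICAP_OK = "ICAP/1.0 200 OK"                        # must echo the message back

MAX_HTTP_METHOD_LEN = 32   # release notes: raised from 7 to 32 characters
ICAP_METHODS = ("REQMOD", "RESPMOD", "OPTIONS")


class IcapError(ValueError):
    """A protocol violation on the client side (what RequestLog would record)."""


@dataclass
class IcapRequest:
    method: str
    uri: str
    headers: dict[str, str]
    http_request_line: Optional[str]


def parse_icap_request(raw: bytes) -> IcapRequest:
    """Parse the ICAP envelope and, for REQMOD, the encapsulated HTTP request line."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise IcapError("non-ASCII bytes in ICAP header block") from exc
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise IcapError("ICAP header block is not terminated by CRLFCRLF")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "ICAP/1.0":
        raise IcapError(f"bad ICAP request line: {lines[0]!r}")
    method, uri = parts[0], parts[1]
    if method not in ICAP_METHODS:
        raise IcapError(f"unknown ICAP method {method!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise IcapError(f"malformed ICAP header line {line!r}")
        headers[name.strip().lower()] = value.strip()
    if method != "OPTIONS" and "encapsulated" not in headers:
        raise IcapError("Encapsulated header missing")
    http_line = None
    if method == "REQMOD":
        http_line = body.split("\r\n", 1)[0]
        http_method = http_line.split(" ", 1)[0]
        if not http_method or len(http_method) > MAX_HTTP_METHOD_LEN:
            raise IcapError(f"HTTP method of {len(http_method)} chars rejected")
    return IcapRequest(method, uri, headers, http_line)


def client_allows_204(req: IcapRequest) -> bool:
    """True when the client advertised "Allow: 204" (its side of the Allow204 contract)."""
    return "204" in [v.strip() for v in req.headers.get("allow", "").split(",")]


def respond(raw: bytes, always_ok: bool = False,
            request_log: Optional[list[str]] = None) -> str:
    """Return the ICAP status line a server with these settings would send.

    request_log models RequestLog enabled="true": pass a list to collect errors.
    """
    try:
        req = parse_icap_request(raw)
    except IcapError as exc:
        if request_log is not None:
            request_log.append(str(exc))
        # "always ok": 204 even though the client never advertised Allow: 204
        return ICAP_NO_MODIFICATION if always_ok else ICAP_BAD_REQUEST
    # A passive monitor never modifies traffic, so 204 is the preferred answer,
    # but only when the client permits it; otherwise it expects 200 plus an echo.
    return ICAP_NO_MODIFICATION if client_allows_204(req) else ICAP_OK


# Constructed sample messages (not captured traffic).
GOOD_REQMOD = (
    b"REQMOD icap://sensor.example/reqmod ICAP/1.0\r\n"
    b"Host: sensor.example\r\n"
    b"Allow: 204\r\n"
    b"Encapsulated: req-hdr=0, null-body=63\r\n"
    b"\r\n"
    b"GET http://www.example.com/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)
# PROPFIND is 8 characters: dropped by the old 7-character limit, parsed now.
WEBDAV_REQMOD = GOOD_REQMOD.replace(b"GET ", b"PROPFIND ").replace(b"null-body=63", b"null-body=68")
# 40-character method and no "Allow: 204": a client that cannot accept 204.
BAD_REQMOD = (
    b"REQMOD icap://sensor.example/reqmod ICAP/1.0\r\n"
    b"Host: sensor.example\r\n"
    b"Encapsulated: req-hdr=0, null-body=55\r\n"
    b"\r\n" + b"X" * 40 + b" / HTTP/1.1\r\n\r\n"
)


def demo() -> dict[str, str]:
    """Run every sample under both policies; results are returned for checking."""
    log: list[str] = []
    result = {
        "good": respond(GOOD_REQMOD),
        "webdav": respond(WEBDAV_REQMOD),
        "bad/strict": respond(BAD_REQMOD, always_ok=False, request_log=log),
        "bad/always_ok": respond(BAD_REQMOD, always_ok=True, request_log=log),
    }
    result["logged"] = " | ".join(log)
    return result


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

The "bad/always_ok" case is the one the warning above is about: the client never advertised Allow: 204, so the 204 it receives is outside the contract it expects, and without RequestLog the malformed request leaves no trace.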
The Header tag controls extended ICAP headers. It tells the ICAP client whether the server supports the named header, which lets you allow or disallow the client sending that header to the server.
The enabled attribute of the Header tag specifies whether support for this header is enabled:
enabled="true" - the header is supported.
enabled="false" - the header is not supported.
If the tag is omitted, the header is assumed to be supported by default.
The name attribute of the Header tag specifies the name of the extended header.
The following extended ICAP headers are supported:
All the headers are assumed to be supported by default (if the Header tags are omitted in the configuration file).
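As an added example (not a configuration file shipped with the product), here is a complete Icap service configuration assembled from the tags described above, with the AlwaysOk setting switched off in contrast to the snippet earlier on this page. The Icap root element follows the "nested within the Icap tag" wording above; the surrounding file layout is assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<Icap>
  <!-- Listen on all interfaces on the standard ICAP port. -->
  <ListenAddress address="0.0.0.0:1344" />
  <Preview enabled="false" size="4096" />
  <!-- Let a client that advertises "Allow: 204" receive 204 replies. -->
  <Allow204 enabled="true" />
  <RawLog enabled="false" path=".\raw-log" />
  <!-- Keep "always ok" off: a 204 to a malformed request hides the fault
       and may be sent to a client that never advertised Allow: 204. -->
  <AlwaysOk enabled="false" />
  <!-- Record ICAP and HTTP protocol errors instead of swallowing them.
       channel must stay ICAP-REQUEST (internal name). -->
  <RequestLog enabled="true" http_enabled="true" channel="ICAP-REQUEST" />
  <!-- Advertise only the extended headers clients are meant to send. -->
  <Header name="X-Client-IP" enabled="true" />
  <Header name="X-Server-IP" enabled="false" />
</Icap>
```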
Captured objects analysis:
[*]Message filtering was made faster.
[+]The following detectors were updated: CV (careerist.ru, hh.ru, job.ru, job50.ru, jobsmarket.ru, rabota.mail.ru, rabotavgorode.ru, superjob.ru, zarplata.ru), facebook.com, livejournal.com, mail.ru, mail.ru-social, mamba.ru, moikrug.ru, meebo.com, myspace.com, odnoklassniki.ru, pochta.ru, smsmms (mts), twitter.com, vkontakte.ru, yandex.ru.
[-]An error was fixed in the URL-encoded check.
[-]An error was fixed in the parsing of the Content-Type MIME header.