Data sources and objects capture
EtherSensor EtherCAP service:
[*]The pssdk6.sys traffic interception driver was changed. The old version sometimes resulted in BSOD.
[*]URI parsing logic was changed in the HTTP protocol parser.
[*]FTP protocol parser was updated: sometimes it resulted in the crash of the ethcapsvc.exe service.
[*]SMTP protocol parser was updated: multiline server responses for the WELCOME and other commands had been processed incorrectly.
[*]TCP connections without proper ending according to RFC are now logged with the "warning" status.
Captured objects analysis:
[*]Recognition validity and processing efficiency for Lotus Notes messages are now higher.
[*]The (CHECK-MESSAGE-ID) message filter condition for message duplicate filtering by the Message-ID field was updated.
[+]The X-Sensor-Lotus-MessageId header is now checked for the LOTUS protocol.
[*]The message filter condition for message filtering by IP addresses was updated. The address check type for "any" addresses was added.
<rule enabled="true">
<match>
<c name="ip"
address="any"
value="10.64.40.24" />
</match>
<action name="drop" />
</rule>
[+]The SAVE RAW DATA action was added to the message filter. This message can be used to save source (original) data of the message.
[+]You can now attach source data to the message:
<rule enabled="1">
<comment>For all HTTP objects save original data.</comment>
<match>
<c name="protocol" value="http" />
</match>
<action name="save-raw-data" value="true" />
</rule>
[+]The following detectors were updated: CV (hh.ru, job50.ru, job.ru, job.ws, jobsmarket.ru, rabotamedikam.ru, rabotavgorode.ru, rabota.mail.ru, rabota.ru, rabota.by, superjob.ru), diary.ru, google.com (Google Hangouts web message interception was added), gorod55, facebook.com, linkedin.com, livejournal.com, loveplanet.ru, mamba.ru, mail.ru, my.mail.ru, mfd.ru, moikrug.ru, pochta.ru, smsmms (mysmsbox.ru, megafon.ru, mts.ru, skylink.ru, tele2.ru, wsms.ru), yandex.ru, yahoo.com, ukr.net, vkontakte.ru, wordpress.com.
[+]Reconstruction of files downloaded in parts over the HTTP protocol was added.
[+]An error was fixed with accidentally switching to demo mode with an active license: module license expiration dates were checked incorrectly.
Delivering analysis results to consumer system:
[+]Message headers now include the current EtherSensor UHID: the X-Sensor-UHID header.
[-]An error was fixed in SMTP transport. Sometimes closed connections were used to send messages to archive.
Logging:
[*]Incorrectly closed TCP connections are now logged with the "warning" status. A special rule is created in the default configuration of the watcher service which logs such messages to a separate file.
<LogRule output="file://capstrange.log"
maxsize="10Mb"
encoding="utf-8"
endline="CR,LF">
<Channel name="CAPMAIN" loglevels="error, warning, criterr" />
</LogRule>
[-]An error was fixed with the calculation of module expiration time in the logging system messages.
[-]An error was fixed with getting the full path to the message log file.
[-]An error was fixed with saving statistics which sometimes resulted in memory leaks.
Configuration console:
[*]mconsole.exe, kppsreport.exe, perfmonitor.exe utilities were integrated into a single EtherSensor management application - mconsole.exe.
[+]The Ctrl+S hotkey was added to save a modified configuration.
[+]All EtherSensor services can now be stopped, started and restarted at once.
[+]A EtherSensor diagnostic report can now be unpacked to a separate directory.
[+]Message and HTTP query filters can now be re-formatted to improve filter readability.
[-]An error was fixed with filter display (incorrect filter encoding).
[-]An error was fixed with getting the full path to the message log file.
[-]An error was fixed with performance counter update.
[-]An error was fixed with license load and display. Sometimes the application crashed.
[-]An error was fixed with saving filefrop profile settings.
News 