Changelog

This page lists the IDSTower release history and highlights the major features and enhancements added in each release.


2.4.1 - (4-9-2023)

Changes:

  • BugFix: Fixed a bug that prevented ET Open feed from importing rules with long metadata fields.

Please follow the Upgrade Guide from v2.4.0 to v2.4.1 to update IDSTower to the latest version.


2.4.0 - (13-3-2023)

Changes:

  • New Feature: You can now add custom indicator of compromise (IOC) feeds, with support for several threat intelligence feed formats, including:

    • MISP Feed: MISP feeds (Exported MISP events as json files).

    • MISP API: MISP Instance API.

    • TAXII/STIX 2.0/2.1: TAXII/STIX server, both version 2.0 and 2.1 are supported.

    • Text: Text based feeds.

    • CSV: CSV based feeds; this lets you import IOCs from virtually any CSV formatted file.

    • JSON: JSON based feeds; this lets you import IOCs from virtually any JSON formatted file. The feature uses JsonPath (JPath) queries to extract IOC values from the feed’s JSON file.

    IDSTower will periodically download IOCs from those feeds and push them to your Suricata Clusters automatically.

  • Improved: Viewing and searching rules and IOCs is significantly faster and uses fewer resources.

  • Improved: IDSTower now downloads, parses & imports feeds faster by utilizing all threads available in the system.

  • Improved: IDSTower can now be configured to ignore TLS errors for specific feeds whose presented TLS certificate is invalid. This helps with feed hosts that use self-signed or expired certificates, including internal ones.

  • Improved: Users can now trigger a feed update manually via Settings->Feeds.

  • Improved: Expired IOCs are now deleted more efficiently.

  • Improved: IDSTower now verifies that IOC types and structure are valid (e.g. that an IOC of type IP is actually a valid IP address).

  • Improved: Feed URLs can now be longer.

  • Improved: Upgrading to new IDSTower versions is easier now that database schemas are migrated automatically.

  • Various other enhancements and bug fixes.

Please follow the Upgrade Guide from v2.3.x to v2.4.0 to update IDSTower to the latest version.
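As an added illustration of the JSON feed extraction and the IOC type/structure validation described in this release (example code, not IDSTower's own; the feed layout, the supported JsonPath subset and the IOC type names are assumptions):

```python
import ipaddress
import json
import re

# Constructed sample feed: the layout is an assumption, not a real IDSTower feed.
SAMPLE_FEED = json.dumps({"data": [
    {"type": "ip", "value": "203.0.113.7"},
    {"type": "ip", "value": "999.1.1.1"},          # invalid: not an IP address
    {"type": "fqdn", "value": "malware.example.net"},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "sha256", "value": "not-a-hash"},      # invalid: wrong length/charset
]})

_FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

def jpath(doc, path):
    """Evaluate a minimal JsonPath subset: '$', '.key' and '[*]' only."""
    nodes = [doc]
    for key, star in re.findall(r"\.([^.\[]+)|\[(\*)\]", path.lstrip("$")):
        nxt = []
        for n in nodes:
            if star and isinstance(n, list):
                nxt.extend(n)
            elif key and isinstance(n, dict) and key in n:
                nxt.append(n[key])
        nodes = nxt
    return nodes

def is_valid_ioc(ioc_type, value):
    """Structure check: reject values that cannot be what their type claims."""
    t = ioc_type.lower()
    if t == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if t == "fqdn":
        return bool(_FQDN_RE.match(value))
    if t in _HASH_LEN:
        return bool(re.fullmatch(r"[0-9a-f]{%d}" % _HASH_LEN[t], value.lower()))
    return False  # unknown type: never push it to the sensors

def import_feed(raw_json, type_path, value_path):
    """Pair up the type/value query results and keep only valid IOCs."""
    doc = json.loads(raw_json)
    pairs = zip(jpath(doc, type_path), jpath(doc, value_path))
    return [(t, v) for t, v in pairs if is_valid_ioc(t, v)]
```

Running `import_feed(SAMPLE_FEED, "$.data[*].type", "$.data[*].value")` keeps three of the five constructed entries; the malformed IP and hash are dropped before anything reaches a Suricata cluster.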


2.3.1 - (10-12-2022)

Changes:

  • Bugfix: This release fixes a regression that caused the suricata process to crash under some conditions on Ubuntu hosts. The issue was caused by an incompatibility between the security hardening settings applied by IDSTower and the suricata packages on Ubuntu. Applying this update is highly recommended to ensure the stability of your suricata deployments.

Please follow the Upgrade Guide from v2.3.0 to v2.3.1 to update IDSTower to the latest version.


2.3.0 - (1-12-2022)

Changes:

  • New Feature: Introducing configuration profiles, a quick & easy way to configure Suricata & Filebeat during cluster install based on tested configuration blueprints. This release adds two configuration profiles for Suricata:

    • IDS mode: configures Suricata in IDS mode.

    • IDS + NSM mode: configures Suricata in IDS mode + NSM (enables the protocol transaction logs).

    and two configuration profiles for the logshipper (filebeat):

    • send events to ElasticSearch: configures filebeat to send suricata events to an ElasticSearch cluster and automatically sets up the ElasticSearch index template for Suricata.

    • send events to Logstash: configures filebeat to send suricata events to Logstash hosts.

    As always, you can fully control the configuration via the IDSTower UI. These new configuration profiles are only available for newly created clusters.

    In upcoming releases of IDSTower we will allow existing clusters to be upgraded to the new configuration profiles, to make managing configurations and new features easier.

    Moreover, we will also release more configuration profiles covering Suricata in IPS mode, filebeat to Kafka, etc., so stay tuned!

  • New Feature: Automatically clean up & remove expired indicators (IOCs) from the database to free resources. This feature is enabled by default and removes IOCs that expired 6 weeks ago; you can disable this behavior or configure how long IOCs are kept after expiry in the IDSTower UI –> Settings –> Indicators page.

  • New Feature: control Suricata threshold.config, classification.config & reference.config from IDSTower UI.

  • New Feature: added support for Ubuntu 22 (Jammy Jellyfish).

  • Improved: Improved the heuristics algorithm used to set the Target Keyword value in transformed IDS rules.

  • Improved: Handle the misclassification of some of the published IOCs in ThreatFox Feed.

  • Improved: Allow more characters in network interfaces names.

  • Improved: Suricata hosts will now check for rules/IOCs updates more frequently (every 5 minutes).

  • Improved: Added a title attribute to indicator values so the full value is shown when the displayed value is trimmed.

  • Improved: MD5/hash indicators are now looked up on VirusTotal instead of Google.

  • Bugfix: On Configuration refresh/update, rules/IOCs files on Suricata hosts will be kept at their latest version.

  • Bugfix: When you upgrade the IDSTower package on Ubuntu, appsettings.json won’t be overwritten.

  • Bugfix: Fixed a bug on UI where interface names will overflow each other when you attempt to change monitored interfaces.

  • Bugfix: When deleting expired indicators with “all indicators” selected, the backend returned an error asking for a type filter as if it were required.

  • Various other bug fixes and improvements.

Please follow the Upgrade Guide from v2.2.0 to v2.3.0 to update IDSTower to the latest version.


2.2.0 - (3-6-2022)

Changes:

  • Enterprise Feature: Added an AWS Connector, which lets you set up periodic export of IDS rules & indicators to AWS Network Firewall as stateful rule groups. This means you can now use IDSTower to manage your AWS Network Firewall Suricata-compatible rules; expect more connectors in the future!

  • Feature: Users can now easily change the monitored interfaces on Suricata hosts.

  • Feature: Rules Management UI now supports searching & filtering using Rules Tags.

  • Feature: Rule Action Override. Users can now easily override the rule action (e.g. alert, drop, etc.) without having to edit the rule source; IDSTower applies the override when rules are sent to Suricata hosts or exported to AWS. You can also set the action for multiple rules at once (bulk change) via the Rules Management UI->Rules Actions dropdown menu, and you can enable/disable this behavior via Settings, as with the other overrides.

  • Feature: Indicators Management UI now supports searching & Filtering Indicators by indicator type (eg: FQDN, IP…etc).

  • Improved: Importing/parsing/transforming IDS rules is now faster by utilizing all available threads in the system.

  • Improved: Rule category is carried over to new rule revisions automatically: categorize the rules as you wish and IDSTower will assign new revisions of the same rule to the same category.

  • Improved: Rules & Indicators search performance has been improved by adding more indexes!

  • Bugfix: updated host heartbeat script to fix a bug that prevents heartbeats from being sent when monitoring more than one interface.

  • Bugfix: updated suricata.yaml template to correctly set cluster-id when monitoring more than one interface.

  • Various other bug fixes and improvements.

Please follow the Upgrade Guide from v2.1.0 to v2.2.0 to update IDSTower to the latest version.


2.1.0 - (3-10-2021)

Changes:

  • Feature: Now you can add a custom IDS Rules Feed, with various authentication modes supported.

  • Feature: Now you can do bulk actions on all IDS rules and IOCs in IDSTower.

  • Feature: IDSTower is now available as RPM and DEB packages, and a repository is available for both.

  • Various other bug fixes and improvements.

Please make sure to do a config refresh after upgrading to this version, so that the IDS hosts' configuration files are updated to the latest version. You can do this via Cluster->Hosts->Hosts Actions->All Hosts->Refresh stale config.


2.0.2 - (10-8-2021)

Changes:

  • Feature: HTTPS certificate setup; please follow the guide on Configuring HTTPS on IDSTower.

  • Feature: Added support for AWS Amazon Linux 2, now you can install IDSTower on AWS Amazon Linux 2 VMs.

  • BugFix: Fixed an issue with indicators update.

  • Various other bug fixes and improvements.

Please make sure to do a config refresh after upgrading to this version, so that the IDS hosts' configuration files are updated to the latest version. You can do this via Cluster->Hosts->Hosts Actions->All Hosts->Refresh stale config.


2.0.1 - (14-7-2021)

Changes:

  • Feature: Added the ability to do an all-in-one install; you can now deploy Suricata to the same host running IDSTower.

  • BugFix: Fixed an issue with Ubuntu 18 with old ansible versions.

  • Various other bug fixes and improvements.


2.0.0 - (19-6-2021)

Changes:

  • Major release with new features & significant improvements.

  • Suricata is now auto-configured to alert on indicators of compromise, including malicious IPs, domains & hashes, using the IPRep & DataRep features of Suricata.

  • Out-of-the-box integration with 14 threat intelligence feeds (free & commercial) that cover both IDS rules & indicators of compromise (IOCs), with total control over update frequency, assigned score & auto-expiry date.

  • Easy-To-Use Indicators Management Interface, with integrated references to investigation tools like VirusTotal, IpInfo & SecurityTrails.

  • Complete IOCs Life-Cycle Management, covering ingestion from feeds, scoring, auto-deployment & auto-expiry, with manual control when needed.

  • Rule & IOC changes are automatically pushed to Suricata hosts, and the Suricata service auto-reloads rules when changes are detected.

  • Full control over rules transformation settings: you can now enable/disable specific transformations.

  • Rules Transformation option to set Rule Target Keyword using Heuristics.

  • Rules Transformation option to replace the $EXTERNAL_NET rule variable with “any” to extend rule coverage to lateral movement within your network.

  • Rules Transformation options to add IDSTower Rule ID, IDSTower Rule URL, user added tags & other information to rules metadata keyword for more contextualized alerts!

  • Full control over indicator alerting settings: enable/disable alerting on malicious IPs, domains & files.

  • User Management Interface to add/remove/enable/disable users.

  • The Built-in Packages repository (for offline deployment) is now offered as a separate package to allow it to be independently updated.

  • Various other bug fixes and improvements.

  • To upgrade from version 1.0.x to this version, please follow the Upgrade Guide from v1.0.x to v2.0.0.
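The rule transformations listed above (action override from 2.2.0, the $EXTERNAL_NET replacement and the metadata enrichment from 2.0.0) operate on the standard single-line Suricata rule syntax. The following is an added example of how such toggleable transformations can be applied, not IDSTower's own code; the sample rule and the metadata key names (such as idstower_rule_id) are constructed assumptions:

```python
import re

# Splits a Suricata rule into "action", "proto src sport dir dst dport" and the
# option list between the outer parentheses.
_RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$")

# Constructed sample rule; sid 9000001 is in the local rule range.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 445 '
               '(msg:"Sample SMB rule"; sid:9000001; rev:1;)')

def transform_rule(rule, action_override=None, external_net_any=False,
                   metadata=None):
    """Apply each transformation only when its toggle is set.

    metadata: dict of key -> value appended to the rule's metadata keyword
    (key names such as 'idstower_rule_id' are assumptions for this example).
    """
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("not a single-line Suricata rule: %r" % rule)
    action, header, options = m.group("action", "header", "options")
    if action_override:                      # e.g. turn "alert" into "drop"
        action = action_override
    if external_net_any:                     # widen to cover lateral movement
        header = re.sub(r"\$EXTERNAL_NET\b", "any", header)
    if metadata:
        extra = ", ".join("%s %s" % (k, v) for k, v in metadata.items())
        md = re.search(r"metadata:\s*([^;]*);", options)
        if md:                               # merge into the existing keyword
            options = (options[:md.start(1)] + md.group(1).rstrip() + ", "
                       + extra + options[md.end(1):])
        else:                                # otherwise append a new keyword
            options = options.rstrip().rstrip(";") + "; metadata: " + extra + ";"
    return "%s %s (%s)" % (action, header.strip(), options)
```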


1.0.2 - (11-4-2021)

Changes:

  • Now you can force remove a cluster even when hosts are unresponsive.

  • Improved how the UI handles redirection.

  • Various other bug fixes and improvements.


1.0.1 - (16-2-2021)

Changes:

  • Added support to deploy & manage Suricata on Ubuntu 18.04 (Bionic) and Ubuntu 20.04 (Focal).

  • Added all packages necessary to deploy Suricata to an offline cluster.

  • Various bug fixes and improvements.


1.0.0 - (29-1-2021)

Changes:

  • Initial public release.