Protocols, Smart Polling, and Arc
A list of the improvements for Protocols, Smart Polling and Arc that have been introduced in this release.
- A new "Deployment Settings" tab is available under the Arc menu to set the default configuration for downloaded or deployed Arc sensors.
- Fixed an issue where a valid dynamic host configuration protocol (DHCP) packet would cause a false positive alert of type SIGN:MALFORMED-TRAFFIC.
- Various changes have been applied to the Lua SDK to define custom scriptable protocols. Scriptable protocols can now be defined as extensions to built-in protocols. The sessions application programming interface (API) has been extended. The support for logging error messages has been improved. The scriptable protocols can now set function codes both numerically and with textual descriptions. The scriptable protocols can now leverage multithreading. The RtuId object has been renamed to Namespace. A safety mechanism has been introduced, which denies the execution of scriptable protocols if the intrusion detection system (IDS) process has crashed repeatedly. Refer to the documentation for more information.
- Protocol configuration lines ("probe") will be stored in the configuration when sent via the command-line interface (CLI) but their effect is deferred until the restart of the IDS.
- The Smart Polling activity log now displays IPv6 addresses in a cleaner way.
- Improved the accuracy for DNS links tagging.
- The asset view now shows add-on badges indicating to users whether a specific add-on has enriched or could possibly enrich the asset. Specific asset fields named is_ai_enriched, is_arc_enriched, is_sp_enriched, and is_ti_enriched are introduced to support the badges. These can be read through queries and can be used to build aggregated statistics.
- Nodes affected by the check_multiple_macs_same_ip feature are no longer unintentionally kept alive by certain kinds of packets, such as address resolution protocol (ARP) messages.
- Arc is now deployed under /usr/local/sbin on Linux and macOS hosts, enabling support for Red Hat Enterprise Linux 9.3.