Changelog

This page lists the IDSTower release history and highlights the major features and enhancements added in each release.


2.5.3 - (14-2-2024)

Changes:

  • New Feature: Users can now choose between major Suricata/Filebeat versions when deploying a new cluster; note that Suricata 7 packages are not published for older OS versions.

  • New Feature: Added support for Ubuntu 23.04/23.10, Debian 10.8/11.4/12.1, CentOS Stream 9, Rocky Linux/AlmaLinux 8/9, plus generic Linux support.

  • Improved: Improved how packages in built-in and user-custom repositories are discovered.

  • Improved: MariaDB is no longer a dependency of the IDSTower RPM/DEB packages, so users can point IDSTower at a remote MariaDB instance if needed (local installs must now install MariaDB themselves).

  • Improved: Error messages are now more descriptive.

  • Improved: The cluster installation process is now faster and more robust.

  • BugFix: On IDSTower package installation, the IDSTower service is only stopped if it is actually running.

  • Deprecated: Removed support for RHEL 7/CentOS 7/AWS Linux 2.

  • Deprecated: The minimum supported MariaDB version is now 10.6; older versions still work, but we encourage users to upgrade to the LTS version.

  • Various other enhancements and bug fixes.

Please Follow the Upgrade Guide from v2.5.2 to v2.5.3 to update IDSTower to the latest version.


2.5.2 - (6-12-2023)

Changes:

  • New Feature: ARM64 architecture support.

  • Improved: Improved the speed of Bulk action on Rules & IOCs.

  • Improved: Improved the speed & memory usage on Rules & IOCs feeds import.

  • Improved: You can now set a custom config file path/name for IDSTower via the --config/-c command line argument.

  • Various other enhancements and bug fixes.

Please Follow the Upgrade Guide from v2.5.1 to v2.5.2 to update IDSTower to the latest version.


2.5.1 - (15-10-2023)

Changes:

  • BugFix: Fixed a simple regression in the IOCs Export UI.

Please Follow the Upgrade Guide from v2.5.0 to v2.5.1 to update IDSTower to the latest version.


2.5.0 - (14-10-2023)

Changes:

  • New Feature (Pro): Rules & IOCs exports: you can now export IDSTower-managed rules & IOCs to other systems such as Suricata, Suricata-Update, OPNsense, etc. via simple URLs.

    You can export the data in various formats, including: text, STIX 2.1, Suricata DataSet, DataRep, and IOCs rendered as Suricata IDS rules.

    This feature also includes comprehensive filtering so you export only the data you need. It is available in IDSTower Professional Edition.

  • New Feature: Rewrote and improved the IDSTower agents on Suricata hosts. The agents are now more robust, reliable and efficient, and they produce more logs to help with troubleshooting; run crontab -l on your Suricata hosts to see the new agents.

  • New Feature: Added a log deletion script that runs periodically to delete old Suricata events/logs and keep disk usage under control; run crontab -l on your Suricata hosts to see the new script. By default it deletes data until disk utilization is under 50%. Deleted local files are not recoverable, so make sure Filebeat has shipped the events you want to keep before they age out.

  • Improved: IDSTower now automatically installs missing binaries on Suricata hosts, including cron, curl, etc.

  • Various other enhancements and bug fixes.

Please Follow the Upgrade Guide from v2.4.x to v2.5.0 to update IDSTower to the latest version.
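To make the export formats above concrete, here is an added Python example (not IDSTower's code) that renders a small constructed IOC set as Suricata rules, a string dataset, a datarep file and a hash list, with a filter step in front. The IOC records, ids and scores are invented, the idstower_* metadata keys are hypothetical, and the generated rules assume a Suricata release that supports the dns.query sticky buffer and endswith (5.0 or later).

```python
import base64

# Constructed IOC set standing in for what an export URL would serve; addresses and
# domains come from documentation/reserved ranges, and the ids and scores are made up.
IOCS = [
    {'id': 101, 'type': 'ip',     'value': '203.0.113.7',         'score': 90},
    {'id': 102, 'type': 'ip',     'value': '2001:db8::bad',       'score': 70},
    {'id': 103, 'type': 'domain', 'value': 'bad.example.invalid', 'score': 80},
    {'id': 104, 'type': 'sha256', 'score': 60,
     'value': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'},
]


def select(iocs, types=None, min_score=None):
    """Filter step: export only the indicator types and confidence you need."""
    return [i for i in iocs
            if (types is None or i['type'] in types)
            and (min_score is None or i['score'] >= min_score)]


def escape_content(value):
    """Escape characters that are special inside Suricata content/msg strings."""
    value = value.replace('\\', '\\\\').replace('"', '\\"').replace(';', '\\;')
    return value.replace('|', '|7C|')   # a literal pipe is written as its hex byte


def ioc_to_rule(ioc, sid, rev=1):
    """Render one IP or domain IOC as a Suricata rule; hashes are better served as a list."""
    meta = f'metadata:idstower_ioc_id {ioc["id"]}, idstower_score {ioc["score"]};'
    value = escape_content(ioc['value'])
    if ioc['type'] == 'ip':
        # bracket IPv6 literals so the colons are not taken for a port separator;
        # <> matches traffic to and from the address
        addr = f'[{ioc["value"]}]' if ':' in ioc['value'] else ioc['value']
        return (f'alert ip any any <> {addr} any (msg:"IDSTower IOC ip {value}"; '
                f'sid:{sid}; rev:{rev}; {meta})')
    if ioc['type'] == 'domain':
        # endswith also catches subdomains (and any name ending in this string);
        # use bsize:<len> instead for an exact match
        return (f'alert dns any any -> any any (msg:"IDSTower IOC domain {value}"; '
                f'dns.query; content:"{value}"; nocase; endswith; sid:{sid}; rev:{rev}; {meta})')
    return None


def to_rules(iocs, base_sid):
    """Assign sids from a reserved range in a stable order so re-exports do not churn them."""
    rules, sid = [], base_sid
    for ioc in sorted(iocs, key=lambda i: i['id']):
        rule = ioc_to_rule(ioc, sid)
        if rule:
            rules.append(rule)
            sid += 1
    return rules


def to_dataset(values):
    """Suricata dataset file for type 'string': one base64-encoded value per line."""
    return [base64.b64encode(v.encode()).decode() for v in values]


def to_datarep(iocs):
    """Datarep file: '<base64 value>,<reputation>', usable with datarep:<name>,>=,<score>."""
    return [f'{base64.b64encode(i["value"].encode()).decode()},{i["score"]}' for i in iocs]


def to_hash_list(iocs, algo):
    """Plain hex list for the filemd5/filesha1/filesha256 keywords."""
    return [i['value'].lower() for i in iocs if i['type'] == algo]


if __name__ == '__main__':
    print('\n'.join(to_rules(select(IOCS, min_score=70), base_sid=5000000)))
    print('\n'.join(to_datarep(select(IOCS, types={'domain'}))))
    print('\n'.join(to_hash_list(IOCS, 'sha256')))
```

Keeping the sid range reserved and the ordering stable matters: if sids move between exports, Suricata's rule reload treats them as new rules and any sid-based thresholds or suppressions stop matching.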


2.4.1 - (4-9-2023)

Changes:

  • BugFix: Fixed a bug that prevented ET Open feed from importing rules with long metadata fields.

Please Follow the Upgrade Guide from v2.4.0 to v2.4.1 to update IDSTower to the latest version.


2.4.0 - (13-3-2023)

Changes:

  • New Feature: You are now able to add custom indicators of compromise (IOCs) feeds with support for various Threat Intelligence Feeds formats, including:

    • MISP Feed: MISP feeds (Exported MISP events as json files).

    • MISP API: MISP Instance API.

    • TAXII/STIX 2.0/2.1: TAXII/STIX server, both version 2.0 and 2.1 are supported.

    • Text: Text based feeds.

    • CSV: CSV based feeds, this allows you to import IOCs from virtually any CSV formatted file.

    • JSON: JSON based feeds, this allows you to import IOCs from virtually any JSON formatted file; JsonPath queries (JPath) are used to extract the IOC values from the feed's JSON.

    IDSTower will periodically download IOCs from those feeds and push them to your Suricata Clusters automatically.

  • Improved: Viewing and searching rules and IOCs is significantly faster and uses fewer resources.

  • Improved: IDSTower now downloads, parses & imports feeds faster by utilizing all threads available in the system.

  • Improved: IDSTower can now be configured to ignore TLS errors for specific feeds whose presented certificate is invalid; this helps with feed hosts using self-signed or expired certificates, including internal ones. Note that skipping certificate validation means the feed content is no longer authenticated in transit, so limit this to feeds you control and prefer trusting your internal CA where possible.

  • Improved: Users can now trigger a feed update manually via Settings->Feeds.

  • Improved: Expired IOCs are now deleted more efficiently.

  • Improved: IDSTower now verifies that IOC types and structure are valid (e.g. an IOC of type IP must be a valid IP address).

  • Improved: You can now use longer feed URLs.

  • Improved: Upgrading to new IDSTower versions is easier now that database schemas are migrated automatically.

  • Various other enhancements and bug fixes.

Please Follow the Upgrade Guide from v2.3.x to v2.4.0 to update IDSTower to the latest version.
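The JSON feed import and the IOC structure checks described above, as an added Python example (not IDSTower's implementation): a small JsonPath-subset evaluator pulls records out of a constructed feed document, and each indicator is validated against its declared type before it is accepted. The feed content, the FEED_MAPPING paths and the validation rules are assumptions for illustration; the evaluator covers only `$`, `.name`, `[*]` and `[n]`, a full JsonPath engine supports more.

```python
import ipaddress
import json
import re

# Constructed feed document (not a real threat intel source). The mapping below is a
# hypothetical stand-in for the JsonPath settings a feed definition would carry.
SAMPLE_FEED = json.loads('''{
  "meta": {"generated": "2023-03-13"},
  "data": [
    {"type": "ip",     "indicator": "203.0.113.7"},
    {"type": "ip",     "indicator": "203.0.113.999"},
    {"type": "domain", "indicator": "bad.example.invalid"},
    {"type": "domain", "indicator": "not a domain"},
    {"type": "sha256", "indicator": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "md5",    "indicator": "XYZ"}
  ]
}''')

FEED_MAPPING = {'items': '$.data[*]', 'type': '$.type', 'value': '$.indicator'}

# Minimal JsonPath subset: $ root, .name child access, [*] every element, [n] one element.
PATH_TOKEN = re.compile(r'\.([A-Za-z_][A-Za-z0-9_-]*)|\[(\*|\d+)\]')


def jsonpath(doc, path):
    """Return the list of nodes matched by `path` (JsonPath subset) in `doc`."""
    if not path.startswith('$'):
        raise ValueError('path must start with $')
    nodes, pos = [doc], 1
    while pos < len(path):
        m = PATH_TOKEN.match(path, pos)
        if not m:
            raise ValueError(f'unsupported path syntax at offset {pos}: {path!r}')
        pos = m.end()
        name, index = m.group(1), m.group(2)
        matched = []
        for node in nodes:
            if name is not None:
                if isinstance(node, dict) and name in node:
                    matched.append(node[name])
            elif index == '*':
                if isinstance(node, list):
                    matched.extend(node)
            elif isinstance(node, list) and int(index) < len(node):
                matched.append(node[int(index)])
        nodes = matched
    return nodes


# Structural checks mirroring "an IOC of type IP must be a valid IP address".
DOMAIN_RE = re.compile(
    r'^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$', re.IGNORECASE)
HASH_LENGTHS = {'md5': 32, 'sha1': 40, 'sha256': 64}


def validate_ioc(ioc_type, value):
    """True if `value` is structurally valid for `ioc_type`; unknown types are refused."""
    value = value.strip()
    if ioc_type == 'ip':
        try:
            ipaddress.ip_address(value)   # IPv4 or IPv6; rejects 203.0.113.999
            return True
        except ValueError:
            return False
    if ioc_type == 'domain':
        return DOMAIN_RE.match(value) is not None
    if ioc_type in HASH_LENGTHS:
        return (len(value) == HASH_LENGTHS[ioc_type]
                and all(c in '0123456789abcdef' for c in value.lower()))
    return False   # never push an indicator of a type we cannot check to the sensors


def import_feed(doc, mapping):
    """Extract (type, value) pairs via the mapping's paths; return (accepted, rejected)."""
    accepted, rejected = [], []
    for item in jsonpath(doc, mapping['items']):
        types = jsonpath(item, mapping['type'])
        values = jsonpath(item, mapping['value'])
        if len(types) != 1 or len(values) != 1 or not isinstance(values[0], str):
            rejected.append((item, 'type/value path did not resolve to one string'))
            continue
        ioc_type, value = str(types[0]).lower(), values[0].strip()
        if validate_ioc(ioc_type, value):
            accepted.append((ioc_type, value))
        else:
            rejected.append((item, f'invalid {ioc_type} value {value!r}'))
    return accepted, rejected


if __name__ == '__main__':
    ok, bad = import_feed(SAMPLE_FEED, FEED_MAPPING)
    print('accepted:', ok)
    for item, reason in bad:
        print('rejected:', item, '->', reason)
```

Rejecting malformed entries at import time is what keeps a single bad feed record from breaking an iprep or dataset file on every Suricata host.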


2.3.1 - (10-12-2022)

Changes:

  • Bugfix: This release fixes a regression that caused the Suricata process to crash under some conditions on Ubuntu hosts. The issue was caused by an incompatibility between the security hardening settings applied by IDSTower and the Suricata packages on Ubuntu; it is highly recommended to apply this update to ensure the stability of your Suricata deployments.

Please Follow the Upgrade Guide from v2.3.0 to v2.3.1 to update IDSTower to the latest version.


2.3.0 - (1-12-2022)

Changes:

  • New Feature: Introducing configuration profiles, a quick & easy way to configure Suricata & Filebeat during cluster install based on tested configuration blueprints. In this release we added two configuration profiles for Suricata:

    • IDS mode: configures Suricata in IDS mode.

    • IDS + NSM mode: configures Suricata in IDS mode + NSM (enables the protocol transaction logs).

    and two configuration profiles for the log shipper (Filebeat):

    • send events to ElasticSearch: configures Filebeat to send Suricata events to an ElasticSearch cluster and automatically sets up the ElasticSearch index template for Suricata.

    • send events to Logstash: configures Filebeat to send Suricata events to Logstash hosts.

    As always, you can fully control the configuration via the IDSTower UI; these configuration profiles are only available for newly created clusters.

    In the coming releases of IDSTower we will allow existing clusters to be upgraded to the new configuration profiles to allow easier management of configurations and new features.

    Moreover, we will also release more configuration profiles covering Suricata in IPS mode, Filebeat to Kafka, etc., so stay tuned!

  • New Feature: Automatically clean up & remove expired indicators (IOCs) from the database to free resources. This feature is enabled by default and removes IOCs that expired 6 weeks ago; you can disable this behaviour or configure how long IOCs are kept after expiry in IDSTower UI -> Settings -> Indicators page.

  • New Feature: control Suricata threshold.config, classification.config & reference.config from IDSTower UI.

  • New Feature: added support for Ubuntu 22 (Jammy Jellyfish).

  • Improved: Improved the heuristics algorithm used to set the Target Keyword value in transformed IDS rules.

  • Improved: Handle the misclassification of some of the published IOCs in ThreatFox Feed.

  • Improved: Allow more characters in network interfaces names.

  • Improved: Suricata hosts will now check for rules/IOCs updates more frequently (every 5 minutes).

  • Improved: Add a title for indicator value so it gets shown in full if displayed value is trimmed.

  • Improved: Search md5/hash attributes using VirusTotal instead of Google.

  • Bugfix: On Configuration refresh/update, rules/IOCs files on Suricata hosts will be kept at their latest version.

  • Bugfix: When you upgrade the IDSTower package on Ubuntu, appsettings.json won't be overwritten.

  • Bugfix: Fixed a bug on UI where interface names will overflow each other when you attempt to change monitored interfaces.

  • Bugfix: When attempting to delete expired indicators with "all indicators" selected, the backend returned an error asking for a type filter as if it were required.

  • Various other bug fixes and improvements.

Please Follow the Upgrade Guide from v2.2.0 to v2.3.0 to update IDSTower to the latest version.


2.2.0 - (3-6-2022)

Changes:

  • Enterprise Feature: Added an AWS Connector that lets you set up periodic export of IDS rules & indicators to AWS Network Firewall as stateful rule groups. This means you can now use IDSTower to manage your Suricata-compatible AWS Network Firewall rules; expect more connectors in the future!

  • Feature: Allow users to change the monitored interfaces easily on Suricata hosts.

  • Feature: The Rules Management UI now supports searching & filtering using rule tags.

  • Feature: Rule Action Override. Users can now override a rule's action (e.g. alert, drop) without editing the rule source; IDSTower applies the override when rules are sent to Suricata hosts or exported to AWS. You can also set the action for multiple rules at once (bulk change) via the Rules Management UI -> Rules Actions dropdown menu, and you can enable/disable this behaviour via Settings, as with the other Overrides.

  • Feature: The Indicators Management UI now supports searching & filtering indicators by indicator type (e.g. FQDN, IP).

  • Improved: Importing/parsing/transforming IDS rules is now faster by utilizing all available threads in the system.

  • Improved: Rule categories are carried over to new rule revisions automatically: categorize the rules as you wish and IDSTower will assign new revisions of the same rule to the same category.

  • Improved: Rules & Indicators search performance has been improved by adding more indexes!

  • Bugfix: updated host heartbeat script to fix a bug that prevents heartbeats from being sent when monitoring more than one interface.

  • Bugfix: updated suricata.yaml template to correctly set cluster-id when monitoring more than one interface.

  • Various other bug fixes and improvements.

Please Follow the Upgrade Guide from v2.1.0 to v2.2.0 to update IDSTower to the latest version.


2.1.0 - (3-10-2021)

Changes:

  • Feature: Now you can add a custom IDS Rules Feed, with various authentication modes supported.

  • Feature: Now you can do bulk actions on all IDS rules and IOCs in IDSTower.

  • Feature: IDSTower is now available as RPM and DEB packages, with a repository for each.

  • Various other bug fixes and improvements.

Please make sure to do a config refresh after upgrading to this version to update IDS Hosts configuration files to the latest version, you can do this via Cluster->Hosts->Hosts Actions->All Hosts->Refresh stale config


2.0.2 - (10-8-2021)

Changes:

  • Feature: HTTPS certificate setup; please follow the guide on configuring HTTPS on IDSTower.

  • Feature: Added support for AWS Amazon Linux 2, so you can now install IDSTower on Amazon Linux 2 VMs.

  • BugFix: Fixed an issue with indicators update.

  • Various other bug fixes and improvements

Please make sure to do a config refresh after upgrading to this version to update IDS Hosts configuration files to the latest version, you can do this via Cluster->Hosts->Hosts Actions->All Hosts->Refresh stale config


2.0.1 - (14-7-2021)

Changes:

  • Feature: Added the ability to do an all-in-one install; you can now deploy Suricata to the same host running IDSTower.

  • BugFix: Fixed an issue with Ubuntu 18 with old ansible versions.

  • Various other bug fixes and improvements.


2.0.0 - (19-6-2021)

Changes:

  • Major release with new features & significant improvements.

  • Suricata is now auto-configured to alert on indicators of compromise, including malicious IPs, domains & hashes, using the IPRep & DataRep features of Suricata.

  • Out-of-the-box integration with 14 Threat Intelligence feeds (free & commercial) covering both IDS rules & indicators of compromise (IOCs), with total control over update frequency, assigned score & auto-expiry date.

  • Easy-To-Use Indicators Management Interface, with integrated references to investigation tools like VirusTotal, IpInfo & SecurityTrails.

  • Complete IOCs Life-Cycle Management, covering ingestion from feeds, scoring, auto-deployment & auto-expiry, with manual control when needed.

  • Rules & IOCs changes are automatically pushed to Suricata Hosts & Suricata service auto-reload rules when changes detected.

  • Full Control on Rules Transformation settings, you can now enable/disable specific Transformations.

  • Rules Transformation option to set Rule Target Keyword using Heuristics.

  • Rules Transformation option to replace the $EXTERNAL_NET rule variable with "any" to expand rule detection to cover lateral movement in your network. Expect a higher alert volume, since the rules then also fire on internal-to-internal traffic.

  • Rules Transformation options to add IDSTower Rule ID, IDSTower Rule URL, user added tags & other information to rules metadata keyword for more contextualized alerts!

  • Full Control on Indicators Alerting settings, Enable/Disable alerting on Malicious IPs, Domains & Files.

  • User Management Interface to add/remove/enable/disable users.

  • The Built-in Packages repository (for offline deployment) is now offered as a separate package to allow it to be independently updated.

  • Various other bug fixes and improvements.

  • To upgrade from version 1.0.x to this version, please follow Upgrade Guide from v1.0.x to v2.0.0
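The rule transformations listed above (action override from release 2.2.0, the target heuristic, the $EXTERNAL_NET replacement and metadata enrichment), as an added Python example rather than IDSTower's code. The sample rules are constructed, the target heuristic is a hypothetical stand-in for IDSTower's own, and the idstower_rule_id metadata key is an assumption. The example also shows an ordering detail: the target must be decided from the original header before $EXTERNAL_NET is rewritten to any, otherwise the heuristic has nothing to go on.

```python
import re

# Constructed sample rules in ET-Open style; they are illustrations, not real signatures.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE SMB probe"; '
    'flow:to_server; sid:9000001; rev:2; metadata:created_at 2021_01_01;)',
    'alert dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"SAMPLE DNS lookup"; '
    'dns.query; content:"example.invalid"; sid:9000002; rev:1;)',
    '# comment and blank lines pass through untouched',
]

# <action> <proto> <src> <sport> <dir> <dst> <dport> (<options>)
RULE_RE = re.compile(r'^(?P<action>[a-z]+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$')
META_RE = re.compile(r'metadata:\s*([^;]*);')
TARGET_RE = re.compile(r'\btarget:\s*(?:src_ip|dest_ip)\s*;')


def parse_rule(line):
    """Split a rule into (action, header, options); return None for comments/blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return None
    m = RULE_RE.match(stripped)
    if not m:
        raise ValueError(f'unparseable rule: {line!r}')
    return m.group('action'), m.group('header'), m.group('options')


def guess_target(header):
    """Hypothetical target heuristic (IDSTower's own is not documented on this page):
    inbound $EXTERNAL_NET -> $HOME_NET means the destination is the victim,
    outbound $HOME_NET -> $EXTERNAL_NET means the source is the victim."""
    parts = header.split()
    if len(parts) != 6 or parts[3] != '->':
        return None
    src, dst = parts[1], parts[4]
    if src == '$EXTERNAL_NET' and dst == '$HOME_NET':
        return 'dest_ip'
    if src == '$HOME_NET' and dst == '$EXTERNAL_NET':
        return 'src_ip'
    return None


def add_metadata(options, extra):
    """Append key/value pairs to the rule's metadata keyword, creating it if absent."""
    pairs = ', '.join(f'{k} {v}' for k, v in extra.items())
    m = META_RE.search(options)
    if m:
        merged = m.group(1).strip() + ', ' + pairs
        return options[:m.start()] + f'metadata:{merged};' + options[m.end():]
    return options.rstrip() + f' metadata:{pairs};'


def transform(line, action=None, external_net_any=False, set_target=False, extra_metadata=None):
    """Apply the selected transformations to one rule line; each one is independently switchable."""
    parsed = parse_rule(line)
    if parsed is None:
        return line
    act, header, options = parsed
    if action:
        act = action                      # action override, e.g. alert -> drop
    if set_target and not TARGET_RE.search(options):
        target = guess_target(header)     # decided on the ORIGINAL header, before variables change
        if target:
            options = options.rstrip() + f' target:{target};'
    if external_net_any:
        header = header.replace('$EXTERNAL_NET', 'any')   # also cover east-west traffic
    if extra_metadata:
        options = add_metadata(options, extra_metadata)
    return f'{act} {header} ({options})'


def transform_all(lines, **settings):
    return [transform(line, **settings) for line in lines]


if __name__ == '__main__':
    for rule in transform_all(SAMPLE_RULES, action='drop', external_net_any=True,
                              set_target=True, extra_metadata={'idstower_rule_id': '42'}):
        print(rule)
```

A drop action only blocks when Suricata runs in IPS mode; in IDS mode it behaves like alert, so the override is harmless to enable but only meaningful once the sensor is inline.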


1.0.2 - (11-4-2021)

Changes:

  • Now you can force remove a cluster even when hosts are unresponsive.

  • Improved how the UI handles redirection.

  • Various other bug fixes and improvements.


1.0.1 - (16-2-2021)

Changes:

  • Added support to deploy & manage Suricata on Ubuntu 18.04 (Bionic) and Ubuntu 20.04 (Focal).

  • Added all packages necessary to deploy Suricata to an offline cluster.

  • Various bug fixes and improvements.


1.0.0 - (29-1-2021)

Changes:

  • Initial public release.