December 21, 2020

Upgrade Considerations

For upgrade considerations for this NetMon release, see Upgrade NetMon.

New Features

No new features were added in this release.

Improvements

Description | Feature | Release Notes

ProbeReader Restart Improvements | N/A

Explanation: Previously, ProbeReader modified network interface settings by default upon startup, even if settings had not changed. Now, ProbeReader checks network configuration upon startup and only applies ifcfg network settings if changes have occurred.

Benefit: ProbeReader can now restart without modifying network interfaces by default, which was both time-consuming and a potential point of risk.

RPM Package Upgrades | Third-Party License Acknowledgments

Explanation: PHP has been upgraded to 7.3.25. CentOS kernel and third-party RPM packages have also been upgraded.

Benefit: These package upgrades mitigate security vulnerabilities.

Additional Application Classifications | NetMon Supported Applications

Explanation: An additional 94 applications have been classified, and there are now 3,754 applications classified in NetMon. New additions include Airbnb, Uber Eats, and Disney+, among other applications.

Benefit: Customers can now identify even more applications and more reliably differentiate known traffic from suspicious traffic.

Deprecated Features

No features were deprecated in this release.

Resolved Issues

Bug # | Description

DE282

The React code has been modified to properly handle names with trailing whitespace.

DE10168

The licenseserver process is now managed by systemd and linked to cassandra, so that when cassandra restarts, licenseserver also restarts.

DE10303

“ECDHE-RSA-AES256-SHA384” has been added to SSL ciphers accepted by nginx on NetMon.

DE10318

The NetMon User Guide and API documentation have been updated with more detail about Admin and Analyst roles, including noting which API routes are admin-only.

DE10354

The Discover page now uses the network_* pattern instead of the events_* index pattern, as in other dashboards and visualizations.

DE11061

The Flow_SMTPDomainMismatch rule no longer throws an error related to a nil/empty sender_domain field.

DE11170

The application capture list has been updated to match all application classifications.

DE11195

PHP has been upgraded to 7.3.25, addressing known security vulnerabilities.

DE11200

Changes are now properly saved when switching from using a Static IP to DHCP.

DE11703

Traffic using the Google QUIC protocol that was previously misclassified as “unknown” is now properly classified.

Known Issues

The following issues have each been found and reported by multiple users.

After installing your NetMon appliance or NetMon software, do not update the CentOS operating system using yum or any other method. An update could leave your NetMon system in an unusable state.

If you are using a NetMon appliance, you should not access the operating system for any reason.

Bug # | Description | Release Notes

DE223

Dashboards occasionally display "no results" (from Kibana) on first load.

Expected Results: Results from Elasticsearch are always displayed in Kibana.

Workaround: To display the results, click the Refresh button on the dashboard.

DE242

Downloaded PCAPs display a "Date Modified" of Dec. 31, 1979.

Expected Results: Downloaded PCAP files have a date timestamp appropriate to the download time.

Workaround: There is no workaround.

DE255

Deleting a DPA rule after uploading it prevents you from immediately uploading it again.

Expected Results: Deleting a DPA rule after uploading it does not prevent you from immediately uploading it again.

Workaround: Navigate away from the DPA Rules page, and then return to the page to upload the rule successfully.

DE264

Engine Queue Usage chart is inaccurate—a queue appears full when it is 50% full.

Expected Results: A full queue is shown as 100% when full.

Workaround: There is no workaround.

DE359

An upgrade hash message appears when a new license is uploaded.

Expected Results: A hash is not calculated and displayed for uploaded license files.

Workaround: Ignore the hash calculated for uploaded license files.

DE387

An IP filter whitelist should drop packets that do not specify an IP address.

Expected Results: When using an IP filter whitelist, a packet with no IP address should be dropped. For example, a raw ethernet packet should be dropped when an IP filter whitelist is being used.

Workaround: There is no workaround.

DE388

LICENSE_CHANGE and SESSION_EXPIRED diagnostics are not sent via syslog.

Expected Results: These diagnostic messages should be sent to a connected SIEM.

Workaround: There is no workaround.

DE394

Changing secure Syslog settings from Configuration -> Syslog requires file upload, even when files are already uploaded.

Expected Results: Users should not have to re-upload files.

Workaround: Re-upload the files for new requests.

DE432

Uploading a DPA rule that has the same name as an existing rule without adding a "Flow_" or "Packet_" prefix silently overwrites the existing rule.

Expected Results: Users should be notified when a rule with the same name already exists in NetMon, and users should be given the chance to rename the rule being uploaded.

Workaround: Prefix rule names with "Flow_" or "Packet_".

DE809

A ProbeReader crash occurs if a service restart is requested while one is already underway.

Expected Results: Additional restart requests should not be accepted while a restart is underway.

Workaround: After restarting services, wait 5–10 minutes before issuing another API request.

DE814

When attempting to download a replayed file that is not yet available on disk, a misleading error message on the File Reconstruction Dashboard says "could not connect, download service is busy." Typically, this occurs when a NetMon is receiving little or no traffic and data is not being flushed to disk.

Expected Results: An appropriate error message gives users an accurate account of why the file reconstruction failed.

Workaround: There is no workaround.

DE822

Downloading a PCAP for a long-running session (days) consistently times out.

Expected Results: PCAP files for long-running sessions download without timing out.

Workaround: There is no workaround.

DE841

The DPA API gives an unhelpful error message if the application/json header is missing.

Expected Results: NetMon REST API provides a descriptive and helpful error message when errors occur.

Workaround: Use the "application/json" header with the api/dpaRules/custom API.

DE885

When the system setting "Forward Replayed Traffic" is not selected, replayed PCAPs that generate query alarms incorrectly send the alarms via syslog to the SIEM.

Expected Results: When the system setting "Forward Replayed Traffic" is not selected, replayed PCAPs that generate query alarms do not send the alarms via syslog to the SIEM.

Workaround: There is no workaround.

DE891

DNS query_type metadata is incorrectly extracted. For example, if the query_type is 41, NetMon displays a value of 0.

Expected Results: The query_type metadata is correctly extracted and displayed for DNS sessions.

Workaround: There is no workaround.

DE902

When the free space on the root partition is less than the size of the upgrade file, the upload fails with an Internal Server Error (500), but there is no indication that there is not enough disk space to perform the upgrade.

Expected Results: If there is not enough disk space to perform an upgrade, users should be notified with a specific error.

Workaround: If a 500 Internal Server Error occurs when trying to upgrade NetMon, check the root disk space on NetMon. Users can retrieve additional disk space by deleting log files and removing Cassandra stats data files.

DE9977

The diagnostic charts are displayed in local browser time but are incorrectly labeled in UTC.

Expected Results: The diagnostic charts are not labeled in UTC.

Workaround: There is no workaround.

DE10070

In Firefox 72.0.1 (64-bit), users could be redirected to a new dashboard in edit mode after upgrade.

Expected Results: Upgrades should redirect Firefox users to the Analyze Dashboard.

Workaround: Navigate away from the New Dashboard page.

DE10127

A grayed-out check box prevents changing the network settings from Static to DHCP.

Expected Results: Switching between Static and DHCP should work in either direction.

Workaround: Use the AddEth.pl script to configure NetMon for DHCP.

DE10136

Enabling Authorization Warning from Configuration -> Client Security results in unexpected UI button behavior.

Expected Results: UI buttons should correctly gray out or remain clickable.

Workaround: Refresh the page.

DE10360

Attempting to unzip a downloaded PCAP file with Archive Utility on OS X Catalina 10.15.3 results in an "inappropriate file type or format" error.

Expected Results: Users should be able to open downloaded PCAPs.

Workaround: Unzipping can still be done in the terminal using "unzip <PCAP name>".

DE10364

Deep Packet Analytics error messages could point to the wrong location for certain errors.

Expected Results: DPA errors report the correct line number with the offending error.

Workaround: There is no workaround.

DE10511

The Network Node Link dashboard does not show in dark mode.

Expected Results: If dark mode is selected, all visualizations should be shown in dark mode.

Workaround: There is no workaround for this issue.

DE10512

The ixgbe driver provided by CentOS can cause 10 G interfaces to drop all traffic after an undetermined amount of time. Currently, the issue is known to occur on Dell R640 (NM3500) and Dell R740 (NM5500) machines.

Expected Results: Traffic should not drop.

Workaround: If you experience this issue, attempt the following workarounds:

  • If the NetMon capture interface is connected to a 1 Gbps data source, move the capture interface cable to one of the onboard 1 G ports and update the capture interface selection in the UI appropriately.
  • If the NetMon capture interface is connected to a 10 Gbps data source, remove the capture interface from the bond and select it as the lone capture interface for the system.

If the problem persists after these workarounds, contact LogRhythm Support.

DE10957

NetMon fails to download PCAP files and SMTP attachments when there is little to no TAP traffic being processed.

Expected Results: PCAPs and SMTP attachments are successfully downloaded.

Workaround: Provide NetMon with some TAP traffic while downloading PCAPs and SMTP attachments.