
4.0.5 NetMon Release Notes

Upgrade Considerations

For upgrade considerations for this NetMon release, see Upgrade NetMon.

New Features

No new features were added in this release.

Improvements

Description

Feature

Release Notes

RPM Package Upgrades

Third-Party License Acknowledgments

Explanation: PHP has been upgraded to 8.1.5. CentOS kernel and third-party RPM packages have also been upgraded.

Benefit: These package upgrades mitigate security vulnerabilities.

Deprecated Features

No features were deprecated in this release.

Resolved Issues

See below for resolved security issues in this release.

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view on the Community.

Known Issues

The following issues have each been found and reported by multiple users.

After installing your NetMon appliance or NetMon software, do not update the CentOS operating system using yum or any other method. An update could leave your NetMon system in an unusable state.

If you are using a NetMon appliance, you should not access the operating system for any reason.

Bug #

Description

Release Notes

DE223

Dashboards occasionally display "no results" (from Kibana) on first load.

Expected Results: Results from Elasticsearch are always displayed in Kibana.

Workaround: To display the results, click the Refresh button on the dashboard.

DE242

Downloaded PCAPs display a "Date Modified" of Dec. 31, 1979.

Expected Results: Downloaded PCAP files have a date timestamp appropriate to the download time.

Workaround: There is no workaround.

DE255

Deleting a DPA rule after uploading it prevents you from immediately uploading it again.

Expected Results: Deleting a DPA rule after uploading it does not prevent you from immediately uploading it again.

Workaround: Navigate away from the DPA Rules page, and then return to the page to upload the rule successfully.

DE264

Engine Queue Usage chart is inaccurate—a queue appears full when it is 50% full.

Expected Results: A full queue is shown as 100% when full.

Workaround: There is no workaround.

DE359

An upgrade hash message appears when a new license is uploaded.

Expected Results: A hash is not calculated and displayed for uploaded license files.

Workaround: Ignore the hash calculated for uploaded license files.

DE387

An IP filter whitelist should drop packets that do not specify an IP address.

Expected Results: When using an IP filter whitelist, a packet with no IP address should be dropped. For example, a raw Ethernet packet should be dropped when an IP filter whitelist is being used.

Workaround: There is no workaround.

DE388

LICENSE_CHANGE and SESSION_EXPIRED diagnostics are not sent via syslog.

Expected Results: These diagnostic messages should be sent to a connected SIEM.

Workaround: There is no workaround.

DE394

Changing secure Syslog settings from Configuration -> Syslog requires file upload, even when files are already uploaded.

Expected Results: Users should not have to reupload files.

Workaround: Re-upload the files for new requests.

DE432

Uploading a DPA rule that has the same name as an existing rule without adding a "Flow_" or "Packet_" prefix silently overwrites the existing rule.

Expected Results: Users should be notified when a rule with the same name already exists in NetMon, and users should be given the chance to rename the rule being uploaded.

Workaround: Prefix rule names with "Flow_" or "Packet_".

DE809

A ProbeReader crash occurs if a service restart is requested while one is already underway.

Expected Results: Additional restart requests should not be accepted while a restart is underway.

Workaround: After restarting services, wait 5–10 minutes before issuing another API request.

DE814

When attempting to download a replayed file that is not yet available on disk, a misleading error message on the File Reconstruction Dashboard says "could not connect, download service is busy." Typically, this occurs when a NetMon is receiving little or no traffic and data is not being flushed to disk.

Expected Results: An appropriate error message gives users an accurate account of why the file reconstruction failed.

Workaround: There is no workaround.

DE822

Downloading a PCAP for a long-running session (days) consistently times out.

Expected Results: PCAP files for long-running sessions download without timing out.

Workaround: There is no workaround.

DE841

The DPA API gives an unhelpful error message if the application/json header is missing.

Expected Results: NetMon REST API provides a descriptive and helpful error message when errors occur.

Workaround: Use the "application/json" header with the api/dpaRules/custom API.

DE885

When the system setting "Forward Replayed Traffic" is not selected, replayed PCAPs that generate query alarms incorrectly send the alarms via syslog to the SIEM.

Expected Results: When the system setting "Forward Replayed Traffic" is not selected, replayed PCAPs that generate query alarms do not send the alarms via syslog to the SIEM.

Workaround: There is no workaround.

DE891

DNS query_type metadata is incorrectly extracted. For example, if the query_type is 41, NetMon displays a value of 0.

Expected Results: The query_type metadata is correctly extracted and displayed for DNS sessions.

Workaround: There is no workaround.

DE902

When the free space on the root partition is less than the size of the upgrade file, the upload fails with an Internal Server Error (500), but there is no indication that there is not enough disk space to perform the upgrade.

Expected Results: If there is not enough disk space to perform an upgrade, users should be notified with a specific error.

Workaround: If a 500 Internal Server Error occurs when trying to upgrade NetMon, check the root disk space on NetMon. Users can retrieve additional disk space by deleting log files and removing Cassandra stats data files.

DE9977

The diagnostic charts are displayed in local browser time but are incorrectly labeled in UTC.

Expected Results: The diagnostic charts are not labeled in UTC.

Workaround: There is no workaround.

DE10070

In Firefox 72.0.1 (64-bit), users could be redirected to a new dashboard in edit mode after upgrade.

Expected Results: Upgrades should redirect Firefox users to the Analyze Dashboard.

Workaround: Navigate away from the New Dashboard page.

DE10127

A grayed-out check box prevents changing the network settings from Static to DHCP.

Expected Results: Switching between Static and DHCP should work in either direction.

Workaround: Use the AddEth.pl script to configure NetMon for DHCP.

DE10136

Enabling Authorization Warning from Configuration -> Client Security results in unexpected UI button behavior.

Expected Results: UI buttons should correctly gray out or remain clickable.

Workaround: Refresh the page.

DE10360

Attempting to unzip a downloaded PCAP file with Archive Utility on OS X Catalina 10.15.3 results in an "inappropriate file type or format" error.

Expected Results: Users should be able to open downloaded PCAPs.

Workaround: Unzipping can still be done in the terminal using “unzip .”

DE10364

Deep Packet Analytics error messages could point to the wrong location for certain errors.

Expected Results: DPA errors report the correct line number with the offending error.

Workaround: There is no workaround.

DE10511

The Network Node Link dashboard does not show in dark mode.

Expected Results: If dark mode is selected, all visualizations should be shown in dark mode.

Workaround: There is no workaround for this issue.

DE10512

The ixgbe driver provided by CentOS can cause 10 G interfaces to drop all traffic after an undetermined amount of time. Currently, the issue is known to occur on Dell R640 (NM3500) and Dell R740 (NM5500) machines.

Expected Results: Traffic should not drop.

Workaround: If you experience this issue, attempt the following workarounds:

If the NetMon capture interface is connected to a 1 Gbps data source, move the capture interface cable to one of the onboard 1 G ports and update the capture interface selection in the UI appropriately.

If the NetMon capture interface is connected to a 10 Gbps data source, remove the capture interface from the bond and select it as the lone capture interface for the system.

If the problem persists after these workarounds, contact LogRhythm Support.

DE10957

NetMon fails to download PCAP files and SMTP attachments when there is little to no TAP traffic being processed.

Expected Results: PCAPs and SMTP attachments are successfully downloaded.

Workaround: Provide NetMon with some TAP traffic while downloading PCAPs and SMTP attachments.
