20220711.0.0

cognitix Threat Defender build 20220711.0.0 rolls out a number of new features and improvements. Find out what’s new below.

Upgrade Compatibility

The following previous builds are compatible with cognitix Threat Defender build 20220711.0.0:

To view the release notes of previous builds, see Previous Releases.

cognitix Threat Defender build 20220711.0.0 is compatible with genucenter 7.5 and genucenter 8.0.

New Features and Improvements

IDS/IPS Improvements

  • We implemented a more powerful multi-pattern matcher. This leads to the following changes:

    • cognitix Threat Defender can match more rules, in particular rules with very short patterns (less than 4 bytes).

    • The performance is improved.

    • Memory usage now correlates strongly with the total size of the searched patterns, i.e. with the loaded rules. For the current system IPS rule set this results in an increase from 308 MB to 513 MB.

  • cognitix Threat Defender now supports the following new or improved keywords:

    • ja3.hash, ja3s.hash, ja3_hash

    • tls.cert_fingerprint, tls_cert_fingerprint

    • tls.fingerprint

    • tls.cert_serial

    • ssh.proto

  • cognitix Threat Defender now supports IP (i.e. TCP or UDP traffic) as a new protocol.

  • We now provide dedicated updates for the IDS patterns at frequent intervals. There are two ways to install them:

    • Online update: Install the cognitix IPS signatures update via Settings > Updates (see also Updating cognitix Threat Defender). This will replace the System IPS Rules.csv file seen under Threats > Intelligence Database > IPS Settings. It is also possible to set up a schedule for automatic updates.

    • Manual update: You can download new patterns from https://files.cognitix.de/pattern/ids-rules.pfw and install them manually.

Note

This new release contains many changes to the IPS/IDS. In particular, domain rules matching certain top-level domains were changed. Therefore, review your IPS rule settings after installing the new version to avoid false positives.

Installer Improvements

  • The update and installer packages are now more robust.

  • To increase update stability, we improved the fallback to the previous version that is used if an error occurs during the update installation.

  • We upgraded to AlmaLinux 8.6.

  • cognitix Threat Defender now supports a new driver for Intel 2.5G network adapters (I225 Foxville).

User Interface Improvements

  • We made the login screen more responsive to user input to avoid unnecessary clicks. We also improved the error message.

  • The error message shown in asset operations with an empty primary asset is now clearer.

  • We simplified the proxy settings under Settings > General.

  • We grouped the entries under Settings > System Actions and added explanations.

  • To improve performance, it is now possible to delete the entire incident log except for the 1,000 most recent entries.

  • To avoid confusion, tables now display a message if they do not contain any data.

  • Under Inventory > Assets you can select and deselect all assets visible in the table at once.

  • The warning shown after restoring an auto-generated backup and applying the configuration is now clearer.

Documentation Improvements

  • The manual now has an example on how to install cognitix Threat Defender using virt-manager and QEMU/KVM. See Virtual Environments.

  • You can now access the PDF version of the manual more easily via a new link at the top of each HTML page.

Important Fixed Issues

  • cognitix Threat Defender M and L systems now correctly forward traffic on SFP fiber links even after a reboot or update.

  • We fixed several UI bugs:

    • When the Last Seen column is expanded in the assets list, there is now only one scroll bar.

    • When there is more than one available update file, the selected update will now be correctly installed.

    • The Supported Attributes panel under Threats > Intelligence Database > Summary now correctly shows the number of attributes supported by cognitix Threat Defender.

    • The incident counts in the graphs under Threats > Overview are now consistent with each other.

    • Under Inventory, the network interface information of assets in the Last Seen section is now correctly updated.

Known Issues

When the API is under high load, cognitix Threat Defender may display a misleading “Connection Issue” notification. It is also possible that some data is not completely displayed.

Upgrade Instructions and Requirements

For information on the hardware requirements needed to install this build version, see the system requirements.

For instructions on how to install the new build version, see Updating cognitix Threat Defender.