20220711.0.0
cognitix Threat Defender build 20220711.0.0 rolls out a number of new features and improvements. Find out what’s new below.
Upgrade Compatibility
The following previous builds are compatible with cognitix Threat Defender build 20220711.0.0:
To view the release notes of previous builds, see Previous Releases.
cognitix Threat Defender build 20220711.0.0 is compatible with genucenter 7.5 and genucenter 8.0.
New Features and Improvements
IDS/IPS Improvements
We implemented a more powerful multi-pattern matcher, which leads to the following changes:
cognitix Threat Defender can match more rules, in particular rules with very short patterns (shorter than 4 bytes).
Matching performance is improved.
Memory usage now correlates strongly with the total size of the patterns being searched, i.e. with the loaded rules. For the current System IPS Rules set this raises memory usage from 308 MB to 513 MB.
cognitix Threat Defender now supports the following new or improved keywords:
ja3.hash, ja3s.hash, ja3_hash
tls.cert_fingerprint, tls_cert_fingerprint
tls.fingerprint
tls.cert_serial
ssh.proto
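The ja3.hash and ja3s.hash keywords compare against an MD5 over a canonical string derived from the TLS ClientHello or ServerHello, so a rule only matches if the sensor derives exactly the same string as the tool that produced the hash in the rule. The following is an added example, not cognitix code or part of the original release notes: it builds a constructed ClientHello record, parses it back the way a JA3 implementation does (version, cipher suites, extension types, supported groups, EC point formats, GREASE values dropped) and returns the JA3 string and hash. The GREASE set and field order follow the public JA3 specification; the sample ClientHello and all byte values are constructed for the example.

```python
"""Derive a JA3 client fingerprint from a TLS ClientHello (added example, not cognitix code)."""
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so that randomized GREASE
# does not change the fingerprint from one connection to the next.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(version, ciphers, extensions):
    """Build a TLS record carrying a ClientHello (constructed input for the example).

    extensions is a list of (extension_type, extension_data) tuples.
    """
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version)
            + b"\x00" * 32                                  # client random (zeros)
            + b"\x00"                                       # session id length 0
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                   # compression: null only
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16_list(data):
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data), 2)]


def ja3_string(record):
    """Parse a handshake record holding a ClientHello and return its JA3 string."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                            # skip client random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in _u16_list(body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    exts, curves, formats = [], [], []
    if pos < len(body):                                     # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 0x000a:      # supported_groups: 2-byte list length, then groups
                curves = [g for g in _u16_list(edata[2:]) if g not in GREASE]
            elif etype == 0x000b:    # ec_point_formats: 1-byte list length, then formats
                formats = list(edata[1:])
    return ",".join([str(version),
                     "-".join(map(str, ciphers)),
                     "-".join(map(str, exts)),
                     "-".join(map(str, curves)),
                     "-".join(map(str, formats))])


def ja3_hash(record):
    """The value a ja3.hash rule keyword is compared against."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed sample: TLS 1.2 ClientHello with one GREASE cipher and one GREASE extension.
SAMPLE = build_client_hello(
    0x0303,
    [0x1a1a, 0x1301, 0x1302, 0xc02b, 0xc02f],
    [(0x0000, b"\x00\x0c\x00\x00\x09localhost"),       # server_name
     (0x000a, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),    # supported_groups: GREASE, x25519, secp256r1
     (0x000b, b"\x01\x00"),                            # ec_point_formats: uncompressed
     (0x7a7a, b"\x00"),                                # GREASE extension
     (0x0023, b"")])                                   # session_ticket

if __name__ == "__main__":
    print(ja3_string(SAMPLE))   # 771,4865-4866-49195-49199,0-10-11-35,29-23,0
    print(ja3_hash(SAMPLE))
```

When a ja3.hash rule fails to fire on traffic you expect it to match, compute the fingerprint from a capture this way and compare the intermediate string, not just the hash: a differing version field, an unfiltered GREASE value, or an extension order change by the client is the usual cause.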
cognitix Threat Defender now supports ip as a rule protocol; an ip rule matches both TCP and UDP traffic.
We now provide dedicated updates for the IDS patterns at frequent intervals. There are two ways to install them:
Online update: Install the cognitix IPS signatures update via Settings > Updates (see also Updating cognitix Threat Defender). This replaces the System IPS Rules.csv file shown under Threats > Intelligence Database > IPS Settings. It is also possible to set up a schedule for automatic updates.
Manual update: You can download new patterns from https://files.cognitix.de/pattern/ids-rules.pfw and install them manually.
Note
This new release contains many changes to the IPS/IDS. In particular, domain rules that match certain top-level domains were changed. Therefore, review your IPS rule settings after installing the new version to avoid false positives.
Installer Improvements
The update and installer packages are now more robust.
To increase update stability, we improved the fallback to the previous version that is used if an error occurs during the update installation.
We upgraded to AlmaLinux 8.6.
cognitix Threat Defender now supports a new driver for Intel 2.5G network adapters (I225 Foxville).
User Interface Improvements
We made the login screen more responsive to user inputs to avoid unnecessary clicks. We also improved the error message.
The error message shown in asset operations with empty primary asset is now clearer.
We simplified the proxy settings under Settings > General.
We grouped the entries under Settings > System Actions and added explanations.
To improve performance, it is now possible to delete the entire incident log except for the 1,000 most recent entries.
To avoid confusion, tables now display a message if they do not contain any data.
Under Inventory > Assets you can select and deselect all assets visible in the table at once.
The warning shown after restoring an auto-generated backup and applying the configuration is now clearer.
Documentation Improvements
The manual now has an example on how to install cognitix Threat Defender using virt-manager and QEMU/KVM. See Virtual Environments.
You can now access the PDF version of the manual more easily via a new link at the top of each HTML page.
Important Fixed Issues
cognitix Threat Defender M and L systems now correctly forward traffic on SFP fiber links even after a reboot or update.
We fixed several UI bugs:
When the Last Seen column is expanded in the assets list, there is now only one scroll bar.
When there is more than one available update file, the selected update will now be correctly installed.
The Supported Attributes panel under Threats > Intelligence Database > Summary now correctly shows the number of attributes supported by cognitix Threat Defender.
The numbers of incidents in the graphs under Threats > Overview now match correctly.
Under Inventory, the network interface information of assets in the Last Seen section is now correctly updated.
Known Issues
When the API is under high load, cognitix Threat Defender may display a misleading “Connection Issue” notification. It is also possible that some data is not completely displayed.
Upgrade Instructions and Requirements
For information on the hardware requirements needed to install this build version, see the system requirements.
For instructions on how to install the new build version, see Updating cognitix Threat Defender.