Releases: CERT-Polska/n6
Version 4.12.0-beta1
Version 4.5.0
Features and Notable Changes
System/Configuration/Programming-Only
- [data sources, setup, config, etc/docker, tests] Globally renamed the parser class
SpamhausEdrop202303Parser
toSpamhausEdropParser
(defined inn6datasources.parsers.spamhaus
and referred to in a few other places -- in particular, being the name of the-parser-dedicated configuration section!) and the executable scriptn6parser_spamhausedrop202303
ton6parser_spamhausedrop
; also, fixedn6datasources.tests.parsers.test_spamhaus.TestSpamhausEdropParser
by removing its attributePARSER_RAW_FORMAT_VERSION_TAG
. The rationale for these changes is that the actual parser has never had any raw format version tag assigned.
Less Notable Changes and Fixes
-
[data pipeline, lib]
n6filter
: fixed an event-ownership-criteria-related bug (inn6lib.auth_api.InsideCriteriaResolver
's machinery...) regarding handling the (practically hardly probable yet not impossible) corner case of the0.0.0.0/32
IP network being set in Auth DB as such a criterion... The bug might maken6filter
reject all incoming data (because of raised exceptions). -
[tests, docs] Made non-major enhancements and fixes regarding some unit tests and documentation.
Programming-Only
- [tests]
n6datasources.tests.parsers._parser_test_mixin
: enhanced certainParserTestMixin
-provided checks related to raw format version tags.
Version 4.4.0
Features and Notable Changes
-
[data sources, config] Added support for the
shadowserver.msmq
source (just by adding the parser for it, as there already exists one common collector for allshadowserver.*
sources). -
[data sources, config] Removed support for the following sources:
blueliv.map
anddarklist-de.bl
(removed both collectors and parsers!) as well asshadowserver.modbus
(removed just this source's parser). -
[data sources] The parsers for the
dataplane.*
sources have been changed to support the current data format (there was a need to change the delimiter and the row parsing mechanism...). -
[data sources] The collector for the
abuse-ch.ssl-blacklist
source (implemented inn6datasources.collectors.abuse_ch
as the class namedAbuseChSslBlacklistCollector
) used to be able to load the collector state in a legacy format related to the value of the class attributerow_time_legacy_state_key
-- that format is no longer supported, as the base class_BaseAbuseChDownloadingTimeOrderedRowsCollect
no longer makes use of that attribute. Note: these changes are relevant and breaking only if you need to load your collector state in that old format -- almost certainly you do not. -
[data sources] A new processing mechanism has been added to numerous existing parsers for
shadowserver.*
sources (by enhancing the_BaseShadowserverParser
class, defined in then6datasources.parsers.shadowserver
module) -- concerning events categorized as"amplifier"
. The mechanism is activated when aCVE-...
-like-regex-based match is found in thetag
field of the input data -- then the parser, apart from yielding an event (hereinafter referred to as a basic event) withcategory
set to"amplifier"
, also yields an extra event -- which is identical to the basic one, except that itscategory
is set to"vulnerable"
and itsname
is set to the regex-matched value (which is, basically, the CVE identifier). Because of that,name
andcategory
should no longer be declared as parser'sconstant_items
, so now_BaseShadowserverParser
provides support foradditional_standard_items
(which is a parser class's attribute similar toconstant_items
). For relevant parser classes, thename
andcategory
items have been moved from theirconstant_items
to theiradditional_standard_items
. -
[data sources] Now the generic
*.misp
collector supports loading state also in its legacy Python-2-specific format. -
[data sources, data pipeline, lib] A new restriction (implemented in
n6lib.data_spec.fields
, concerning theIPv4FieldForN6
andAddressFieldForN6
classes) is that, from now on, the zero IP address (0.0.0.0
) is neither a valid component IP within a record dict'saddress
(i.e., its items'ip
) orenriched
(i.e., keys in the mapping being its second item), nor a valid value of a record dict'sdip
. Note that this restriction regards all parsers and most of the other data pipeline components (via the machinery ofn6lib.record_dict.RecordDict
et consortes...). -
[data pipeline] The name of the AMQP input queue declared by
n6enrich
has been changed (!) fromenrichement
toenrichment
. -
[data pipeline] The
n6enrich
pipeline component (implemented inn6datapipeline.enrich
): from now on, the zero IP address (0.0.0.0
), irrespective of its exact formatting (i.e., regardless whether some octets are formatted with redundant leading zeros), is no longer taken into account when IPs are extracted fromurl
s, and whenfqdn
s are resolved to IPs. -
[data pipeline, event db, config] From now on, when
n6recorder
, during its activity (i.e., withinRecorder.input_callback()
...), encounters an exception which represents a database/DB API error (i.e., an instance of aMySQLdb.MySQLError
subclass, possibly wrapped in (an) SQLAlchemy-specific exception(s)...) whose error code (i.e.,<exception>.args[0]
being anint
, if any) indicates a fatal condition -- then aSystemExit(<appropriate message>)
is raised, so that the AMQP input message is requeued and then6recorder
executable script exits with a non-zero status. The set of error codes which are considered fatal (i.e. which trigger this behavior) is configurable -- by setting thefatal_db_api_error_codes
configuration option in therecorder
section; by default, that set includes only one value:1021
(i.e., theERR_DISK_FULL
code -- see: https://mariadb.com/kb/en/mariadb-error-codes/). -
[portal, rest api, stream api, data pipeline, lib] A security-related behavioral fix has been applied to the event access rights and event ownership machinery (implemented in
n6lib.auth_api
...): from now on, IP-network-based access or ownership criteria (those stored in thecriteria_ip_network
andinside_filter_ip_network
tables of Auth DB) referring to networks that contain the zero IP address (0.0.0.0
) are translated to IP address ranges whose lower bound is0.0.0.1
(in other words,0.0.0.0
is excluded). Thanks to that, events withoutip
are no longer erroneously considered as matching such IP-network-based criteria. In practice, from the security point of view, the fix is most important when it comes to Portal and REST API (considering that those components query Event DB, in whose records the absence of an IP is, for certain technical reasons, represented by the value0
rather thanNULL
). For other involved components, i.e.,n6filter
andn6anonymizer
/Stream API, the security risk was rather small or non-existent. Note: as the fix is also related ton6filter
, it affects values ofmin_ip
in theinside_criteria
part of the JSON returned by the Portal API's endpoint/info/config
; they are displayed by the Portal's GUI in the Account information view, below the IP network filter label -- as IP ranges' lower bounds. -
[portal, rest api, lib] A behavioral fix related to the one described above (yet, this time, not related to security) has been applied to the procedure of translation of the
ip.net
request parameter to the corresponding fragment of Event DB queries (see: theip_net_query()
method ofn6lib.db_events.n6NormalizedData
...): from now on, each value that refers to a network which contains the zero IP address (0.0.0.0
) is translated to an IP address range whose lower bound is0.0.0.1
(in other words,0.0.0.0
is excluded); thanks to that, events with noip
are no longer erroneously included in such cases. -
[portal, rest api, lib] A new restriction (implemented in
n6lib.data_spec.fields
, concerning theIPv4FieldForN6
andAddressFieldForN6
classes) is that the zero IP address (0.0.0.0
) is no longer a valid value of theip
anddip
request parameters received by REST API's endpoints and analogous Portal API's endpoints. Also, regarding the Portal's GUI, the front-end validation part related to the IP search parameter has been appropriately adjusted. -
[portal, rest api, lib] The mechanism of result data cleaning (implemented as a part of a certain non-public stuff invoked in
n6lib.data_spec.N6DataSpec.clean_result_dict()
) has been enhanced in such a way that theaddress
field of cleaned result dicts no longer includes any items withip
equal to the zero IP address (0.0.0.0
), i.e., they are filtered out even if they appear in some Event DB records (they could when it comes to legacy data). Note that it is complemented by the already existing mechanism of removing from raw result dicts anyip
anddip
fields whose values are equal to the zero IP address (see:n6lib.db_events.make_raw_result_dict()
...). -
[test rest api, config, lib]
n6lib.generate_test_events
: several changes and enhancements regarding theRandomEvent
class have been made, including backward incompatible additions/removals/modifications of options defined by its config spec, affecting the way the optional test REST API application (provided byn6web.main_test_api
et consortes...) is configured usinggenerator_rest_api.*
options... Also, most of theRandomEvent
's configuration-related stuff has been factored out to a new mixin class,RandomEventGeneratorConfigMixin
.
System/Configuration/Programming-Only
-
[data sources, data pipeline, config, etc/docker] Added, fixed, changed and removed several config prototype (
*.conf
) files in the directories:N6DataSources/n6datasources/data/conf/
,N6DataPipeline/n6datapipeline/data/conf/
andetc/n6/
. Note: for some of them, manual adjustments in user's actual configuration files are required (see the relevant comments in those files...). -
[setup, lib]
N6Lib
's dependencies: changed the version ofdnspython
from1.16
to2.4
. Also, added a new dependency,importlib_resources
, with version locked as>=5.12, <5.13
. -
[setup, data pipeline]
N6DataPipeline
's dependencies: temporarily locked the version ofintelmq
as<3.2
.
Programming-Only
-
[data pipeline]
n6datapipeline.enrich.Enricher
: renamed theurl_to_fqdn_or_ip()
method tourl_to_hostname()
, and changed its interface regarding the return value: now it is always either a non-emptystr
orNone
. -
[lib]
n6lib.common_helpers
andn6sdk.encoding_helpers
: renamed thetry_to_normalize_surrogate_pairs_to_proper_codepoints()
function toreplace_surrogate_pairs_with_proper_codepoints()
. -
[lib] Removed three functions from
n6lib.common_helpers
:is_ipv4()
,is_pure_ascii()
andlower_if_pure_ascii()
. -
[lib]
n6lib.db_events
: removedIPAddress
's constant attributesNONE
andNONE_STR
(instead of them use then6lib.const
's constantsLACK_OF_IPv4_PLACEHOLDER_AS_INT
andLACK_OF_IPv4_PLACEHOLDER_AS_STR
). -
[lib]
n6lib.record_dict
: removedRecordDict
's constant attributesetitem_key_to_target_key
(together with some internal experimental mechanism based on it...).
...
Version 4.0.1
- [docs, setup] Fixed generation of the docs by upgrading
mkdocs
to the version1.2.4
.
Version 4.0.0
This release is a big milestone.
Among others:
-
the n6 Portal gained support for OpenID Connect-based single sign-on (SSO) authentication;
-
the n6 Stream API (STOMP-based) now supports authentication based on API keys (those which have already been accepted by the n6 REST API); the new mechanism, implemented as a part of the
N6BrokerAuthApi
package, replaces the previously used mechanism (which was based on X.509 client certificates); -
added a significant number of components obtaining and processing security event data from external sources: 26 collectors and 86 parsers; now, in total, we have 35 collectors and 91 parsers (see the
N6DataSources
package); -
got rid of the Python-2-compatible legacy code (most of which were Python 2 versions of collectors and parsers) that used to reside in
N6Core
; the accompanying Python 2 packages (N6CoreLib
,N6Lib-py2
andN6SDK-py2
) have also been removed; note that the components related to active data sources have been migrated to Python 3 (8 collectors and 7 parsers -- now they reside inN6DataSources
); therefore, n6 is now Python-3-only (finally!); -
significant performance improvements have been accomplished: certain kinds of data queries (via the n6 REST API or n6 Portal) have become much faster, and
n6aggregator
's memory consumption has been considerably reduced; -
also, many minor improvements, a bunch of fixes, some refactoring and various cleanups have been made.
Note that some of the changes are not backwards-compatible.
Version 3.0.1
-
[docs] A bunch of fixes and improvements regarding the documentation, including major changes to its structure, layout and styling.
-
[setup]
do_setup.py
: regarding the default value of the option--additional-packages
under Python 3, the version of themkdocs
package has been pinned (1.2.3
), and themkdocs-material
package (providing thematerial
docs theme) has been added (and its version is also pinned:8.0.3
); regarding the same under Python 2, themkdocs
package has been removed.
Version 3.0.0
This release is a big milestone. It includes, among others:
-
migration to Python 3
-
in the n6 data pipeline infrastructure: optional integration with IntelMQ
-
in the n6 Portal: a new frontend (implemented using React), two-factor authentication (based on TOTP), user's/organization's own data management (including config update and password reset forms, with related e-mail notices), and other goodies...
-
in the n6 REST API: API-key-based authentication
-
and many, many more improvements, a bunch of fixes, as well as some refactoring, removals and cleanups...
Note that many of the changes are not backwards-compatible.
Also, note that most of the main elements of n6 -- namely: N6DataPipeline
, N6DataSources
, N6Portal
, N6RestApi
, N6AdminPanel
, N6BrokerAuthApi
, N6Lib
and N6SDK
-- are now Python-3-only (more precisely: are compatible with CPython 3.9).
The legacy, Python-2-only stuff -- most of which are collectors and parsers (external-data-sources-related components) -- reside in N6Core
and N6CoreLib
; the collectors and parsers placed in N6Core
, if related to non-obsolete external data sources, will be gradually migrated to Python-3-only N6DataSources
(so that, finally, we will be able to rid of N6Core
and N6CoreLib
). There are also Python-2-only variants of N6Lib
and N6SDK
: N6Lib-py2
and N6SDK-py2
(needed only as dependencies of N6Core
/N6CoreLib
).
Version 2.0.0
This was the first public release of n6 (on 2018-06-22).