v0.21.0

@philrz philrz released this 16 Dec 21:44
e917c30

Visit the Brim Download page to find the package for your OS platform.


NOTE - The Brim v0.21.0 release includes initial support for the automatic generation of Suricata alerts from imported pcaps. The alert records may be isolated via a ZQL search event_type=alert and are also included automatically alongside relevant Zeek event context in the correlation visualization in the Log Detail view. The Suricata build that's packaged with Brim uses the Emerging Threats Open ruleset, and Brim triggers a download of the most recent set of these rules each time it is launched.

Testing found two known issues, possibly bugs in Suricata, that affect the correctness of the alerts seen in Brim:

  • When run on a system under heavy load, Suricata has sometimes been observed to generate fewer alerts than expected (or none at all) for a given pcap.
  • Alerts may be generated with timestamps that are seconds or minutes later than the end of the time range of the flow that triggered them.

These issues are still being investigated and more information will be provided as they're better understood. More Suricata-related functionality is also planned in upcoming releases. For now, please contact us on Slack or open an issue if you have any questions or problems with the new Suricata support, including incidents of the issues described above.


  • Update zq to v0.25.0
  • Add Suricata support to generate alerts from imported pcaps (#1207)
  • Include Suricata alerts in the correlation visualization in the Log Detail view (#1262)
  • Update the Supported Platforms article with detail from recent testing (#1267, #1273)
  • Add a wiki doc with details for using Brim with a remote zqd (#1222, #1252)
  • Add a wiki doc with basic Brim installation guidance (#1253, #1260)
  • Add a "Sectional" package in the code that allows a view to be split (#1247)
  • Add a "Tree list" package in the code for working with lists (rendering, drag & drop, etc.) (#1254)
  • Fix an issue where Brim would freeze during zoom-in/zoom-out (#1275)
  • Fix an issue where autoupdate would install releases with version numbers "older" than the number of the one currently installed (#1244)
  • Fix an issue where the Space list would come up empty and Space details would show "NAN UNDEFINED" after a Brim restart (#1283, #1288)
  • Fix an issue on Windows where clicking records generated from an imported pcap produced error messages (#1287)
  • Windows releases are signed, but you may see a warning popup when you run the installer (unlike our Mac/Linux releases). See Microsoft Windows beta limitations for details.