CloudShark 3.4 December 11th, 2017
Happy Holidays from all of us here at QA Cafe and CloudShark!
We’ve been working on several new features to help with your packet analysis. Whether it’s finding out where in the world packets or malware traffic is coming from, or tracking bandwidth at the sub-millisecond level, or tweaking protocol decode preferences to fine tune your analysis, we’ve made big improvements!
As always, a HUGE thank you to our customers who suggest features, report bugs, and give us amazing feedback about how CloudShark helps them every day. Keep it up everybody!
New Features and Highlights
If you’re tracing problems across a world-wide network, or just want to know where traffic and visitors are coming from, CloudShark’s new GeoIP maps will show you where in the world your packets are from.
The analysis tool gives you a map of the world shaded for the number of endpoints, packets, or bytes.
Changing what data is displayed on the map will update the table, and hovering over the map or the table will highlight the corresponding entry. Clicking on a country will bring you right to the display filter for those packets. And, like everything else in CloudShark, it can be accessed simply by URL.
See it in action on one of our example traces.
What started as a simple bug report from a customer turned into a minor overhaul of our graphs. CloudShark graphs can now display data at the microsecond level for short-duration captures, and they perform much better across a variety of sub-millisecond intervals. Each series is able to generate a whopping 50,000 data points - much more than before.
Custom Protocol Preferences
Experts always need a way to get in under the hood and tinker with the decode engine in specific situations. CloudShark has always provided a mechanism to set system-wide preferences, but they were applied to every file on the system.
CloudShark 3.4 adds a new Custom Protocol Preference dialog box for setting specific low-level protocol preferences and persisting them along with the individual capture file. From within the capture view, click on the new “Profile” drop-down and choose “Protocol Preferences”.
These protocol preferences can be modified to affect behaviors like subdissector reassembly, de-segmenting TCP streams, or enabling the calculation of checksums. Any advanced dissector preference can be set. Preferences are easily searchable and there is documentation displayed for each field.
Simplified RSA Key Dialog
Building on top of improvements in the latest tshark, CloudShark has simplified the RSA decryption dialog box for capture files. Only the key name needs to be specified in order to decrypt packets. The IP/Port/Protocol is not needed.
This should speed up adding decryption rules to capture files.
Upgraded to the latest Tshark
CloudShark 3.4 includes the latest protocols and dissectors from the most recent Wireshark 2.4 release. You can read the Wireshark release notes here.
Threat Assessment Addon
CloudShark Threat Assessment has new GeoIP features built in as well. Threat Maps have been added to highlight which countries the IP addresses included in alerts resolve back to. The vectors can be filtered by clicking on the map to zero in on which malware is communicating with which country.
Take a look at this example of a Threat Map.
An issue was also identified where certain alerts were not being correlated with a packet number by Suricata. This caused the threat vectors to be displayed out of order. CloudShark 3.4 now handles this case correctly.
Any “Threat Details” URLs that have been saved from an earlier version of CloudShark will need to be updated.
Bug fixes and other changes
- Escape invalid characters from JSON
- Add timestamps to the log file for easier debugging
- Fix a bug that prevented exporting a capture file after opening a graph
- Fix problem calculating display filter from zoomed in section of a graph
- Threat Vectors are now displayed in the correct chronological order
- Offline installations no longer enable a remote nginx repository
Enterprise customers upgrading from a version as old as CloudShark 2.8.x can run the following as root to perform the upgrade:
Please read the upgrade instructions if you are upgrading from an older version of CloudShark.
If you are a CloudShark Hosted customer accessing through https://www.cloudshark.org, the system has already been upgraded and is running now!
CloudShark 3.4.1 December 18th, 2017
The Custom Protocol Preferences feature introduced in CloudShark 3.4 has a bug that could lead to overwriting or the creation of arbitrary files on the underlying Linux operating system. The preferences used to define certain types of debug log output from underlying tshark commands could be improperly configured.
CloudShark 3.4.1 addresses this issue by preventing these types of preferences from being used. If you have upgraded to CloudShark 3.4.0, we recommend you upgrade to 3.4.1 now. Customers on the 3.3.x series (and earlier) are not affected.
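The underlying hardening problem is that a per-capture preference profile is handed to tshark via `-o pref:value`, and a handful of preferences name a file tshark will write to. The following is an added example, not CloudShark's code: it filters a user-supplied profile before building the `-o` arguments, rejecting file-writing preference keys and path-like values while letting decode tweaks through. `ssl.debug_file` and `ssl.keylog_file` are real Wireshark 2.4 preference names; the `_file`/`_dir`/`_path` suffix rule and the key-syntax pattern are assumptions of this example.

```python
"""Filter per-capture protocol preferences before passing them to tshark -o.
Added example (not CloudShark's own code)."""
import re

# Real Wireshark 2.4 preferences that direct tshark output to a file.
BLOCKED_KEYS = {"ssl.debug_file", "ssl.keylog_file"}
# Assumption: other dissectors follow the same naming convention.
BLOCKED_SUFFIXES = ("_file", "_dir", "_path")
# Assumption: a preference key is proto.pref_name and nothing else, which
# also keeps shell metacharacters out of the generated command line.
KEY_RE = re.compile(r"^[a-z0-9_.]+$")


class UnsafePreference(ValueError):
    """Raised when a preference could touch the server filesystem."""


def validate_pref(key, value):
    """Return a normalised (key, value) pair if it is safe to pass to tshark."""
    key = key.strip().lower()
    value = value.strip()
    if not KEY_RE.match(key):
        raise UnsafePreference(f"malformed preference key: {key!r}")
    if key in BLOCKED_KEYS or key.endswith(BLOCKED_SUFFIXES):
        raise UnsafePreference(f"file-writing preference rejected: {key}")
    # Legitimate values are booleans, numbers, enum names or port ranges;
    # a slash, backslash, leading ~ or NUL byte only makes sense in a path.
    if re.search(r"[/\\]|^~|\x00", value):
        raise UnsafePreference(f"path-like value rejected for {key}: {value!r}")
    return key, value


def build_tshark_prefs(prefs):
    """Turn a dict of user-supplied preferences into tshark '-o key:value' args."""
    args = []
    for key, value in prefs.items():
        safe_key, safe_value = validate_pref(key, str(value))
        args += ["-o", f"{safe_key}:{safe_value}"]
    return args


if __name__ == "__main__":
    # Constructed sample profile: the decode tweaks named in the release notes
    # pass, while a debug-log preference of the kind 3.4.1 blocks is rejected.
    profile = {"tcp.desegment_tcp_streams": "TRUE", "tcp.check_checksum": "FALSE"}
    print(" ".join(build_tshark_prefs(profile)))
    try:
        build_tshark_prefs({"ssl.debug_file": "/var/tmp/anywhere.log"})
    except UnsafePreference as exc:
        print("rejected:", exc)
```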
Bug fixes and other changes
- The 802.11 Wireless column preset has been updated with the correct field name for the SSID. It has changed from wlan_mgt.ssid to simply wlan.ssid.
- Upgraded to the latest release of our graphing library
- Prevented XSS when network name resolution is enabled and a malicious hostname is in the system-wide hosts file.
- The Protocol Preferences “default” column value now matches the system default
- SearchWorkers now run with the correct environment and can use system-wide preferences
- Fixed an exception in Wireless Decryption that could happen with a heavily corrupted wireless capture
CloudShark 3.4.2 March 26th, 2018
CloudShark 3.4.2 makes improvements to the graphing tools, adds SHA1 hashes to the HTTP Objects table, adds data rate columns to the Conversations table, and updates the underlying version of tshark.
CloudShark graphs have been getting a lot of attention in version 3.4. In this maintenance release we’ve added to the available units that you can graph on the Y-Axis. All of the previously available Y-Axis units can now also be graphed as per-second rates. This can help identify any burstiness in the given interval.
We’ve also added a “value” Y-Axis unit. If you were using graph functions before, you had to specify the Y-Axis units as packets due to the inner workings of how we generate the data behind the graphs. This worked great when graphing typically large values such as the packet length, but was not ideal for values smaller than 1 (a fraction of a packet). Now, when the Y-Axis unit is set to “value”, you’ll be able to see values less than 1 much better:
Stay tuned to our blog for some posts showing in-depth examples of how to use these new Y-Axis units to solve network performance issues.
HTTP Object SHA1
If you’ve been using threat assessment to find malicious traffic and see something fishy being sent over HTTP, we’ve added the SHA1 hash of the object, which you can submit to VirusTotal to see if it’s malicious. These hashes are also great for determining at a glance whether identical files are being downloaded across different sessions.
The Conversations analysis tool has been given a “Rate” column to display the bits-per-second data rates for each side of a conversation. Like all our tables, you can sort on this value to highlight the fastest or the slowest data rates within a file.
Threat Assessment: Suricata 4.0.4
Our Threat Assessment addon gets upgraded to version 4.0.4 of Suricata with this release. This new version is compatible with rules optimized for Suricata 2.0 and newer, so existing rules will continue to work. However, we recommend upgrading to the latest version of the rules to take advantage of any new features.
If you are using our scripts to pull in something like the ETPro rules, you will need to update them on your system. Read more about it here.
CloudShark 3.4.2 includes the latest protocols and dissectors from the latest Wireshark 2.4.5 release. You can read the Wireshark release notes here.
One big reason to upgrade is if you’re working with TLS 1.3 traffic. Here’s an example capture file to get you started: Sample TLS 1.3.pcap
Bug fixes and other changes
- Fix error in installation when sudo is not configured
- Remove the _message URL parameter used to display messages