Release Date: 15 Jun 2019
1.) Full support for non-PANOS IoT known threat events parsed through logstash and tagged in elasticsearch via HoneyPot DB information
2.) Full support for GTP and SCTP logs with EventCode enrichment
3.) Upgrades to ELK 7.1.1 and Ubuntu 18.04 LTS
4.) Separate Workspaces and visualizations for DNS Threat, IoT Threat, GTP/SCTP and System Logging
5.) Full support of PAN-OS 9.x logging messages
6.) Cloud-DNS logging from NGFW with separate categorization for DGA and DNS tunneling events
- Remove stdout { codec => rubydebug } from all logstash outputs
- Add logstash tuning to installation procedures and scripts
- ConnectionTimeout caused by ReadTimeoutError
- Elasticsearch mapping change for ELK 7.x
- Update mappings for PAN-OS 9.0
- Determine DGAs in cloud-dns and set them to be enriched later
- Port to ELK 7.x causes a ValueError to be thrown if the Domain doc doesn't exist
- TransportError: cluster_block_exception when updating index
- During heavy load, ES times out and processing halts
- Remove TCP inputs for all NGFW logging in pipelines
- (admin,load,start) parameters for the start-up script (sfn) need to be documented
- Kibana uses elasticsearch.hosts rather than elasticsearch.url in 7.x
- Add .panrc to setup.sh
- Add elasticsearch tuning to installation procedures and scripts
- Add external IP IoT log events to SFN
- Visualizations for URL filtering module
- Create classes and search code for URL events
- Upgrading Flask to 0.12.3 for the CVE fix creates a JSON encoder error
- Update logfields in conf files for PAN-OS 9.0
- Update elasticsearch-dsl.py for changes to ELK 7.x
- GitHub ALERT: Jinja2 vulnerability found in requirements.txt
- GitHub ALERT: Vulnerability found in urllib3 import
Release Date: 05 Feb 2019
1.) Support for non-PANOS IoT known threat events parsed through logstash and tagged in elasticsearch
2.) Support for GTP and SCTP logs with EventCode enrichment
3.) Separate pipelines for Logstash listeners
4.) Further automated installation
5.) BETA - Cloud-DNS logging from NGFW - BETA
6.) BETA - IoT IP syslog from external devices - BETA
- Use pipeline functionality in logstash to separate listeners into individual pipelines
- Fix setup to use current UID
- Threat doc classified as SFN-DNS has no domain name
- TunnelID_IMSI is mapped to a long but should be text
- Upgrade to ElasticStack 6.5
- Add GTP events to be stored in SFN
- Logstash for external IP IoT
- setup.sh checks issue
- Add relevant tag to domain document
- sfn.log written as root when run as a service
- Update doc examples to use new indexes
- Owner/Subscriber information
Release Date: 01 Nov 2018
1.) Support for EDL based DNS events parsed through logstash and tagged in elasticsearch
2.) Dated indexes changed to threat-<year.month> to reduce shard errors in elasticsearch
3.) New visualizations added to Safe Networking Overview dashboard to separate EDL events from content based events
4.) New filter added to most dashboards to show only EDL derived information
5.) Logstash filters to parse and store URL filtering events
6.) Tag groups added to events to add more searchable items per event
- Unused portal example code
- Installation issues while using documentation
- Shard errors due to too many indexes searched per visualization
- Unable to index dns sinkhole events to elasticsearch when pcap is enabled on Anti-Spyware profile
- Tag group not populating correctly in event document
- Domain resolution in event document
- 'NoneType' object is not subscriptable when writing the domain document
- Unable to index msg because Destination Postal Code is not a short
- Rename repository to safe-networking from safe-networking-sp and port all issues
- Custom DNS Signatures Block List with Threat ID 12000000: take domain name from file name field
- Determine SFN processing routes for different EDL types
  - Domain processing complete; no IP EDL processing
Release Date: 24 May 2018
1.) Now uses syslog, instead of HTTP logging, for all DNS threats
2.) Support for all threat and traffic logs generated by NGFW running PAN-OS 8.x
3.) Dated indexes to help with curating data over time
4.) New index names of threat-<year.month.day> and traffic-<year.month.day>
5.) Logstash filters to parse and store URL filtering events
6.) Move to new repository and naming conventions
Release Date: 30 Mar 2018
1.) Configurable Flask interface and port bindings
2.) Configurable AutoFocus points information threading and execution thresholds
3.) Configurable multi-processing
4.) Retrieve number of events per domain
- doc_created gets manipulated when sfn-domain-details doc is updated
- Domains per install list
- Make AutoFocus point updates a separate, configurable thread
- Flask bound to 0.0.0.0, which makes the web service available on TCP port 5000
- Make multi-procs configurable
- SFN stops if daily AF points go to 0
Release Date: 23 Feb 2018
1.) Start SafeNetworking at system start time automatically
- Break out large docs into headings with sub-docs
- Auto startup using supervisor
- Add contributing guidelines
- Need issue templates
- Need pull request templates
- Startup script
- setup.sh
Release Date: 09 Feb 2018
1.) New Kibana visualizations and Dashboards added for malware viewed by time
- If you already have an install:
  - Set up index-patterns for sfn-domain-details* & sfn-tag-details*
  - Import install/kibana/export.json via Kibana and select the appropriate index-patterns for the visualizations
2.) SafeNetworking now processes all threat categories with dns in the name (dns, dns-wildfire, etc.)
- Concurrency issue with af-details
- SFN 2.0.1 not populating sfn-domain-details index docs
- Change "Not Available" verbiage
- Runner processDNS() search should be descending
- Move documentation to the Wiki
- sfn linting score
- runner linting score
- dnsutils linting score
- dns linting score
- views linting score
- init linting score
- instance empty directory
- public empty directory
- Clean up unused directory
- Unassigned shards error
- Add new viz to 2.0.2
- Intermittently, a domain document concurrency error will show up in sfn.log as an ERROR, followed by further ERROR messages because the system cannot work with the domain details document correctly. To remedy this, as it could slow down performance, delete the domain document in question. Contact the account team or SP-Solutions for help on this matter.
Release Date: 17 Jan 2018
- Moved to ElasticStack (ELK) as the underlying architecture
- New processing engine for DNS events
- Ability to sync directly from GitHub with no VM download
- Issue tracking via GitHub
- Full documentation on install, startup and (some) troubleshooting
- Intermittently, a concurrency error will show up in sfn.log as an ERROR, followed by further ERROR messages because the system cannot work with the domain details document correctly. To remedy this, as it could slow down performance, delete the domain document in question. Contact the account team or SP-Solutions for help on this matter.