Analysis Pipeline Release 5.7, 2017-Sep-29

Downloads

(MD5=12955e2da566f07ec0fd9cfa45aa6bd1)

(SHA1=3a3ce444f2677b3f7f0cb6a876670d5bea105426)

(SHA256=b996d31607c6788ade5d545d7974b0a3b49b6fd41aad6fcbec73f3b0a05737c3)

(RIPEMD160=670307637e689fa56d2b5aa19b9f3a067b27719e)

Notes

  • EVALUATIONS can be forced to wait a minimum amount of time before alerting
  • STATISTICS can now have a minimum number of records before updating.
  • Other bug fixes.

Dependencies

  • SiLK — Analysis Pipeline requires SiLK 3.0 or later
  • SchemaTools — Analysis Pipeline requires SchemaTools 1.2 or later
  • fixbuf — Analysis Pipeline requires libfixbuf 1.4 or later
  • Snarf — Recommended: Analysis Pipeline can interact with the snarf alerting library.

Analysis Pipeline Release 5.6, 2017-Jan-7

Downloads

(MD5=fadd65bd032bdf1771377e8e7f5a4865)

(SHA1=d10787878b9ed62d1131b5a23c6733e866d2919a)

(SHA256=0a26a8f2ac95582804903c6d06c72bc10a3107de855d0600b34c066d5aaac7a4)

(RIPEMD160=86260e49ee7b01a379e8c924de208d626a3d2600)

Notes

  • All fields can use a SEED file of any type
  • More than one EXTRA ALERT FIELDs is now allowed.
  • EXTRA ALERT FIELDs can now be derived fields
  • Added EXTRA AUX ALERT FIELD to add fields to auxilliary alerts
  • STATISTICs can now updated EVERY HOUR, or EVERY DAY
  • STATISTICs will send one final update after processing a list of files using --name-files
  • Other bug fixes.

Dependencies

  • SiLK — Analysis Pipeline requires SiLK 3.0 or later
  • SchemaTools — Analysis Pipeline requires SchemaTools 1.2 or later
  • fixbuf — Analysis Pipeline requires libfixbuf 1.4 or later
  • Snarf — Recommended: Analysis Pipeline can interact with the snarf alerting library.

Analysis Pipeline Release 5.5, 2016-Oct-18

Downloads

(MD5=43ab084456d255f77145bb17d4f6f84a)

(SHA1=3fa6af9ae3b4855cf853cec17b1597b190d44681)

(SHA256=6d4f2e5d7409142d911000fff45b7bb7caa5f3f71ffd68416a359686c46a47f9)

(RIPEMD160=49a0fd4ebb752f7873d537a41bab9a53cf6d12df)

Notes

  • New PERSISTENCE primitive to detect a FOREACH tuple's presence for a specified number of HOURS or DAYS.
  • A minimum number of records requirement can be added to primitives, either at the overall EVALUATION level, or for each value of the FOREACH field. Alerts will not be sent until the minimum number of records is seen.
  • Other bug fixes.

Dependencies

  • SiLK — Analysis Pipeline requires SiLK 3.0 or later
  • SchemaTools — Analysis Pipeline requires SchemaTools 1.2 or later
  • fixbuf — Analysis Pipeline requires libfixbuf 1.4 or later
  • Snarf — Recommended: Analysis Pipeline can interact with the snarf alerting library.

Analysis Pipeline Release 5.4.1, 2016-Jul-13

Downloads

(MD5=7cc4746382862c28690b502244308912)

(SHA1=15de4f7c6e9afcba066eebc22be08627363b2986)

(SHA256=1236147d6121a76e66e01caa3c45a058b64602c3ca44b35adaab5e2f3f5927d7)

(RIPEMD160=75ef914c3ec57a504809d2482aade101a0af0bec)

Notes

  • List configuration can now write files with the contents of the list without sending an alert.
  • ICMP fields are fixed.
  • Filtering by comparing two fields works with derived fields.
  • Other bug fixes.

Dependencies

  • SiLK — Analysis Pipeline requires SiLK 3.0 or later
  • SchemaTools — Analysis Pipeline requires SchemaTools 1.2 or later
  • fixbuf — Analysis Pipeline requires libfixbuf 1.4 or later
  • Snarf — Recommended: Analysis Pipeline can interact with the snarf alerting library.

Analysis Pipeline Release 5.4, 2016-Jun-3

Downloads

(MD5=2571f5738193d4603955e4fa49455312)

(SHA1=45108a84ec63352b62d2c6dcdc1b15fa70d95baa)

(SHA256=4e31c01543449c9cd04504a893e66f8024d20c4ecfa2d03790f0051a803cb8eb)

(RIPEMD160=88f17bcc3a0f14f3845ab5a12529a296893857c2)

Notes

  • Significant memory and prossecing efficiency improvements.
  • Streamlined Statistic processing
  • Reloading of bag files used as custom thresholds upon update.

Dependencies

  • SiLK — Analysis Pipeline requires SiLK 3.0 or later
  • SchemaTools — Analysis Pipeline requires SchemaTools 1.2 or later
  • fixbuf — Analysis Pipeline requires libfixbuf 1.4 or later
  • Snarf — Recommended: Analysis Pipeline can interact with the snarf alerting library.

Analysis Pipeline Release 5.3.2, 2016-Feb-17

Downloads

(MD5=645475e221a1e6b0339288624cd253d4)

(SHA1=3384d5fe517affebb5962dc4f022288a6de14822)

(SHA256=a050abe81593251a1f7272b1c63f7d90eebfe9ec586eccad06c14bd79d9e28db)

(RIPEMD160=ac26094cea10052db99824e700f65e8373e97f4d)

Notes

  • Pmaps are IP version agnostic. Pmaps can have both v4 and v6 address that can be used with SIP and SIP_V6.
  • Small bug fixes with Ubuntu compiling and domain name processing.
  • Unit test improvements

Dependencies

  • SiLK — Analysis Pipeline requires SiLK 3.0 or later
  • SchemaTools — Analysis Pipeline requires SchemaTools 1.2 or later
  • fixbuf — Analysis Pipeline requires libfixbuf 1.4 or later
  • Snarf — Recommended: Analysis Pipeline can interact with the snarf alerting library.

Analysis Pipeline Release 5.3.1, 2016-Jan-22

Downloads

(MD5=e3d7bda43f4d32b6701044410ffca1d2)

(SHA1=e133e411de746c28cf3811228482493e9a756bcc)

(SHA256=e14f713c877a73e1bd71dffa6acca22beffbf8a0d5e40907805850865ef0749d)

(RIPEMD160=004588bd469f253f2494dccc1e4c3881a23a99ab)

Notes

  • Changed Snarf alerts when using FOREACH. Rather than a single string containing a comma separated field list and a single string for the values, each value and field will be in parallel arrays, with values in appropriate format.
  • Small bug fixes.

Dependencies

  • SiLK — Analysis Pipeline requires SiLK 3.0 or later
  • SchemaTools — Analysis Pipeline requires SchemaTools 1.2 or later
  • fixbuf — Analysis Pipeline requires libfixbuf 1.4 or later
  • Snarf — Recommended: Analysis Pipeline can interact with the snarf alerting library.

Analysis Pipeline Release 5.3, 2015-Sep-30

Downloads

(MD5=ea67d27ec608fe22fbc3a673fa535a10)

(SHA1=1f6733d31376ba9f7fee2313ccbd7ee50296d0be)

(SHA256=044e4a12470b6adcce2215488d10fb1f9b242da62dca676f7e4043e422baa85e)

(RIPEMD160=1d76b4daa97a014639ea8765e1628857292da796)

Notes

  • Expanded data inputs to include records from YAF (including all deep packet inspection fields), and any flat IPFIX records.
  • The handling of multiple data sources at once.
  • FAST FLUX primitive to detect fast flux networks from DNS records
  • Derived fields, that operate on values from the records, such as the length of a string, the second level domain from a fully qualified domain name, and pulling the day of the week from a timestamp.
  • The ability to have a watchlist using any type of field, paired with the having a LIST CONFIGURATION write the contents to file regardless of field type.
  • A special type of watchlist for DNS that checks each part of a domain name, rather than a generic string match.
  • First public release of Analysis Pipeline version 5.

Dependencies

  • SiLK — Analysis Pipeline requires SiLK 3.0 or later
  • SchemaTools — Analysis Pipeline requires SchemaTools 1.1 or later
  • fixbuf — Analysis Pipeline requires libfixbuf 1.4 or later
  • Snarf — Recommended: Analysis Pipeline can interact with the snarf alerting library.