NetMon 4.0.3 Release Notes
December 21, 2020

NetMon-4.0.3-ReleaseNotes_revA
– NetMon Release Notes

© LogRhythm, Inc. All rights reserved


This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by
copyright and possible non-disclosure agreements. The Software described in this Guide is furnished under the
End User License Agreement or the applicable Terms and Conditions (“Agreement”) which governs the use of
the Software. This Software may be used or copied only in accordance with the Agreement. No part of this
Guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying and recording for any purpose other than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use of
this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may
be trademarks, registered trademarks, or service marks of their respective holders.

VMware, ESX, and ESXi, VMware Certified Professional, vCenter, and vSphere are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301

(303) 413-8745
www.logrhythm.com

LogRhythm Customer Support


[email protected]

Contents
Overview .......................................................................................................................................... 1

Upgrades Partially Supported ........................................................................................................... 1

Known Issues ................................................................................................................................... 1

NetMon Features and Updates .......................................................................................................... 3


Version 4.0.3 ................................................................................................................................. 3
Features and Enhancements .......................................................................................................... 3
Resolved Issues ........................................................................................................................... 3
Version 4.0.2 ................................................................................................................................. 4
Features and Enhancements .......................................................................................................... 4
Resolved Issues ........................................................................................................................... 5
Version 4.0.1 ................................................................................................................................. 6
Features and Enhancements .......................................................................................................... 6
Resolved Issues ........................................................................................................................... 7
Version 3.9.3 ................................................................................................................................. 7
Features and Enhancements .......................................................................................................... 7
Resolved Issues ........................................................................................................................... 7
Version 3.9.2 ................................................................................................................................. 8
Features and Enhancements .......................................................................................................... 8
Resolved Issues ........................................................................................................................... 8
Version 3.9.1 ................................................................................................................................. 9
Features and Enhancements .......................................................................................................... 9
Resolved Issues ......................................................................................................................... 10
Version 3.8.2 ............................................................................................................................... 11
Features and Enhancements ........................................................................................................ 11
Resolved Issues ......................................................................................................................... 11
Version 3.8.1 ............................................................................................................................... 12
Features and Enhancements ........................................................................................................ 12
Resolved Issues ......................................................................................................................... 13
Version 3.7.1 ............................................................................................................................... 14
Features and Enhancements ........................................................................................................ 14
Resolved Issues ......................................................................................................................... 15
Version 3.6.2 ............................................................................................................................... 15
Features and Enhancements ........................................................................................................ 15
Resolved Issues ......................................................................................................................... 15
Version 3.6.1 ............................................................................................................................... 16
Features and Enhancements ........................................................................................................ 16

Resolved Issues ......................................................................................................................... 17


Version 3.5.1 ............................................................................................................................... 18
Features and Enhancements ........................................................................................................ 18
Resolved Issues ......................................................................................................................... 19
Version 3.4.2 ............................................................................................................................... 20
Features and Enhancements ........................................................................................................ 20
Resolved Issues ......................................................................................................................... 20
Version 3.4.1 ............................................................................................................................... 21
Features and Enhancements ........................................................................................................ 21
Resolved Issues ......................................................................................................................... 22
Version 3.3.2 ............................................................................................................................... 23
Features and Enhancements ........................................................................................................ 23
Resolved Issues ......................................................................................................................... 24
Version 3.3.1 ............................................................................................................................... 25
Features and Enhancements ........................................................................................................ 25
Resolved Issues ......................................................................................................................... 25
Version 3.2.3 ............................................................................................................................... 26
Features and Enhancements ........................................................................................................ 26
Resolved Issues ......................................................................................................................... 26
Version 3.2.2 ............................................................................................................................... 27
Features and Enhancements ........................................................................................................ 27
Resolved Issues ......................................................................................................................... 28
Version 3.2.1 ............................................................................................................................... 29
Features and Enhancements ........................................................................................................ 29
Resolved Issues ......................................................................................................................... 30
Version 3.1.2 ............................................................................................................................... 31
Features and Enhancements ........................................................................................................ 31
Resolved Issues ......................................................................................................................... 32
Version 3.1.1 ............................................................................................................................... 33
Features and Enhancements ........................................................................................................ 33
Resolved Issues ......................................................................................................................... 33
Version 2.8.2 ............................................................................................................................... 34
Features and Enhancements ........................................................................................................ 34
Version 2.8.1 ............................................................................................................................... 35
Features and Enhancements ........................................................................................................ 35

Overview
This document provides information about new features, known issues, and resolved issues in LogRhythm
NetMon.

Upgrades Partially Supported


NetMon 4.0.3 includes a process to upgrade directly from version 4.0.1 or 4.0.2. If you are running NetMon
3.6.1–3.9.3, you must first upgrade to version 4.0.1 before continuing the upgrade to 4.0.3. To upgrade from
a version of NetMon prior to 3.6.1, or if you have other questions about the upgrade process, please contact
LogRhythm Support.

For detailed instructions and more information on upgrades, see the Upgrade NetMon section of the
LogRhythm Documentation site.

Known Issues
IMPORTANT: After installing your NetMon appliance or NetMon software, do not update the CentOS operating system using yum or any other method. An update could leave your NetMon system in an unusable state.

If you are using a NetMon appliance, you should not access the operating system for any reason.

• In some cases, it is possible for the upgrade to succeed even though the UI did not receive the success response. When this issue occurs, you will see one of the following:
o The upgrade page in the UI reports an invalid .lrp file after running the upgrade.
o The page overlay never clears.
o The user session times out and the login page appears.
After you click Install, give the upgrade at least 30 minutes to complete. If the UI does not display the success response after that time, SSH into the NetMon server and view /var/log/probe/ProbeManager.log.
o If the log contains a message such as INFO [UpgradeCommand.cpp->Audit:128] “Upgrade process finished: NM_UPGRADE_SUCCESS” from the appropriate timeframe, reboot the box from the command line.
o If there are messages indicating the upgrade failed or if there are no upgrade messages, contact LogRhythm Support.
• The ixgbe driver provided by CentOS can cause 10G interfaces to drop all traffic after an undetermined amount of time. Currently, the issue is known to occur on Dell R640 (NM3500) and Dell R740 (NM5500) machines. If you experience this issue, attempt the following workarounds:
o If the NetMon capture interface is connected to a 1 Gbps data source, move the capture interface cable to one of the onboard 1G ports and update the capture interface selection in the UI appropriately.
o If the NetMon capture interface is connected to a 10 Gbps data source, remove the capture interface from the bond and select it as the lone capture interface for the system.
o If the problem persists after these workarounds, contact LogRhythm Support.


• Deep Packet Analytics error messages could point to the wrong location for certain errors. For more
information, see the Troubleshoot Deep Packet Analytics section of the NetMon Help, available at the
LogRhythm Documentation site.
• Charts on the diagnostics pages are labeled “UTC,” but actually display in the local browser’s time
zone.
• Microsoft Internet Explorer 11 (IE11) users may have to make several slight modifications within
NetMon:
o IE11 users should change browser settings so that NetMon API responses are not cached. If
you do not change this setting, then logging out of NetMon in IE11 may not work unless the
browser window is fully closed. In addition, turning on DPA rules may result in the Web
Management interface inaccurately displaying all rules as “not enabled” until NetMon is opened
in a new window.
To change this setting, click Tools, click Internet Options, click General, and then click
Settings (Website Data Settings). Under Check for newer versions of stored pages, select
Every time I visit the webpage, and then click OK.
o IE11 users cannot drag and drop files into NetMon uploaders for license files, upgrade files,
PCAP files, DPA rules, and more. To upload files, click the provided upload link and select a file
for upload using the dialog box.
o IE11 users must install a PDF viewer to view NetMon terms and conditions in the browser. The
following options are available:
▪ Foxit Reader: https://www.foxitsoftware.com/pdf-reader/
▪ Adobe Acrobat Reader DC: https://get.adobe.com/reader/
o When downloading the EULA through the Web Management interface in IE11, the file may be
called “download.” You can rename the file to “eula.pdf” manually and then open it in a PDF
viewer.
• Network visualization does not properly render in Dark Mode.
• Attempting to unzip a downloaded PCAP file with Archive Utility on OS X Catalina 10.15.3 results in an
“inappropriate file type or format” error. Unzipping can still be done in the terminal with “unzip <PCAP
name>”.
• In Firefox 72.0.1 (64-bit), a user could be redirected to a new dashboard in edit mode after upgrade.
If this occurs, navigate away from the New Dashboard page.
• If upgrading to 4.0.3 over a slow network link and your Session Timeout is enabled and set to a short
time, the UI can time out during the upload of the upgrade .lrp file, preventing the upgrade from
finishing. To ensure that the upgrade file can complete successfully, disable Session Timeout or
increase the interval of Session Timeout.
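The log check described in the first known issue above, as an added example written for these notes rather than LogRhythm's own tooling: it reads a ProbeManager.log excerpt, keeps only the UpgradeCommand audit lines that fall in the window after Install was clicked, and reports whether the latest finished message carries NM_UPGRADE_SUCCESS (reboot from the command line) or something else (contact Support). The audit message text is the one quoted in the notes; the timestamp prefix, the log levels, the function names parse_audit_lines and upgrade_status, and every sample line are assumptions constructed for this example and may not match a real appliance.

```python
"""Classify a NetMon upgrade outcome from ProbeManager.log audit lines.

Added example, not LogRhythm code. Only the message text
'Upgrade process finished: NM_UPGRADE_SUCCESS' comes from the release notes;
the 'YYYY-MM-DD HH:MM:SS LEVEL' prefix is an ASSUMED layout.
"""
import re
from datetime import datetime

# Constructed sample excerpt (not captured from a real NetMon). It contains an
# earlier failed attempt, an unrelated line, and a later successful attempt.
SAMPLE_LOG = """\
2020-12-22 10:01:12 INFO [UpgradeCommand.cpp->Audit:128] "Upgrade process started"
2020-12-22 10:02:00 INFO [ProbeManager.cpp->Run:42] "heartbeat"
2020-12-22 10:03:40 WARN [UpgradeCommand.cpp->Audit:128] "Upgrade process finished: NM_UPGRADE_FAILED"
2020-12-22 11:15:05 INFO [UpgradeCommand.cpp->Audit:128] "Upgrade process started"
2020-12-22 11:41:27 INFO [UpgradeCommand.cpp->Audit:128] "Upgrade process finished: NM_UPGRADE_SUCCESS"
"""

# Matches only UpgradeCommand audit lines; everything else is ignored.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '          # assumed timestamp prefix
    r'(?P<level>\w+) \[UpgradeCommand\.cpp->Audit:\d+\] '
    r'"Upgrade process (?P<event>started|finished: (?P<result>NM_UPGRADE_\w+))"$'
)


def parse_audit_lines(log_text):
    """Yield (timestamp, 'started'|'finished', result-or-None) per audit line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("event").split(":")[0], m.group("result")


def upgrade_status(log_text, since, until=None):
    """Return 'success', 'failed', 'in_progress' or 'no_messages'.

    Only audit lines with since <= timestamp (<= until, if given) count, so an
    older failed attempt does not mask the current run. The latest 'finished'
    line decides: NM_UPGRADE_SUCCESS -> 'success' (safe to reboot); any other
    result -> 'failed'; only 'started' lines -> 'in_progress'; nothing in the
    window -> 'no_messages'. The last two mean: contact LogRhythm Support.
    """
    in_window = [
        (ts, ev, res) for ts, ev, res in parse_audit_lines(log_text)
        if ts >= since and (until is None or ts <= until)
    ]
    if not in_window:
        return "no_messages"
    finished = [(ts, res) for ts, ev, res in in_window if ev == "finished"]
    if not finished:
        return "in_progress"
    _, last_result = max(finished)          # newest finished line wins
    return "success" if last_result == "NM_UPGRADE_SUCCESS" else "failed"


if __name__ == "__main__":
    clicked_install = datetime(2020, 12, 22, 11, 14, 0)   # constructed
    print("upgrade status:", upgrade_status(SAMPLE_LOG, clicked_install))
```

On a real system the same logic would be run over the full /var/log/probe/ProbeManager.log with `since` set to the time you clicked Install; because the regex anchors on the UpgradeCommand audit tag, heartbeat and other process lines never influence the verdict.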


NetMon Features and Updates


This section lists enhancements and resolved issues in the current release and previous releases.

Version 4.0.3
Features and Enhancements
The following features and enhancements are included in the 4.0.3 release:

RPM Package Upgrades
Description: PHP has been upgraded to 7.3.25. CentOS kernel and third-party RPM packages have also been upgraded.
Benefits: These package upgrades mitigate security vulnerabilities.

Additional Application Classifications
Description: An additional 94 applications have been classified, and there are now 3,754 applications classified in NetMon. New additions include Airbnb, Uber Eats, and Disney+, among other applications.
Benefits: Customers can now identify even more applications and more reliably differentiate known traffic from suspicious traffic.

Resolved Issues
The following issues were resolved in the 4.0.3 release:

Bug # Description

DE282 The React code has been modified to properly handle names with trailing whitespace.

DE10168 The licenseserver process is now managed by systemd and linked to cassandra, so that when
cassandra restarts, licenseserver also restarts.

DE10303 “ECDHE-RSA-AES256-SHA384” has been added to SSL ciphers accepted by nginx on NetMon.

DE10318 The NetMon User Guide and API documentation have been updated with more detail about
Admin and Analyst roles, including noting which API routes are admin-only.

DE10354 The Discover page now uses the network_* pattern instead of the events_* index pattern, as
in other dashboards and visualizations.

DE11061 The Flow_SMTPDomainMismatch rule no longer throws an error related to a nil/empty sender_domain field.

DE11170 The application capture list has been updated to match all application classifications.

DE11195 PHP has been upgraded to 7.3.25, addressing known security vulnerabilities.

DE11200 Changes are now properly saved when switching from using a Static IP to DHCP.

DE11703 Traffic using the Google QUIC protocol that was previously misclassified as “unknown” is now
properly classified.


Version 4.0.2
Features and Enhancements
The following features and enhancements are included in the 4.0.2 release:

New Dashboards
Description: Alarm Trend, Network Analysis, SMB, and Network Node Link Dashboards have been added. The Application Exploration Dashboard has been updated.
Benefits: Additional dashboards provide new ways to interpret network data.

DNS Stitching Close Out Session
Description: When Stateless Protocol Stitching is on, stitched DNS sessions are closed out on the intermediate report interval rather than running indefinitely.
Benefits: Long-running, stitched DNS sessions no longer appear as a large volume of data leaving the network.

Node Link Graph Visualization
Description: A new Node Link Graph visualization has been included for analyst use. To access the Node Link Graph, click the Network visualization from the New Visualization selector in Kibana. A visual representation of a network is available in the new Network Node Link Dashboard.
Benefits: The Network visualization provides analysts with a unique way to visualize data relationships in their network traffic. Heavy customization is possible, as any of NetMon’s data fields can be used as nodes or links.

Elasticsearch and Kibana Upgrade
Description: Elasticsearch and Kibana have both been upgraded to version 7.5.2.
Benefits: These upgrades mitigate security vulnerabilities and improve performance.

RPM Package Upgrades
Description: PHP has been upgraded to 7.2.25. nginx has been upgraded to 1.17.7. CentOS kernel and third-party RPM packages have also been upgraded.
Benefits: These package upgrades mitigate security vulnerabilities.

Additional Application Classifications
Description: An additional 124 applications have been classified, and there are now 3,660 applications classified in NetMon. New additions include G Suite, Amazon AppStream, and Apple Remote Desktop, among other applications.
Benefits: Customers can now identify even more applications and more reliably differentiate known traffic from suspicious traffic.


Resolved Issues
The following issues were resolved in the 4.0.2 release:

Bug # Description

DE798 Updated AddEth.pl to require parameters and prevent undesired behavior when no parameters
were passed. Script help updated.

DE10001 The reported number of failed messages sent between the Deep Packet Inspection Threads and
the Rule Engine Threads is now accurate, correcting “Dropped” stats on the Flow Rate chart.

DE10061 Changes to the Engine Configuration now result in a short service restart, instead of restarting
all NetMon processes.

DE10101 Fixed crash on startup for cases where the Management interface does not have an IP address.

DE10118 Updated the “Analyze Charts in Diagnostics” section of the NetMon User Guide.

US4219 PHP “allow_url_fopen” was enabled by default. Disabled to address vulnerability concerns.


Version 4.0.1
Features and Enhancements
The following features and enhancements are included in the 4.0.1 release:

Dark Mode
Description: Users can now choose between the traditional, light NetMon theme and a new, dark background theme.
Benefits: NetMon is more pleasing to use in low-light environments.

New Visualizations
Description: New visualizations, including dynamic controls, area graphs, gauges, heat maps, and tag clouds, are available for inclusion in dashboards.
Benefits: Additional visualizations provide new ways to interpret network data.

Dashboard Live Updating
Description: Dashboard views now support live updating without user intervention.
Benefits: The latest “last X minutes/hours” data is always displayed for users without additional user actions. Traditional snapshot dashboard views are still available.

Quick Access to Recently Used Dashboards
Description: User-accessed dashboards are now available with one click in the main user interface.
Benefits: The user workflow is streamlined.

Quick Access to Built-In and User-Defined Dashboards
Description: A dynamically populated list of all dashboards loaded in NetMon is available on the Analyze menu.
Benefits: The user workflow is streamlined.

User Interface Refinements
Description: The entire NetMon Web Management interface has been refreshed.
Benefits: Many improvements to visual elements and workflow result in an improved user experience.

Streamlined Dashboard Import and Export
Description: The dashboard import and export processes have been simplified.
Benefits: It is easier to share dashboards and visualizations.

Support for CIDR Notation in Queries
Description: CIDR notation is now supported in dashboard queries and query alerts.
Benefits: It is easier to query for ranges of IP addresses.

Manual Configuration Mode
Description: Users can persistently override network configuration settings.
Benefits: Network interfaces can be appropriately configured for different environments.

RPM Package Upgrades
Description: PHP has been upgraded to 7.2.24. CentOS kernel and third-party RPM packages have also been upgraded.
Benefits: These package upgrades mitigate known security vulnerabilities.


Resolved Issues
The following issues were resolved in the 4.0.1 release:

Bug # Description

DE15 The loopback IP address no longer incorrectly appears on the About page, and instead is
populated with the management IP address.

DE16 The upgrade index is now correctly created when an administrator user logs in for the first time
during system startup.

DE17 DPA rule selections are now correctly applied to replayed PCAPs.

US310 Removed nm-dispatch from product, fixing an issue with dispatch queue failing.

NOTE: The nm-dispatch process has been replaced with new processes (nm-es-indexer
and nm-es-percolator) using new queuing.

Version 3.9.3
Features and Enhancements
The following features and enhancements are included in the 3.9.3 release:

Additional Application Classifications
Description: An additional 77 applications have been classified, and there are now 3,551 applications classified in NetMon. New additions include Google Video, Apple News, and Hadoop, among other applications.
Benefits: Customers can now identify even more applications and more reliably differentiate known good traffic from suspicious traffic.

Resolved Issues
The following issues were resolved in the 3.9.3 release:

Bug # Description

NM-1538 PHP has been upgraded to version 7.1.28.


Version 3.9.2
Features and Enhancements
The following features and enhancements are included in the 3.9.2 release:

Analysis Engine Improvements
Description: NetMon’s Analysis Engine now extracts additional metadata fields.
Benefits: Users have more information to help analyze and interpret application flows.

DPA Rule Enhancement
Description: NetMon now sends additional metadata to LogRhythm Enterprise when the Flow_DetectClearTextPasswords Deep Packet Analytics (DPA) rule detects a cleartext password in use.
Benefits: Users can now see deeper information on alarms triggered by this DPA rule in LogRhythm Enterprise without having to take additional manual steps to retrieve it.

Additional Application Classifications
Description: An additional 95 applications have been classified, and there are now 3,474 applications classified in NetMon. New additions include Azure Right Management Service, Cisco WebEx, and Oracle OEM Management, among other applications.
Benefits: Customers can now identify even more applications and more reliably differentiate known good traffic from suspicious traffic.

Resolved Issues
The following issues were resolved in the 3.9.2 release:

Bug # Description

NM-1030 Better logic for Flow_ProtoMismatchPort DPA rule to avoid false positives.

NM-1205 Health stats were not being registered correctly under heavy load.

NM-1282 Better handling of error messages for application blacklist PUT.

NM-1423 DPA rule enhancement sending additional info to SIEM when cleartext password is detected.

NM-1439 Better error handling on Configuration > Network page.

NM-1444 Better error handling in PHP when navigating to the Filter page.

NM-1448 Fixed error when PUT to /api/network/hostname does not include “hostname” key but instead
another key.

NM-1464 Fixed corner cases in network selection configuration.

NM-1480 Fixed issue when static IP was used in script to add interface to a system to be recognized by
NetMon, static IP was lost when restarting NetMon.

NM-1499 PHP has been upgraded to version 5.6.40.


Version 3.9.1
Features and Enhancements
The following features and enhancements are included in the 3.9.1 release:

GRE Support
Description: NetMon now integrates support for Generic Routing Encapsulation (GRE). GRE enables network traffic to be delivered to a remote NetMon for analysis without requiring a dedicated TAP or SPAN port.
Benefits: GRE support enables NetMon to monitor network traffic in a new, versatile way, including traffic from VPNs.

NetMon Hostname in Metadata
Description: A new metadata field, NetmonHostname, is populated with the assigned hostname.
Benefits: The hostname of the NetMon instance that generated metadata is now tracked.

SmartFlow Enhancements
Description: SmartFlow has been extended to include Application Family, Application Tags, and NetMon Hostname metadata fields.
Benefits: True Application Identification now includes application category data. These details are available when integrated with a LogRhythm SIEM.

Alternate Recovery IP Address
Description: NetMon automatically detects the subnet it is part of. If it is on the 192.168.x.x subnet, the recovery IP is set to the 172.16.x.x subnet instead.
Benefits: The recovery IP address does not conflict with other IP addresses on a network.

Packet Capture Improvements
Description: Metadata associated with deleted captured sessions is now cleaned up more efficiently. The Capture Dashboard has been updated to more accurately reflect the status of captured sessions.
Benefits: Memory and processor use is more efficient when packet capture is enabled.

Disk Cleanup Improvements
Description: NetMon now implements a new method to automatically manage its disk usage. Disk cleanup starts when drives are 89% full. Old data is deleted until the disk is 87% full.
Benefits: Disk cleanup is more efficient.


Resolved Issues
The following issues were resolved in the 3.9.1 release:

Bug # Description

NM-1255 NetMon now includes OpenJDK 1.8.0.181 to address critical and high-risk vulnerabilities in
earlier versions, including CVE-2016-3458, CVE-2016-3485, CVE-2016-3498, CVE-2016-3500,
CVE-2016-3503, CVE-2016-3508, CVE-2016-3511, CVE-2016-3550, CVE-2016-3552, CVE-
2016-3587, CVE-2016-3598, CVE-2016-3606, and CVE-2016-3610.

NM-1319 The security certificate included with NetMon has been updated with an extended expiration
date.

NM-1323 Resolved an issue where some users inspecting a saved rule saw an error message when
clicking the Search icon on the Rules tab.

NM-1352 Resolved an issue where disk cleanup failed.

NM-1357 Resolved an issue where memory grew unbounded on systems with large disks and packet
capture enabled.

NM-1374 NetMon’s Web user interface now works properly in Microsoft Internet Explorer 11.

NM-1407 NetMon’s installer has been updated to improve compatibility with a wider range of hardware.


Version 3.8.2
Features and Enhancements
The following features and enhancements are included in the 3.8.2 release:

Deep Packet Analytics API
Description: A new Deep Packet Analytics (DPA) API provides programmatic access to advanced analysis features.
Benefits: The DPA API enables new automated actions and integrations.

Deep Packet Analytics User Interface Update
Description: The DPA user interface has been updated with improved usability and workflow. Rules are now separated by their origin (system or custom). The DPA rule editor has also been updated.
Benefits: It is easier to create and modify DPA rules.

UEFI Boot Support
Description: NetMon can now boot from UEFI.
Benefits: NetMon has broader hardware support.

Resolved Issues
The following issues were resolved in the 3.8.2 release:

Bug # Description

NM-1255 Updated the version of Java included with NetMon.

NM-1288 Fixed installation issues on newer hardware.

NM-1298 Corrected the permissions needed to access IP filtering and application blacklisting
configuration interfaces.


Version 3.8.1
Features and Enhancements
The following features and enhancements are included in the 3.8.1 release:

IP Filtering
Description: Users can now control which traffic NetMon processes based on IP address. Filters can be easily added or switched on/off from either the Web Management interface or the NetMon API.
Benefits: With more granular control over processed traffic, users can filter out sensitive endpoints, include only suspicious IP addresses, distribute traffic across multiple NetMon appliances and instances, and more.

Application Blacklisting
Description: NetMon now has the ability to exclude specific applications from processing, metadata creation, capture, and alarms.
Benefits: By adding applications to a blacklist, users can easily focus resources on the most relevant data.

Application Families and Tags
Description: Two new metadata fields, ApplicationFamily and ApplicationTags, classify NetMon application traffic into categories such as Web, SCADA, Instant Messaging, and many more. The new Application Exploration Dashboard makes it easy to visualize and search application families and tags.
Benefits: Searching flows by family or tag greatly accelerates threat-hunting by making it easy to target groups of related applications or specific types of traffic with simplified search queries.

Open Metadata Query API
Description: A new API route (GET /api/search) enables NetMon to retrieve any metadata.
Benefits: Users can extract metadata to another application or into a report, or use a SmartResponse to obtain all metadata from a session.

Stateless Protocol Stitching for DNS
Description: This Configuration > Engine setting consolidates stateless sessions (DNS over UDP) into a single session.
Benefits: Enabling this setting reduces metadata generation and improves performance.

Support Dashboards
Description: NetMon 3.8.1 includes two new dashboards, Traffic Profile and Traffic Endpoints, that help identify and remedy performance issues.
Benefits: These dashboards help pinpoint the causes of slow performance, and can be used with IP filtering and application blacklisting (Configuration > Filter) to prevent specific IP addresses or applications from flooding a NetMon.

PCAP Replay Forwarding Switch
Description: A toggle switch on the Configuration > Syslog page allows NetMon users to hide replayed PCAPs from LogRhythm Enterprise.
Benefits: Analysts can examine traffic in NetMon without triggering downstream alerts.

PAGE 12
– NetMon Release Notes

Feature Description Benefits

Improved A new queue architecture reduces NetMon utilizes system resources more
Performance memory consumption and improves effectively and has improved performance
stability. The disk packet writer and increased stability.
captures packets to disk at a more
consistent rate.

Additional An additional 45 applications have Customers can now identify even more
Application been classified—there are now 3,379 applications and more reliably differentiate
Classifications total applications classified in NetMon. known good traffic from suspicious traffic.
New additions include Microsoft
PowerShell Remoting, Turbo VPN, and
iFIX, among other applications.

Resolved Issues
The following issues were resolved in the 3.8.1 release:

Bug # Description

NM-802 Inconsistent information in the installation guide has been updated.

NM-806 Modbus traffic is now correctly categorized.

NM-939 A vulnerability in the included version of Nginx (CVE-2017-7529) has been resolved by updating Nginx.

NM-1006 Permissions on the MonitorDispatch directory have been updated.

NM-1037 NetMon now correctly handles passwords containing certain special characters.

NM-1057 The user interface now correctly reflects PCAP download status.

NM-1060 Certain included libraries have been updated.

NM-1067 The documented description of Basic DPI mode has been updated.

NM-1091 Resolved an issue where, in some cases, replayed traffic was not available for download and file reconstruction.

NM-1111 Configurations have been updated to better handle PCAP cleanup.

NM-1123 Resolved an issue where packets were sometimes duplicated during PCAP replay.

NM-1125 Resolved an issue where the Configuration > Network > Interfaces panel failed to load.


Version 3.7.1
Features and Enhancements
The following features and enhancements are included in the 3.7.1 release:

Feature: PCAP Replay Upgrade
Description: NetMon 3.7.1 introduces improved PCAP Replay features, including two new metadata fields, a new Replayed Traffic Dashboard, a more efficient underlying architecture, a new API route to retrieve replayed PCAP session IDs, and improved workflow around analyzing replayed traffic.
Benefits: Replayed PCAP files can now be isolated from live traffic and inspected independently. The new metadata fields enable powerful analysis and aggregation of replayed traffic. Individual links from uploaded PCAPs to the Analyze Dashboard are pre-filtered to show specific replayed traffic.

Feature: Data Forwarding
Description: The Configuration > Syslog page now provides the option for licensed NetMon users to restrict whether network traffic metadata is forwarded over SmartFlow (Syslog) to LogRhythm Enterprise.
Benefits: Traffic generated from NetMon can now be reduced when alerts and diagnostics are sufficient for a given customer environment.

Feature: Updated Web Management Interface
Description: Among other UI refinements and improvements, the shutdown, reboot, and restart services are now restricted to administrator-only.
Benefits: Users without administrator permissions will not be able to shut down, reboot, or restart NetMon, adding a level of security to prevent unwanted or potentially intrusive system behaviors.

Feature: VMware Support
Description: NetMon 3.7.1 is the first version of NetMon officially supported on VMware. For more information, see the VMware Installation and Configuration Guide, available on the LogRhythm Community.
Benefits: Users can install NetMon on virtual machines powered by VMware vSphere using LogRhythm-recommended configuration specifications.

Feature: Additional Application Classifications
Description: NetMon now classifies 69 additional applications—there are now 3,334 total applications classified in NetMon. New additions include mobile games and social networks, among other applications.
Benefits: Customers can now identify even more applications and more reliably differentiate known good traffic from suspicious traffic.


Resolved Issues
The following issues were resolved in the 3.7.1 release:

Bug # Description

NM-784 Traffic from the Redis cloud system monitoring protocol is no longer misidentified as POP3.

NM-803 The list of supported applications available in the NetMon Help has been updated to remove deprecated protocols.

NM-804 A parsing error that mapped some NetMon Syslog data into the wrong Syslog fields in LogRhythm Enterprise has been fixed.

NM-805 The license upgrade process has been improved so that licenses without an expiration date can be successfully installed without overwriting existing licenses.

NM-807 The NetMon Installation and Configuration Guide has been updated to clarify that SAN storage and DM-multipath are not supported to extend storage volumes.

NM-809 A bug that prevented the dispatch process from accepting certain sessions has been resolved.

Version 3.6.2
Features and Enhancements
The following features and enhancements are included in the 3.6.2 release:

Feature: Operating System Upgrade
Description: NetMon’s base operating system installer has been upgraded to CentOS 7.4.
Benefits: CentOS 7.4 provides improved security and reliability, and also ensures that NetMon 3.6.2 and future versions will run on additional hardware.

Resolved Issues
The following issues were resolved in the 3.6.2 release:

Bug # Description

N/A NetMon has been updated with security patches to mitigate the “Spectre” variant 1 (CVE-2017-5753) and “Meltdown” (CVE-2017-5754) vulnerabilities. Note that Spectre variant 2 (CVE-2017-5715) has not been patched in version 3.6.2.

N/A The included version of PHP has been updated to version 5.6.33.


Version 3.6.1
Features and Enhancements
The following features and enhancements are included in the 3.6.1 release:

Feature: Updated DPI Engine
Description: The Deep Packet Inspection (DPI) engine has been updated.
Benefits: The updated DPI engine improves stability, is more resilient to different traffic profiles, and is better at classifying protocols. System performance is significantly improved, and hardware is utilized more efficiently.

Feature: Role-Based Authentication
Description: Users can now be assigned either Administrator or Analyst roles. Functionality is restricted for analyst users. Multiple users can have administrator roles.
Benefits: NetMon’s role-based authentication functionality can assign users greater control over levels of access. Users with the Analyst role are restricted and cannot change key configuration items. Additionally, multiple named users can now have the Admin role, resulting in greater control over administrator privileges and more resilient and flexible system management.

Feature: User API
Description: Administrator users can now update user information, create users, delete users, and reset user passwords through the API.
Benefits: The capabilities of the NetMon RESTful API have been expanded to include user management. This enables centralized, flexible user administration, user synchronization across multiple NetMon instances, integration with an enterprise’s Identity and Access Management (IAM) platforms, and improved coordination with SIEM user profiles.

Feature: Updated Web Management Interface
Description: The Web Management interface has been updated and refined, including a new top navigation bar and multiple fixes.
Benefits: The NetMon user interface now looks and behaves as the SIEM Web Console does, providing a cohesive, seamless user experience between both products. The user interface has been expanded to provide improved workflows for managing user- and role-related capabilities.


Resolved Issues
The following issues were resolved in the 3.6.1 release:

Bug # Description

NM-789 PHP has been upgraded to version 5.6.32. Earlier versions of NetMon included PHP 5.6.30, which was vulnerable to CVE-2017-11142 (a CPU resource consumption DoS vulnerability). This update mitigates vulnerabilities affecting versions of PHP prior to 5.6.32 (CVE-2017-16642, CVE-2017-12933, CVE-2017-11628, CVE-2017-11145, CVE-2017-11144, CVE-2017-11143, CVE-2017-11142, CVE-2017-7890).

NM-792 Extra blank lines are no longer added to the passwords file upon user creation, preventing unchecked growth of the passwords file and potential exhaustion of memory resources.

NM-793 Resolved an issue where API keys could be overwritten in cases where a username contains another user’s username.

NM-794 Deleted users can no longer access NetMon—deleted user tokens are immediately revoked and system access is no longer possible. This fixes an issue where it was possible for a deleted user to access the NetMon web interface if the deleted user had not yet cleared his or her browser cache.

N/A Previous versions of NetMon would sometimes serve stale pages in the Web interface. This version of NetMon corrects this behavior by properly indicating when pages should and should not be cached. Prior versions of NetMon reported issues where clearing the cache was a necessary workaround—this improvement addresses those cases.

N/A Pages are automatically refreshed after upgrade. In prior versions of NetMon, some successful upgrades would appear to hang until the user manually refreshed the browser page. This fix eliminates the need for a manual browser refresh by properly and automatically refreshing the page after an upgrade completes.


Version 3.5.1
Features and Enhancements
The following features and enhancements are included in the 3.5.1 release:

Feature: Additional Application Classifications
Description: Additional application classifications were added—there are now 3,257 classified in NetMon. New additions include assorted gaming sites (such as clash_of_clans), additional CDN sites (such as lightstreamer), industrial control protocols (such as OPCUA and Profinet), and improved cloud protocols for Azure services and Microsoft Office Online.
Benefits: Users can more clearly identify traffic and differentiate between normal “time-wasters” and suspicious or malicious traffic.

Feature: Additional Admin API Methods
Description: New REST-based endpoints were added for upgrading and licensing a NetMon, managing time, downloading DPA rules, and rebooting and shutting down the server.
Benefits: These methods extend the REST-based Admin API tier for management of multiple NetMons and integration with LogRhythm’s SIEM and other management tools.

Feature: Improved DPA Documentation
Description: The Deep Packet Analytics (DPA) rule documentation has been reorganized and improved.
Benefits: Analysts can find method calls and examples much faster.

Feature: Additional DPA Methods
Description: New DPA methods have been added to improve logging support and make it easier to find an application in the path.
Benefits: New methods simplify rule development and make it easier to efficiently isolate classes of traffic (for example, “find all ssl”) regardless of the final classification (for example, “/tcp/ssl/https/pandora”).

Feature: Additional DPA Packet-Level Methods
Description: New packet-level methods have been created to easily extract specific bytes of data from a packet as an integer or a string of raw HEX data.
Benefits: Packet-level analysis is much easier and more in line with capabilities of IDS systems like Bro and Snort. Rules can be written to match byte-level signatures.

Feature: Stop Scrolling in Log Viewer
Description: On the Logs page, it is now possible to stop the automatic scrolling of system diagnostic and audit logs.
Benefits: It is now much easier to read through logs for specific events without the risk of the message scrolling off the page.


Resolved Issues
The following issues were resolved in the 3.5.1 release:

Bug # Description

NM-778 Non-admin users can no longer see the Configuration > Upgrade page or start an upgrade.

NM-780 Session length now supports Int64 in all places. This prevents data rollover for long sessions.

NM-785 Download of DPA rules works again, generating non-corrupt .lrl files. (Note: This was a bug in 3.4.2 only.)

NM-786 Java ES library has been updated to prevent lockup of the Dispatch service.

N/A Kibana Startup log is now properly managed for size.

N/A Capitalization in the UI has been fixed for consistency (Manage Users, Upgrade, Replay).

N/A A potential JavaScript injection vulnerability has been closed.

N/A Deprecated function warning in logs has been resolved.


Version 3.4.2
Features and Enhancements
The following features and enhancements are included in the 3.4.2 release:

Feature: New Metadata Field Named JSONSize
Description: The JSONSize metadata field is available on all flows.
Benefits: This field helps isolate data problems that cause failures in Elasticsearch.

Feature: DPA Rule Editor Window Improved
Description: The DPA Rule Editor window is now easier to use.
Benefits: Writing DPA rules is easier and less prone to accidental loss of content.

Feature: Updates to Network Interfaces
Description: More interface name patterns are recognized.
Benefits: Non-hardware-based network interfaces (for example, virtual systems) are now recognized and supported on the Network Configuration page.

Feature: Installer Supports Alternate Partition Names
Description: NetMon can now be installed on a system that does not have an sda partition.
Benefits: Installation on some VM systems with non-standard partition naming (for example, vda instead of sda) now works correctly.

Feature: Auto-Capitalization
Description: Auto-capitalization has been improved and added to the Discover and Visualize filters under the Analyze menu.
Benefits: Users no longer need to capitalize metadata names in any filter field.

Resolved Issues
The following issues were resolved in the 3.4.2 release:

Bug # Description

NM-753 The Authentication Required popup no longer displays on the login page.

NM-759 A DPA rule uploaded as an .lrl can now be re-uploaded after the rule is deleted.

NM-764 Hexadecimal DNS flags correctly convert to 16-bit values in NetMon.

NM-766 A possible memory corruption issue on system startup has been resolved.

NM-769 A possible race condition causing system failure has been resolved.

NM-775 The Download Diagnostics .zip file now opens properly on Windows systems.

NM-776 The Flow_PrivateKeyExtensions rule now works correctly for mapi protocol.

NM-758 The .iso install script is no longer hardcoded to be installed on the sda drive.

N/A CVE-2017-1000364 and CVE-2017-1000366 (Stack Clash exploits) are patched.


Version 3.4.1
Features and Enhancements
The following features and enhancements are included in the 3.4.1 release:

Feature: Validate an Upgrade
Description: NetMon now prompts you to verify the official hash of the upgrade file before uploading and installing the updated version of NetMon.
Benefits: Visually comparing the hash of the .lrp file with LogRhythm’s published hash value provides a human interaction guarantee that the upgrade file is legitimate and officially from LogRhythm.

Feature: Set Up a Secure Syslog
Description: Through the Configuration > Syslog user interface, you can now configure a secure TCP Syslog connection.
Benefits: Network data is highly valuable. By securing the connection between the NetMon and the SIEM, this data can be transported securely for further analysis and correlation.

Feature: Improved Interface Configuration
Description: The Configuration > Network user interface now includes an interface selector with the ability to see all recognized interfaces, including data received and IP addresses.
Benefits: Setting up a NetMon is now easier than ever. Instead of guessing which cryptically named port (for instance, enp0s02) is your incoming tap data, you can see which port is receiving data and select it. You also do not have to guess which interfaces are part of a bond. You can simply select the interfaces you want to capture.

Feature: New Help Tab
Description: From the Help tab of the top navigation bar, you can now access the NetMon online Help and Community forum, as well as download diagnostics files.
Benefits: LogRhythm’s Community is a great resource for NetMon information and support, and the embedded link makes it easier than ever to connect. The Diagnostics .zip file contains rich information that is useful for understanding NetMon’s configuration and performance.


Resolved Issues
The following issues were resolved in the 3.4.1 release:

Bug # Description

NM-614 If a PCAP download request times out, the message is no longer “retrying download” when the download does not actually retry.

NM-757 The Login dialog is no longer available when the rest of the services have not yet started.

NM-760 The validation message for changing a hostname now mentions that lowercase is required for a valid hostname.

NM-761 API download routes now properly report HTTP status on error conditions.

NM-763 Improvements to Elasticsearch tuning and data truncation have been made to prevent crashes under specific large loads.

NM-765 The download library now properly streams for very large files.

NM-770 A fix has been implemented for a vulnerability exposed via Metasploit.

NM-771 Backup .ifcfg.old files are now ignored and not considered valid interfaces.


Version 3.3.2
Features and Enhancements
The following features and enhancements are included in the 3.3.2 release:

Feature: Additional Classifications
Description: NetMon now classifies 3,061 unique applications. Shutterstock, Layer 7+ SolarWinds, Microsoft Docs Online, and many ICS/SCADA protocols were added in this release.
Benefits: Customers can now identify even more applications and more reliably differentiate known good traffic from suspicious traffic.

Feature: New API Methods
Description: Additional API methods have been exposed for managing Query Rules, downloading DPA rules, examining service status, downloading logs, and changing the hostname of the system.
Benefits: Customers can continue integrating with NetMon and automating management functions.

Feature: API Security Improvements
Description: All API methods have been updated with increased client and server-side validation, stronger authentication, improved auditing, and other related security changes.
Benefits: Customers can trust that the API layer is not a security vulnerability.

Feature: Additional Audit Records
Description: Additional Audit messages are now created for upgrade success and failure, several API routes, downloading DPA rules, and user logouts.
Benefits: Customers can trust that NetMon fully tracks user actions and provides a clear and consistent audit trail.

Feature: Change Hostname
Description: You can now change the hostname of the NetMon instance through either the Configuration > Engine user interface or an API method.
Benefits: Customers can now easily manage multiple NetMon devices and bring NetMon devices into compliance with Linux host naming standards.

Feature: Change Syslog Port
Description: Through the Configuration > Syslog user interface, you can now change the Syslog sender port from 514 to 601 or to any port larger than 1000.
Benefits: Customers can now adjust NetMon output to target Syslog receivers listening on ports other than the standard 514. This is a precursor to supporting full TLS-encrypted Syslog output.


Resolved Issues
The following issues were resolved in the 3.3.2 release:

Bug # Description

NM-519 Windows Management (WSMan) is now an identified application.

NM-741 A banner indicating that only some data is forwarded has been re-implemented on the Syslog page in NetMon Freemium mode.

NM-745 The various “Delta” fields have been corrected for long-running flows.

NM-746 The FieldCountIndexed field has been renamed to RepeatedFieldCountIndexed.

NM-747 Double JSON error reports on certain API methods have been fixed.

NM-748 All previously installed versions now appear in the /systemInfo command.

NM-750 The Flow_DetectPrivateKey rule has been updated and corrected for current DPI fields.

NM-751 A non-meaningful “fatal” error has been removed from logs when DPA rules are enabled/disabled.

NM-755 PHP has been upgraded to 5.6.30, addressing several CVEs.

N/A Email validation now functions properly. For example, [email protected] is no longer considered an invalid email address.

N/A Various improvements have been made to an API that gathers version information and upgrade history.

N/A On install, NetMon now presets the number of processing threads based on the underlying architecture.


Version 3.3.1
Features and Enhancements
The following enhancements are included in the 3.3.1 release:

Feature: New API Methods
Description: Public API calls have been added for restarting services and changing capture settings.
Benefits: Customers can start automating management of NetMons and improving integration with other systems, such as the SIEM’s Web Console.

Feature: Initial Passwords Changed
Description: On initial installation, all default passwords are now set to changeme.
Benefits: This simplifies deployment and encourages customers to follow good security practices by changing NetMon’s default password.

Feature: Sharing Usage Statistics
Description: LogRhythm now collects basic license level, version information, and anonymous usage statistics. No actual customer data is sent to LogRhythm. Customers using an enterprise license can opt out.
Benefits: LogRhythm’s development efforts and upgrade schedule will be based on actual usage patterns.

Feature: Audit Log Improvements
Description: Additional audit log messages are stored and include the user who triggered the message.
Benefits: Administrators evaluating NetMon usage now have richer data about system access.

Resolved Issues
The following issues were resolved in the 3.3.1 release:

Bug # Description

NM-712 The DPA audit log now notes the user who made changes.

NM-730 The configuration and feature associated with “SIEM Logging” in the Syslog Configuration has been removed.

NM-740 Saved Query Rules can now be edited.

N/A The warning color for downloading PCAPs or files has changed from bright red to yellow, and the icon has been fixed.

N/A A non-harmful, “fatal” warning that appeared in /var/log/messages has been removed.


Version 3.2.3
Features and Enhancements
The following enhancements are included in the 3.2.3 release:

Feature: New DPI Classifications
Description: Forty-five new application classifications have been added, including Oracle Real Application Clusters (RAC), Elasticsearch, Citrix PVS, Zoom video conferencing, and Pokémon GO.
Benefits: New application classifications enrich the ability to identify normal operational traffic for enterprise systems, reducing the “noise” in searching for threats.

Feature: Continued UI Improvements
Description: Additional changes have been made to the styling of the user interface.
Benefits: These changes bring NetMon even more in line with the SIEM Web Console, providing a seamless visual experience for analysts. Additional small changes help streamline the user experience, reducing the effort needed to learn and use NetMon features.

Resolved Issues
The following issues were resolved in the 3.2.3 release:

Bug # Description

NM-700, NM-714 Previously unknown/unidentified UDP traffic in PCAPs is now correctly identified as the Oracle RAC protocol.

NM-729 Data with fields longer than 32,766 bytes are now automatically truncated (HTTP cookie only).

NM-733 Error messages now notify users if an .lrp configuration upgrade is unsuccessful.

NM-734 NetMon now runs properly on certain VMware and hardware systems that use non-sequential core numbering.

NM-737 Settings have been changed to prevent syslogd and journald from impeding Syslog messages.

NM-739 A patch was applied to address the critical “Dirty Cow” Linux kernel vulnerability (CVE-2016-5195).


Version 3.2.2
Features and Enhancements
The following enhancements are included in the 3.2.2 release:

Feature: Improved Styling
Description: The look and feel of NetMon has been updated to more closely match the LogRhythm Web Console.
Benefits: Users familiar with LogRhythm will have an easier time transitioning to the NetMon interface.

Feature: Main Menu Bar Changes
Description: Among other changes, Rules and Alarms have been given a more prominent place in the top navigation menu.
Benefits: More prominent access to Deep Packet Analytics rules and Query Alerts leads to increased usage of automated analytics.

Feature: Alarms Dashboard
Description: A new dashboard has been created specifically to show alarms.
Benefits: The Alarms Dashboard makes it easier to evaluate alarms generated by DPA rules and saved searches, and also to determine investigation priorities, reducing time to detection and time to response.

Feature: Changes in Configuration
Description: Several configuration pages—particularly the DPA rules page—have been modified for a more streamlined experience.
Benefits: Analysts and administrators will be able to more quickly find necessary configuration elements and make changes, such as uploading new rules.

Feature: Server Management
Description: Server management functions have been grouped in a new menu icon.
Benefits: Analysts will have an easier time finding server maintenance functions such as restart, reboot, and shutdown.

Feature: Deep Packet Inspection Update
Description: The DPI engine has been updated and can now classify 2,952 applications.
Benefits: About 200 new applications are classified, including Uber, Slack, LogMeIn, and more cloud hosts.

Feature: HTTPS Version
Description: The HTTPS protocol version is now stored as metadata in the ProtocolVersion field.
Benefits: You can easily detect less secure connections that use deprecated encryption by viewing or detecting the version in use.

Feature: DPA Rule Checking
Description: DPA rules are now checked at runtime for access to invalid or missing metadata fields.
Benefits: Developers of DPA rules now know if they’ve tried to access invalid metadata fields.

Feature: In-Place CentOS Upgrade
Description: Customers on NetMon versions 2.8.1–3.1.2 have an upgrade path to 3.2.2.
Benefits: Customers who are still using a NetMon version based on CentOS 6 have an in-place (LRP-based) upgrade path to NetMon 3.2.2 and CentOS 7.2, which provides improved security, reliability, and sustainability.


Resolved Issues
The following issues were resolved in the 3.2.2 release:

Bug # Description

NM-659 Searches run from the Alarms page now properly appear in NetMon’s Search History log.

NM-720 The License page now refreshes and displays the upgraded product license correctly after upgrading or installing a new license.

NM-723 Cassandra heap size has been increased to prevent it from running out of memory in conditions of high flow rate.

NM-724 Resolved autofill overlap issues in the Google Chrome browser.

NM-725 Applied a patch to address CentOS vulnerability CVE-2016-5696.

NM-726 A default PHP file that uses the “phpInfo()” command was deleted to fortify NetMon against a PHPInfo disclosure vulnerability.

NM-728 Changed Ingress/Egress Dashboard text to clarify that direction is determined not only by source IP and destination IP locations, but also by the number of srcBytes and dstBytes.

N/A Implemented a fix for PCAP replay of HTTPS sessions, which were not ending cleanly.


Version 3.2.1
Features and Enhancements
The following enhancements are included in the 3.2.1 release:

Feature: Operating System Upgrade
Description: NetMon’s base operating system has been upgraded from CentOS 6.5 to CentOS 7.2.
Benefits: CentOS 7.2 provides improved security, reliability, and sustainability. It addresses numerous vulnerabilities and keeps NetMon on a current version of CentOS.

Feature: Hardened OS
Description: NetMon’s base operating system has been hardened to prevent malicious access.
Benefits: Many OS-level features have been removed or restricted, and account access has been limited to help prevent malicious activities.

Feature: Improved Freemium Experience
Description: Capture has been increased to 1 Gb per second, and alarms and diagnostic messages can be sent via syslog.
Benefits: Increases the usability of Freemium for a wider variety of customers and use cases, including short term incident response.

Feature: User Experience Improvements
Description: Filters and titles on configuration pages make it easier to find key configuration values.
Benefits: NetMon admin time is minimized through a simplified context in user experience.

Feature: User Password Management
Description: Passwords can be changed by individual users, and any password can be changed by the admin user.
Benefits: Provides more efficient account management for multiple NetMon users.

Feature: DPA Scanning of FTP and SMTP Session Bodies
Description: DPA rules can now scan the first 500 KB of an FTP transfer or SMTP email body.
Benefits: Allows for deeper analytics of these protocols, including scenarios like scanning for key words, PII, PHI, or corporate intellectual property.

Additional System Rule Content

Feature: Top Level Domain Rule and Dashboard
Description: A DPA rule creates metadata to identify domain names, and the resulting data can be visualized in a new dashboard.
Benefits: NetMon users can quickly determine the end points for web traffic, noting anomalous top level domains.

Feature: Traffic Direction Rule and Dashboard
Description: A DPA rule creates metadata identifying traffic direction, and the resulting data can be visualized in a new dashboard.
Benefits: NetMon users can quickly evaluate a network to determine ingress, egress, and lateral traffic patterns to help identify anomalous activity.

Feature: Canadian SIN DPA Rule
Description: New rule detects PII exposure of Canadian Social Insurance Numbers.
Benefits: The new DPA rule can detect accidental or malicious exposure of PII through unencrypted channels.

Feature: Identify Bank Routing Numbers
Description: New rule detects exposure of bank routing numbers.
Benefits: The new DPA rule can detect accidental or malicious exposure of bank routing numbers through unencrypted channels.

Feature: Improved CCN Detection
Description: Existing DPA rule algorithm improved for detecting credit card numbers.
Benefits: The improved DPA rule can detect accidental or malicious exposure of credit card numbers through unencrypted channels.
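As an added example rather than LogRhythm's own DPA rule code, the checksum tests that let a detector for Canadian SINs, bank routing numbers and card numbers reject most random digit runs in a scanned session body. It assumes Luhn (mod 10) for card numbers and Canadian SINs and the ABA weighted check (3, 7, 1) for routing numbers, and the message body it scans is a constructed sample:

```python
# Added example, not a NetMon DPA rule. Validates digit runs found in a text body
# with the checksum each number format carries, so that ticket and phone numbers
# are not reported as PII.
import re
from typing import List, Tuple

# Runs of 9 to 19 digits, optionally separated by single spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){8,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check (payment card numbers and Canadian SINs use it)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_canadian_sin(digits: str) -> bool:
    """Canadian Social Insurance Number: 9 digits that satisfy Luhn."""
    return len(digits) == 9 and luhn_valid(digits)


def is_card_number(digits: str) -> bool:
    """Payment card number: 13 to 19 digits that satisfy Luhn."""
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def is_aba_routing(digits: str) -> bool:
    """ABA routing transit number: 9 digits, weights 3,7,1 repeated, sum mod 10 == 0."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (kind, normalised_digits) for each candidate that passes a checksum.

    Digit-run matching alone would flag every order or ticket number; the checksum
    is what keeps the false-positive rate down. A 9-digit value can satisfy both the
    SIN and the ABA test, in which case both labels are reported and a real rule
    would use protocol or keyword context to decide.
    """
    findings: List[Tuple[str, str]] = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if is_canadian_sin(digits):
            findings.append(("canadian_sin", digits))
        if is_aba_routing(digits):
            findings.append(("aba_routing", digits))
        if is_card_number(digits):
            findings.append(("card_number", digits))
    return findings


# Constructed sample body: the SIN is the widely published example value, the card
# number is a standard test number, and the routing number was built to pass the check.
SAMPLE_BODY = (
    "Hi, my SIN is 046-454-286 and the card is 4111 1111 1111 1111.\n"
    "Wire to routing 123456780. Unrelated ticket 123456789 and phone 5551234567.\n"
)

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_BODY):
        print(f"{kind}: {value}")
```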

Resolved Issues
The following issues were resolved in the 3.2.1 release:

Bug # Description

NM-674 NetMon was incorrectly classifying certain logs as “Thunder.”

NM-697 In deployments having a large number of small flows, NetMon was crashing when trying to insert data into Elasticsearch.

NM-699 NetMon was displaying ports for ICMP traffic when no ports should have been displayed.

NM-704 The version of PHP used by NetMon has been upgraded to 5.6.22.


Version 3.1.2
Features and Enhancements
The following enhancements are included in the 3.1.2 release:

User Interface Update
  Description: The UI has been refreshed and updated, aligning it with the look and feel of the SIEM Web Console.
  Benefits: There is less visual contrast between different parts of the LogRhythm solution.

Configurable Security Options
  Description: NetMon has a new Client Security page, providing configurable options for:
  • a login authorization banner in the UI and for shell access
  • a session timeout period
  • a configurable minimum password length
  Benefits: Compliance with enterprise security policies.

New Diagnostic Messages
  Description: New diagnostic messages are enabled for:
  • Changing passwords
  • Adding, deleting or changing a user
  • Restarting services
  • Shutting down NetMon
  • Rebooting NetMon
  • Changing the license
  • Upgrading NetMon
  • Any configuration change
  • File reconstruction or PCAP download via UI or API call
  • Add, edit, enable, disable, upload or delete DPA rule
  • Disk space limit reached
  Benefits: Enhances security, troubleshooting and system reliability, including central monitoring and audit control through SIEM integration.

Dashboard Validation
  Description: On startup, all official LogRhythm dashboards are validated: missing dashboards are added, and outdated or corrupt dashboards are replaced.
  Benefits: Provides improved stability for customers.

New Ports Dashboard
  Description: The Destination Port Dashboard is now available, with visualizations to show all traffic by port, application, destination IP, and source IP.
  Benefits: New use case dashboard for hunting for unusual traffic and rogue services.

DPI Update: Nagios
  Description: Nagios is now classified properly.
  Benefits: Improved ability to ignore or set policies for Nagios identified traffic.

Indexing Improvements
  Description: The algorithm used for inserting metadata into Elasticsearch has been further optimized for improved performance.
  Benefits: Eliminates a performance bottleneck when capturing metadata and processing short, frequent flows.


Resolved Issues
The following issues were resolved in the 3.1.2 release:

Bug # Description

NM-694 Classification Only mode is now a switch on the Engine configuration page.

NM-696 The VlanID field is now capitalized properly.


Version 3.1.1
Features and Enhancements
The following enhancements are included in the 3.1.1 release:

5 Gbps Sustained License
  Description: The NM5400 platform now supports data capture up to 5 Gbps sustained.
  Benefits: With additional license purchases, customers can analyze more network traffic in a single NetMon installation.

UI Update
  Description: NetMon's UI is updated with a refreshed look and increased functionality.
  Benefits: Dashboards are now richer, faster and more responsive. New data aggregations and visualizations are possible, dashboards are easier to create, and analysts will have more power to quickly find and analyze troublesome network traffic.

New Metadata Fields
  Description: TLS version and cipher suite ID are now captured as metadata.
  Benefits: As SSL continues to be replaced by TLS, capturing the TLS version and cipher suite helps quickly identify security vulnerabilities and outdated systems.
  Description: VLAN segment is now captured as metadata.
  Benefits: The VLAN segment ID helps differentiate traffic on networks that leverage the 802.1Q protocol to separate network segments.

Improved HTTP Processing with Deep Packet Analytics
  Description: DPA rules can now analyze HTTPRequest and HTTPResponse separately.
  Benefits: DPA rules can now perform much more efficiently with simple logic looking at the request versus the response of HTTP-based protocols. This allows for faster and richer analysis of suspicious web-based traffic.

Integration of Diagnostic Events with the LogRhythm SIEM
  Description: NetMon audit and diagnostic messages are now stored locally in a designated audit file. In addition, these messages are sent to the SIEM via syslog.
  Benefits: Separating audit and diagnostic events from other logs makes it easier to report on NetMon usage and troubleshoot the system's health. Incorporating these logs into the SIEM provides additional rich reporting and alarming similar to other SIEM components.
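The TLS version, cipher suite ID and VLAN ID fields above are each a fixed-offset read from the first bytes of a session. The Python below is an added example for these notes, not NetMon's parser, showing where those bytes sit: the version and chosen cipher suite in a ServerHello (RFC 5246 layout), and the 12-bit VLAN ID inside an 802.1Q tag (TPID 0x8100). The cipher-suite names are the IANA registry names for the listed IDs; the handshake records and Ethernet frames are constructed inside the block, and the "outdated" verdict uses a version list and algorithm markers chosen for this example rather than any NetMon policy.

```python
"""Extract TLS version, cipher suite ID and 802.1Q VLAN ID from raw bytes
(added example, not NetMon's own metadata parser)."""
import struct

# IANA TLS version values as they appear in the ServerHello version field.
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# A few IANA cipher suite IDs; anything else is reported by number.
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Assumption: what this example treats as outdated for the triage verdict.
WEAK_VERSIONS = {"SSLv3", "TLSv1.0"}
WEAK_SUITE_MARKERS = ("RC4", "_NULL_", "_EXPORT_", "_DES_", "3DES")


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello and return its metadata.

    Layout (RFC 5246): record header [type(1) version(2) length(2)],
    handshake header [type(1) length(3)], then ServerHello:
    version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1).
    """
    if len(record) < 5 or record[0] != 0x16:  # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:  # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    off = 35 + sid_len  # cipher suite follows the variable-length session ID
    if len(hello) < off + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    ver_name = TLS_VERSIONS.get(version, "0x%04x" % version)
    suite_name = CIPHER_SUITES.get(suite, "0x%04x" % suite)
    weak = ver_name in WEAK_VERSIONS or any(m in suite_name for m in WEAK_SUITE_MARKERS)
    return {"tls_version": ver_name, "cipher_suite_id": suite,
            "cipher_suite": suite_name, "outdated": weak}


def vlan_id(frame):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 18:
        return None
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != 0x8100:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF  # low 12 bits are the VID; the rest is PCP/DEI


def build_server_hello(version, suite, session_id=b""):
    """Construct a minimal ServerHello record (sample data for this example)."""
    hello = (struct.pack("!H", version) + b"\x11" * 32 + bytes([len(session_id)])
             + session_id + struct.pack("!H", suite) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


# Constructed frames: dst MAC, src MAC, then an 802.1Q tag (VID 100) or a bare EtherType.
TAGGED_FRAME = b"\xaa" * 6 + b"\xbb" * 6 + b"\x81\x00" + b"\x20\x64" + b"\x08\x00" + b"\x00" * 20
UNTAGGED_FRAME = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + b"\x00" * 20

if __name__ == "__main__":
    print(parse_server_hello(build_server_hello(0x0303, 0xC02F)))
    print(parse_server_hello(build_server_hello(0x0301, 0x0005, b"\x01" * 8)))
    print(vlan_id(TAGGED_FRAME), vlan_id(UNTAGGED_FRAME))
```

One caveat for anyone building a capture-side extractor this way: a TLS 1.3 server still writes 0x0303 in the ServerHello version field and announces the real version in the supported_versions extension, which this parser does not read, so a TLS 1.3 session is reported here as TLSv1.2. Telling the two apart means walking the extensions as well.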

Resolved Issues
The following issues were resolved in the 3.1.1 release:

Bug # Description

NM-684 NetMon is running vulnerable OpenSSL version 1.0.1e.

NM-688 NetMon is shipping with vulnerable glibc version 2.12.

NM-693 Infinite loop when processing SIP/FaceTime traffic.


Version 2.8.2
Features and Enhancements
The following enhancements are included in the 2.8.2 release:

Thread Affinity
  Description: NetMon will calculate the optimal setting for Processing Threads to maximize performance based on the number of CPU cores in your NetMon system.
  Benefits: Ensures you are getting the best possible performance out of your NetMon system.

Basic DPI Mode
  Description: In Basic DPI mode, the packet processing path is expedited due to the reduced number of data structures that are used in the packet processing pipeline. In this mode, 95% of the protocols classified and attributes extracted remain unchanged.
  Benefits: Improves processing efficiency and greatly reduces the potential for dropped packets.

REST API Updates
  Description: NetMon's REST API has been updated with routes to enable reconstruction and download of file attachments from captured sessions through the API.
  Benefits: Provides programmatic access to the latest features available in NetMon.

New Deep Packet Analytics Rules
  Description: NetMon 2.8.2 includes several new and updated system rules for Deep Packet Analytics. Details about new rules can be found in NetMon 2.8.2 Release Notes and NetMon Deep Packet Analytics: System Rules.
  Benefits: Provides customers with new advanced ways to inspect and act on traffic in their network.


Version 2.8.1
Features and Enhancements
The following enhancements were included in the 2.8.1 release:

Packet Capture with netmap
  Description: To improve capture and throughput performance, netmap is now available as a packet capture library in NetMon.
  Benefits: Switching to a netmap capable interface can improve performance if you are seeing dropped packets on your existing input interface.

File Reconstruction
  Description: File attachments from a captured SMTP session can be reconstructed into their original format for further investigation.
  Benefits: File reconstruction can assist with forensic analysis or legal matters. For example, you may need to review all files sent by and to a specific user.

NetMon Freemium
  Description: NetMon Freemium is now a general availability release. Customers and prospects alike can now find and download NetMon Freemium.
  Benefits: NetMon Freemium enables more users to evaluate NetMon for a POC or on a small-footprint system. It provides the same functionality as a full NetMon license, minus SIEM integration and with lower limits on processing, storage, and data retention.
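Reconstructing an attachment from a captured SMTP session comes down to four steps: isolate the DATA section, undo SMTP dot-stuffing, parse the MIME structure, and decode each attachment part. The Python below is an added example written for these notes with the standard library, not NetMon's reconstruction engine (the 2.8.2 API routes for this are not documented on this page). The SMTP transcript and the attachment bytes are constructed sample data; each recovered file is returned with a SHA-256 so it can be matched against a hash list.

```python
"""Reconstruct attachments from a captured SMTP session (added example).

Standard-library illustration for these notes, not NetMon's own code.
The session transcript below is constructed sample data.
"""
import base64
import hashlib
from email import policy
from email.parser import BytesParser

ATTACHMENT_BYTES = b"%PDF-1.4\n% constructed sample, not a real document\n"

# Constructed client side of an SMTP session as seen on the wire.
# One body line is dot-stuffed ("..") exactly as RFC 5321 requires.
SESSION = (
    b"EHLO workstation.example.internal\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.org>\r\n"
    b"DATA\r\n"
    b"From: alice@example.com\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: Q3 numbers\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See attached.\r\n"
    b"..this line was dot-stuffed on the wire\r\n"
    b"--b1\r\n"
    b'Content-Type: application/pdf; name="q3.pdf"\r\n'
    b'Content-Disposition: attachment; filename="q3.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(ATTACHMENT_BYTES) + b"\r\n"
    b"--b1--\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def extract_data_section(session):
    """Return the DATA payload with dot-stuffing undone, or None if it never ends."""
    lines = session.split(b"\r\n")
    try:
        start = lines.index(b"DATA") + 1
    except ValueError:
        return None
    body = []
    for line in lines[start:]:
        if line == b".":  # lone dot terminates the message
            return b"\r\n".join(body) + b"\r\n"
        body.append(line[1:] if line.startswith(b"..") else line)
    return None  # capture was cut off before the terminator


def reconstruct_attachments(session):
    """Return [(filename, content_type, sha256_hex, payload)] for each attachment."""
    data = extract_data_section(session)
    if data is None:
        return []
    msg = BytesParser(policy=policy.default).parsebytes(data)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        found.append((part.get_filename(), part.get_content_type(),
                      hashlib.sha256(payload).hexdigest(), payload))
    return found


if __name__ == "__main__":
    for name, ctype, digest, payload in reconstruct_attachments(SESSION):
        print(name, ctype, digest, len(payload), "bytes")
```

Inline parts without a Content-Disposition of attachment (the text body here) are deliberately skipped; a reviewer who wants every file regardless of disposition can instead keep any part whose get_filename() is not None. A session captured without its terminating dot yields no attachments rather than a truncated file.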
