search close


Agent Release Notes

4.35.0 2022-11-09

  • Added optional systemd based agent auto update for Debian, Ubuntu, and RHEL/CentOS
  • Upgraded to Golang 1.19.3
  • Improved GraphQL Parsing
  • Improved CMDEXE detection
  • Updated base GeoIP data: November 2022

4.34.0 2022-10-12

  • Upgraded to Golang 1.19.2
  • Improved SQLI detection
  • Updated base geo IP data: October 2022

4.33.0 2022-09-14

  • Added GA support for AWS Lambda
  • Fixed HAProxy SPOA healthcheck response
  • Improved SQLI detection
  • Improved CMDEXE detection
  • Upgraded to Golang 1.18.6
  • Updated base geo IP data: September 2022

4.32.1 2022-08-24

  • Closed GraphQL related vulnerability
  • Improved CMDEXE detection

4.32.0 2022-08-17

  • Added x86_64 and arm64 support for Red Hat Enterprise Linux(RHEL9)/CentOS Stream 9
  • Improved CODEINJECTION detection
  • Improved CMDEXE detection
  • Improved inspection of HTTP request bodies
  • Updated base geo IP data: August 2022

4.31.0 2022-07-13

  • Upgraded to Golang 1.18.4
  • Improved SQLI detection
  • Improved CMDEXE detection
  • Updated base geo IP data: July 2022

4.30.0 2022-06-21

  • Added Beta Support for AWS Lambda
  • Added Fastly CDN endpoint for fetching updates, improving download performance
  • Added x86_64 and arm64 support for Ubuntu 22.04
  • Updated base geo IP data: June 2022
  • Improved inspection for text/plain, CMDEXE, SQLI and Log4j

4.29.0 2022-05-11

  • Updated base geo IP data: May 2022
  • Improved inspection logic

4.28.0 2022-04-18

  • Expanded GraphQL inspection to cover additional data types and anomalous behavior
  • Improved XSS detection
  • Enhanced inspection of multipart/form-data
  • Updated base geo IP data: April 2022

4.27.0 2022-03-16

  • Added arm64 linux support and packages for Ubuntu, Debian and CentOS
  • Upgraded to Golang 1.17.8
  • Updated base geo IP data: March 2022

4.26.0 2022-02-16

  • Improved envoy v3 API compatibility
  • Improved reporting of blocked WebSocket messages
  • Improved reverse proxy WebSocket header forwarding
  • Updated base geo IP data: February 2022

4.25.0 2022-01-19

  • Improved reverse proxy Content-Type inspection
  • Improved reverse proxy gRPC User-Agent forwarding
  • Updated base geo IP data: January 2022

4.24.1 2021-12-10

  • Improved Content-Type normalization when determining which types to inspect

4.24.0 2021-11-17

  • Updated base geo IP data: November 2021

4.23.0 2021-10-21

  • Fixed an inconsistency in determining the client IP when trust-proxy-headers is disabled and client-ip-header was set to the default of using the X-Forwarded-For proxy header
  • Improved GraphQL query parsing
  • Updated base geo IP data: October 2021

4.22.0 2021-09-16

  • Added conn-max-per-host reverse proxy configuration option to allow limiting the number of upstream connections
  • Improved generation of agent cache directory when non path-safe characters are present in the system hostname
  • Improved handling of abstract socket namespaces in rpc-address
  • Upgraded to Golang 1.17.1
  • Updated base geo IP data: September 2021

4.21.1 2021-08-16

  • Corrected deadlock issue
  • Added Debian 11 (bullseye) support (released 2021-09-01)

4.21.0 2021-08-16

  • Added external data information to SIGUSR1 diagnostic logs
  • Added an experimental bypass-egress-proxy-for-upstreams configuration option to more easily exclude revproxy upstream traffic from an egress proxy
  • Improved external data error handling and metrics
  • Standardized release notes
  • Updated base geo IP data: August 2021

4.20.0 2021-07-22

  • Added initial support for sigsci-module-envoy
  • Added Alpine 3.13, 3.14 support
  • Improved service lifecycle management, avoiding rare service restarts on agent startup
  • Improved geo IP update logic to prevent downgrading to prior versions in specific cases
  • Updated external data fetches to honor download-config-version option
  • Updated base geo IP data: July 2021

4.19.1 2021-06-24

  • Fixed permissions for the Unix RPC socket file under stricter umask settings

4.19.0 2021-06-23

  • Improved handling of log locations when stdout or stderr is used
  • Improved CMDEXE detection
  • Added support for application/graphql content-type for reverse proxy mode
  • Updated base geo IP data: June 2021

4.18.0 2021-04-28

  • Fixed a JSON parsing issue with strings ending in \
  • Added initial functionality to support future GraphQL parsing
  • Updated base geo IP data: April 2021

4.17.0 2021-03-04

  • Improved SQLi processing
  • Improved CMDEXE detection
  • Updated base geo IP data: March 2021

4.16.0 2021-02-01

  • Added Alpine 3.12 support
  • Added initial support for envoy v3 APIs needed to run envoy with deprecated v2 API support disabled
  • Fixed version reported by --version and other help/usage texts
  • Improved redaction logic for jsessionid query parameters
  • Improved CMDEXE processing
  • Updated the Windows installer to install the agent service with a delayed automatic start to avoid a rare failure to start on boot
  • Updated base geo IP data: January 2021

4.15.0 2020-12-16

  • Fixed startup hang on tls-key files with trailing whitespace
  • Added windows-eventlog-level configuration option to limit Windows event viewer logging, which now defaults to “warning” (was “info”) to reduce default logging output
  • Updated third party dependencies

4.14.0 2020-10-29

  • Upgraded to Golang 1.15.2
  • Updated base geo IP data: October 2020

4.13.0 2020-09-15

  • Improved revproxy upstream error reporting
  • Added back signals missing from statsd output
  • Added runtime support for future rate limiting enhancements
  • Updated base geo IP data: September 2020

4.12.0 2020-08-11

  • Improved statsd output by filtering out internal rate limiting metrics inadvertently translated as signals
  • Added support on Windows to write select logs to the eventlog in addition to the file based logging
  • Updated base geo IP data: August 2020

4.11.0 2020-07-16

  • Fixed systemd support for Ubuntu 18.04
  • Improved SQLi and CMDEXE detection
  • Upgraded to Golang 1.14.5
  • Updated base geo IP data: July 2020

4.10.0 2020-06-25

  • Added support for additional blocking codes and redirects in revproxy and envoy modes
  • Deprecated the inspection-alt-response-codes concept in favor of using all codes 300-599 as “blocking”
  • Removed X-Sigsci-* HTTP response headers when blocking in envoy
  • Fixed a revproxy configuration regression issue which caused a failure to connect to the upstream when the upstream URL was configured without explict ports for http (80) or https (443)
  • Improved the reverse proxy pass-host-header configuration option to allow the hostname to be passed through to the upstream TLS handshake for SNI and certificate validation, avoiding the need to configure tls-verify-servername

4.9.0 2020-06-04

  • Improved HTTP/2 support for reverse proxy listeners and upstreams
  • Improved TLS support for reverse proxy listeners and upstreams
  • Improved processing of client IP headers in Azure environments
  • Improved CPU and memory performance
  • Fixed revproxy and envoy modes so that they register the module with the dashboard on agent startup
  • Fixed issue with some lists using non-ASCII characters
  • Fixed parsing time duration values as integers in configuration flags and environment vars in addition to config files
  • Upgraded to Golang 1.14.3
  • Updated base geo IP data: June 2020

4.8.0 2020-05-11

  • Added support for disabling revproxy upstream connection pooling with conn-idle-max=0 and clarified the documentation
  • Improved XSS, SQLi and CMDEXE detection
  • Upgraded to Golang 1.13.10
  • Updated base geo IP data: May 2020

4.7.0 2020-04-08

  • Added experimental support for encrypted TLS keys for revproxy via the tls-key-passphrase option
  • Added experimental jaeger tracing support for the envoy module via the jaeger-tracing option
  • Added Unix domain socket support for the envoy grpc listener (as it was documented)
  • Added Alpine 3.11 .apk support
  • Improved SQLi detection
  • Improved error handling of upstream HTTP/2 errors in revproxy to return 502 instead of 500
  • Improved accuracy of some latency metrics
  • Updated UserAgent field to not URL decode by default (decode only if required)
  • Updated base geo IP data: April 2020

4.6.0 2020-03-12

  • Improved support for Windows installs using custom install location via INSTALLDIR
  • Removed concurrent-write problem afflicting GOSH FilterFun when called from PRE/POST (INIT-time was ok)
  • Improved XSS, SQLi and CMDEXE detection
  • Added support for alternative blocking codes with envoy and revproxy via the inspection-alt-response-codes option

4.5.0 2020-02-06

  • Improved latency for envoy integration
  • Improved logging/metrics/debugging for envoy integration
  • Updated max-connection to have a default based on the number of workers (typically set via max-procs) instead of defaulting to unlimited
  • Added support for utilizing max-connections in envoy integration
  • Improved support for Ambassador using existing envoy integration
  • Added Debian 10 (buster) support
  • Added CentOS 8 (el8) support
  • Updated base geo IP data: February 2020

4.4.1 2020-01-21

  • Updated the underlying rule execution engine to be more strict with parsing

4.4.0 2020-01-09

  • Improved SQLi and PHP code injection detection
  • Enabled HTTP/2 support for reverse proxy upstreams
  • Improved response streaming for reverse proxy listeners
  • Fixed extracting the Path and Query when processing requests without a URI field
  • Upgraded to Golang 1.13.5

4.3.0 2019-12-05

  • Added a workaround in Envoy gRPC mode for cases where HTTP/2 body data is missing
  • Updated base geo IP data: December 2019

4.2.0 2019-11-11

  • Optimized text matching under certain conditions
  • Added remove-hop-header option in Reverse Proxy to mitigate HTTP request smuggling
  • Added experimental expose-raw-headers option for added visibility into HTTP request smuggling
  • Added WebSocket inspection of JSON payloads in Reverse Proxy
  • Updated base geo IP data: November 2019

4.1.0 2019-10-03

  • Updated base geo IP data: October 2019
  • Upgraded to Golang 1.12.10

4.0.0 2019-09-17

  • Added new functionality to speed list processing, which will make agent decisioning even faster
  • Fixed a race condition that could prevent startup in Envoy gRPC mode

3.27.0 2019-09-02

  • Added experimental support in Reverse Proxy to add a Connection: close header to responses for requests that may not be safe to continue
  • Added support in Reverse Proxy to capture all inbound request headers
  • Added support for setting application request headers
  • Improved gRPC call cancelation detection for Envoy Proxy
  • Upgraded from Golang 1.11 to 1.12.8

3.26.0 2019-07-09

  • Added docker cpu cgroup detection for memory limits, reporting available memory via any limits
  • Improved foundational architecture for future support of Envoy Proxy fixing a race condition
  • Updated base geo IP data: July 2019

3.25.0 2019-06-11

  • Fixed false negative with XSS detection
  • Fixed false negatives related to Transact-SQL
  • Improved XSS javascript on-event detection
  • Added signatures for Windows binaries
  • Improved foundational architecture for future support of Envoy Proxy with better handling of timeouts
  • Updated base geo IP data: June 2019

3.24.1 2019-05-30

  • Improved detection of XML content-type to ensure request body will be processed

3.24.0 2019-05-20

  • Improved XSS javascript on-event detection
  • Fixed parsing the client IP when multiple headers (e.g., X-Forwarded-For) are present
  • Fixed a race condition in the network interface “upstart service” configuration
  • Fixed issue with how rpc-workers configuration value is parsed
  • Added inspection-* options for revproxy and envoy
  • Improved foundational architecture for future support of Envoy Proxy with better scalability and configurability
  • Updated base geo IP data: May 2019

3.23.0 2019-04-29

  • Fixed issue with how max-procs configuration value is parsed
  • Fixed issue with commandline only options being bound to env vars (e.g., SIGSCI_VERSION)
  • Added a statsd-type option when using a dogstatsd statsd server. Enabling this new option will allow for more intuitive reporting within Datadog.
  • Improved foundational architecture for future support of Envoy Proxy with better detection of partial request body data

3.22.0 2019-04-10

  • Improved foundational architecture for future support of Envoy Proxy by natively supporting the request body in Envoy 1.10+ without using Lua
  • Fixed how the Reverse Proxy handles clients closing connections mid-request; it now logs 499 rather than 500
  • Updated base geo IP data: April 2019

3.21.0 2019-03-21

  • Fixed an issue in which a handful of agents were not receiving rule updates
  • Improved support for dynamic geo IP updates to eliminate routine geo updates in the agent

3.20.0 2019-03-11

  • Added support for dynamic geo IP updates to eliminate routine geo updates in the agent
  • Updated base geo IP data: March 2019 (future updates will be dynamic)

3.19.1 2019-02-21

  • Improved foundational architecture for future support of Envoy Proxy by improving error handling and logging

3.19.0 2019-02-11

  • Improved multi-part processing
  • Updated base geo IP data: February 2019

3.18.0 2019-02-04

  • Fixed Reverse Proxy inspection-timeout so that the configured inspection-timeout is respected instead of waiting indefinitely for request analysis to complete
  • Added Reverse Proxy queuing logic similar to how the agent works
  • Updated Reverse Proxy to Golang 1.11.5 to address
  • Added the ability to specify max-procs as a percentage e.g. max-procs=100% indicates this is a dedicated instance / container
  • Removed full stack log in reverse proxy if the handler is aborted after response headers are sent

3.17.0 2019-01-09

  • Added docker cpu cgroup detection - the agent detects a container start with --cpus 4 as 4 cpus and adjust settings accordingly
  • Improved XSS inspection (false negative)
  • Updated Geo IP data: January 2019

3.16.0 2018-12-11

  • Improved foundational architecture for future support of Envoy Proxy by improving how some dates are calculated
  • Updated Geo IP lookup to resolve a few cases of incorrect countries being reported
  • Updated Geo IP data: December 2018

3.15.1 2018-12-04

  • Addressed Windows installer issue which could have caused the agent not to upgrade
  • Improved foundational architecture for future support of Envoy Proxy by removing some known limitations: responses, HTTPxxx, login and registration signals can now be processed by the agent

3.15.0 2018-11-27

  • Added foundational architecture for future support of Envoy Proxy
  • Improved logging to capture egress proxy settings and better troubleshoot future issues

3.14.0 2018-11-14

  • Upgraded from Golang 1.9 to 1.11
  • Updated Geo IP lookup to resolve a few cases of incorrect countries being reported
  • Updated Geo IP data: November 2018

3.13.0 2018-10-09

  • Fixed rare instance where uploader may crash while fetching CPU statistics
  • Updated Geo IP data: October 2018

3.12.1 2018-09-24

  • Fixed an issue where the upload service may crash on startup
  • Improved logging around agent service restarts on failure
  • Improved help/usage text

3.12.0 2018-09-06

  • Removed ulimit data and as 1gb constraint from upstart config. If needed, it is recommended to set to 1/4 the memory in /etc/init/sigsci-agent.override.
  • Added a statsd-metrics filter option
  • Improved config validation
  • Improved logging
  • Improved handling of file path separators in the configuration by normalizing them to the OS native format
  • Added properties (version, icon, etc.) to the Windows executable
  • Improved the Windows MSI packaging
  • Added support for configuring multiple reverse proxy listeners from the command line or environment
  • Improved CMDEXE inspection (false positives)
  • Instrumented more memory information
  • Documented experimental statsd-metrics descriptions
  • Added the ability to decorate signals with meta data
  • Fixed how path is decoded in URLs - do not decode + as a space
  • Updated third party dependencies
  • Updated September Geo IP

3.11.0 2018-08-08

  • Improved CMDEXE inspection (false positives and false negatives)
  • Improved SQLI inspection (false positives)
  • Improved defaults for max-procs, max-backlog, and max-records based on number of CPU cores detected - especially on larger machines
  • Improved performance of request/response context tracking
  • Improved performance of RPC service
  • Updated third party dependencies
  • Updated sigsci-module-golang with latest version for the reverse proxy
  • Updated August Geo IP

3.10.1 2018-07-17

  • Fixed 3.10.0 changelog typos
  • Fixed crash handling a fatal RPC listener service error
  • Improved logging and handling of all fatal service errors

3.10.0 2018-07-10

  • Updated the RPC address on Windows to use TCP by default (
  • Fixed race in quieting reverse proxy logging (upstream fix)
  • Updated third party dependencies
  • Updated July Geo IP

3.9.4 2018-06-26

  • Removed extraneous RPC warnings on startup

3.9.3 2018-06-25

  • Fixed issue where the older (deprecated) reverse proxy config, via reverse-proxy-* configuration options, was not setting the defaults for new configuration values. These values were getting assigned zero values and were not allowing for inspection of the body due to the new inspection-max-content-length option being zero.

3.9.2 2018-06-20

  • Reduced logging in reverse proxy by default
  • Improved ability to close upstream connections when downstream closes in reverse proxy

3.9.1 2018-06-19

  • Improved some testing tools
  • Updated sigsci-module-golang with latest version for the reverse proxy

3.9.0 2018-06-11

  • Improved generated agent documentation
  • Enhanced internal architecture without any external changes
  • Improved service restarts on configuration updates to allow manual control via new rpc-reload-on-update and revproxy-reload-on-update options
  • Added options to better configure inspection in reverse proxy mode: inspection-anomaly-duration, inspection-anomaly-size, inspection-debug, inspection-max-content-length, inspection-timeout
  • Adjusted default logging verbosity so that common TLS handshake issues do not fill up the logs
  • Updated third party dependencies
  • Updated June Geo IP

3.8.0 2018-05-02

  • Improved the usage text for the reverse proxy options
  • Improved generated agent configuration docs page, adding option links
  • Improved detection/logging of RPC errors
  • Adjusted max-backlog setting to scale with max-procs by default
  • Added response-header-timeout and request-timeout reverse proxy options
  • Improved CMDEXE false positives
  • Updated third party dependencies
  • Updated May Geo IP

3.7.0 2018-04-19

  • Added an option to the reverse proxy listener config to perform only a minimal set of header rewriting to the upstream: minimal-header-rewriting
  • Improved the usage text for the reverse proxy options

3.6.1 2018-04-16

  • Improved CMDEXE false positives
  • Improved usage text to document proxy settings
  • Improved logging on startup when log-out is configured
  • Improved rule execution error handling

3.6.0 2018-04-04

  • Added more metrics around tracked contexts
  • Improved CMDEXE false positives
  • Updated April Geo IP
  • Updated third party dependencies

3.5.0 2018-03-27

  • Updated third party dependencies
  • Added support for proxying WebSockets in reverse proxy mode

3.4.0 2018-03-15

  • Improved error logging
  • Added multipart/form-data support to reverse proxy mode
  • Added more logging and TLS options to the reverse proxy listener config: log-all-errors, tls-ca-roots, and tls-verify-servername
  • Improved CMDEXE false positives

3.3.0 2018-03-08

  • Improved CMDEXE false positives
  • Cleaned and standardized agent release notes
  • Fixed Debian 9 (Stretch) systemd configuration issue
  • Updated Mar Geo IP

3.2.1 2018-03-01

  • Fixed potential crash on startup

3.2.0 2018-03-01

  • Upgraded to Golang 1.9
  • Improved runtime error logging
  • Added support for post data parse errors

3.1.0 2018-02-22

  • Updated Feb Geo IP
  • Cleaned up some config options
  • Allowed more flexibility in JSON parser
  • Improved performance of GEOIP lookups
  • Fixed issue with empty OS field on agents page
  • Improved CMDEXE and LFI detection

3.0.3 2018-02-01

  • Improved HTML5 parsing and XSS detection
  • Improved SQLi false positives
  • Updated geoip database

3.0.2 2018-01-12

  • Updated more error reporting metrics for better diagnostics

3.0.1 2018-01-11

  • Changed copyright year to 2018
  • Improved detection of a particular but invalid XSS
  • Updated some error reporting metrics for better diagnostics
  • Improved logging around detected agent service failure/restart

3.0.0 2018-01-08

  • Added support for local country code lookups
  • Added support for anonymizing IP addresses
  • Added support for multipart form POST
  • Expanded rule functionality in preparation for future rule updates
  • Expanded feature flagging to allow for easier feature rollouts
  • Expanded support for data redaction
  • Expanded processing metrics
  • Updated third party dependencies

2.2.1 2017-12-18

  • Expanded rule functionality in preparation for future rule updates
  • Fixed issue where ID/key was still required if in standalone mode

2.2.0 2017-12-04

  • Expanded rule functionality in preparation for future rule updates
  • Improved error handling of reverse proxy configurations on start and reload
  • Fixed minor race condition under heavy service restart loads
  • Updated third party dependencies

2.1.2 2017-11-14

  • Adjusted some log messages (some too verbose, some not enough)
  • Added ability for Windows installer to now start the agent service on installation, if agent.conf is already in place and contains required access keys
  • Added support in reverse proxy for multiple listeners and a new configuration syntax while still allowing backwards compatibility:
  • Improved automated agent configuration docs to be much more descriptive and easier to read:
  • Fixed issue with service startup on boot with older versions of Windows
  • Updated third party dependencies
  • Fixed issue when configuring the reverse proxy from ENV vars
  • Fixed double config reload on SIGHUP

2.1.1 2017-11-13

  • Temporarily reverted back to 2.0.1 (as 2.1.1) while investigating a reported issue with 2.1.0 on some platforms

2.1.0 2017-11-13

  • Adjusted some log messages (some too verbose, some not enough)
  • Added ability for Windows installer to now start the agent service on installation, if agent.conf is already in place and contains required access keys
  • Added support in reverse proxy for multiple listeners and a new configuration syntax while still allowing backwards compatibility:
  • Improved automated agent configuration docs to be much more descriptive and easier to read:
  • Fixed issue with service startup on boot with older versions of Windows
  • Updated third party dependencies

2.0.1 2017-10-31

  • Clarified release notes for 2.0.0
  • Improved XSS detection for both false positives and false negatives

2.0.0 2017-10-17

  • Expanded rule functionality
  • Removed all deprecated agent configuration options: debug-log-rule-updates, site-keys
  • Improved config download failover error handling
  • Fixed a race condition when a very small download-interval is used

1.23.4 2017-09-29

  • Fixed false positive in CMDEXE

1.23.3 2017-09-28

  • Fixed false positive in CMDEXE

1.23.2 2017-09-27

  • Improved CMDEXE, SQLi and XSS detection
  • Fixed issue where redacted iban/guid was not marked with the redaction type

1.23.1 2017-09-07

  • Improved signal filtering
  • Added tracking of GCE cloud deployment
  • Reverted issue with RPC version compatibility

1.23.0 2017-09-06

  • Improved CMDEXE and SQLi detection
  • Added tracking of Azure cloud deployment
  • Fixed issue calculating the connection open metric
  • Fixed issue where redacted CC numbers were not marked with the redaction type
  • Added support for configuring a failover download url via download-failover-url
  • Fixed issue with RPC version compatibility
  • Changed order in which dynamic config is applied allowing local overriding
  • Changed log timestamps to microsecond resolution

1.22.0 2017-08-15

  • Improved SQLi detection
  • Improved reverse proxy config reload
  • Prepped for upcoming HTTP/2 support in reverse proxy
  • Allowed setting custom HTTP request headers via custom-request-headers
  • Removed hardcoded logic to clear signals on allowlist - logic now in rule updates

1.21.0 2017-07-21

  • Improved SQLi detection
  • Removed old reverse proxy system in favor of the new system
  • Disabled keepalives when the reverse proxy config is being reloaded to force new transactions onto the new configuration. In addition, the default timeout for this was moved from 10s to 30s.
  • Updated which reverse proxy messages are logged to the UI

1.20.1 2017-06-27

  • Added more metrics around inspection
  • Fixed issue where reverse proxy was not honoring the sample-percent

1.20.0 2017-06-27

  • Added more metrics to reverse proxy
  • Added a max-inspecting config option to control the max transactions the WAF engine can be inspecting in parallel (currently reverse proxy only)

1.19.0 2017-06-19

  • Cleaned up the reported server and module version when using reverse proxy mode
  • Fixed issue where dynamic config was not applied on SIGHUP
  • Allowed more dynamic service configuration (e.g., change from RPC to revproxy and back with SIGHUP)
  • Added ability to log full stack trace and restart service should any service encounter a fatal error
  • Isolated reverse proxy from agent errors
  • Fixed race between downloader/SIGHUP handlers under heavy config change load
  • Changed default ‘download-interval’ to 30s from 1m
  • Improved SQLi detection

1.18.2 2017-05-02

  • Added ability to reload the local config on a SIGHUP
  • Added ability to log when a config option is changed, but not reloadable
  • Added optional field RPCMsgIn#RequestID that allows a module to pass a RequestID (24 char hex) to use

1.18.1 2017-04-27

  • Disabled restarting (zero downtime) reverse proxy on Windows due to inconsistent support
  • Fixed potential panic with beta reverse proxy startup on Windows
  • Quieted down some logging

1.18.0 2017-04-24

  • Added ability to parse XML for processing via the agent

1.17.3 2017-04-20

  • Fixed resource leak in configuration reload
  • Fixed redaction of ID/key in log when using two argument form of CLI flags
  • Removed deprecated sigsci-configure utility

1.17.2 2017-04-11

  • Improved handling of Windows platform for zero-downtime restarts
  • Made restarts less verbose

1.17.1 2017-04-06

  • Added ability to restart (zero downtime) reverse proxy on config download

1.17.0 2017-03-27

  • Fixed TLS reverse proxy listener handshake delivering HTTP
  • Required the TLS 1.2 mandatory TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite
  • Improved compatibility in TLS HTTP handshake
  • Added configurable reverse proxy listener read/write/idle timeouts
  • Enabled versioned configuration by default
  • Improved CMDEXE and PHP code injection functions

1.16.0 2017-03-14

  • Improved JSON parser
  • Defaulted to no access log in reverse proxy mode, reverse-proxy-accesslog will enable this feature
  • Updated TLS ciphers to latest supported
  • Reduced time till serving requests when starting in reverse proxy mode (typically under 10ms)

1.15.3 2017-02-28

  • Fixed issue where agent internal services may stop on error
  • Fixed issue where agent could not startup in standalone mode

1.15.2 2017-02-27

  • Fixed potential crash when the reverse proxy didn’t have permission to write to the access log

1.15.1 2017-02-25

  • Fixed potential crash when RPC is under load during startup

1.15.0 2017-02-24

  • Disabled requirement of WAF config download before starting, allowing faster startup
  • Added accesslog for reverse proxy mode via reverse-proxy-accesslog
  • Added support for multiple reverse proxy upstreams
  • Improved processing of client-ip-header
  • Added local-networks option for more accurate client IP parsing
  • Enabled specifying time durations as string vs nanosecs (e.g., “10s” vs 10000000000)
  • Added ability to shutdown reverse proxies gracefully (see reverse-proxy-shutdown-timeout)
  • Allowed config of all reverse proxy network parameters
  • Allowed config of reverse proxy TLS min version, cipher suites, etc
  • Allowed internal/self-signed certs on the upstream (default false) reverse-proxy-insecure-skip-verify
  • Allowed more dynamic configuration of agent for future UI work
  • Enabled restart of periodic services (uploader, downloader, etc.) on reconfiguration
  • Corrected various minor SQLi false positive issues
  • Deprecated use of site-keys option, support will be removed in a future release
  • Updated third party dependencies

1.14.4 2016-12-16

  • Improved stats collection via sigsci-agent-diag
  • Improved separation of Windows and Unix code
  • Improved upcoming config download versioning

1.14.3 2016-12-09

  • Improved SQLi false positives
  • Added more performance related stats collection to sigsci-agent-diag
  • Added ability to collect agent profiling data via sigsci-agent-diag
  • Improved handling of large POST and JSON payloads

1.14.2 2016-11-21

  • Improved parsing of client-ip-header values

1.14.1 2016-11-15

  • Improved SQLi detection
  • Moved generic Linux and Windows artifacts to Linux/Windows directories

1.14.0 2016-11-10

  • Added support for new config download format and versioning
  • Improved SQLi detection
  • Prepped for future custom rule expansions and detector ordering enhancements
  • Added more performance related stats collection to sigsci-agent-diag
  • Added metric to monitor context misses due to expired context
  • Enabled adjusting the context expiration (context-expiration)

1.13.4 2016-10-03

  • Internal release
  • Fixed CHANGELOG release date for 1.13.3

1.13.3 2016-09-28

  • Fail open more gracefully by returning an “OK” agent response when agent is “off”
  • Added logging of sample-percent setting on agent startup
  • Added logging of request processing mode changes (e.g., agent mode changed in UI)

1.13.2 2016-09-21

  • Added set path in URI when using custom redactions with SetPath

1.13.1 2016-09-13

  • Improved CentOS 5 initscripts
  • Added new engine function: SetPath which allows for custom redactions of the path
  • Updated third party dependencies

1.13.0 2016-09-09

  • Added initial support for using TLS in reverse proxy mode
  • Removed binaries from archive generated by sigsci-agent-diag
  • Fixed container detection in sigsci-configure on systemd platforms
  • Improved to allow only user/group access to read the config after using sigsci-configure
  • Updated third party dependencies
  • Added ability to collect log configured with log-out in sigsci-agent-diag

1.12.1 2016-08-23

  • Fixed error displayed when running sigsci-configure on some platforms
  • Added more diagnostics around docker/container installs to sigsci-agent-diag

1.12.0 2016-08-22

  • Added diagnostics utility sigsci-agent-diag to help troubleshoot install issues
  • Added Alpine Linux support! The released tarball (sigsci-agent-version.tar.gz) now contains a 100% static binary that will work on all Linux operating systems. In addition, this agent is compiled under Golang 1.7.0. Existing deb/rpm based packaging continue under 1.6.3.
  • Updated third-party libraries to latest

1.11.4 2016-08-18

  • Updated third party dependencies

1.11.3 2016-07-21

  • Improved systemd support to start on reboot
  • Added ability to automatically start agent on initial install and reboot

1.11.2 2016-07-20

1.11.1 2016-07-19

  • Corrected version number reporting
  • Updated third-party dependencies

1.11.0 2016-07-14

  • Added support for Ubuntu 16.04
  • Switched to SemVer

1.10.8048 2016-07-05

  • Improved SQLi detection
  • Added Rules Engine v2 containing the following new functions
    • SetClientIP
    • SetProtocol
    • SetTLSProtocol
    • SetTLSCipher
    • Reverse
    • StringReverse
    • DeepEqual
    • AddrIsPrivate
    • AddrInNetwork
    • AddrIsValid
    • NewGlobMatcher
  • Updated third-party dependencies

1.9.8026 2016-07-05

  • Improved cleanup routines to be more efficient for higher capacity sites
  • Allowed control of RPC workers via rpc-workers (default rpc-workers=max-procs)
  • Added profiling option via debug-profile=cpu|mem|block[,dir]
  • Cleaned up help text
  • Cleaned up logging
  • Improved Windows service support
  • Updated third-party dependencies
  • Fixed potential CPU metrics concurrency issue

1.9.7763 2016-06-07

  • Improved agent startup messages for better diagnostics
  • Added more agent logs to upload for better diagnostics
  • Removed some extraneous cleanup on agent startup

1.9.7753 2016-06-06

  • Improved agent startup messages to aid in debugging
  • Added additional information on the agent’s cgroup to be collected (Linux)
  • Improved detection if running inside a docker container
  • Improved Windows support
  • Fixed stray logging call
  • Updated third-party dependencies

1.9.7623 2016-05-24

  • Changed the default listener address to unix:/var/run/sigsci.sock
  • Started an additional legacy listener on the old unix:/tmp/sigsci-lua socket to aid in migrating modules
  • Added support for more redaction types in the agent
  • Improved redaction so the query string is now removed instead of confusingly replacing with “?redacted”
  • Added experimental reverse proxy support to agent currently targeted at demos only
  • Allowed the agent to better scale across available CPU cores by default by basing the default max-procs setting on total cores available: 1-3: max-procs=1, 4-5: max-procs=2, 6-15: max-procs=3, 16+: max-procs=4
  • Added support for a new RPC.ModulInit call for future module use allowing better version tracking without requiring traffic
  • Moved tagging of HTTP codes to the rules, which can be updated dynamically
  • Upgraded some third party dependencies

1.8.7087 2016-04-10

  • Added support for RHEL/CentOS 5
  • Updated third-party dependencies

1.8.7007 2016-04-06

  • Fixed bug in RPM packaging script for EL7 to make sure the systemd daemon config is reloaded on install/upgrade

1.8.6993 2016-04-05

  • Added a more informative hello message to be displayed on agent start
  • Added more control headers for testing with -debug-rpc-test-harness
  • Fixed bug in RPCv1 protocol (e.g., -rpc-version=1) that could deadlock when connections were reused
  • Added ability to export an agent PID metric to the collector
  • Added new metric agent.upload_metadata_failures for number of http failures uploading data to the collector

1.8.6480 2016-02-26

  • Added improvements to the RPCv1 (e.g., -rpc-version=1) protocol, including support for persistent connections from module to agent when supported by the module

1.8.6347 2016-02-17

  • Added new flag, -debug-rpc-test-harness enables a mode to test RPC calls

1.8.6055 2016-02-03

  • Fixed SQLi false positive involving a common English phrase
  • Removed XSS false positive that occurred in unfortunate base64 encoded strings
  • Made packaging fixes

1.8.5758 2016-01-19

  • Added new flag, using -debug-log-dropped-connections=1 which produces errors messages on why a connection was dropped.
  • Added new flag, -max-backlog which controls the number of request that can be backlogged, currently defaults to 100
  • Renamed flag, -max-queue to -max-records to better describe what it is: the maximum number of records that can be stored before being sent to the collector

1.8.5694 2016-01-13

  • Made internal improvements in CPU utilization
  • Improved handling of upload / download timeouts (followup from 1.8.5041)
  • Added additional sanity checks around Unix domain socket listener to prevent multiple agents running concurrently
  • Improved XSS false positives with clients uploading fully formed HTML or XML documents
  • Fixed incorrect start command for upstart in sigsci-configure script

1.8.5304 2015-12-14

  • Added ability to sample input requests via -sample-percent flag
  • Added additional metrics collected on bytes read and written to web server, and CPU performance
  • Improved XSS detection

1.8.5217 2015-12-09

  • Improved performance and latency
  • Reduced amount of data sent back, improving performance
  • Made under the hood adjustments to enable future custom rules

1.8.5041 2015-12-01

  • Reduced amount of data transmitted from agent to collector by up to 90%, resulting in better performance and latency
  • Made rule updates gracefully timeout and retry if the network is stalled
  • Added detection for MariaDB-specific SQLi

1.8.5016 2015-11-30

1.8.4972 2015-11-23

  • Improved connection timeout handling for collector uploads

1.8.4891 2015-11-18

  • Improved Agent Off mode to do even less work
  • Fixed XSS false positive for inputs with benign embedded HTML involving background images
  • Added new flag, -max-connections to control the number of simultaneous connections the agent can process. If the number is exceeded the connection is dropped. By default, there is no limit, but may change in the future.
  • Added additional metrics collection on connections and request types that will appear on agent dashboards
  • Partially restructured internal locking to reduce latency under high loads and concurrency
  • Refreshed internally-used, third-party libraries (from the command line type agent -legal for the bill of materials)

1.8.4405 2015-10-21

  • Changed it so agent now tokenizes the query string and post data in two ways simultaneously to handle platform differences (Ruby, Python, Golang uses one way, and PHP, Node.Js, .Net. does it another) to minimize false negatives
  • Fixed AgentAddress incorrectly being passed back, removing the TCP/IP port or UDS name
  • Changed it so low quality SQLi signals are now tagged separately

1.8.4284 2015-10-13

  • Added redaction of query string in HTTP response header Location
  • Added ability for “off mode” to still count number of requests coming in, which helps agents in debugging and in estimation of load
  • Added inspection of top level JSON arrays (JSON objects already unpacked). For example input of foo=bar&obj=["something", "apple"] the values in the obj are now inspected for attacks. Input of foo=bar&obj={"something", "apple"} was already being inspected correctly. This improves reduction of both false positives and false negatives.
  • Added redaction of sensitive data in the unlikely corner case of an “attack in the URI path (not the query string!) that contained a credit card”
  • Included Golang runtime version in the Bill of Materials (agent -legal)
  • Changed AgentEnabled to now indicate if the agent is processing requests or not; 0 means off, while 1 means it’s processing requests normally

1.8.4201 2015-10-08

  • Fixed XSS false positive in fully formed XML documents that are POSTed

1.8.4186 2015-10-06

  • Improved agent “off mode” to do even less work
  • Added Bill of Materials reporting in agent, from the command line type agent -legal for details
  • Added additional system metrics collection to aid in debugging
  • (1.8.4180 and 4182 were redacted)

1.8.4053 2015-09-25

  • Fixed configuration field parsing issue

1.8.4015 2015-09-21

  • Added support for multiple sites on a single agent
  • Migrated configuration file format from INI style to TOML
  • Removed deprecated agent flags: ssnet-active, ssnet-address, server-address, server-active, server-timeout

1.8.3900 2015-09-03

  • Fixed incorrect provides declaration in SysV init script

1.8.3874 2015-09-02

  • Improved detection of XSS and SQLI in the URL path
  • Improved XSS accuracy and performance
  • Added ability to explicitly change number of CPUs used via command line -max-procs
  • Added ability to manage maximum memory used by limit internal queue size via -queue-length
  • Improved serialization
  • Added and improved various agent metrics
  • Improved ability to create more flexible blocking or blocklist rules

1.8.3719 2015-08-24

  • Fixed incorrectly set response times of pure 404 errors
  • Improved debug logging

1.8.3704 2015-08-24

  • Fixed regression in 3611 release where 404 errors were not being recorded
  • Made major improvement in concurrency which may provide up to 75% performance boost on high volume websites
  • Started major rules engine upgrade

1.8.3611 2015-08-17

  • Added ability to capture HTTP request and response headers (minus sensitive ones)
  • Allowed custom rules (part 1)
  • Fixed long outstanding bug of Agent not reporting the module or server version when it changes
  • Simplified module API slightly, and initialized appropriately
  • Improved performance and memory usage
  • Improved SQLI and XSS detection

1.8.3385 2015-07-30

  • Changed all internal counters to 64-bit integers, which allows long running agents to handle more than 4 billion requests and very large file outputs to be properly handled
  • Made sure all errors get properly trapped and sent upstream, which will aid in remote debugging and better visibility on the dashboard
  • Improved precision and accuracy in detecting SQLi attacks
  • Added ability to receive URL scheme information (i.e. http or https)
  • Added ability to receive TLS (SSL) protocol and cipher suite information from modules. For best results update the module to at least:
    • Apache 214
    • NGINX 1.0.0+346

1.8.3186 2015-07-22

  • Added ability for agent (along with module) to set X-SigSci-Tags request headers indicating what tags or signals where detected in the request. For best results upgrade the module to at least:
    • Apache 207
    • NGINX 1.0.0+343
  • Improved precision and accuracy in detecting SQLi

1.8.2964 2015-07-06

  • Made internal changes to enable upcoming features

1.8.2950 2015-07-02

  • Fixed sigsci-configure to now return the correct start command for the init system in use on installed system
  • Added password_confirmation to built-in list of fields to redact
  • -debugStandalone flag changed from true, false to 0 (normal behavior), 1 (no downloads), 2 (no uploads), and 3 (no network connections at all)

1.8.2718 2015-06-14

  • Fixed issues where the Signal Sciences dashboard would show an incorrect “Agent Response” of 0. For best results, please upgrade the module to
  • Apache 2.2.139 or Apache 2.4.139
  • NGINX 1.0.0+320

1.8.2681 2015-06-10

  • Improved documentation and help of command line flags and -help
  • Reduced SQLi false positives

1.8.2327 2015-05-15

  • Made allowlisting bug fixes and improvements
  • Made data redaction bug fixes and improvements
  • Removed legacy communication protocol

1.7 2015-04-16

  • Added IntervalSet stuff to agent
    • #1689 sensitive parameter sanitization
    • #447 Inspection of JSON
    • #1720 improvements in libinjection to reduce false positives for SQLI
    • #1744 ditto for XSS
    • #1799 performance improvements in 400, 500 http errors
    • #1797 debug log improvements
    • #1851 XSS false positives

1.6 2015-02-13

  • Added new agent payload data and gosh versioning
  • #1538 - Improved logging around what is uploaded with -delog-log-uploads 0,1,2 (0 = off, 1-min json, 2= pretty json)
  • #1498 - Improved logging around WAF rule updates with -debug-log-rule-updates 0,1,2 (0=off, 1=updates only, 2=more…)
  • #1141 - Made libinjection enhancements to detect certain attacks on IBM servers
  • #741 - Added ability for agent to return timezone and zone offset information

1.5 2015-01-22

  • Bumped minor version number to reflect new build process

1.4 2015-01-15

  • Made minor performance improvement
  • Fixed libinjection xss
  • Fixed agent to no longer send back entire query string #861
  • Added various new stats
  • Added ability to send back cli args #1140
  • Added ability to send back localtime and utc time #749

1.3 2015-01-15

  • Implemented major stability improvements

1.2.1 2015-01-13

  • Added ability to set which request header contains the requesting client IP, see flag -client-ip-header

1.2 2015-01-13

  • Added new option -debug-log-all-the-things, which turns on all logging (expensive!)
  • Renamed option -log-uploads to -debug-log-uploads

1.1.1 2015-01-08

  • Added new network code, matches module ver 0.06
  • Changed connection to collector from TLS 1.0 to TLS 1.2
  • Changed -debug-log-web-inputs and -debug-log-web-outputs from booleans, now it takes 0,1,2

1.1.0 2014-12-23

  • Bumped minor version for Golang 1.4

1.0.4 2014-11-29

  • UDS
  • Dropped json

1.0.3 2014-11-29

  • Added more errors to be logged and sent upstream

1.0.2 2014-11-29

  • Added AgentBuildID to meta data
  • Made other changes to the WAF agent