Mehmet D. İNCE from invictuseurope.com discovered several vulnerability related to the Xplico software. He identified three different vulnerability, two classified as “Hight severity” and one as “Medium severity”. The number assigned for this vulnerability of Xplico is CVE-2017-16666. More details here.
Thanks to Mehmet’s detail report and the collaboration of Mehmet and of Doug Burks of Security Onion Solutions, vulnerabilities have been resolved.
This release fix these issues. It is recommended and exhorts to upgrade your Xplico installations.
Thanks again to Mehmet D. İNCE and to Doug Burks.
As some of you might know CapAnalysis is open source. To analyze the pcap files CapAnalysis uses Xplico with some specific dissectors.
With this release of Xplico we complete the open source migration of CapAnalysis.
Everyone can use CapAnalysis not only by installing it but also by freely using it from the demo site. The demo gives the possibility to upload up to 20MB of PCAP files. No password is required and all data are deleted automatically at 00:00 UTC the day after the creation of dataset.
From the point of view of Xplico users this release doesn’t introduce new features.
The code can be found on GitHub.
- Performance improved
- nDPI updated
- IRC bug fixed
- HTTP bug fixed
- VoIP (SIP, RTP) bug fixed
- FTP bug fixed
- changed the FaceBook DB tables
- Null/Loopback dissector
- Cisco HDLC dissector
- Libero.it and RossoAlice WebMail decoding
- Yahoo messenger, Web and Mobile (Beta version)
- Dig using file signatures (for unknown flows)
A special thanks to:
- Telecom Italia for its WebMail service Alice
- Italiaonline for its WebMail service Libero
- Yahoo for its Messenger (Web and for Android)
… thank you for not using encryption in the [users] communications.
- nDPI integration
- performace improved
- FTP dissector improved
- Added the prism dissector
- CLI execution bug fixed
- PCAP-over-IP SSL encryption
- IRC dissector improved
- File reconstruction from Fragmented Payloads improved
- FaceBook Chat updated
- FaceBook Message (partial)
- HTTP without initial packets (packets lost)
- RTP dissector improved
- PCAP2WAV, RTP2WAV interface added
The VirtualBox image of Xplico 1.0.0 can be downloaded here.
Thanks to Carlos Gacimartín.
In recent days Daniel Borkmann has released a new version of net-sniff-ng, in this new version there are many improvements and new feature. With the last version 0.5.6 net-sniff-ng can be used with Xplico without apply any patch.
So we recommend to all Xplico users to use the last version of net-sniff-ng.
To use net-sniff-ng as a network probe for Xplico on the ethernet interface eth0, with the pcap files in /opt/xplico/pol_1/sol_1 (ie first case and first session in the first case) and with an acquisition time interval of 300 seconds (5 minutes) the command to be use is:
sudo netsniff-ng -i eth0 –out /opt/xplico/pol_1/sol_1/new –silent –jumbo-support –interval 300
Enjoy with net-sniff-ng!
Xplico 1.0.0 is now available!
- SQLite dispatcher performance improved
- added the PPI dissector
- added the syslog dissector
- added “Bogus IP length” correction with checksum verification disabled
- new Facebook Chat dissector for the new Facebook chat protocol
- SIP dissector improved
- IMAP dissector improved and bugs fixed
- DNS dissector PIPI improved
- Yahoo Webmail bugs fixed
- Live/Hotmail WebMail Spanish version
- GeoMap improved
Xplico Repository (Ubuntu 11.04 or higher)
To install Xplico in your Ubuntu Server or in your Desktop now you can use the official Xplico repository. With four simple steps you can have Xplico running and updated.
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico
- Stack Overflow users.
- Erika Noerenberg for her analysis in the post “Brief overview of 4 NFATs”
- Victor Oppleman to suggest us to add PCap-over-IP