Mehmet D. İNCE from invictuseurope.com discovered several vulnerability related to the Xplico software. He identified three different vulnerability, two classified as “Hight severity” and one as “Medium severity”. The number assigned for this vulnerability of Xplico is CVE-2017-16666. More details here.
Thanks to Mehmet’s detail report and the collaboration of Mehmet and of Doug Burks of Security Onion Solutions, vulnerabilities have been resolved.
This release fix these issues. It is recommended and exhorts to upgrade your Xplico installations.
Thanks again to Mehmet D. İNCE and to Doug Burks.
As some of you might know CapAnalysis is open source. To analyze the pcap files CapAnalysis uses Xplico with some specific dissectors.
With this release of Xplico we complete the open source migration of CapAnalysis.
Everyone can use CapAnalysis not only by installing it but also by freely using it from the demo site. The demo gives the possibility to upload up to 20MB of PCAP files. No password is required and all data are deleted automatically at 00:00 UTC the day after the creation of dataset.
From the point of view of Xplico users this release doesn’t introduce new features.
The code can be found on GitHub.
- Performance improved
- nDPI updated
- IRC bug fixed
- HTTP bug fixed
- VoIP (SIP, RTP) bug fixed
- FTP bug fixed
- changed the FaceBook DB tables
- Null/Loopback dissector
- Cisco HDLC dissector
- Libero.it and RossoAlice WebMail decoding
- Yahoo messenger, Web and Mobile (Beta version)
- Dig using file signatures (for unknown flows)
A special thanks to:
- Telecom Italia for its WebMail service Alice
- Italiaonline for its WebMail service Libero
- Yahoo for its Messenger (Web and for Android)
… thank you for not using encryption in the [users] communications.
- nDPI integration
- performace improved
- FTP dissector improved
- Added the prism dissector
- CLI execution bug fixed
- PCAP-over-IP SSL encryption
- IRC dissector improved
- File reconstruction from Fragmented Payloads improved
- FaceBook Chat updated
- FaceBook Message (partial)
- HTTP without initial packets (packets lost)
- RTP dissector improved
- PCAP2WAV, RTP2WAV interface added
The VirtualBox image of Xplico 1.0.0 can be downloaded here.
Thanks to Carlos Gacimartín.
In recent days Daniel Borkmann has released a new version of net-sniff-ng, in this new version there are many improvements and new feature. With the last version 0.5.6 net-sniff-ng can be used with Xplico without apply any patch.
So we recommend to all Xplico users to use the last version of net-sniff-ng.
To use net-sniff-ng as a network probe for Xplico on the ethernet interface eth0, with the pcap files in /opt/xplico/pol_1/sol_1 (ie first case and first session in the first case) and with an acquisition time interval of 300 seconds (5 minutes) the command to be use is:
sudo netsniff-ng -i eth0 –out /opt/xplico/pol_1/sol_1/new –silent –jumbo-support –interval 300
Enjoy with net-sniff-ng!