Skip to content

Releases: Flowtriq/ftagent

v1.9.31

Choose a tag to compare

@jacob-masse jacob-masse released this 09 Jul 17:43

Changed

  • Local config.json as fallback for flow settings — Dashboard values still take priority when explicitly configured, but local config.json values now act as fallback instead of being silently overridden. A _dashboard section is written back to config.json showing which keys the server controls.

Fixed

  • NetFlow v9/IPFIX sampling rate not applied — The sample_rate configured in the dashboard was stored but never applied to parsed NetFlow v9 and IPFIX flow records, causing flow-derived PPS/BPS to report at 1/N of actual traffic when the upstream router uses packet sampling.
  • Safe handling of read-only config filesystems when writing dashboard overrides.

v1.9.30: Local config fallback for flow settings

Choose a tag to compare

@jacob-masse jacob-masse released this 09 Jul 17:36

Changed

  • Local config.json as fallback for flow settings — Dashboard values still take priority when explicitly configured, but local config.json values now act as fallback instead of being silently overridden. A _dashboard section is written back to config.json showing which keys the server controls, so users can see what's in effect and where to change it.

v1.9.29: Fix NetFlow v9/IPFIX sampling rate

Choose a tag to compare

@jacob-masse jacob-masse released this 09 Jul 17:28

Fixed

  • NetFlow v9/IPFIX sampling rate not applied - The sample_rate configured in the dashboard was stored but never applied to parsed NetFlow v9 and IPFIX flow records. This caused flow-derived PPS/BPS to report at 1/N of actual traffic when the upstream router uses packet sampling (e.g., 1:2048). sFlow and NetFlow v5 records already inflate counts during parsing and are unaffected.

v1.9.28

Choose a tag to compare

@jacob-masse jacob-masse released this 21 Jun 02:57
f4161e3

Resource Safety Hardening

7 fixes to prevent CPU/RAM/disk exhaustion on production servers:

  • PCAP disk cap enforced synchronously before every write (not just at periodic cleanup)
  • PCAP cleanup interval reduced from 5 minutes to 60 seconds
  • Disk space check added before tcpdump merge writes
  • L7 HTTP request buffer hard cap lowered from 100k to 20k entries
  • tcpdump restart: explicit process reap before respawn + exponential backoff
  • iptables rules batched via iptables-restore (single subprocess instead of N)
  • Mirror mode AF_PACKET fanout workers capped at 8, socket buffer size configurable
  • Flow template cache: LRU eviction at 50k entries with access-time refresh

v1.9.27

Choose a tag to compare

@jacob-masse jacob-masse released this 21 Jun 02:08

Security

  • Block shell injection in mitigation commands - $(), |, >, < now blocked in remote commands; execution switched from shell=True to shlex.split()
  • PCAP ring directory permissions - Changed from 0o777 to 0o700
  • Sysctl whitelist - Exact key matching instead of substring
  • Destructive command check - Token-level matching, catches bare -F/-X
  • Health endpoint - No longer exposes baseline threshold

Detection

  • HTTP/2 and HTTP/3 L7 detection - Protocol version parsing from access logs, h2_rapid_reset/h2_settings_flood/h2_continuation_flood/quic_flood subtypes
  • IP fragment tracking - Fragment count in protocol breakdown, fragment_flood family, udp_fragment_flood subtype
  • Attack classification overhaul - Added tcp_flood and protocol_flood families, eliminated most "unknown" classifications
  • IOC-aware classification - 28 tool/botnet signatures mapped, attack_tool in payloads, blocklist-aware threshold reduction
  • IPv6 sFlow support - Parse IPv6 raw headers instead of dropping them
  • IPv6 extension header traversal - Traverse hop-by-hop/routing/fragment/destination headers in mirror engine

Reliability

  • Auto-update integrity verification - Post-install version check, module import sanity, automatic rollback on failure
  • L7 log rotation - Reopen file handle when log file is deleted
  • Mirror engine thread safety - Lock around shared packet counter
  • Monotonic clock - L7 window tracking uses time.monotonic() instead of time.time()

v1.9.26

Choose a tag to compare

@jacob-masse jacob-masse released this 15 Jun 20:12

Reduced false positives & lighter resource footprint

  • Startup grace period: Agent now waits 90 seconds before triggering alerts on new deployments, giving the baseline time to warm up. Truly massive floods (>50K PPS) still trigger immediately.
  • Minimum 5K PPS threshold: Low-traffic servers (100 PPS normal) will no longer trigger false alerts on small spikes. The threshold never drops below 5000 PPS regardless of baseline calculations.
  • Lower memory in Scapy mode: Ring buffer reduced from 1000 to 200 packets (~50MB to ~10MB).
  • Faster /proc/net/tcp reads: Bulk binary read instead of line-by-line. Auto-scales read interval from 15s to 60s on servers with 50K+ connections.

v1.9.25

Choose a tag to compare

@jacob-masse jacob-masse released this 09 Jun 03:35

Fix tcpdump rotation (exit code 0 after 30s) being misdetected as crash. Restart counter now resets on healthy rotations.

v1.9.24

Choose a tag to compare

@jacob-masse jacob-masse released this 09 Jun 02:23

Add server-triggered forced update: set FTAGENT_FORCE_UPDATE in config to push updates to all agents

v1.9.23

Choose a tag to compare

@jacob-masse jacob-masse released this 09 Jun 02:17

Raise baseline default floor from 150 to 5000 PPS to eliminate false positives on low-traffic nodes

v1.9.22

Choose a tag to compare

@jacob-masse jacob-masse released this 09 Jun 01:33

Handle workspace suspension when billing inactive