Releases: Flowtriq/ftagent
Releases · Flowtriq/ftagent
Release list
v1.9.31
Changed
- Local config.json as fallback for flow settings — Dashboard values still take priority when explicitly configured, but local config.json values now act as fallback instead of being silently overridden. A
_dashboardsection is written back to config.json showing which keys the server controls.
Fixed
- NetFlow v9/IPFIX sampling rate not applied — The
sample_rateconfigured in the dashboard was stored but never applied to parsed NetFlow v9 and IPFIX flow records, causing flow-derived PPS/BPS to report at 1/N of actual traffic when the upstream router uses packet sampling. - Safe handling of read-only config filesystems when writing dashboard overrides.
v1.9.30: Local config fallback for flow settings
Changed
- Local config.json as fallback for flow settings — Dashboard values still take priority when explicitly configured, but local config.json values now act as fallback instead of being silently overridden. A
_dashboardsection is written back to config.json showing which keys the server controls, so users can see what's in effect and where to change it.
v1.9.29: Fix NetFlow v9/IPFIX sampling rate
Fixed
- NetFlow v9/IPFIX sampling rate not applied - The
sample_rateconfigured in the dashboard was stored but never applied to parsed NetFlow v9 and IPFIX flow records. This caused flow-derived PPS/BPS to report at 1/N of actual traffic when the upstream router uses packet sampling (e.g., 1:2048). sFlow and NetFlow v5 records already inflate counts during parsing and are unaffected.
v1.9.28
Resource Safety Hardening
7 fixes to prevent CPU/RAM/disk exhaustion on production servers:
- PCAP disk cap enforced synchronously before every write (not just at periodic cleanup)
- PCAP cleanup interval reduced from 5 minutes to 60 seconds
- Disk space check added before tcpdump merge writes
- L7 HTTP request buffer hard cap lowered from 100k to 20k entries
- tcpdump restart: explicit process reap before respawn + exponential backoff
- iptables rules batched via iptables-restore (single subprocess instead of N)
- Mirror mode AF_PACKET fanout workers capped at 8, socket buffer size configurable
- Flow template cache: LRU eviction at 50k entries with access-time refresh
v1.9.27
Security
- Block shell injection in mitigation commands -
$(),|,>,<now blocked in remote commands; execution switched fromshell=Truetoshlex.split() - PCAP ring directory permissions - Changed from 0o777 to 0o700
- Sysctl whitelist - Exact key matching instead of substring
- Destructive command check - Token-level matching, catches bare
-F/-X - Health endpoint - No longer exposes baseline threshold
Detection
- HTTP/2 and HTTP/3 L7 detection - Protocol version parsing from access logs, h2_rapid_reset/h2_settings_flood/h2_continuation_flood/quic_flood subtypes
- IP fragment tracking - Fragment count in protocol breakdown, fragment_flood family, udp_fragment_flood subtype
- Attack classification overhaul - Added tcp_flood and protocol_flood families, eliminated most "unknown" classifications
- IOC-aware classification - 28 tool/botnet signatures mapped, attack_tool in payloads, blocklist-aware threshold reduction
- IPv6 sFlow support - Parse IPv6 raw headers instead of dropping them
- IPv6 extension header traversal - Traverse hop-by-hop/routing/fragment/destination headers in mirror engine
Reliability
- Auto-update integrity verification - Post-install version check, module import sanity, automatic rollback on failure
- L7 log rotation - Reopen file handle when log file is deleted
- Mirror engine thread safety - Lock around shared packet counter
- Monotonic clock - L7 window tracking uses time.monotonic() instead of time.time()
v1.9.26
Reduced false positives & lighter resource footprint
- Startup grace period: Agent now waits 90 seconds before triggering alerts on new deployments, giving the baseline time to warm up. Truly massive floods (>50K PPS) still trigger immediately.
- Minimum 5K PPS threshold: Low-traffic servers (100 PPS normal) will no longer trigger false alerts on small spikes. The threshold never drops below 5000 PPS regardless of baseline calculations.
- Lower memory in Scapy mode: Ring buffer reduced from 1000 to 200 packets (~50MB to ~10MB).
- Faster /proc/net/tcp reads: Bulk binary read instead of line-by-line. Auto-scales read interval from 15s to 60s on servers with 50K+ connections.
v1.9.25
Fix tcpdump rotation (exit code 0 after 30s) being misdetected as crash. Restart counter now resets on healthy rotations.
v1.9.24
Add server-triggered forced update: set FTAGENT_FORCE_UPDATE in config to push updates to all agents
v1.9.23
Raise baseline default floor from 150 to 5000 PPS to eliminate false positives on low-traffic nodes
v1.9.22
Handle workspace suspension when billing inactive