Curiefense Versions

Curiefense is a unified, open source platform protecting cloud native applications.

v1.5.0

2 years ago

Release Notes

Version 1.5.0

Added

  • Rate Limit is now a multi-tiered rule, where different actions can be taken over various cases
  • Content filter rules (signatures) now have tags, which help group them by various categories
  • Content filter policy supports different rules in different operation modes (Active/Report/Ignored)
  • Content filter rules now carry a category, subcategory and risk level
  • Content filter policy supports custom decoding operation modes
  • Content filter policy supports MIME (Content-type) validation
  • Region and subregion support (geo:xxx autotags)
  • When multiple security policies match a URL, the longest match string (the more specific one) is selected

Updated

  • build-docker-images.sh fails to update on macOS

Improved

  • Rewrite of the default policy
  • Rate limit can be based on the tag list
  • Support for inverted regexp in matching
  • Argument masking
  • eu field in logging
  • Content Filter Profile entries exclusion, now based on tags instead of Content Filter Rule names
  • Order of Policies & Rules to better describe the flow of the request throughout the various processes and mechanisms

Removed

  • Content Filter Rules Groups

Fixed

  • [ui] Tag Rules adds an empty tag to each request
  • [ui] Tag rules - we do not require at least one tag
  • [ui] Adding a third entry in Flow control presents an error
  • [ui] Tag rule list tags - tags are created twice for the same list
  • [ui] Flow control - when creating a new sequence, only one section is shown instead of two
  • [ui] Fix bug where Security Policies were not savable in some cases
  • ACL profiles - when tags are in both the "deny bot" and "deny" columns, the evaluation flow is not as described in the manual
  • Global filters - error in the proxy log when adding a list of IPs from an HTTP source without a comment
  • Rate limits - "Event" by Header/Cookie/Argument blocks even when the request does not carry that header/cookie/argument
  • Flow control - "Count by" attribute:tag doesn't work
  • Logging failure when source IP is from an EU country
  • Security policy second added rate limit is not enforced
  • Tests fail because of an invalid dependency in curieconfctl
  • Rate limit with Threshold = 0 does not add the tag to the tags list in Kibana logs
  • Flow control "Count by" - We do not count by the selected attribute
  • Rate limit / Tag rules - a 503 response code blocks with 403
  • Rate Limits with Ban Action do not unblock at the end of the blocking time
  • Tags - after deleting lists and no longer using the tags in any ACL, the tags are still presented
  • Make request.attributes consistent
  • Disable all tag rules except API discovery by default
  • Policies & Rules Search - ACLs are not listed
  • Mask PII data
  • ACL Policies Deny Bot and Allow Bot are both being checked when ACL is not active
  • Rate Limits with Redirect Action does not work as expected
  • If several decisions are reached during the rate limiting or flow control phase, the strongest one is chosen. Previously, an arbitrary decision was selected
  • An empty regex no longer matches any value, preventing content filter bypasses
  • Logging messages related to ACL blocks are now more informative
  • Non-existent selectors for rate limiting / flow control now cause the request not to be processed by the relevant rule, instead of being bundled into a "no selector" group

Enhanced

  • [ui] Rate Limit - Include/Exclude should be changed to accept tags only
  • [ui] Version Control - Add an option to undo a version revert
  • [ui] Remove the blue top border from the header
  • [ui] Toast status messages change
  • Flow control: if two rules share the same last request, the action taken follows the hierarchy
  • Add 'authority' to 'request' in log structure
  • Implement a syslog input for curielogger

More information is available in the Curiefense docs

v1.4.0

2 years ago

Release Notes

Version 1.4.0

Added

  • [e2e] Add back test_ipv4 which passes
  • [e2e] Add support for fork repositories in github workflows
  • [helm] Add curiefense to Istio-helm charts
  • [docker] Add missing packages to curielogger (to run contrib scripts)
  • [ui] Add options to configure links to Kibana & Grafana
  • [curielogger] Add docker-compose e2e tests
  • [e2e] Add tests to last missing components, fix referral bug in url maps editor, change coverage thresholds, remove unused code
  • [ui] Add autocomplete support to WAF Policies editor and resolve a bug in URL Maps editor
  • [ui] Add a requirement of at least one tag for Tag Rule tags list in Tag Rules json schema
  • [e2e] Add test of flow control editor in case of multiple limit option keys
  • [helm] Add v2 deployment tests
  • [e2e] Add test on fluentd
  • [helm] Add filebeat to the helm deployment
  • [curielogger] Add logrotate container
  • [e2e] Add a testcase for pairwith limits
  • [e2e] Add Rust formatting tests to Makefile
  • Add configs and templates for Elasticsearch 6.x
  • Add an nginx-ingress container
  • Add map to define request_map
  • Add knob to disable Kibana initialization (es6 init script)

Updated

  • [ui] Update dependencies with found security vulnerabilities.
  • [ui] Update version to 1.3.0 to match the achieved milestone and overall system version
  • [docker] Update Envoy configuration version to v3
  • [e2e] Update log patterns
  • [docker] Update Istio image to use Envoy binary for 1.9.2
  • [helm] Update curiefense EnvoyFilters to v3
  • [docker] Update Envoy binary for Istio
  • [ci] Update minikube to fix CI
  • [e2e] Update Rust unit tests to include urldecode
  • [curieproxy] Update iptools.so in curieproxy with new url decode function
  • Update iptools.so for lua
  • Update iptools.so with fixed urldecode
  • Update with new urldecode algorithm

Improved

  • [e2e] Improve general coverage of UI unit tests in DocumentEditor.vue and Publish.Vue for a total coverage of 89%+
  • [e2e] Improve general coverage of UI unit tests, add types to unit tests, fix small issues throughout the UI

Removed

  • [helm] Remove helm install
  • [e2e] Remove test for feature that does not exist anymore
  • [helm] Remove references & variables for postgres & curielogserver
  • [deploy] Remove remaining postgres configuration values
  • Remove the ROADMAP.md file in favor of RELEASES.md
  • Remove ILM for ES 6.x as it was added in 7.x
  • Remove logstash from e2e-ci.yml

Fixed

  • [ci] use more recent shellcheck version, fix remaining errors
  • [e2e] Fix ratelimit countby tests
  • [e2e] Fix WAF Rules tests
  • [e2e] Fix arguments passed to deploy.sh. Fixes e2e tests.
  • [e2e] Fix elasticsearch port for tests on minikube
  • [ci] Fix deployment & tests following Istio update
  • [e2e] Fix latency tests (deploy-gke.sh)
  • [ci] Fix environment for rust & lua tests
  • [docker-compose] Fix curieproxy metrics scrape
  • [ui] Fix referral bug in url maps editor
  • [curielogger] Fix test_logs Elasticsearch query
  • [docker-compose] Fix CI
  • [curielogger] Fix tag rules logging
  • [curieproxy] fix geo-related ratelimit counters
  • [curieproxy] fix geo-related ratelimit scope checks
  • Fix challenge in flow control
  • Fix start_curiefense script
  • Fix flow checks tags
  • Fix default return codes
  • Fix nginx failure with unknown remote ip
  • Fix curiefense/images/uiserver/Dockerfile to reduce vulnerabilities

Enhanced

  • N/A

v1.3.0

3 years ago

Release Notes

Version 1.3.0

Enhanced

  • [curieconf] Enhance API to allow requesting specific properties of documents

Added

  • [curieproxy] Add continent data and more country data
  • [curieproxy] Add geolocation for requests when data is present
  • [curielogger] Add config file structure
  • [ui] Added 3 categories to tags (legitimate, malicious, neutral)
  • [curieconf, ui] Added mask boolean field to WAF policy Cookie/Header/Argument
  • [ui] Added is-single-input-column prop to ResponseAction component
  • [ui] Added more tests to DocumentSearch component (98%+ Coverage)
  • [ui] Added routing to document editor page per the following schema: /config/branch/doc_type/doc_id
  • [ui] Added search page for documents
  • [ui] Added units suffix (seconds) to TTL in RateLimitsEditor.vue
  • [ui] Added units suffix (seconds) to TTL in FlowControlEditor.vue
  • [ui] Added ace json editor to DB editor screen
  • [ui] Added default textarea json editor when failing to load ace json editor
  • [ui] Added indicator for missing data in DocumentEditor.vue
  • [ui] Added indicator for loading data in DocumentEditor.vue
  • [ui] Added indicator for missing data in DBEditor.vue
  • [ui] Added indicator for loading data in DBEditor.vue
  • [ui] Added scrollbar to Burma’s dropdown menu item with max height of 12rem
  • [confserver] Added an example flow control document to bootstrap data
  • [confserver] Added basic tags to bootstrap data
  • [confserver] Add geolite2 city
  • [curielogger] elasticsearch index: add timestamp field
  • [images] add fluentd image
  • [helm] add fluentd support
  • [helm] add elasticsearch support
  • [docker-compose] add ELK containers
  • [helm] deployments: add support for google storage buckets
  • [helm] deployment: add variables to disable parts of the chart
  • [curieproxy] add missing lua dependency
  • [curielogger] Added alpha fluentd support
  • [curielogger] Added logstash support
  • [curielogger] Added elasticsearch dumb client
  • [curieproxy] Added envoy-1.16.2 binary with symbols for lua
  • [curieconf] Added in-place entry edition in curieconf (server, client, CLI)
  • [curietasker] Added 'update_and_publish' task
  • [curietasker] Added 'publish' task
  • [docker-compose] ELASTICSEARCH_URL added to curielogger entry in compose yaml
  • [curieproxy] tests branch configuration added
  • [curieconf] tests branch configuration added
  • [ui] added links to side menu
  • [curieproxy] benchmark and tests added
  • [curieproxy] added debug message for Rust Sig
  • [curieproxy] rust calls with debug -- :add instead of .add
  • [curieproxy] debug messages added
  • [curietasker] log info added for remote debugging
  • [curietasker] adding jsonschema to setup.py install_requires
  • [curieproxy] debug added to tagging matching points

Updated

  • [curielogger] Update deployment configs/files
  • [helm] Update logstash pipeline configuration
  • [curielogger] Update cflog format and add pg back
  • [curielogger] Update curielogger for new format
  • [docker-compose] update env variables for curielogger
  • [helm] update chart following changes in curielogger
  • [bootstrap-script] updated version to 1.2.10
  • [bootstrap-script] Updated axios version to avoid security vulnerability
  • [confserver] update bootstrap waf signatures
  • [confserver] update profiling lists for confdb bootstrap bundle

Improved

  • [ui] Improved performance for EntriesRelationList prop validator
  • [ui] Replaced all download functions with a new downloadFile function in Utils
  • [ui] Use the new enhanced api to drastically improve loading time of “Search Document” page
  • [ui] Fixed download button in AccessLog component
  • [ui] Changed colors of JSON Editor menu and mode selector to greyscale
  • [ui] Hiding "Clear all sections" button in tagrules when source of list is not "self-managed"
  • [ui] Fix indentation of WAF policy editor and WAF signature viewer content
  • [ui] Fix bug preventing docs from being downloaded
  • [ui] Fix name of all download buttons (removed unneeded 'x')
  • [ui] Now using new document defaults for missing props of documents

Removed

  • [curielogger] Removed postgres support in favor of elasticsearch
  • [ui] Flow Control - Removed the regex symbol next to Method, Host, and Path
  • [curielogger] removed addition of hardcoded path to logstash url
  • [curieproxy] removed reference to bt
  • [curieproxy] schema removed, waf sig corrected
  • [curieproxy] Removed old unused schema files
  • [confserver] Removed unneeded params from bootstrap flow control action prop
  • [ui] Removed unneeded module from dependencies
  • [ui] Removed inline styling and !important tags
  • [ui] Added main.scss containing general classes
  • [ui] Removed unneeded whitespace
  • [ui] Improvements to the ui - general alignment of components throughout the system
  • [ui] Removed deprecated html tag
  • [curieproxy] removed logs
  • [curieproxy] hscan.lua removed
  • [curieproxy] globals.WAF removed
  • [ui] Removed unnecessary card wrapper
  • [ui] Removed conversion of old entries + relation data structure to the new structure, should be received from server in correct new structure
  • [curietasker] return false removed
  • [curietasker] removed some more debug prints
  • [curieconf] remove references to now removed mongobackend package
  • [curieconf] Removed outdated mongo backend
  • [curieconf] Removed any loose API calls
  • [curieconf] Removed duplicated API call in AccessLog.vue

Fixed

  • [curielogger] Fix index pattern for non data stream environments
  • [deploy, docker-compose] fix use of fluentd
  • [deploy] deploy-dev.sh: fix log check step
  • [curielogger] elasticsearch mapping: fix types for arrays
  • [curielogger] omit upstream keys when there is no upstream (fixes ES)
  • [ui] fix jest global window
  • [curielogger] fix json names
  • [curielogger, helm] elasticsearch: deployment fixes
  • [ui] Fixed bug where creating multiple documents in a row threw an error
  • [curielogger] Fixed missing fields in request attribute structure
  • [curieproxy] waf exclude restrict bug fixed
  • [curieproxy] acl bug fixed
  • [curieproxy] more debug messages -- bad data type number error fixed
  • [curieproxy] exclude sig new format bug fixed
  • [ui] waf reason UI fixed
  • [images] grafana image: fix permissions for provisioned dashboards & datasources
  • [ui] Fix bug where first load of document editor page would not load docs correctly
  • [confserver] Fixed wrong bucket name in bootstrap data (duplicated prod instead of prod + devops)