MENDEL 3.3 RELEASED

April 16, 2019
GREYCORTEX has released the latest version of our MENDEL network traffic analysis solution. Version 3.3 has several important new features which improve detection and response for the network security team.
The biggest is that MENDEL’s detection and visibility capabilities are now available for SCADA/ICS environments. This new capability goes beyond the support for several protocols found in earlier versions of MENDEL and extends it into a whole new module, including the ability to visualize not just devices, but also time series in the IEC 61850 GOOSE, SNMP, and IEC 104 protocols.
Not content with just SCADA features, we have added new reporting for managers and security analysts, detection and logging of TLS 1.3, and fingerprinting of encrypted traffic with JA3, and we have increased the capabilities of multi-sensor configurations.
New features

  • New managerial and security analyst reports summarize network data and security threats
  • New module for processing and visualization of SCADA protocols, including new dashboards for visualizing time series in IEC 61850 GOOSE, SNMP, and IEC 104 protocols
  • Added support for parsing CC-Link protocol
  • Added support for parsing ENIP/CIP protocol
  • Added support for parsing Kerberos protocol
  • Added support for parsing TFTP protocol
  • Added support for parsing IKEv2 protocol
  • Added support for parsing FTP protocol including parsing FTP data streams
  • Added detection engine for SSL/TLS client fingerprints JA3
  • Added multi-disc installation of MENDEL
  • Added GUI localization into Polish and Korean
  • Introduced new light color scheme
  • Integration with firewalls from Check Point

Please note: the new system of reports will replace the old type of reports in the near future. If you use the old reports, don’t forget to configure the new ones.
Enhancements

  • Improved installer with enhanced user interface and new features
  • Improved dark color scheme
  • Redesigned severity color scheme
  • Reorganized main menu for better accessibility
  • Redesigned user dashboards for better user experience
  • Improved network capture module for better performance and less resource consumption
  • Improved network models for faster detection and reduced storage demands
  • Improved task planner and optimized parallelized processing in the service for better resource consumption and management, giving faster processing for multiple sensors on one collector
  • Improved detection and repair of unusual, incomplete, or swapped flows
  • Improved parsing of incomplete or unidirectional flows
  • Improved network capture default configuration for better capture on all configurations
  • Improved processing of Active Directory events for better calculation of logged users
  • Improved Mikrotik plugin
  • Added button to restore user dashboards to default
  • Improved creation of complex firewall rules in plugin
  • Improved HTTP proxy pairing for incomplete or invalid communication

Bug Fixes
In general, our development team focused on improving the user experience and reporting.
Contact your local GREYCORTEX partner to find out how you can put MENDEL v3.3 to work for you.

GREYCORTEX RELEASES MENDEL 3.0

March brings the most recent version of GREYCORTEX MENDEL: Version 3.0. MENDEL 3.0 brings several new features SOC administrators will love, as well as continued expansion for SCADA networks and upgraded hardware support.

Specifically, MENDEL now supports the latest in DELL Rx40 hardware. Those in SCADA network environments will enjoy updates to the MENDEL IDS system. Version 3.0 also includes visibility for the NFS (Network File System) and IEC 60870-5-101/104 protocols. SOC users will note that dashboards have been adjusted to better accommodate multiple sensors, and that the overall capacity for sensors connected to one collector has been increased to 30. Finally, MENDEL’s capabilities have been expanded to include the ability to add your own blacklist file, as well as to export events to IBM QRadar SIEM via the LEEF format.
New Features

  • GREYCORTEX has added support for the latest Dell servers (Rx40) so users will now be able to use the latest hardware.
  • SCADA support continues, with updates to the MENDEL IDS engine to include visibility into the IEC 60870-5-101/104 protocols, bringing new security for professionals in the energy infrastructure sector.
  • SOC administrators will appreciate several new features in version 3.0: new dashboard settings suitable for multiple sensors for better SOC visualization, the ability to add up to 30 sensors on one collector, the LEEF export format for events exported to IBM QRadar SIEM, and the ability to upload users’ own blacklists as a .csv file.

Improvements
Several MENDEL features were improved. These included easier license extension, host identification, decryption performance, status monitoring, and data export.
Bug Fixes

In general, our development team focused on improving the user experience and reporting.

Please note that updating to version 3.0 requires appliance restart and may take up to one hour.

Contact your local GREYCORTEX partner to find out how you can put MENDEL v3.0 to work for you.

NEW VERSION 2.3 RELEASED

GREYCORTEX has launched version 2.3 of MENDEL Analyst. It adds standardized support for NetFlow and IPFIX, new ways of presenting data, several performance improvements, and more.
New features

  • New tool in GUI “Network Analysis” – user defined aggregated statistics for better analysis of network traffic and security incidents
  • Standardized NetFlow with IPFIX fully supported
  • New user account administration page
  • Changelog page with history and enhanced updating using RPM packaging system

Improvements

  • Major performance improvements of signature-based detection engine
  • Improved DNS cache with TTL support for better hostname resolution
  • Improved algorithm for matching hosts with Active Directory users
  • Inserted GUI URLs kept after login
  • Improved export of charts
  • Enhanced system log management with filtering by time and a system component

GREYCORTEX RELEASES MENDEL 2.9

GREYCORTEX is happy to announce the latest version of GREYCORTEX MENDEL: Version 2.9.0. This version includes several important new features. The first is the Flow Exporter, which lets you export flows from MENDEL to your SIEM solution. The second is the ability to execute script commands on other devices, e.g. firewall systems, in order to block communications. L7 visibility for the SCADA network protocols Modbus and DNP3 has also been added, as has the ability to audit commands executed from SSH connections.
New Features

  • Added a Flow Export feature, which allows you to export flows from MENDEL to your favorite SIEM tool. This allows you to have the same data detail of a much more expensive SIEM-specific flow export tool, at a fraction of the cost.
  • Added ability to execute and send scripts, e.g. to a firewall – which means you can identify and stop incoming malware at the firewall, without ever leaving MENDEL.
  • Added integrated Modbus and DNP3 SCADA protocol visibility. Think of it as MENDEL for industrial control systems. With these protocols, GREYCORTEX takes its next steps into protecting not just “traditional” networks, but SCADA systems as well.
  • Added SSH auditing (turn on the SSH audit signature in status monitor signatures)
  • Added the possibility to filter by a group of entities (subnet, host, MAC, user), extending the filtering options using a comma “,”, e.g. src:172.16.9.20,172.16.9.21 & dst:1.2.3.4 which shows communication between source IPs 172.16.9.20 or 172.16.9.21 and destination IP 8.8.8.8. In a nutshell: much more efficient filtering capabilities are now yours. Identify communication not just from one source to one destination, but from several hosts to a single destination, so complicated attacks are now clear.
  • MENDEL is powerful and detailed, but now it works just as well for the T1 Security Analyst. New installations and newly created users will see new default dashboards with Overview, Performance, and Security tabs included, for ease of use by everyone.

Improvements
Several different features of MENDEL were improved. These included improvements to the installation and update process, optimization of flows, and detection features – including the ability to choose your favorite IDS ruleset, or better L7 application service recognition.
Bug Fixes
In general, our development team focused on repairing inconsistencies in user experience and connectivity.

MENDEL 2.8 RELEASED

We are happy to announce the latest version of GREYCORTEX MENDEL. Version 2.8 includes three important new features. The first is the Event Collector. Released as part of v2.7 (a limited release), the Event Collector offers the opportunity to centrally monitor events from several remote GREYCORTEX MENDEL collectors. The second major new feature is the Correlation Engine. This tool correlates individual, less-serious events, which together may be indicative of attacks within the network, to alert security analysts more effectively. Finally, MENDEL 2.8 includes proxy pairing functionality, which identifies source or destination addresses hidden by proxy servers. This allows security analysts to better identify potential issues on the network and provides even greater visibility.
New Features

  • Added a beta version of the Correlation Engine, including seven tuned rules which further increase security (The feature may be turned on by going to Settings->System Components)
  • Added a proxy pairing feature to display source or destination addresses hidden by a proxy server

Improvements

  • Optimized the display of charts and tables in the Network module
  • Added information about the type of key exchange algorithms in HTTPS and TLS flows
  • Improved the calculation of flow metrics to show values valid for specific parts

Bug Fixes

  • Fixed issues with disabling deep packet inspection and enabling rules in IDS
  • Fixed an issue with updates to older installations
  • Fixed issues with MS-SQL protocol parsing at higher speeds
  • Fixed an issue with displaying current values on the Network Services tab
  • Fixed an issue with displaying multiple VLAN IDs in a single flow
  • Fixed issues with parsing SMB flows
  • Fixed issues with editing export definitions
  • Fixed an issue with pagination results in the Peers graph
  • Fixed issues with restarting services
  • Fixed an issue with filtering by protocol type
  • Fixed an issue with deleting user-defined filters
  • Fixed an issue with saving user-created or user-defined filters
  • Fixed an issue with displaying VLAN statistics in the Analysis module
  • Fixed an issue with exporting records in CEF and Syslog formats
  • Fixed an issue with long hostnames
  • Fixed issues with calculating the minimum and maximum duration of flows
  • Fixed link formatting in Exports
  • Fixed an issue with displaying ASN names in flows
  • Fixed an issue with displaying host information in the Analysis module
  • Fixed the calculation of RTT and ART metrics in long term flows with unfinished communication
  • Fixed an issue with the validation of row counts in Column Manager

GREYCORTEX RELEASES MENDEL V 2.6.1

In the newest version of GREYCORTEX MENDEL (2.6.1) we have implemented several new features to improve performance, including a new flow scheme. This new scheme will also store more flow data and metrics. Existing data will be automatically transferred into this new scheme to ensure its continued usability. This data transfer process will run in the background, allowing you to continue to work with new flow data. Depending on the amount of existing flow data, the transfer may take a few days, but it will not affect system usability.
We have also added a new DHCP application parser. This means you can now use DHCP data to identify hosts by their hostnames, giving you better information about hosts for better and more effective action.
Additional Features

  • Added new aggregated flow structures and their visualizations to achieve better performance
  • Added an additional severity decision mechanism for outlier detection to better highlight larger anomalies
  • Added a new DHCP application parser
  • Added the capability to display unfinished flows
  • Added an additional metric: UET – User Experience Time – to network flows

Improvements

  • Improved database query performance
  • Improved the precision of the Round Trip Time and Server Application Response Time metrics computation
  • Optimized the performance of the Peers graph for faster loading
  • Upgraded the database to achieve greater performance
  • Set default log interval in log reporting to 7 days

Bugs Fixed

  • Fixed SMB protocol identification
  • Fixed network services model calculation
  • Removed queries to root DNS servers
  • Fixed missing DNS server configurations, which occurred in rare cases
  • Fixed settings for RX queues in network drivers
  • Fixed timezone usage
  • Fixed filtering issues in Incident Management
  • Fixed data inconsistency between Peers and Hosts graphs
  • Fixed report generation where data fields did not display correctly
  • Fixed hyperscan support on non-Intel architectures
  • Fixed password escaping issue
  • Fixed custom server certificate handling
  • Fixed system monitoring data propagation
  • Fixed DNS server settings
  • Fixed ICMP event and flow pairing
  • Fixed MS-SQL protocol parser
  • Fixed time handling in False Positives for different time zones
  • Fixed color configuration for Port Sweep detection
  • Fixed flows search in Outlier events
  • Fixed issue with duplicate hostnames
  • Fixed flow search in limit events
  • Fixed network configuration calculation
  • Fixed Url Share functionality in the comments field in Incident Management
  • Fixed filtering issue in Incident Management
  • Fixed pagination in Incident Management
  • Fixed issue in Url Share
  • Fixed transfer data calculation in the Peers graph
  • Fixed firewall autoconfiguration when enabling NetFlow source
  • Fixed events filtering by name
  • Fixed subnet traffic calculation
  • Fixed allow/deny configuration description
  • Fixed the “To Filter” button in Peers graph
  • Fixed port and service name filtering
  • Fixed other issues related to Incident Management
  • Fixed subnet icons in Events
  • Fixed vulnerability to CVE-2016-2183
  • Fixed empty service description editing
  • Fixed false positives value editing
  • Fixed ICMP flow filtering on services
  • Fixed the assignment of hosts into incorrect subnets
  • Fixed host information display in the Analysis module
  • Fixed invalid DHCP transaction IDs in individual flows
  • Fixed DHCP parsing issues on flows from the DHCP relay
  • Fixed the password warning message when the password is shown as invalid during installation
  • Fixed the event payload display in IDS events
  • Fixed issues with special characters during installation
  • Fixed an issue with filtering port number and service name together
  • Fixed an issue with flow duration calculation
  • Fixed cancel button functionality in Flows view
  • Fixed calculation of the number of subnets in Events
  • Fixed the use of an incorrect filter in subnet to filter function in the Events tab
  • Fixed the filling service in False Positive
  • Fixed traffic information in incident links

MENDEL 2.5 RELEASED

GREYCORTEX has just released MENDEL 2.5. In this most recent version, we have made several additions to further improve performance, including a new detection method for forbidden services, faster pattern processing for IDS rules (requires Intel architecture), and HTTPS traffic decryption capabilities (with imported private key). The full changelog for MENDEL 2.5 is provided below.
Additional Features

  • Added a new detection method for forbidden services
  • Added faster pattern processing for IDS rules (requires Intel architecture)
  • Added new traffic direction types for better filtering
  • Added system self-reporting for additional functionality support
  • Added HTTPS traffic decryption capabilities (with imported private key)

Improvements

  • System components have been upgraded to their newest versions
  • VoIP protocol parsers have been included for better performance
  • Improved system hardening
  • Improved query performance in the Flows tab

Bugs Fixed

  • Fixed IDS stability problems
  • Fixed IP address settings for new interfaces
  • Fixed disabling parsing IDS rules and DPI
  • Fixed issues with system log rotation, maintenance, and removal
  • Fixed truncated application requests within flow data
  • Fixed ICMP codes reporting in flow records
  • Fixed the reporting service type in outlier analysis methods
  • Fixed upgrade log downloading via the GUI
  • Fixed false positive matching for countries
  • Fixed issues in Incident Management
  • Fixed displaying colored, blacklisted IP addresses on the Peers tab
  • Fixed support for IPv6 filtering
  • Fixed computation functionality in the Peers graph
  • Fixed the computation of severity in the Toplists dashboard
  • Fixed invalid filter value handling
  • Fixed an issue with user rights in the reporting module
  • Fixed autocomplete in Host filtering
  • Fixed time limit for false positive application
  • Fixed status monitor event information
  • Fixed filtering by timestamp in event lightboxes
  • Fixed filtering false positives in “Table by Service or Port”

User Note
To further improve performance, it is strongly suggested that users turn off unused ports.

NEW VERSION 2.4.1 RELEASED

GREYCORTEX has launched version 2.4.1 of its MENDEL solution. This release adds a couple of new features and several bug fixes to help you better and more efficiently identify threats within your network.
The full list of additional features, improvements, and repairs is provided here:
Features

  • New background report generation with historical download capability
  • Extended IDS signature information with integrated description

Bugs Fixed

  • Fixed DNS cache parameters to improve hostname record display in network flows
  • Fixed system timeout issue during transmission of large reports via email
  • Fixed data update when downloading via proxy server
  • Fixed false positive detection for specific time periods
  • Fixed boundary display in network model
  • Fixed invalid time window in incident management link
  • Fixed data traffic display for selected hosts in graphs displayed on the Peers tab
  • Reduced system load following upgrade, including service restart
  • Fixed issue with IDS service restart after system reboot
  • Fixed database upgrade

NEW VERSION 2.4 RELEASED

GREYCORTEX has launched version 2.4 of its MENDEL solution. This release features several changes to help you better and more efficiently identify threats within your network. We have added a new incident management feature, as well as new MS-SQL and SIP parsers, multiple false positive elimination in IDS/NBA categories, and support for connecting multiple sensors to one collector. We have enhanced the detection and performance capabilities of our Network Behavior Analysis and Intrusion Detection System engines.
The full list of additional features, improvements, and repairs is below.
Additional Features

  • Added a brand new incident management feature
  • Added MS-SQL and SIP parsers
  • Added multiple false positive elimination in IDS/NBA categories
  • Added support for connecting multiple sensors to one collector
  • Added support for separate modification of IDS signatures per sensor
  • Added dynamic dashboard responsiveness
  • Added support for fail-safe connection and data recovery for remote sensors
  • Added support for deployment in Hyper-V virtualization environment
  • Added license change and renew capabilities
  • Added support for HTTP fields in IPFIX format
  • Added an automatic validity check for ISO installation files

Improvements

  • Highlighted parsed L7 data in flows
  • Improved detection and performance of NBA methods
  • Improved the IDS core engine
  • Optimized NetFlow processing up to 100,000 flows per second
  • Improved support for NetFlow processing for most Cisco, Mikrotik, HP, and other network devices
  • Improved logging capabilities using syslog-ng
  • Improved the flow searching algorithm for the event detail field
  • Added a cookies field in HTTP parsers
  • Improved time synchronization using ntpd
  • Added a sensor column in network services
  • Tuned NBA method settings for DNS services
  • Improved dashboard descriptions

Bugs Fixed

  • Fixed update planning to avoid updating too frequently
  • Fixed an error in saving flows caused by data truncation
  • Fixed an export issue in CEF format
  • Fixed the filter for IPv6, IPv4 protocols, and tunneled traffic
  • Fixed network model visualization for the selected subnet/host
  • Fixed bigger packet processing
  • Fixed the displaying filter in dashboard component settings
  • Fixed severity for IP addresses in top lists by traffic
  • Fixed searching in false positive management
  • Fixed report generation
  • Fixed event calculation in dashboards
  • Fixed network configuration for setting IP address, network mode, and DNS servers
  • Fixed editing network metric limits for hosts
  • Fixed user data export/import
  • Fixed typos in the event status monitor
  • Fixed the license information display
  • Fixed firewall editing rules