v1.4.0

Release Notes

New features

• support for rules Read more
• fuzzy matching operators Read more
• process ancestry filtering Read more
• ability to pass arguments to filaments Read more

Enhancements

• add exe parameter to CreateThread events
• add thread.pid filter field for matching the target thread's process id
• case-insensitive variants of in, startswith, and endswith operators
• upgrade Go toolchain to 1.16

Bug fixes

• inform about bad string escape in filter compile error messages
• fix retrieving executable path for system processes

v1.2.0

Release Notes

New features

• filament for identifying an executable or script file remotely downloaded via a TeamViewer transfer session
• reverse DNS lookups
• function support in filters and initial cidr_contains and md5 functions
• dip.names and sip.names filter fields
• unary not operator in filters
• matches and imatches string matching operators
• make the use of fields possible in both LHS/RHS filter expressions
• full and slim MSI-based Windows installers

Enhancements

• introduce a new file.extension filter field
• documentation website tweaking
• make all string operators evaluable against lists
• tests refactoring
• satisfy all code linters
• upgrade to the latest go-yara package
• improvements in the handle interceptor when publishing deferred CreateHandle events
• reduce the pressure on the TdhGetPropertySize API call for static parameter types
• prettify fibratus version output
• modularize and improve signal handling

Bug fixes

• circumvent data races in kcap reader/writer
• prevent data races in the AMQP connection
• yara scanner should allocate a new scanner for each run
• fix RecvUDPv4 event type GUID
• the handle interceptor should return the CloseHandle event when entering the deferred map

1.0.0

The new generation Fibratus tool release!

v0.7.2

• fixes skips filtering on Windows 7 (fs / dll events)
• kstreamc now keeps a separate thread map to bind thread to its process

v0.7.1

• spying on a specific process image (--image flag)
• file system output
• configuration file validation through schema definition
• fixed C to Python data type castings

v0.7.0

• integration with YARA tool
• standalone Windows installer
• minor bug fixes and code refactoring

v0.6.1

• support for RenameFile and SetFileInformation kernel events
• pid and file_object fields in file system events
• filament processing in thread context
• several bug fixes

v0.6.0

• high performance GIL-free kernel event stream collector
• image meta registry provides PE (Portable Exectuable) headers, sections, imports, file information, etc
• streaming kernel events to multiple output sinks
• switched to logbook for detailed startup logging info

v0.4.1

• authentication support for elasticsearch output adapter

v0.4.0

• per-pid process spying support (--pid command line flag)
• excluding processes from the trace through the configuration file
• ElasticSearch output adapter
• performance improvements on the kernel stream collector