April 18, 2013
Added support for Windows Server 2012 and SQL Server logins. Includes the new Access Report feature and many usability improvements. For more information, see the release notes.
New engine features
Windows Server 2012 is now fully supported.
A new SQL Server login detector to detect SQL Server login failures and successes. (To avoid unwanted side effects in common environments with shared web servers and shared database servers, the initial catch-all rule is disabled by default.)
All kinds of detector rules (SQL, Windows and Exchange SMTP) can now be enabled and disabled.
Various fixes to improve stability.
New data features and usability improvements
The new Access report settings panel allows finding patterns in login failures to track common attack approaches, see the spread of IP addresses and usernames.
Syspeace customer Jeff Walton:
“The access reports section has been a bit of an eye-opener regarding the number of addresses that hit us multiple times per day but never in fast succession. I created a rule that looks back over a 10 day period and have been catching a lot of attempts that are only one or two tries during different times of the day but occur several times each week. I found one that appears to have started a dictionary attack and successive tries have picked up where they left off days earlier.”
Global blacklist blocks are more clearly marked as such in the main window and in the Live blocks settings panel.
The Live blocks settings panel now explains what caused a block to be triggered. (Only applicable to new blocks.)
The settings panel list now shows indicators of how many rules are currently enabled. If no rules are enabled, the indicator is grey to show that no protection is provided, otherwise it is green.
A status screen is shown as Syspeace starts up.
The Attack control settings panel can export the current data to a CSV file.
A clarification has been added to the Mail settings, noting that mail servers using Windows integrated authentication (like Exchange SMTP) might require prefixing the username with the domain name.