diff --git a/changelog.md b/changelog.md index 43fabc8176d..cdaa0359847 100644 --- a/changelog.md +++ b/changelog.md @@ -1,6 +1,20 @@ ### [28.01.2026] -* Search optimization: General search terms now use exact match by default for better MongoDB performance. - * Use regex characters (e.g., `^ $ | ? * + ( ) [ ] { }`) to trigger a regex search. +* CAPE Agent: + * Ported to Golang for improved stealth, performance, and zero-dependency deployment. + * Implemented strict host-only security (localhost blocking) and optional Token Authentication. + * Added secure `/push` endpoint for host-driven file retrieval. + * Added `/update` endpoint for seamless remote agent updates. +* Distributed Cluster: + * New Go Fast-Fetcher: High-concurrency retrieval module supporting direct NFS copy. + * Added JSON configuration support for the fetcher to secure database credentials. + * Added `ignore_patterns` support for optimized cluster reporting. +* Web UI / UX Improvements: + * Fixed badge readability: Enforced high-contrast text (e.g., black on yellow/info) and fixed unreadable hover states. + * Categorized search help table into logical groups (General, File, Network, Behavior). + * Fixed search box highlight color to match the theme. +* Search Optimization: + * General search terms are now handled as strings (exact match) by default instead of regex to significantly improve database performance. + * Regex search is automatically triggered when using special characters (e.g., `^ $ | ? * + ( ) [ ] { }`). * Updated search UI help and placeholders. ### [16.01.2026] CAPE v2.5 diff --git a/web/static/css/style.css b/web/static/css/style.css index 24a4614ba4f..3aba87a1b13 100644 --- a/web/static/css/style.css +++ b/web/static/css/style.css 
@@ -104,10 +104,20 @@ a:hover { background-color: #29aba1 !important; } -.badge.bg-primary, .badge.bg-info, .badge.bg-danger, .badge.bg-success { +.badge.bg-primary, .badge.bg-danger, .badge.bg-success { color: #fff !important; } +.badge.bg-warning, .badge.bg-info { + color: #000 !important; +} + +a.badge:hover, .badge a:hover { + color: inherit !important; + text-decoration: none; + opacity: 0.8; +} + .btn-link { color: red } @@ -511,6 +521,12 @@ a:not(.btn, [class*="btn"]):hover { box-shadow: 0 0 0 .25rem rgba(108,117,125,.25); } +/* Fix green highlight on search box focus */ +.form-control:focus { + border-color: #5ebcf3; + box-shadow: 0 0 0 0.2rem rgba(94, 188, 243, 0.25); +} + /* Disabled */ .form-control[type="file"]:disabled{ background-color: #1c1f23; diff --git a/web/templates/analysis/search.html b/web/templates/analysis/search.html index 18b21ce3017..5a28ae8acda 100644 --- a/web/templates/analysis/search.html +++ b/web/templates/analysis/search.html @@ -6,7 +6,7 @@
- +
@@ -34,37 +34,54 @@
Search Help< - target_sha256:sha256 + + General & Metadata + id:Task ID (e.g., id:1) + ids:List of Task IDs (e.g., ids:1,2,3) + options:Task options (e.g., options:function=DllMain) + tags_tasks:Task tags (e.g., tags_tasks:mytag) + package:Analysis package (e.g., package:ps1) + machinename:Target Machine Name + machinelabel:Target Machine Label + custom:Custom data field + comment:Analysis Comments configs:Extracted config value - id:task_id (e.g., id:1) - ids:task_ids (e.g., ids:1,2,3,4,5) - options:x=y (e.g., options:function=DllMain) - tags_tasks:my_tag (e.g., tags_tasks:mytag) - package:package (e.g., package:ps1) + + + File Properties & Static Analysis + target_sha256:Target file SHA256 name:File name pattern type:File type/format - ssdeep:Fuzzy hash + ssdeep:Fuzzy hash (SSDeep) crc32:CRC32 hash imphash:PE Imphash iconhash:Exact icon hash iconfuzzy:Fuzzy icon hash - file:Open files matching pattern - command:Executed commands matching pattern - resolvedapi:APIs resolved at runtime - key:Open registry keys matching pattern - mutex:Open mutexes matching pattern - sport:Source port (e.g., sport:X) - dport:Destination port (e.g., dport:443) - port:Source or Destination port + dhash:Icon dhash + die:Detect It Easy (DIE) signature (e.g., die:obsidium) + extracted_tool:Extracted tool (e.g., InnoExtract) + virustotal:VirusTotal Detected Name + clamav:Local ClamAV detections + yaraname:Yara Rule Name (binary folder) + capeyara:Yara Rule Name (cape folder) + procdumpyara:Yara Rule Name (process dumps) + procmemyara:Yara Rule Name (memory dumps) + + + Network Analysis ip:Contacted IP address domain:Contacted domain - url:CAPE Sandbox URL analysis - signame:Signature names - signature:Signature descriptions - detections:Malware family detections - surimsg:Suricata Alerts MSG - surialert:Suricata Alerts - surisid:Suricata Alerts SID + url:Contacted URL or URL Analysis Target + port:Source or Destination port + sport:Source port + dport:Destination port + ja3_string:JA3 
string + ja3_hash:JA3 hash + asn:AS ID (e.g., asn:AS15169) + asn_name:ASN name (e.g., asn_name:Google LLC) + surimsg:Suricata Alert Message + surialert:Suricata Alert Category + surisid:Suricata Alert SID suriurl:Suricata HTTP URL suriua:Suricata HTTP User-Agent surireferrer:Suricata HTTP Referrer @@ -72,27 +89,21 @@
Search Help< suritlssubject:Suricata TLS Subject suritlsissuerdn:Suricata TLS Issuer DN suritlsfingerprint:Suricata TLS Fingerprint - suritls:Suricata TLS - surihttp:Suricata HTTP - ja3_string:ja3 string - ja3_hash:ja3 hash - clamav:Local ClamAV detections - yaraname:Yara Rule Name (binary folder) - capeyara:Yara Rule Name (cape folder) - procdumpyara:Yara Rule Name (process dumps) - procmemyara:Yara Rule Name (memory dumps) - virustotal:VirusTotal Detected Name - machinename:Target Machine Name - machinelabel:Target Machine Label - custom:Custom data - comment:Analysis Comments + suritls:Suricata TLS Generic + surihttp:Suricata HTTP Generic + + + Behavior & Execution + file:Open files matching pattern + command:Executed commands matching pattern + resolvedapi:APIs resolved at runtime + key:Open registry keys matching pattern + mutex:Open mutexes matching pattern + signame:CAPE Signature names + signature:CAPE Signature descriptions + detections:Malware family detections malscore:Malscore > value - ttp:TTP ID (e.g., T1053) - dhash:Hash - die:DIE (e.g., die:obsidium) - extracted_tool:Extracted tool (e.g., InnoExtract) - asn:AS ID (e.g., asn:AS15169) - asn_name:ASN name (e.g., asn_name:Google LLC) + ttp:TTP ID (e.g., T1053)
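Review bot: In the changelog hunk (`@@ -1,6 +1,20 @@`), the CAPE Agent bullet "Implemented strict host-only security (localhost blocking) and optional Token Authentication" is ambiguous about direction and default: it does not say whether requests from the guest's own loopback are the ones being rejected, nor whether token authentication is off unless configured. Since this is the entry an operator reads to decide if an upgrade changes their exposure, state it explicitly, e.g. "requests from the guest's loopback are rejected; only the analysis host may call the agent; token authentication is disabled by default and enabled via ...". Note also that none of the agent, fetcher or `ignore_patterns` entries correspond to files touched in this diff (only `changelog.md`, `style.css` and `search.html` change), so either those bullets belong to a separate change or the files are missing from this patch.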
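Review bot: In the first `style.css` hunk (`@@ -104,10 +104,20 @@`), `a.badge:hover, .badge a:hover { color: inherit !important; }` undoes the contrast fix it sits next to. For an `a.badge` element, `inherit` resolves to the parent container's text color, not the badge's own `#000`/`#fff`, and with specificity (0,2,1) versus (0,2,0) for `.badge.bg-warning` the hover rule wins even though both carry `!important`. On a dark background with light body text, a yellow or info badge therefore becomes light-on-yellow on hover, which is the unreadable state the changelog says is fixed. Suggest dropping the `color` declaration from the hover rule (keeping `text-decoration` and `opacity`), or restating the explicit per-variant colors there.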
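Review bot: In the second `style.css` hunk (`@@ -511,6 +521,12 @@`), the comment `/* Fix green highlight on search box focus */` understates the scope of the rule: `.form-control:focus` applies to every form control in the UI, not only the search box, so the comment should say so, and the hard-coded `#5ebcf3` / `rgba(94, 188, 243, 0.25)` pair should be tied to the theme accent used elsewhere in this file (the hunk above uses `#29aba1` for `a:hover`) rather than introduced as a third literal, so the next theme change does not leave focus rings mismatched again.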
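Review bot: In the `search.html` hunk `@@ -34,37 +34,54 @@`, the regrouped help table never tells the user that plain terms are now exact-match and that only the characters `^ $ | ? * + ( ) [ ] { }` switch a field to regex, even though that is the behavior change announced in the same changelog; rows such as `name:File name pattern`, `file:Open files matching pattern` and `key:Open registry keys matching pattern` still read as if substring matching is the default. Add a short note at the top of the General & Metadata group stating the exact-match default and the trigger characters, and reconsider the word "pattern" in rows where a bare term no longer behaves as one. Separately, `configs:Extracted config value` stays under General & Metadata while every other static-analysis key moved to File Properties & Static Analysis; it seems to belong in the latter.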
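Review bot: In the `search.html` hunk `@@ -72,27 +89,21 @@`, example formatting is inconsistent within the Behavior & Execution group: `ttp:TTP ID (e.g., T1053)` omits the key prefix that every other example in the table includes (`asn:AS15169`, `die:obsidium`, `options:function=DllMain`), and `malscore:Malscore > value` describes a comparison without showing the syntax the user should type. Suggest `(e.g., ttp:T1053)` and an explicit example for `malscore` in the same `(e.g., ...)` style. Also, `suritls:Suricata TLS Generic` and `surihttp:Suricata HTTP Generic` are vaguer than the rows they replace; "matches any Suricata TLS field" (and likewise for HTTP) would tell the reader how these differ from the specific `suritls*` / `suri*` keys listed just above them.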