Sandfly 3.3 - Reporting, SSO, Veracode Certified, Suspicious IP Detection and More

Sandfly 3.3.0 has been released with major updates across the board. Some of the new features include:

  • Single Sign-On (SSO) support

  • Veracode Verified

  • Reporting

  • Configurable data retention period

  • Postgres replication

  • Unconventional/obfuscated IP detection signatures

  • Host scanning compatibility improvements

  • Improved email notification support

  • API example scripts

  • Much more!

Single Sign-On (SSO) Support

Sandfly Enterprise licensed users can now use SSO with Sandfly. The new SSO configuration option allows for easy setup and connection to your chosen SSO provider:

Configuring SSO Provider for Sandfly

Once configured with your SSO information, you can add users with admin or user roles:

Configuring SSO Users for Sandfly

Veracode Verified

Sandfly is Veracode Verified Coding Standard

All Sandfly code is now verified by Veracode to a very strict standard for secure coding and vulnerabilities. Certification for each build is available to customers who wish to review the details and our proactive security stance.


Users can now access reports showing historical scan status over time and host asset views. The host asset view will show you critical information about your Linux systems such as:

  • Linux distribution name

  • Linux kernel version

  • System uptimes

  • CPU Architectures

  • Host tags

  • Online/offline status and more

Linux Host Asset Tracking View

Sandfly works on Intel, AMD, Arm and MIPS Linux architectures seamlessly.

Scan performance reports will show information such as:

  • Total scans completed over time

  • Total alerts/pass/error events

  • Number of Sandfly checks run across all hosts

  • Hourly performance graphs

  • Alerts by Mitre ATT&CK and Sandfly Type

The new reporting features also allows you to easily print or save reports as PDF format as needed.

Sandfly Hourly Performance

Configurable Data Retention

Fully licensed users can set the period of time to retain data inside Sandfly. The old limit was set to 72 hours, but now you can extend this time out to 31 days if desired (and your drive space allows).

Extending data retention days.

Postgres Data Replication

Just like with our Elasticsearch support, customers can now setup an external Postgres database to take in alerts for long-term storage and analysis independent of Sandfly. Customers wishing to retain data for threat hunting, trend analysis or more can now easily send this data to Postgres to analyze and retain indefinitely.

Postgresql Database Replication

New Sandfly Detection Updates

Unconventional and Obfuscated IP Address Detection

Did you know the following are legitimate URLs for the IP address

Hex = http://0xc0a80001/
Octal = http://0300.0250.0000.0001/
Binary = http://11000000.10101000.00000000.00000001/

Obfuscating an IP address with hex, octal or binary is virtually always malicious regardless of the IP address. We'll now tell you when we see it on your hosts. We sweep critical system areas such as the following for signs that someone is trying to use an obfuscated IP address: 

  • System init scripts

  • System rc scripts

  • User histories

  • Processes

  • Crontab entries

  • At job entries

Sandfly will alert you if we see this activity in critical areas like below:

Obfuscated IP Address for Linux Crontab Persistence

Obfuscated IP Address for Linux Crontab Persistence Raw JSON

Improvements to Sandfly REGEX Anti-Evasion

We have made many improvements across all Sandfly modules to make detection wider and evasion harder. REGEX has been optimized as well to make it faster and more accurate.

SSH Private Key Hunting for Users

We have new checks to find SSH private keys hanging out in the root user's home directory. Plus, new policy and incident response checks that will sweep for private keys under any user's home directory on the system.

SSH private keys can be a large security threat and easily enable lateral movement. Sandfly can let you know if critical systems have SSH keys where they shouldn't be.

Host Scanning Compatibility Improvements

We have made changes to home directory discovery algorithms inside Sandfly. Sandfly will now try multiple areas to initiate a scan when we discover a host. The discovery will try standard user home directories first and then fall back to /dev/shm if a suitable area cannot be found. This update means we now work across systems with NFS mounted home directories or home directories with restricted execution access. 

Improved E-Mail, API Scripts and Postgres Auto-Tuning

We have improved e-mail notifications which support a wider range of authentication types. We have also included sample scripts in the setup directory to demonstrate how to use the Sandfly API from the command line. The scripts can be used to help with SOAR playbook automation and more.

Further, start-up scripts will now auto-tune Postgres parameters based on available CPU and RAM in the Sandfly server for optimal performance out of the box. 

Seamless, Free Upgrade to 3.3

All free and paid customers can upgrade today. Please see the upgrade documentation for instructions on how to quickly and easily upgrade.

Protect 500 Linux Systems Now for Free

Sandfly v3.3 is still offered for free to help you immediately start monitoring and protecting your Linux fleet. Get it online now with an instant no-obligation license.

Original post: