
Cisco Security Monitoring, Analysis and Response System

Quick Install and Release Notes for Cisco Security MARS Appliance 4.1.5

Table Of Contents

Quick Install and Release Notes for Cisco Security MARS Appliance 4.1.5

Introduction

New and Changed Features

New Vendor Signatures

Upgrade Instructions

Important Upgrade Notes

Upgrade to 4.1.5

Upgrade to 4.1.4

Upgrade to 4.1.3

Upgrade to 4.1.2(2042)

Upgrade to 4.1.1

Required Upgrade Path

Downloading the Upgrade Package from CCO

Important Notes

Compatibility Notes

Quick Install Notes

Installation Quick Reference

Checklist for Initial Configuration

Caveats

Open Caveats - Release 4.1.5

Resolved Caveats - Release 4.1.5

Resolved Caveats - Releases Prior to 4.1.5

Product Documentation

Obtaining Support, and Security Guidelines


Quick Install and Release Notes for Cisco Security MARS Appliance 4.1.5


Revised: April 26, 2006, 78-17564-01

These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (MARS), Version 4.1.5 running on either a Local Controller or on a Global Controller. They provide the following information:

Introduction

New and Changed Features

Upgrade Instructions

Important Notes

Quick Install Notes

Caveats

Product Documentation

Obtaining Support, and Security Guidelines

Introduction

Version 4.1.5 is now available as a patch upgrade to 4.1.4 of your MARS appliance software. Registered SMARTnet users can obtain version 4.1.5 from the Cisco support website at:

http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars

New and Changed Features

In addition to resolved caveats, this release includes the following new features:

pnLog Agent Updated

New Vendor Signatures

New Vendor Signatures

The following table lists the most recent signature version supported for each product or technology:

Product                                              Signature Version Supported
Cisco IDS 4.1/IPS 5.x                                S223
McAfee Entercept HIDS 4.1                            Agent Version 40-56
ISS RealSecure Network Sensor 7.0                    24.31
ISS RealSecure Server Sensor 7.0                     24.31
McAfee IntruShield NIDS 1.8                          1.8.71.3
Snort NIDS                                           2.3.3
Netscreen IDP 2.1                                    Idp2.1r3 Update 254
Enterasys Dragon 6.x                                 Latest signatures as of 04-05-2006
Symantec Manhunt                                     3.4.3 Update 53
Qualys QualysGuard 3.x                               Latest Knowledge Base XML file as of 02-07-2005
Common Vulnerabilities and Exposures (CVE) Database  Latest as of 09-08-2005


Upgrade Instructions

The MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As the administrator of the MARS Appliance, you should check the upgrade site weekly for patch upgrades. In addition to addressing high-priority caveats, patch upgrade packages update system inspection rules and event types and provide the most recent signature support.

For detailed instructions on planning and performing an upgrade or install, refer to Checklist for Upgrading the Appliance Software in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System.

Important Upgrade Notes

To ensure that the upgrade from earlier versions is trouble free, this section contains the notes provided in previous releases, organized by release number. Refer to the notes that pertain to the release you are upgrading from and to any releases following it.

Upgrade to 4.1.5

No important notes exist for the 4.1.5 upgrade.

Upgrade to 4.1.4

No important notes exist for the 4.1.4 upgrade.

Upgrade to 4.1.3

No important notes exist for the 4.1.3 upgrade.

Upgrade to 4.1.2(2042)

The following notes detail changes to the standard upgrade process:

If you completed the 4.1.1 to 4.1.2 (2040) upgrade, verify whether the upgrade failed by entering `pnlog mailto <SMTP server> <sender> <recipient>' at the CLI. This command mails the MARS Appliance logs to the recipient. Open the e-mailed file attachment, and then open the newest upgrade*.log found in /var/log/. Successful upgrades from 4.1.1 (2022) to 4.1.2 (2040) include the following line:

Opening file: /etc/data/secondarytables/reports/Report.0.Resource-Issues--IOS-IPS-DTM---All-Events.xml

If you do not see this line, then a problem occurred during the upgrade regardless of whether the version command reports 4.1.2 (2040).
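As an added example (not part of the Cisco release notes), the following Python script performs that check on the mailed log attachment after it has been extracted to a directory: it picks the newest upgrade*.log by modification time and searches it for the marker path, tolerating the line wrapping that mail clients introduce into long paths. The log contents written by build_sample_logs() are constructed for the example and are not real appliance output.

```python
"""Check extracted MARS appliance logs for the 4.1.1 -> 4.1.2 (2040) upgrade success marker."""
import glob
import os
import tempfile

# Path that the release notes say is opened in a successful 4.1.1 -> 4.1.2 (2040) upgrade log.
SUCCESS_MARKER = (
    "/etc/data/secondarytables/reports/"
    "Report.0.Resource-Issues--IOS-IPS-DTM---All-Events.xml"
)


def newest_upgrade_log(log_dir):
    """Return the most recently modified upgrade*.log under log_dir, or None if there is none."""
    candidates = glob.glob(os.path.join(log_dir, "upgrade*.log"))
    if not candidates:
        return None
    return max(candidates, key=os.path.getmtime)


def upgrade_succeeded(log_path):
    """True if the marker path appears in the log, even if a mail client wrapped the line."""
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    # The marker contains no whitespace, so stripping all whitespace re-joins a wrapped
    # path (".x\nml" becomes ".xml") without creating false matches.
    return SUCCESS_MARKER in "".join(text.split())


def check_directory(log_dir):
    """Classify the newest upgrade log in log_dir as 'ok', 'failed', or 'no-log'."""
    latest = newest_upgrade_log(log_dir)
    if latest is None:
        return "no-log"
    return "ok" if upgrade_succeeded(latest) else "failed"


def build_sample_logs():
    """Write two constructed upgrade logs (sample data, not real appliance output).

    Returns (log_dir, older_failed_log, newer_successful_log).
    """
    log_dir = tempfile.mkdtemp(prefix="mars-logs-")
    older = os.path.join(log_dir, "upgrade.1.log")
    newer = os.path.join(log_dir, "upgrade.2.log")
    with open(older, "w", encoding="utf-8") as fh:
        fh.write("upgrade to 4.1.2 (2040) started\n")  # no marker: a failed run
    with open(newer, "w", encoding="utf-8") as fh:
        fh.write("upgrade to 4.1.2 (2040) started\n"
                 "Opening file: \n"
                 "/etc/data/secondarytables/reports/"
                 "Report.0.Resource-Issues--IOS-IPS-DTM---All-Events.x\n"
                 "ml\n")  # marker present, wrapped the way a mailed log often is
    os.utime(older, (1_000_000, 1_000_000))  # pin mtimes so "newest" is deterministic
    os.utime(newer, (2_000_000, 2_000_000))
    return log_dir, older, newer


if __name__ == "__main__":
    sample_dir, _, _ = build_sample_logs()
    print(newest_upgrade_log(sample_dir), check_directory(sample_dir))
```

Run it against the directory you extracted the attachment into; a result of "failed" means the marker is absent and, as the note above says, the upgrade must be treated as unsuccessful regardless of what the version command reports.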

To upgrade from 4.1.1, or from a successful or unsuccessful 4.1.2 (2040), to 4.1.2 (2042), download the package and perform the upgrade as defined in Checklist for Upgrading the Appliance Software. If you are upgrading from 4.1.1, you must also execute the following command at the CLI of the upgraded MARS Appliance:

script -b patch_or_04_1_16.sh

The 4.1.2 (2042) image includes an additional command `script' that cleans the database of the data referenced in CSCsc31386. As a result of running the script, the total upgrade process from 4.1.1 to 4.1.2 (2042) may take much longer than previous releases; it depends on the amount of data stored on the MARS Appliance. For a MARS 200, it could double the normal upgrade time to two hours. To determine whether the script is still running, enter the following command and look for `patch_or_04_1_16.sh' anywhere in the output:

sysstatus -n 1 -b

Upgrade to 4.1.1

The following notes relate to changes in your system or configuration as a result of upgrading to MARS 4.1.1.

Prior to the 4.1.1 release, CSA was identified by the device type name Cisco CSA 4.0. As part of an upgrade, any Cisco CSA 4.0 devices were renamed as Cisco CSA 4.x. This new name includes support for Cisco CSA 4.0 and 4.5.

The new case management replaces the Escalate Incident functionality in MARS 3.4.4 and earlier. However, escalated incidents are not converted to cases during the upgrade process. Therefore, you must close all open escalations before upgrading to MARS 4.1.1 (CSCsb52057).

Required Upgrade Path

When upgrading from one software version to another, a prerequisite version is always required. This prerequisite version is the minimum level that must be running on the appliance before you can upgrade to the most recent version. Table 1 identifies the upgrade path that you must follow to reach the minimum level required to upgrade to the current version.

Table 1 Upgrade Path Matrix

From Version                     Upgrade To (1)                      Upgrade Package
releases prior to 2.5.6          Contact Cisco Support               n/a
2.5.6                            3.1.1                               pn-3.1.1.pkg
3.1.1                            3.2.1                               pn-3.2.1.pkg
3.2.1                            3.2.2                               pn-3.2.2.pkg
3.2.2 or 3.3.2 Beta              3.3.3*                              pn-3.3.3.pkg
3.3.3                            3.3.4*                              pn-3.3.4.pkg
3.3.4                            3.3.5*                              pn-3.3.5.pkg
3.3.5                            3.4.1*                              pn-3.4.1.pkg
3.4.1                            3.4.2                               pn-3.4.2.pkg
3.4.2                            3.4.3                               pn-3.4.3.pkg
3.4.3                            3.4.4                               pn-3.4.4.pkg
3.4.4                            4.1.1                               csmars-4.1.1.pkg
4.1.1                            4.1.2 (2042) + script command       csmars-4.1.2.pkg (2)
4.1.2 (2040) without error       4.1.2 (2042)                        csmars-4.1.2.pkg (2)
4.1.2 (2042)                     4.1.3                               csmars-4.1.3.pkg
4.1.3                            4.1.4                               csmars-4.1.4.pkg
4.1.4                            4.1.5                               csmars-4.1.5.pkg

(1) An asterisk (*) next to a version in this column identifies an upgrade that must be performed from the command line, because GUI support was lost with the closing of the upgrade.proteogonetwork.com website.

(2) To upgrade from 4.1.1 or 4.1.2 (2040) to 4.1.2 (2042), review the special upgrade notes in the Quick Install and Release Notes for Cisco Security MARS Appliance 4.1.2 (2042).


Downloading the Upgrade Package from CCO

Upgrade images and supporting software are found on the CCO software download pages dedicated to MARS. You can access these pages at the following URLs, assuming you have a valid CCO account and have registered the SMARTnet contract number for your MARS Appliance.

Top-level page: http://www.cisco.com/cgi-bin/tablebuild.pl?topic=279644034

Upgrade files: http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars

Recovery image files: http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-recovery

Supporting files: http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc


Note If you are upgrading from a version earlier than those posted on CCO, please contact Cisco support for information on obtaining the required images. Do not attempt to skip versions along the upgrade path.


For information on obtaining a CCO account, see the following URL:

http://www.cisco.com/en/US/applicat/cdcrgstr/applications_overview.html

Important Notes

The following notes apply to the 4.1.5 release:

Do not use DISTINCT or SAME in queries, and do not run multi-line queries in Release 4.1.5. If you run such a query, the system times out after 20 minutes without returning any results, and the message "Timeout Occurred" appears instead. You can still use DISTINCT and SAME in a query that you use to create a rule through the Query interface.

For Symantec AntiVirus, the Symantec agent hostname (AV client computer name) appears in the "Reported User" column of the event data. Therefore, you can define a query, report or rule related to this agent based on the "Reported User" value.

The False Positive and Query pages (multi-column result format) have changed. You can now query on firing events that triggered false positives within a time interval. Such queries will render events that did not appear on the False Positive page. To ensure performance, the False Positive page only displays false positives from the most recent 10,000 firing events. To view additional false positives, you must perform a query.

Compatibility Notes

Recent versions of Linux, such as Red Hat Enterprise Linux 4.0, Fedora Core 3 and 4, and Debian, have IPv6 mode enabled by default in the kernel module. This mode adds extra information to event messages, such as sshd log messages pulled from a Linux client, which results in MARS identifying an invalid source IP address. An example symptom is "::ffff:" prepended to the expected source IP address (the IPv4-mapped IPv6 form of the address).

To ensure proper processing and correlation of the event data, disable IPv6 support.
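To see what the symptom looks like, and to neutralize it on a relay when IPv6 cannot be disabled on the reporting host, the following Python snippet (an added example, not Cisco code) rewrites IPv4-mapped IPv6 addresses such as ::ffff:192.0.2.10 back to plain IPv4 before a log line reaches a parser. The sshd log lines are constructed for the example, and the `from <addr>` extraction in source_ip() is a stand-in for the appliance's own sshd parser, whose internals this page does not describe.

```python
"""Rewrite IPv4-mapped IPv6 source addresses in Linux sshd log lines to plain IPv4."""
import ipaddress
import re

# A compressed IPv6 token: optional leading hex group, '::', then hex/colon/dot characters.
# IPv4-mapped addresses always carry the '::ffff:' prefix in this form, so they match;
# plain IPv4 addresses and syslog timestamps (single colons) do not.
MAPPED_RE = re.compile(r"[0-9A-Fa-f]*::[0-9A-Fa-f:.]*[0-9A-Fa-f]")

# Constructed sample lines in the shape of sshd messages pulled from a Linux client.
SAMPLE_LINES = [
    "Apr 26 10:23:45 host1 sshd[2210]: Failed password for root from ::ffff:192.0.2.10 port 4711 ssh2",
    "Apr 26 10:24:01 host1 sshd[2215]: Accepted publickey for ops from 198.51.100.7 port 50122 ssh2",
    "Apr 26 10:24:30 host1 sshd[2220]: Failed password for invalid user admin from ::ffff:c000:20b port 4712 ssh2",
    "Apr 26 10:25:02 host1 sshd[2231]: Connection closed by ::1 port 33102",
]


def normalize_addr(token):
    """Return the embedded IPv4 address for an IPv4-mapped IPv6 token; otherwise the token unchanged."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return token
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)  # both ::ffff:a.b.c.d and ::ffff:xxxx:xxxx forms
    return token


def normalize_line(line):
    """Rewrite every IPv4-mapped address in a log line; genuine IPv6 addresses are left alone."""
    return MAPPED_RE.sub(lambda m: normalize_addr(m.group(0)), line)


def source_ip(line):
    """Extract the address after 'from ' once normalized (stand-in for the appliance parser)."""
    match = re.search(r"\bfrom (\S+)", normalize_line(line))
    return match.group(1) if match else None


def is_valid_ipv4(text):
    """True if text is a well-formed IPv4 address, i.e. what the correlator expects to see."""
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv4Address)
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        raw = re.search(r"\bfrom (\S+)", line)
        print(raw.group(1) if raw else None, "->", source_ip(line))
```

The ipaddress module, not a hand-written prefix strip, decides whether a token is IPv4-mapped, so the hex form ::ffff:c000:20b is handled as well as the dotted form and a real IPv6 address such as ::1 is never mangled.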

Quick Install Notes

It is recommended that users read the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System. However, for those users who simply want to get the MARS Appliance up and running, the following two topics, taken from the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, summarize the hardware installation and initial software configuration:

1. Installation Quick Reference

2. Checklist for Initial Configuration

Installation Quick Reference

Table 2 provides an overview of the installation and initial configuration process. Following installation and initial configuration, see the following publications for information on how to use a browser and the HTML interface to fully configure your MARS Appliance to provide the security threat mitigation (STM) services you want from this installation:

User Guide for Cisco Security MARS Local Controller 4.1.x

User Guide for Cisco Security MARS Global Controller 4.1.x

Table 2 Quick Reference

Task                                                            References in Install Guide
Use the rack mount kit to install the MARS Appliance in a rack. Installing the MARS Appliance in a Rack
Connect the MARS Appliance to an AC power source.               Connecting to the AC Power Source
Connect network and console cables.                             Connecting Cables
Turn on the appliance.                                          Powering on the Appliance and Verifying Hardware Operation
Verify initial power up.                                        Powering on the Appliance and Verifying Hardware Operation
Perform initial configuration of the MARS Appliance.            Checklist for Initial Configuration (presented in the next section of this document)
Configure the MARS Appliance to monitor reporting devices.      Next Steps


Checklist for Initial Configuration

Initial configuration of the appliance accomplishes several goals:

Introduces the two user interfaces to MARS: the command line interface (CLI) and the web interface.

Licenses the appliance.

Prepares the appliance to monitor and communicate on your network.

Configures the system time so that event correlation works properly.

Ensures the system administrative account is configured properly.

Ensures appliance is running the most recent version of software.

The following checklist describes the tasks required to initially configure your MARS Appliance. Each task might contain several steps; the tasks and steps within should be performed in order. The checklist contains references to the specific procedures used to perform each task.

Task

1. Establish a console connection to the appliance.

Initial configuration requires a console connection to access the CLI. You should establish this connection with the power turned off on the MARS Appliance. Three console connection options exist:

A direct console connection to the appliance using a keyboard and monitor

A standard serial console connection between a computer and the appliance using a terminal emulation package

An Ethernet console connection between a computer and the appliance using a terminal emulation package

After you have chosen and configured your console connection, you must power up the appliance.

Result: The appliance is powered up and you can see the command line prompt through your console connection.

For more information, see:

Establishing a Console Connection

2. Command Line Configuration: Setting the system administrative account's default password and configuring the interfaces.

The command line configuration is separated into three tasks, each task being separated by a reboot of the appliance. The first task involves performing three to four procedures:

Collect the information required to configure the appliance to operate optimally on your network.

Log in to the appliance and change the password associated with the system administrative account (pnadmin).

Configure the eth0 network interface, specifying the default gateway and IP address and network mask pair for that interface.

(Optional) Configure the eth1 network interface, specifying the IP address and network mask pair for that interface.

Each MARS Appliance has two Ethernet interfaces: eth0 and eth1. The eth0 interface is the dedicated interface used for collecting event data and logs from your network. The eth1 interface is intended for use in an out-of-band management (OOBM) network or for a console connection. Therefore, your default gateway and IP address/mask values should focus on the network connections to be used to monitor the data streams of reporting devices, and these settings should be applied to eth0.

Note The MARS Appliance does not allow you to configure both of its interfaces on the same network.

Result: The default password is no longer associated with the system administrative account, and the appliance is more secure. Also, the eth0 interface is configured to communicate on your network. When you complete the IP address configuration changes for either interface, the appliance reboots.

For more information, see:

Configuring Basic Network Settings at the Command Line

Change the Default Password of the System Administrative Account

Specify the IP address and Default Gateway for the Eth0 Interface

(Optional) Specify the IP Address and Default Gateway for the Eth1 Interface

3. Command Line Configuration.

The second task of the CLI configuration involves setting the hostname of the appliance. The hostname is used to uniquely identify which appliance collects a specific log and which appliance fires an inspection rule. This unique identity is especially important in an environment where a Global Controller is running. To complete this task, you must:

Log in to the appliance using the system administrative account and the new password.

Set the hostname of the appliance.

Result: The hostname is configured for the appliance. The appliance reboots.

For more information, see:

Specify the Appliance Hostname

4. Command Line Configuration.

The third and final task of the initial CLI configuration involves specifying those settings that help ensure the integrity of the event correlation and complete your network connection, allowing access to the appliance from other hosts on the network. In other words, after you complete this phase, you can connect to and complete the appliance configuration using a non-console connection from any host on your network. To complete this task, you must:

Log in to the appliance using the system administrative account and the new password.

Set any additional static routes.

Set the clock.

Set the NTP server settings.

Set the DNS domain name.

Connect the appliance to the network (that is, plug in the Cat 5 cables.)

Result: You now have network connectivity. You can access the CLI using a Secure Shell (SSH) client on any host that can reach the appliance, and you can log in to the web interface to complete the initial configuration.

For more information, see:

Specify the Time Settings

Set Up Additional Routes

Completing the Cable Connections

5. Complete initial configuration using the web interface.

After you have completed the cable connections to the MARS Appliance, defined the required network connection settings, and specified any additional static routes, you can start the web interface configuration process. Verify the configuration settings of your browser before configuring the MARS Appliance (see Web Browser Client Requirements).

During this phase, you configure the following:

Appliance license

Zone identification (Global Controller only)

E-mail server identification

DNS addresses

E-mail address for the system administrative account (pnadmin)

TACACS/AAA login prompt settings

Result: You have configured your appliance to communicate on the network, properly correlate events, and issue system e-mails to a monitored e-mail address.

For more information, see:

Completing the Configuration using MARS web interface

Licensing the Appliance

Verifying and Updating Network Settings

Specifying the DNS Settings

Configure E-mail Settings for the System Administrative Account

Configure TACACS/AAA Login Prompts

6. Upgrade the appliance to the most recent software version.

The software version determines the currency of signatures, system inspection rules, features, and bug fixes. An important part of your security solution is ensuring that you maintain the most up-to-date software on the MARS Appliance. This process involves preparing an upgrade strategy and selecting a method, determining your current version, identifying the most recent version, and downloading and applying all intermediate versions of the software.

Result: The appliance is running the most recent version of software.

For more information, see:

Checklist for Upgrading the Appliance Software


Caveats

This section describes the open and resolved caveats with respect to this release.

Open Caveats - Release 4.1.5

Resolved Caveats - Release 4.1.5

Resolved Caveats - Releases Prior to 4.1.5

Open Caveats - Release 4.1.5

The following caveats affect this release.

Reference Number
Description

CSCse03134

Issue: More control is needed over retrieve raw messages and cleanup

Description: Repeated use of the `Retrieve Raw Messages' feature results in the following error message:

java.io.IOException: No space left on device.

This occurs if `Retrieve Raw Messages' is used excessively within a short period of time.

Workaround: None. These files are cleaned up automatically after two weeks.

CSCse00251

Issue: process_inlinerep_srv ignores Rule Groups as selection/filtering criteria

Workaround: You can avoid this issue by defining a Rule Group for every rule that is to be used in a scheduled report.

CSCse00668

Issue: rule definition changes can lead to empty reports

Workaround: You can avoid this issue by defining a Rule Group for every rule that is to be used in a scheduled report.

CSCse00626

Issue: IP Management device group displays hosts only

Description: The View > Host option on the Management > IP Management page filters out all devices defined on the Security and Monitor Devices page, including from Device Groups, which in itself is expected behavior. However, this introduces an inconsistency, because any type of device can be added to a Device Group through the Edit/Add Group button. After clicking Submit, the group lists only the Host entries, typically a subset of all devices belonging to the group, which can be confusing to the user.

Workaround: To view the actual contents of a group, select the device group and click the Edit Group button.

CSCsd96070

Issue: Data refreshes can take a long time when attempting to view the report data associated with a case.

Description: Due to the issues identified in CSCsd96067, viewing all of the data contained in a case that contains multiple reports can take a long time to load.

By default, reports attached to cases limit their results to 25 per page. Because each report has its own paging value, and because of the issues identified in CSCsd96067, attempting to view all of the data in each report attached to a case by changing the paging value to something larger can take a long time.

Workaround: Limit the number of reports attached to a case and restrict the number of events returned to only that which is required.

CSCsd96067

Issue: Report e-mails can become large when selecting the raw message format for all matching events.

Description: Because MARS now allows reports to return up to 5000 events, rather than the previous limit of 1000 events, the report size can be much larger than previously experienced (10-15 MB, depending on the data returned).

Workaround: To avoid this issue, define exact report parameters and restrict the number of events returned to only that which is required.

CSCsd96048

Issue: When using case management, choosing to e-mail case data can generate very large e-mails.

Description: Due to the issues identified in CSCsd96067, choosing to e-mail a case that contains multiple reports can compound the problem of large e-mails.

Workaround: Limit the number of reports attached to a case and restrict the number of events returned to only that which is required.

CSCsd95582

Issue: Both successful/failed mitigation reports show same results

Description: In the 4.1.5 release, a query based on either the "CS-MARS Host Mitigation - Failure - All Events" or the "CS-MARS Host Mitigation - Success - All Events" report retrieves all events associated with a session, which is why both report types display both failed and successful raw messages.

Workaround: None.

CSCsd93235

Issue: MARS can take up to 1 hour to connect to all IPS devices (when there are 60 or more devices) the first time the process comes up.

Workaround: None.

CSCsd92285

Issue: MARS does not perform a duplicate IP address check in the Admin > Security and Monitor Devices page

Description: In the 4.1.5 release, MARS does not perform a duplicate IP address check for agents, sensors, and firewalls matching one of the following host-based applications:

CheckPoint Opsec NG FP3

Cisco CSA 4.x

Enterasys Dragon 6.x

Entercept Entercept 2.5

Entercept Entercept 4.0

IntruVert IntruShield 1.5

NetScreen IDP 2.1

Symantec Anti Virus 9.x

As such, avoid using duplicate IP addresses to prevent event correlation issues with your MARS Appliance. In addition, when you add or edit a host using the Security and Monitor Devices page, no duplicate IP address checks are performed. Avoid using an existing IP address as the host IP address when adding or editing a host.

Workaround: MARS does perform a duplicate IP address check on the IP Management page. We recommend that you add or edit the IP address of hosts using this page and that you add components to such defined hosts using the Security and Monitor Devices page. You must manually avoid the use of duplicate IP addresses when defining the host-based reporting devices listed above.

CSCsd89457

Issue: Incorrect handling of time range for rules that fire periodically

Description: To reduce false positives, after a rule fires for the first time, an interval of 5 minutes must elapse before newly received events can trigger the rule to fire again. After the second time the rule fires, the interval is extended to 10 minutes. The fire count is reset to 0 when no event matching the rule is received within the past <time range> seconds.

For rules that fire once every 5 or 10 minutes, more events than the rule count can accumulate, which is by design. Among these accumulated events, the first <count> events in an offset should fall within the time range of the rule; however, this is not the case, and the result is a higher false positive rate for incidents.

Workaround: None.

CSCsd86896

Issue: When editing the query type, clicking Clear does not work.

Description: When editing a query type, clicking Clear can actually commit changes to the query type definition rather than clearing any changes made by the user.

Workaround: None.

CSCsd84094

Issue: Problems occur when a report definition contains a rule as a selection criteria and the rule definition is later changed.

Description: This issue occurs because each changed rule is given a new rule ID. The old rule ID is deactivated so that it does not fire, but the report definition points to the stale ID rather than the new ID created when the rule definition was changed. As a result of this stale reference, no results appear for the affected reports, even though a new query based on the same criteria returns results.

Workaround: Use rule groups, instead of direct rule reference, in report definitions. The group will always point to the current rule definition instead of pointing to a stale rule definition.

CSCsd79730

Issue: Device Groups created on Global Controller do not show up in Global Controller drop down list of groups

Description: If you define a Device Group in Global Controller, the group is propagated to its monitored Local Controllers, but the new group does not appear in the Select Group list on the Management > IP Management page of the Global Controller web interface.

Workaround: None.

CSCsd74283

Issue: Report results are purged after a fixed time period.

Description: In releases 4.1.4 and earlier, report results were retained in the database for up to 365 days. However, as of 4.1.5, the maximum number of stored report results was increased from 100 to 1,000 for ranking reports and 1,000 to 5,000 for event/session reports. As a result, the retention period was reduced to 3 months for MARS 20 and MARS 50 models and to 6 months for the MARS 100, MARS 200, MARS GC, and MARS GCm models.

Workaround: None.

CSCsd69137

Issue: Default Group in Scheduler need to be made to Run On Demand

Description: The Default Group in Scheduler is currently set to run on the 1st day of every month. Any devices or networks added in the web interface or discovered are automatically added to this group. Thus, this discovery often returns more devices than desired.

The default behavior of this group is such that MARS learns of additional networks through user input and each discovery operation. Therefore, this default scheduled group can progressively discover new devices through subsequent discoveries.

Workaround: Under Admin > System Setup > Topology/Monitored Device Update Scheduler, edit the Default Discovery Group and change the schedule to Run On Demand Only.

CSCsd69063

Issue: A MARS custom parser cannot parse a reported user field that contains a single quote character.

Workaround: None.

CSCsd61749

Issue: pnrestore does not restore some configuration settings

Description: Settings that are specific to the operating system and not configurable within the MARS HTML interface are not stored in the database, and therefore, they are not restored during pnrestore operation.

For example, the pnrestore command does not restore static routes or NTP server settings defined at the CLI.

Workaround: Manually re-enter these settings from the command line.

CSCsd53173

Issue: Retrieve raw messages doesn't properly update the progress percentage

Description: When retrieving raw messages using Admin > System Maintenance > Retrieve Raw Messages, a percentage complete is displayed. This interface is not properly updated.

Workaround: Please wait for the task to complete.

CSCsd22832

Issue: Some networks cannot be removed from the IP Management tab of the Management section of the Web interface.

Description: The attempt fails with error message: "You cannot delete this network as it is used in discovery."

The error occurs when trying to delete a network that was added into the MARS automatically during device discovery. Those networks cannot be deleted in currently available versions.

Workaround: None.

CSCsc89884

Issue: MARS does not pull log from a Windows box if both pull/push are checked

Description: If only pulling or only pushing is checked, either works fine. But when both pulling and pushing are checked in the MARS GUI for a Windows machine, MARS does not pull Windows event logs for this device.

Workaround: Verify that only one of the options is selected.

CSCsc59363

Issue: Multi-line rules are difficult to edit.

Description: Editing multi-line rules can be confusing, particularly if you want to remove a line from a rule.

Workaround:

1. In the line above the line that you wish to remove, click on the link taking you to the "Severity" cell.

2. Click Next.

A dialog box appears, prompting whether you are finished defining the rule conditions.

3. Click Yes.

A warning message appears stating that the subsequent lines will be removed from the rule.

4. To remove all lines underneath the selected one, click OK to confirm the warning.

CSCsc50636, CSCsc50652

Issues: pnids50_srv process runs at 99% CPU when pulling large IP Logs

pnids50_srv process reaches 1GB in memory used when pulling IP Logs

These related issues are specific to pulling IP logs from Cisco IDS/IPS devices. The symptom is that the pnids50_srv and pnids40_srv services consume the system resources on the MARS Appliance. An improper configuration of the sensor can significantly degrade the performance of the sensor as well as that of MARS.

Workaround: Ensure that the settings for IP log creation on the sensor limit the size of the IP log (in terms of number of bytes or number of packets captured). Also, verify that IP packet logging is enabled only for signatures of interest and not for all signatures.

In addition, a 100-file maximum is enforced for the log file queue when MARS is configured to pull IP log files, so it may not pull every IP log file. Also, the complete IP log file may not be pulled; instead, data is pulled from the file starting 5 minutes before the alert was generated through the end of the file.

CSCsc49248

Issue: A drop rule for "inactive reporting device" does not work.

Description: There are six internally generated event types in CS-MARS 4.1.x:

1. Sudden traffic increase event

2. Resource high usage event

3. Inactive reporting device detection event

4. VA integration event

5. Mitigation result event

6. DTM event

Events generated for items 4, 5 and 6 are processed against drop rules. However, items 1, 2 and 3 cannot be dropped as they are not processed against drop rules by design. Items 1, 2 and 3 record the history of what happened on the network and are retained in the database.

Workaround: You can delete the inactive device from CS-MARS or ensure that it is reachable by CS-MARS. For other event types, there is no workaround.

CSCsc23874

Issue: Resource Utilization reports are incorrectly available to be run as a query.

Workaround: Do not attempt to run any of the following reports as an On Demand query or to use them as part of a user-defined group:

Resource Utilization: Bandwidth: Inbound - Top Interfaces

Resource Utilization: CPU - Top Devices

Resource Utilization: Bandwidth: Outbound - Top Interfaces

Resource Utilization: Concurrent Connections - Top Devices

Resource Utilization: Errors: Inbound - Top Interfaces

Resource Utilization: Errors: Outbound - Top Interfaces

Resource Utilization: Memory - Top Devices

CSCsc04484

Issue: The rule or report list on a Local Controller (LC) appears empty after deleting a Global Controller (GC) report or rule group.

1. From the Rules or Reports page in the GC HTML interface, create a rule or report group with some elements in it.

2. Activate to push the group down to the monitored LC.

3. From the Rules or Reports page of a LC HTML interface, select the newly-created GC group in the filter list.

Result: The members of that group are listed.

4. Select the Summary page.

5. Select the Rule or Report page.

Result: The group is still selected as the "filter" for that page

6. Select the Summary page.

7. In the GC HTML interface, delete the rule/report group.

8. Activate to push changes down to the monitored Local Controllers.

9. In the LC HTML interface, navigate back to rule/report page.

Result: The filter list has "All" selected, but no rules or reports appear on the page.

Workaround:

1. Select another option in the filter list, and then All.

Result: The list of all rules/reports appears.

CSCsb80082

Issue: When you remove/delete a Local Controller from a Global Controller, the Local Controller should revert to the Standalone mode. However, if you add the Local Controller to the Global Controller and delete it before you exchange certificates between the two appliances, then the mode does not revert.

Workaround: You can work around this issue by ensuring that you always import the certificate from the Local Controller before you attempt to remove it from the Global Controller.

CSCsb77550

Issue: Re-importing CSA or Symantec agents fails.

When the user tries to import agents from a CSV seed file, the following error message appears:

Error Occurred:
Status: DbDevice

Result: The import fails.

Workaround: If you import an agent list once, you must manually synchronize the agent list afterward; re-importing the list of agents will not work.

CSCsb71309

Issue: In Cisco Security Monitoring, Analysis and Response System (MARS) release 3.4.4 and earlier, queries that are run from a Global Controller (GC) which have no results returned from any of the attached Local Controllers (LCs) will show up as "In Progress" in the GUI.

This occurs in a GC/LC environment, and only when a global query returns 0 results from every one of the LCs.

Workaround: You may have to wait up to 10 minutes for a GC Query status to be marked as "Finished", after all LCs have finished running the query.

CSCsb71298

Issue: In Cisco Security Monitoring, Analysis and Response System (MARS) Release 3.4, queries submitted from a Global Controller (GC) that are less than 10 minutes in length will appear as being "In Progress" on the GC, even after the attached Local Controllers (LCs) have finished running the query.

This will only occur in a GC/LC environment if a query is run over a duration less than 10 minutes.

Workaround: Query over time ranges that are no less than 10 minutes in length.

CSCsb67871

Issue: After re-installing a Local Controller, the zone and device data is lost in the Global Controller.

Workaround: Before you re-install (using a Recovery DVD) a Local Controller, you must delete that Local Controller and zone from the managing Global Controller.

CSCsb64587

Issue: After Global Controller restore, the Local Controller certificates are missing.

Workaround: After restoring a Global Controller, you must re-import the certificates of each managed Local Controller before communications are restored.

CSCpn03077

Issue: Global Controller generates a system error when you add a Local Controller that was added already

Workaround: Before adding a Local Controller, verify that you have not previously added it to the Global Controller. If you do encounter this error, restart the GUI by closing your web browser and logging in again.

CSCpn03074

Issue: On the Incidents page of a Global Controller, the View and Show buttons do not work for incidents pushed up from the monitored Local Controllers.

CSCpn03070

Issue: If you upgrade a Global Controller/Local Controller pair, the Local Controller may appear offline for the first 10 minutes after the appliances reboot. The scheduler wakes up and re-syncs 10 minutes after startup.

Resolution: If you notice that the Local Controller appears offline, verify that at least 10 minutes have passed since the appliances rebooted. Alternatively, you can jump start the communication by navigating to Admin > Local Controller Management in the Global Controller user interface.

CSCpn03057

Issue: Copied rules have a shortened year in front, which is confusing (e.g., 05.04.19). When you duplicate a system rule, the newly created rule has a timestamp appended to it. The date format is unclear, but it is YY.MM.DD.

CSCpn03052

Issue: JBoss 'OutOfMemoryError' when accessing the Management/Event Management tab.

Workaround: Avoid using the 10,000 items per page on the Event Management page.

CSCpn02976

Issue: GC:LC - Communication issues after time zone change. After initial configuration, if you change the time zone on a communicating GC:LC pair, there may be problems with communications between the GC and LC.

Workaround: If you notice that the Local Controller appears offline, verify that at least 10 minutes have passed since the appliances rebooted. Alternatively, you can jump start the communication by navigating to Admin > Local Controller Management in the Global Controller user interface.

CSCpn02973

Issue: Not able to downgrade a Security Analyst to Notification only user. When you define a user account with the Security Analyst role, you cannot downgrade that role to Notification only.

CSCpn02968

Issue: Network group search is not working for "All IP addresses". If you select All IP addresses as the search space, the results may be inconsistent with the expected results.

CSCpn02901

Issue: GC/LC, rule does not display user <cxu> but allows such cfg

Workaround: Avoid using special characters in the keyword search for rules. The list of special characters not supported is as follows:

less-than (<) &lt;

greater than (>) &gt;

ampersand (&) &amp;

CSCpn02883

Issue: Event management search works only for event description. You cannot search on other fields, such as Event ID.

CSCpn02869

Issue: Rules editing: changing entry for select window drop-down list after error message results in the state not being saved.

Workaround: This issue appears when you have attempted to define an invalid rule and an error message appears. For example, while editing a user inspection rule:

1. Click Sources field.

2. Remove all sources.

3. Click Submit.

Result: Dialog box appears and prompts "please select one".

4. In the select window drop-down list, select "All Devices"

Result: Rule submission window appears and contains a blank Sources field.

To work around this issue, click one of the top tabs to cancel your work and redo your edit without submitting an invalid rule (as shown in Step 3).

CSCpn02804

Issue: Replay History feature not working correctly. When you configure a query that triggers replay history, the results are usually incorrect. The following cases will trigger a replay history:

a query that uses AND or Followed By

a query that uses the $ variables, such as $EventType, $Device1, etc.

a query that uses NOT EQUAL TO a service

If you define an invalid query, MARS will be in a compromised state where queries will continue to fail, even if they are constructed correctly after the invalid query. To resolve this issue, log in to the CLI and pnstop/pnstart the MARS system, then re-run your valid query.

CSCpn02688

Issue: Viewing a report on a Global Controller and viewing the corresponding report on the Local Controller may differ in time slightly.

CSCpn02666

Issue: The email sent when a batch query completes may not have data in the graph if the query only returns one result.

CSCpn02656

Issue: Leaving the browser on the Summary page for an extended period of time (several days) may occasionally run into an error.

Workaround: Refresh the page to return to the GUI.

CSCpn02653

Issue: No way to specify "!Keyword" without a good "keyword"

Workaround: Keyword search requires two keywords to use the "NOT" operator. For example, you cannot specify `NOT nimda'; instead, you must specify something like `virus NOT nimda'.

CSCpn02594

Issue: Clicking on the Path/Mitigate link in an incident that was fired from a device that has since been deleted may result in an error.

CSCpn02574

Issue: Having different times on the Global Controller and its associated Local Controllers may cause synchronization problems.

Workaround: Use the CLI to configure NTP or manually set the date and time to be the same on the Global Controller and Local Controllers.

CSCpn02566

Issue: Rebooting the MARS while the box is in the upgrading state may cause system configuration errors.

CSCpn02558

Issue: After adding and deleting an agent or sensor to a host, adding a sensor with the same name and type as the previously deleted one back to that host will not work.

Workaround: Use a different agent/sensor name the second time around.

CSCpn02549

Issue: When viewing report results, clicking on "Edit" or "Clear" in the query summary at the top of the page results in a JavaScript error.

Workaround: Click directly on the "Report type" link to edit the query.

CSCpn02511

Issue: In migrating "Microsoft, Windows, Generic" device type to three new Windows device types, errors in affected OS could affect data migration and cause confusion about appropriate selection.

Workaround: When migrating data, you should make the following mappings for the OS name:

Map "2000" to "Windows 2000"

Map "Windows 2000 Professional Server" to either "Windows 2000 Professional" or "Windows 2000 Server" after verifying the data.

Map "NT" to "Windows NT"

Map "Microsoft Windows NT 4.0" to "Windows NT". Microsoft should be in vendor field and 4.0 should be in version field.

CSCpn02470

Issue: Using passwords with the "," (comma) or "'" (quote) characters may cause problems with loading devices from csv files.

Workaround: Avoid using passwords with these characters for the time being.
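Commas and quotes only break a CSV import when the file is written or read without the quoting rules of RFC 4180, so the safer fix on the operator's side is to check the seed file before loading it. The following Python example is added here and is not part of these release notes or of the MARS software; the four-column layout (hostname, ip, username, password) and the lint rule are assumptions. It contrasts a naive comma-join writer and splitter with the csv module's quoting, and includes a pre-flight check that flags rows whose field count is off and passwords containing the characters this caveat names plus the double quote.

```python
import csv
import io

# Constructed sample rows for a device seed file. The column layout
# (hostname, ip, username, password) is an assumption for this example,
# not the MARS seed-file format.
SAMPLE_DEVICES = [
    ("fw-edge-1", "10.0.0.1", "admin", "plain-pass"),
    ("fw-edge-2", "10.0.0.2", "admin", "pa,ss"),        # comma inside the password
    ("rtr-core-1", "10.0.0.3", "ops", "it's'a'pass"),   # single quotes
    ("sw-1", "10.0.0.4", "ops", 'say "hi"'),            # double quotes
]

# Characters the caveat names (comma, single quote) plus the double quote.
RISKY_CHARS = set(",'\"")


def naive_csv_dump(rows):
    """A writer that joins fields with commas and never quotes anything."""
    return "\n".join(",".join(r) for r in rows) + "\n"


def naive_csv_load(text):
    """A loader that splits each line on commas; a comma inside a field shifts every later column."""
    return [tuple(line.split(",")) for line in text.splitlines() if line]


def rfc4180_csv_dump(rows):
    """Quote fields containing the delimiter or a quote, doubling embedded quotes (RFC 4180)."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def rfc4180_csv_load(text):
    """Parse with the standard csv module, which honours quoting."""
    return [tuple(row) for row in csv.reader(io.StringIO(text))]


def round_trip_ok(rows, dump, load):
    """True when writing the rows and reading them back reproduces them exactly."""
    return load(dump(rows)) == list(rows)


def lint_seed_file(text, expected_fields=4, password_col=3):
    """Pre-flight check to run before importing a seed file.

    Returns (line number, finding, detail) tuples for rows whose field count is
    wrong (a sign that an unquoted comma has split a field) and for passwords
    that contain a comma, single quote or double quote, so those credentials can
    be reset or entered by hand instead of risking a mis-parsed import.
    """
    findings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:
            continue
        if len(row) != expected_fields:
            findings.append((lineno, "field-count", len(row)))
            continue
        risky = "".join(sorted(RISKY_CHARS & set(row[password_col])))
        if risky:
            findings.append((lineno, "risky-chars", risky))
    return findings


if __name__ == "__main__":
    print("naive round trip:", round_trip_ok(SAMPLE_DEVICES, naive_csv_dump, naive_csv_load))
    print("rfc4180 round trip:", round_trip_ok(SAMPLE_DEVICES, rfc4180_csv_dump, rfc4180_csv_load))
    for finding in lint_seed_file(rfc4180_csv_dump(SAMPLE_DEVICES)):
        print("line %d: %s %s" % finding)
```

Run as a script it shows the naive round trip failing on the row whose password holds a comma while the quoted form survives; the lint output still lists every password with a risky character, because a strict importer may reject such rows even when the file itself is well formed.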

CSCpn02414

Issue: Long keyword strings in rules or reports can cause parts of the GUI layout to be pushed out of the browser window's edges.

CSCpn02410

Issue: The MARS stores reported user names in a case-sensitive fashion. Devices that report case-insensitive user names can behave counter-intuitively if they report names inconsistently.

CSCpn02398

Issue: Reserved XML characters are not supported in the Keyword Search on the Rule page

Workaround: Avoid using special characters in the keyword search for rules. The list of special characters not supported is as follows:

less-than (<) &lt;

greater than (>) &gt;

ampersand (&) &amp;

CSCpn02385

Issue: Applying $VAR variables to queries on a Global Controller causes GUI errors and may not return correct results.

CSCpn02383

Issue: An IIS web server cannot be added to the MARS as a generic web server. When configuring the MARS to receive IIS logs, adding generic web server in Reporting Applications does not work.

Workaround: Choose windows operating system under general tab.

CSCpn02333

Issue: After performing a "pnreset -g" (which cleans up the GC data on the LC - a copy will be made of all GC data used by rules and reports while all other GC data will be deleted), the LC still shows the old zone name by which it was monitored from the GC. When adding that LC back to a GC that was re-installed from the recovery DVD, problems can occur if the zone names for the GC and LC do not match the ones used before.

Workaround: Use the same "old" GC name during the GC configuration. Use the same zone names when re-adding LCs to the GC.

CSCpn02251

Issue: After upgrading from a MARS 100e to MARS 100, pnstop and pnstart need to be run for the change to take effect.

CSCpn02177

Issue: Every 22nd reboot, the MARS file system is checked for consistency. This takes time to complete, and happens before connecting to the network. While this is happening, it may appear that the box simply isn't starting.

Workaround: Attach a console to the MARS to verify that checking is happening if the system does not seem to start after a reboot.

CSCpn02175

Issue: Data computed or stored on a standalone MARS while in standalone mode will not be transferred to a GC. Only data computed on an LC that is currently monitored by a GC will be pushed up.

CSCpn02073

Issue: After renaming a cloud, clicking the cloud again causes an error.

Workaround: Refresh the page before clicking a renamed cloud.

CSCpn02061

Issue: Saving CSV files from reports with IE 6 under Windows XP SP2 causes the file to default to an .htm extension, not .csv extension.

Workaround: Select "All types" from the drop-down list while saving, and rename the file to have a .csv extension.

CSCpn02011

Issue: Certain special characters do not work in password fields. The characters are " ' ; (double-quote, single-quote and semi-colon).

Workaround: Use passwords that do not contain these characters.

CSCpn01489

Issue: Query summary doesn't mention "severity" if it's a criterion

When the user configures a batch query with a severity as one of the criteria (Red, Yellow, Green), this criterion doesn't appear in the "query summary" of the batch query page. However, the query is run with the correct criteria. When the results are viewed, the severity can be seen in the query details at the top of the page.

CSCpn01438

Issue: When running batch queries under a high system load and over a time range containing a large amount of data, the batch query might not complete. If the Progress Completed status stays at 0% for an extended period of time (a day), try stopping any other batch queries you have running or stopping and resubmitting your batch query with narrower criteria. If neither of these works, please contact Cisco Support.

CSCpn01416

Issue: Select: Temp paging fix on Notification-SNMP. All pages that display large numbers of items need to have paging implemented.

Workaround: Use the search window to locate desired object.

CSCpn01398

Issue: Unable to shut down an interface: the customer should be able to shut down an interface from the CLI or GUI.

Workaround: Do not connect the second network interface to your network.

CSCpn01382

Issue: When you create a new group (MANAGEMENT > IP Management > Add Group) with a combination of Networks, Devices, and IP addresses and then select that group from the pull-down menu, only the Networks in the group appear, even though the Devices and IP addresses are in the group.

CSCpn01319

Issue: The pnreset command indicates that system will reboot after execution, however the system does not reboot. Also, you may find that the cursor does not return from the command—it is locked in the status indication (a string of periods).

Workaround: Before running the pnreset command, you must disconnect the appliance from the network by unplugging the Ethernet cable from the appliance. Disconnecting it from the network ensures that the cursor will return from the command upon completion. In addition, you must manually reboot the appliance using the reboot command when the cursor returns from the pnreset command.

CSCpn01293

Issue: When administering MARS, it is possible to select an unsupported OS from the pull-down menu when adding or editing a host for logging. If you select an OS that does not contain the string "Microsoft Windows" or "Sun Solaris" when you save the Pull host log or Receive hostlog parameters, (for example, if you select "Sun Cobalt"), then the GUI does not work correctly.

CSCpn01270

Issue: The free-form search may not work for the following devices:

Check Point Opsec NG FP3

Cisco CSA, 4.0

Cisco, IDS, 3.1 and 4.0

ISS, RealSecure, 6.5 and 7.0

Entercept Entercept, 2.5 and 4.0

IntruVert IntruShield, 1.5

CSCpn01219

(re-opened)

Issue: If you create a user in the MARS GUI and select New Provider but do not enter a Pager number, qpage.com fails to run because it has an empty entry, and pnmonitor continually tries to restart the daemon that attempts to access qpage.com.

Resolution: Open each user profile and click Submit to ensure all the required fields are populated.

CSCpn01134

Issue: The cloud name input box accepts invalid characters. To reproduce this behavior, click the Large Graph link on the Hotspot graph. Click a cloud. Click Change name and enter invalid characters into the input field (for example, ~!# or ###). Sometimes the page returns an error message such as "Error: Invalid or No Security Perimeter". The graph rendering fails with the IE status bar message "not well formed, line #:column#".
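The reserved characters listed in the CSCpn02901 and CSCpn02398 workarounds above and the "not well formed" rendering failure described in this caveat share one root cause: user-supplied text placed into XML without entity escaping. The following Python snippet is an added example written for these notes, not MARS code; the element names, the allow-list and the validation function are assumptions. It shows that a keyword such as <cxu> embedded verbatim yields a parse error, that xml.sax.saxutils.escape produces the &lt; / &gt; / &amp; forms the workaround lists, and an allow-list check of the kind that would reject a name like ~!# before it reaches a renderer.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The three reserved characters the caveats list, with the entity each must become.
RESERVED_XML = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}


def reserved_chars_in(text):
    """Return the reserved XML characters present in text, in sorted order."""
    return sorted(c for c in RESERVED_XML if c in text)


def build_keyword_xml_unsafe(keyword):
    """Embed a user-supplied keyword verbatim (hypothetical element names)."""
    return f"<rule><keyword>{keyword}</keyword></rule>"


def build_keyword_xml_safe(keyword):
    """The same fragment, with the keyword entity-escaped first."""
    return f"<rule><keyword>{escape(keyword)}</keyword></rule>"


def well_formed_error(doc):
    """None when the document parses; otherwise the parser's message, which
    carries the same 'not well-formed ... line:column' detail the caveat describes."""
    try:
        ET.fromstring(doc)
        return None
    except ET.ParseError as err:
        return str(err)


def extract_keyword(doc):
    """Parse the fragment back and return the keyword with entities decoded."""
    return ET.fromstring(doc).findtext("keyword")


def validate_display_name(name, extra="-_. "):
    """Allow-list check for names such as cloud names: letters, digits and a few punctuation marks.
    The allow-list is an assumption for this example."""
    return bool(name) and all(c.isalnum() or c in extra for c in name)


if __name__ == "__main__":
    for kw in ("<cxu>", "virus & worm", "nimda"):
        print(repr(kw), "unsafe:", well_formed_error(build_keyword_xml_unsafe(kw)))
        print(repr(kw), "safe:  ", well_formed_error(build_keyword_xml_safe(kw)))
    print("validate '~!#':", validate_display_name("~!#"))
```

Escaping on output and allow-listing on input are complementary: escaping keeps any stored keyword renderable, while the allow-list stops a name that no renderer will ever accept from being saved at all.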

CSCpn01051

Issue: Logging into a MARS from a non-supported browser and leaving the GUI open will prevent other users from logging into that MARS.

Resolution: If you log in to MARS using a supported browser and see a message saying that your browser is unsupported, please check if another user has logged into the MARS with an unsupported browser and not closed his browser window.

CSCpn01045

Issue: Entering an incorrect IP address or directory path for the data archiving feature will result in a cryptic error message.

Resolution: If you see a message of type "Status: PN-0002: No message for PN-0216" after configuring data archiving, please click "Back to Archiving" and check your IP address and directory.

CSCpn01019

Issue: When utilizing the data archiving feature, you may experience data loss if your network link is slow or if your archive server does not have the capacity to handle high throughput.

CSCpn00908

Issue: "Domain" in Configuration page - no use

Workaround: This issue was overcome by other events. This field no longer exists; however, you can specify the e-mail domain on the Configuration page to identify the default domain from which e-mail notifications are delivered by the appliance.

CSCpn00877

Issue: When you submit a name that is associated with a device type to the system, later changes to its device type can cause some of its configuration information to display incorrectly.

Resolution: When adding a device, take care to give it its proper device type.

CSCpn00610

Issue: Backend logs can be out of order in the view page because the numbers are reused. Timestamps should be used as report identifiers.

CSCpn00596

Issue: On a freshly installed machine starting to get events and sessions, you can get a negative Data Reduction where there are more sessions than events. This is due to the fact that events are written to the database more frequently than sessions.

Resolution: Wait for some time to pass, as events gradually outnumber sessions this number will become increasingly accurate.

CSCpn00586

Issue: If you are investigating a false positive, and you see a message telling you that a service has crashed, this could be due to vulnerability scanning by the MARS appliance. You may have to re-start the service.

Resolution: It is strongly recommended that you patch the security hole to eliminate this vulnerability.

CSCpn00455

Issue: If clouds are renamed through diagrams, the system might not display those names.

Resolution: Here are some workaround steps to rename clouds:

1. Click the cloud you want to rename.

2. Enter in the new name in the text field near the top of the popup window.

3. Click "Change".

4. Once it's done, click "Close".

5. Click the "Large Graph" button in the Hotspot Graph.

6. Return to the Summary page.

CSCpn00293

Issue: When tabbing over three-digit entries in IP fields on the Configuration Information page, the cursor can disappear.

Resolution: Use your mouse to move between fields on this screen when editing IP addresses.

CSCpn00259

Issue: On the Setting Runtime Logging Levels page, if you set the level for GUI to Trace and save, it is saved as Debug.

Resolution: Do not change settings on the Setting Runtime Logging Levels page without a Cisco Support representative.

CSCpn00247

Issue: The automatic time-out feature built into the GUI does not work when the Summary page is left open with automatic refresh selected.

Resolution: Please log out of the system when you are no longer using it.

CSCpn00212

Issue: Diagrams on the Summary pages occasionally do not display.

Resolution: Exit the browser. The next time you log on, the diagrams should have re-drawn.

CSCpn00183

Issue: Adding many devices (more than 20) without activating those devices can cause messy output in the diagrams.

Resolution: Click the Activate button after adding many devices.

CSCpn00173

Issue: Nessus should check pre-NAT address instead of Post-NAT address.

CSCpn00166

Issue: The use of ANY in queries and rules is slightly inconsistent. When selecting ANY in the Query page, if other items are selected at the same time for that field, the ANY is ignored. When selecting ANY on the Rules page, if other items are selected at the same time for that field, the other items are ignored and ANY is the selection.

CSCpn00146

Issue: Identical reports differing only by slashes and dashes result in conflicting reports. When you have reports with identical names differing only by slashes (/) and dashes (-), running and viewing the reports causes them to get confused and point at each other.

Resolution: Do not use slashes or dashes in your rule configuration.


Resolved Caveats - Release 4.1.5

The following customer-found or previously release-noted caveats have been resolved in this release.

Reference Number
Description

CSCse06174

csdam must be disabled on GC

CSCse00542

Device groups on MARS GC disappear - created but not listed

Description: As a result of the fixes in place for 4.1.5, the IP Management device group displays hosts only. The View > Host option on the Management > IP Management page filters all devices defined on the Security and Monitor Devices page from the IP Management page, including from Device groups, which in itself is expected behavior. However, this introduces an inconsistency, as any type of device can be added to a Device Group through the Edit/Add Group button. After clicking Submit, the group lists only the Host entries, typically a subset of all devices belonging to the group, which can be confusing to the user.

Workaround: To view the actual contents of a group, select a device group and click the Edit Group button.

CSCsd99437

Slow network connection to NFS server causes archiving failure

CSCsd94848

graphgen mem limit need to be increased to 2.5 G in GC

CSCsd93052

Raid Controller debugging information displayed on MARS console

CSCsd80458

Error in PnParsedEvent serialization could cause event data corruption

CSCsd79070

errors after re-adding an LC to a GC

CSCsd79063

Deleting reports without activating causes inlinerep_srv to stop working

CSCsd78818

Add agents popup window goes forever

CSCsd77644

IDSM device configuration not shown in the graphgen log

CSCsd70459

Takes about 5 minutes to display the first page of device

CSCsd69984

High memory usage for pnmac and graphgen when there are 100k GUI hosts

CSCsd69932

"Add sw application on existing host" doesn't work if 100k existing host

CSCsd68465

Devices added on LCs can not be pushed up to GC

CSCsd67052

Graphgen: graphviz goes into an infinite loop trying to display 2000 routers

CSCsd65065

Case Management add inline query only adds about 2000 records

CSCsd65054

Case Management 4.1.5 with Closed Case only shows 25 lines of report

CSCsd65049

Case Management reports don't work with new paging

CSCsd63437

Many "false alarm" errors in Rule/Report import into MARS

CSCsd59102

rpcclient2 is incorrect in the current CD packages

CSCsd48544

Port 8444 required for GC/LC communication

CSCsd48097

Processes restart continuously if pnparser creates shared buffers first

CSCsd44868

CSA agents list in CSA console is not scalable

CSCsd40008

New Daylight Saving Time in Australia

CSCsd35354

Anomaly Profiling does not include denies and other non-pix flow events

CSCsd31392

CS-MARS CLI Privilege Escalation

CSCsd31377

CS-MARS CLI Privilege Escalation

CSCsd31371

CS-MARS CLI Privilege Escalation

CSCsd29348

MARS doc about expert command incorrect

CSCsd29176

Unnecessary programs installed on OS

CSCsd29111

CS-MARS CLI Privilege Escalation

CSCsd29082

CLI: SSH allows interactive prompt

CSCsd29060

CLI: telnet allows invoking an external shell

CSCsd29028

CLI: Telnet allows writing files

CSCsd28495

Pnmonitor: restart processes if swap space too low for too long

CSCsd28489

improve handling of missing event/session in db in postfire

CSCsd28304

CLI: Telnet allows reading and writing environment variables

CSCsd26168

Mem usage for graphgen for loading Routes need to be optimized

CSCsd26159

optimize Oracle calls used during system bootup/restart

CSCsd26154, CSCpn02362

Only routers and devices that are reporting directly need to be loaded

CSCsd26018

Pnparser uses more than High CPU doing sessionization from FWSM events

CSCsd25400

GC Topology Sync scalability issue

CSCsd25395

Fix GUI errors caused by 0 id in report database tables

CSCsd25393

Increase returned query result sets from 100/1000 to 5000

CSCsd25377

Reduce pnesloader CPU usage - optimize unnecessary DB calls

CSCsd25151

adding indexes to optimize DbClient::retrieveParserDeviceInfo()

CSCsd25120

pnparser: loadDevice Info DbApi is not optimized

CSCsd25094

DebCredential implementation needs optimization for decrypting password

CSCsd25027

Pink box in Device page due to missing agent info

CSCsd23835

GC - Local Controller Management link hangs when LC has connecting problems

CSCsd22457

Increase the swap space for MARS100/200 another 2G for total of 4G

CSCsd22395

Grep command not supported but show in doc

CSCsd16636

Firewalling denies explicitly, it should deny all and permit explicitly

CSCsd16597

pnpasswd reveals fixed Cisco half of the expert password

CSCsd16256

Four default Oracle database accounts

CSCsd16112

Remote ssh client can be used to bypass firewall filtering

CSCsd14107

SMS alert doc specifies improper field format

CSCsd14101

Missing Win XP Pro Windows service for Unix steps for archiving

CSCsd07993

Issue: MARS not parsing Manhunt 3.0 snmp trap messages

CSCsd06811

Doc - LC 4.1 Figure 16-20 incorrect

CSCsd05234

Enhancing the verification of unique host names

CSCsd04931

Archiving shows some error logs in the "janus_log" file

CSCsc80067, CSCsc80092

Issue: Some signatures are not properly parsed based on the Cisco IDS signature set.

When MARS receives an event from an IPS/IDS sensor with a Signature ID of 3304-0 or 5422-0, it reports it as a 'TCP Unknown Device Event Type'. This signature was added in the S149 signature update, and MARS 4.1.2 (2042) supports up to S197.

Workaround: None.

CSCsc79860

Unused jboss ports need to be blocked in the system config file

CSCsc63406

MARS - mismatch in results between batch and inline queries

CSCsc60969

MARS - Base 64 not seen correctly for IDS-IPS events

CSCsb44868

CSA agents list in CSA console is not scalable

CSCpn02623

Issue: Sudden traffic increase does not process ICMP events.

While MARS does process ICMP events on the parsing side, the sudden traffic rule does not fire based on ICMP events.


Resolved Caveats - Releases Prior to 4.1.5

For the list of caveats resolved in releases prior to this one, see the following documents:

http://www.cisco.com/en/US/products/ps6241/prod_release_notes_list.html

Product Documentation

For the complete list of documents supporting this release, see the release-specific document roadmap:

Cisco Secure MARS Documentation Guide and Warranty

http://www.cisco.com/en/US/products/ps6241/products_documentation_roadmaps_list.html

Lists document set that supports the MARS release and summarizes contents of each document.

For general product information, see:

http://www.cisco.com/go/mars

Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html