Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco Security Monitoring, Analysis and Response System

Release Notes for Cisco Security MARS Appliance 4.3.4

Downloads

Table Of Contents

Release Notes for Cisco Security MARS Appliance 4.3.4

Introduction

Supported Hardware

New Features

Miscellaneous Changes and Enhancements

New Vendor Signatures

Upgrade Instructions

Important Upgrade Notes

General Notes

Upgrade to 4.3.4

Upgrade to 4.3.3

Upgrade to 4.3.2

Upgrade to 4.3.1

Upgrade to 4.2.8

Upgrade to 4.2.7

Upgrade to 4.2.6

Upgrade to 4.2.5

Upgrade to 4.2.4

Upgrade to 4.2.3

Upgrade to 4.2.2

Upgrade to 4.2.1

Upgrade to 4.1.5

Upgrade to 4.1.4

Upgrade to 4.1.3

Upgrade to 4.1.2(2042)

Upgrade to 4.1.1

Required Upgrade Path

Downloading the Upgrade Package from CCO

Documentation Errata

Important Notes

Quick Install Notes

Installation Quick Reference

Checklist for Initial Configuration

Caveats

Open Caveats - Release 4.3.4

Resolved Caveats - Release 4.3.4

Resolved Caveats - Releases Prior to 4.3.4

Product Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Release Notes for Cisco Security MARS Appliance 4.3.4

Revised: April 21, 2008, OL-16372-01

Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (MARS), Version 4.3.4 running on any supported Local Controller or Global Controller as defined in Supported Hardware. They provide the following information:

Introduction

Supported Hardware

New Features

Upgrade Instructions

Documentation Errata

Important Notes

Quick Install Notes

Caveats

Product Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Introduction

Version 4.3.4 is now available as an upgrade to 4.3.3 of your MARS Appliance software. Registered SMARTnet users under the can obtain version 4.3.4 from the Cisco support website at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars

Supported Hardware

Cisco Security MARS Version 4.3.4 supports the following Cisco Security MARS and Protego Networks MARS appliances:

Local Controller Appliances

Cisco Security MARS 20 (CS-MARS-20-K9)

Cisco Security MARS 20R (CS-MARS-20R-K9)

Cisco Security MARS 50 (CS-MARS-50-K9)

Cisco Security MARS 100 (CS-MARS-100-K9)

Cisco Security MARS 100e (CS-MARS-100E-K9)

Cisco Security MARS 200 (CS-MARS-200-K9)

Protego Networks PN-MARS 20

Protego Networks PN-MARS 50

Protego Networks PN-MARS 100

Protego Networks PN-MARS 100e

Protego Networks PN-MARS 200

Global Controller Appliances

Cisco Security MARS GC (CS-MARS-GC-K9)

Cisco Security MARS GCm (CS-MARS-GCM-K9)

Protego Networks PN-MARS GC

Protego Networks PN-MARS GCm

New Features

In addition to resolved caveats, this release includes the following new features:

Miscellaneous Changes and Enhancements

New Vendor Signatures

Miscellaneous Changes and Enhancements

The following changes and enhancements exist in 4.3.4:

Improved CSM-MARS Linkage. With Security Manager 3.2 and MARS 4.3.4 and 5.3.4, you can modify access rules generating the MARS event seamlessly from the read-only policy table popup window, which displays all rules associated with an event, by clicking the highlighted access rule number without starting Security Manager separately. Similarly, you can navigate to the signature summary table in Security Manager from MARS events associated with IPS sensors and IOS IPS devices and alter the signature properties. This feature enables you to map a syslog message to the policy that triggered that message and modify it simultaneously, thereby reducing time spent configuring and troubleshooting access rules in large or complex networks.

Additional improved support includes:

Support for MARS to launch CSM and authenticate using stored login credentials.

Improved support for firewall and IPS policy rule lookups.

From Policy Query, you can edit a signature on an event or define a filter on the CSM device to perform device-side tuning.

Edit IPS signatures that fired an inspection rule.

Edit IPS signatures that fired an inspection rule.

Improved Global Controller-Local Controller Group Synchronization. In the x.3.4 releases, MARS changes how source and destination information found in Global Controller rules is shared with managed Local Controllers. (This change is in support of CSCse03237: Changes made to GC network groups are not propagated to active LC rules.)

In versions prior to x.3.4, all network groups, networks, and devices in the source and destination fields of rules and reports on the Global Controller were converted to IP addresses or IP address ranges prior to sending the rules/reports to the Local Controllers. This conversion removed links to the original objects. The effect was if a network group were edited and that group was referenced in a Global Controller rule, the changes never propagated to the Local Controller because it used a list of IP addresses, not a reference to the network group.

In the x.3.4 releases, the network groups, networks, and devices are passed to the Local Controller in the source and destination fields; they are no longer converted to IP addresses and IP address ranges. Therefore, the rules on the Local Controller now include the network group, network, or device name, not a list of IP addresses.

The following behaviors should be noted:

If an object (network group, network, or device) specific to LC1 is passed to LC2, the object is removed from the source or destination list of the rule or report on LC2. It is removed because because LC2 has no knowledge of the object.

For user rules if the entire source or destination field is empty after the removal of devices unknown to that Local Controller, the rule status changes to INACTIVE and the empty field of the rule shows as none.

For system rules if the entire source or destination field is empty after the removal of devices not known to that Local Controller, the rule status changes to INACTIVE and the empty field of the rule shows as ANY.

Note When the src or dest field of a system rule is empty, the web interface does not allow you to edit that rule.

For reports if the entire source or destination field is empty after the removal of devices not known to that Local Controller, the report status changes to INACTIVE. Therefore, the report does not appear in the web interface of the Local Controller.

Update to intrusion prevention, and intrusion detection, and vulnerability assessment signature sets. This release includes new vendor signatures, updating the 3rd-party signature support. For more information on the updates, see New Vendor Signatures

Bug fixes. For the list of resolved issues, see Resolved Caveats - Release 4.3.4.

New Vendor Signatures

The following table describes the most recent signatures supported for each product or technology:

Revised in 4.3.4
Product
Signature Version Supported
Intrusion Prevention and Detection Signatures

Yes

Cisco IDS 4.0,
Cisco IPS 5.x,
Cisco IOS 12.2

Current through S317 signature release.

Yes

Snort NIDS 2.6.1

Current through the February 12, 2008 signature release.

Latest signature mapped: 13415.

Yes

ISS RealSecure Network Sensor 6.5 and 7.0, and ISS RealSecure Server Sensor 6.5 and 7.0

XPU 28.010
Release date: January 8, 2008

Yes

McAfee IntruShield NIDS 1.5 and 1.8
McAfee Network Intruvert v. 2.5, 4.0

4.1.19.6
Release date: January 23, 2008

Yes

McAfee Entercept HIDS 2.5, 4.0

Current through the January 8, 2008 signature release.

Yes

CheckPoint Application Intelligence

(VPN-1 NG with Application Intelligence R55)

Current through the February 4, 2008 signature release

Yes

Netscreen IDP 2.1, 3.0, 3.1, 4.0, 4.1

Signature version: 4.1.
Release date: February 10, 2008

Yes

Enterasys Dragon 6.x, 7.x

Current through the February 8, 2008 signature release.

Yes

Symantec NIDS, v 4.0

Signature package: 92
Release date: December 17, 2007

No. EOS.

Symantec Manhunt 3.x

(See Symantec NIDS, v 4.0.)

3.4.3 Update 59
Current through the May 24, 2007 signature release.

Vulnerability Scanner Signatures

Yes

Qualys QualysGuard 3.x, 4.7.161-1

Current through the February 9, 2008 signature release.

Yes

E-Eye, Retina Scanner Vulnerability Software, version 5.61

Current through the February 10, 2008 signature release.

Yes

Foundstone, version 4.x

Current through the February 10, 2008 signature release.

Yes

Common Vulnerabilities and Exposures (CVE) Database

Current with the February 10, 2008 definition update.

Miscellaneous Support

No

Oracle 11g

Support for new AUDIT_ACTIONS.

1 eEye REM 1.0 is supported in 4.2.x.


Upgrade Instructions

The MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As administrator of the MARS Appliance, you should check the upgrade site regularly for patch upgrades. In addition to addressing high-priority caveats, patch upgrade packages update system inspection rules, event types, and provide the most recent signature support.

For detailed instructions on planning and performing an upgrade or install, refer to Checklist for Upgrading the Appliance Software, page 6 in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System.

Important Upgrade Notes

To ensure that the upgrade from earlier versions is trouble free, this section contains the notes provided in previous releases according the release number. Please refer to the notes that pertain to the release you are upgrading from and any releases following that one.

General Notes

The MARS Appliance performs a file system consistency check (fsck) on all disks when either of the following conditions is met:

If the system has not been rebooted during the past 180 days.

If the system has been rebooted 30 times.

The fsck operation takes a long time to complete, which can result in significant unplanned downtime when rebooting the system after meeting a condition above. For example, a MARS 50 appliance can take up to 90 minutes to perform the operation.

Upgrade to 4.3.4

No important notes exist for the 4.3.4 upgrade.

In addressing CSCsm57453: Incident not created for some of same events, the behaviour now differs between 4.3.4 and 5.3.4. In the x.3.3 releases, inciddent firing was throttled at 100 inciddents for event bursts from a vulnderability assessement (VA) reporting device. In 5.3.4, incidents firing throttles at over 430 inciddents, and in 4.3.4, the incidents firing throttles at just over 220 incidents.

Upgrade to 4.3.3

No important notes exist for the 4.3.3 upgrade.

Upgrade to 4.3.2

The following important notes apply to the upgrade from 4.3.1 to 4.3.2:

Release-Note for CSCsk19730/CSCsk12130

If you've edited a system rule on a Global Controller, you may enounter one of two conditions where the rules on the Global Controller are out of sync with those on the Local Controller.

Symptom: The edited rule in the Global Controller disappears from the list of rules on the Local Controller. (CSCsk12130)

Condition: The user edited a rule on the Global Controller and then upgraded to a different version of the MARS system software and then added of a new Local Controller to the Global Controller.

Symptom: A rule that was edited in the Global Controller looks as if it is an empty rule in the Local Controller and be inactive. (CSCsk19730)

Condition: This occurs under in some cases where a Local Controller is added to a newly upgraded Global Controller.

Work Arounds: If the Local Controller is deleted from and re-added to the Global Controller under x.3.2, the issue should resolve itself. However, in conditions with a large topology or many custom rules, we recommend contacting technical support for a work around that avoids the need to delete and re-add the Local Controller.

Another possible work around if the number of edited rules are small is to edit and make further changes to the rule and activate. In this case, the issue should be resolved for that rule.

Upgrade of IOS 12.3 and 12.4 devices. In previous releases, these devices were supported under the IOS 12.2 release when defining the device type in theMARS web interface. After you upgrade to 4.3.2, the next discovery of such a device will automatically upgrade the version to its correct value.

For example, an IOS 12.4 device is added to MARS 4.3.1 as 12.2 and after the upgrade to 4.3.2, when the discovery occurs for that device, the device type is automatically updated to IOS 12.4. The same is true for devices that are running IOS 12.3. However, if you have not enabled device discovery, use the Change Version feature to change between IOS 12.2, 12.3, and 12.4.

Wireless LAN Controller Support is restricted to the 5.3.x train. To enable support for wireless access points via the Cisco Wireless LAN Controller, you must use the 5.3.2 or later software, which also restricts the appliance models that can be used.

Juniper/NetScreen IDP 3.x and 4.x Support is incomplete. While device support has been added, the signature/data work portion of these devices will be provided in a future release of MARS software.

Renaming of QualysGuard 3.x device type. During the upgrade, any QualysGuard devices defined under Security and Monitoring Devices will changed their device type from QualysGuard 3.x to QualysGuard ANY.

Upgrade to 4.3.1

Beginning with the 4.3.1 and 5.3.1 releases, the dynamic IPS signature updates (if enabled) is an aspect of the version of software running on a MARS Appliance. Therefore, in addition to running the same MARS software versions on the Global Controller and Local Controller, the IPS signature version must match or the communications fail.

In a Global Controller-Local Controller deployment, configure the dynamic signature URL and all relevant settings on the Global Controller. When the Global Controller pulls the new signatures from CCO, all managed Local Controllers download the new signatures from the Global Controller.

In addition, CSCsk90015 states that any reporting device representing a Cisco ACS 3.x device that exists prior to the 4.3.1 upgrade is deleted during the upgrade. To resolve the issue after upgrade, you must the remove the reporting device from the host and re-add that device again as Cisco Secure ACS 3.x.

An example process is as follows:

1. Click Admin > Security and Monitor Devices, select the host with Cisco ACS 3.x as a reporting application and click Edit.

2. Select the Reporting Applications tab, and then blank link and click Remove.

3. After removing the blank link, re-add Cisco Secure ACS 3.x application to that host and click Activate.

Upgrade to 4.2.8

No important notes exist for the 4.2.8 upgrade.

Upgrade to 4.2.7

No important notes exist for the 4.2.7 upgrade.

Upgrade to 4.2.6

No important notes exist for the 4.2.6 upgrade.

Upgrade to 4.2.5

The 4.2.4(2432) patch was released to address an issue with the MARS system timezone patch in 4.2.4 (2428). The 4.2.5 update includes the patch, and therefore, you are not required to apply the 4.2.4(2432) patch if you are currently running 4.2.4 (2428). This issue, detailed in CSCsi08897, only affects a few timezones; therefore, many customers would never experience the issue.

Upgrade to 4.2.4

No important notes exist for the 4.2.4 upgrade.

Upgrade to 4.2.3

The 4.2.3 upgrade package is approximately 1.6 GB due to the large number of signatures updated and due to the inclusion of a patch to the database software, which was added to address CSCsg02873. Downloading the PKG file may take up to 7 times longer than previous packages.

Note Enable archiving on the MARS Appliance for two to three days before you perform you attempt to upgrade from 4.2.2 to the 4.2.3 release. This precaution is strongly recommended in case reinstallation is required due to any encountered errors.

To upgrade from 4.2.2 to 4.2.3, follow these steps:

Step 1 Verify that your MARS Appliance does not have hard drives that are degraded or rebuilding by performing the following steps:

a. At the CLI, enter the following command:

raidstatus

Tip For more information on accessing the CLI, see the "Establishing a Console Connection" section in Chapter 5, Initial MARS Appliance Configuration, of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

For more information on the raidstatus command, see "raidstatus" in Appendix A, Command Reference of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

b. Verify that hard drives are neither in rebuilding nor degraded status. If they are, please wait until all hard drives have finished rebuilding before attempting an upgrade.

Step 2 Verify that the MARS Appliance has at least 3GB of space available on the partition /u01 by performing the following steps:

a. At the CLI, enter the following command:

diskuage

One of the lines should describe the /u01 partition: 

Filesystem            Size  Used Avail Use% Mounted on

/dev/md3               16G  4.6G   10G  31% /u01

For more information on the diskusage command, see "diskusage" in Appendix A, Command Reference of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

b. Verify at least 3 GB available is available (the example has 10G available).

A nightly process runs to clean up any files that accumulate on this partition. If you have less than 3 GB, there is an issue with your appliance that you must resolve prior to upgrading.

Step 3 Perform the software upgrade. The CLI method is strongly recommended.

Note While the GUI upgrade works, it does not show progress of the upgrade. Use the CLI instead to ensure the progress of the update is known. Do not reboot the appliance until the upgrade has completed.

For more information on performing the upgrade using the command line, see the following information:

"Checklist for Upgrading Appliance Software" in Chapter 6, Administering the MARS Appliance of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

"pnupgrade" command in Appendix A, Command Reference of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

"Upgrading from the CLI" in Chapter 6, Administering the MARS Appliance of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

Step 4 After the automatic system reboot, verify the upgrade by performing the following steps:

a. At the CLI, enter the following command:

pnstatus

For more information on the pnstatus command, see "pnstatus" in Appendix A, Command Reference of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

b. Verify that all processes are running.

If some processes are not running, you must troubleshoot that issue before proceeding with the upgrade.

c. Enter the following command:

pnupgrade log

For more information on the pnupgrade log command, see "pnupgrade" in Appendix A, Command Reference of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

d. Verify that the output looks like the following: 

[pnadmin]$ pnupgrade log

--------------------------------------

   4.2.2 2303   -->  4.2.3 2403

--------------------------------------

1 Preparing upgrade start

  1.1 Load the step table start

  1.1 Load the step table end

  1.2 Stop pnmonitor start

  1.2 Stop pnmonitor end

  1.3 Stop jboss start

  1.3 Stop jboss end

  1.4 Stop other applications start

  1.4 Stop other applications end

1 Preparing upgrade end

2 Upgrade OS start

  2.1 Patch OS start

  2.1 Patch OS end

  2.2 Patch Oracle start

  2.2 Patch Oracle end

2 Upgrade OS end

3 Upgrade schema start

  3.1 Run upgrade schema script start

  3.1 Run upgrade schema script end

  3.2 Backup schema script start

  3.2 Backup schema script end

3 Upgrade schema end

4 Upgrade MARS applications start

  4.1 Untar MARS executable binary start

  4.2 Untar MARS executable binary end

  4.3 Modify janus.conf start

  4.3 Modify janus.conf end

  4.4 Swap MARS executable binary start

  4.4 Swap MARS executable binary end

  4.5 Run post-unpack-deployment start

  4.5 Run post-unpack-deployment end

4 Upgrade MARS applications end

5 Upgrade data start

  5.1 Start jboss start

  5.1 Start jboss end

  5.2 Importing signature data start

  5.2 Importing signature data end

  5.3 Missing-id fix start

  5.3 Missing-id fix end

5 Upgrade data end

6 reboot ...

Upgrade from 4.2.2 2303 to 4.2.3 2403 finished.

If the log does not include the "Upgrade from 4.2.2 2303 to 4.2.3 2403 finished" line, then a problem occurred during the upgrade regardless of whether the version command reports 4.2.3 (2403).

Special Note for Post Upgrade of a Global Controller/Local Controller Deployment

In a Global Controller/Local Controller deployment upgraded from 4.2.2 to 4.2.3, the communication states between the Global Controller and one or more Local Controllers can be out of sync. This issue is detailed in CSCsh38818.

The Global Controller identifies the Local Controller as Active, and the Local Controller identifies itself as Offline. Toggling "Suspend/Resume" from the Global Controller's Local Controller Management page toggles both states, causing the Global Controller to consider the Local Controller as Suspended while the Local Controller considers itself as Online and resumes pushing information to the Global Controller.

This "out of sync" state affects Global Controller/Local Controller deployments that are upgraded from 4.2.2 to 4.2.3.

To determine whether a Global Controller/Local Controller pair is in this error state, follow these steps:

Step 1 The Global Controller and all associated Local Controllers are upgraded from 4.2.2 to 4.2.3 (see upgrade instructions in Upgrade to 4.2.3).

Step 2 Log into the Global Controller web interface, and select Admin > System Setup >- Local Controller Management.

Step 3 For each Local Controller, select the Local Controller checkbox and click Details.

Step 4 Verify that there is a discrepancy between the status on the Global Controller and the status of the Local Controller. Specifically, the status on the Global Controller shows that an Local Controller is "Active", while the Local Controller web interface shows that the Local Controller is Offline in the header - "CS-MARS Local Controller (Offline)". Confirm the Local Controller status by logging into the Local Controller via its web interface.

Step 5 Note each Local Controller that is in this "out of sync" state.

Once the error has been identified, follow these steps to exit the error state:

Step 1 Log into the Global Controller web interface, and select Admin > System Setup >- Local Controller Management.

Step 2 Select each Local Controller that is in this "out of sync" state, and click Suspend/Resume. Repeat until all Local Controllers in this "out of sync" state have been suspended.

You can verify that the Global Controller sees each Local Controller as "Suspended" by clicking "Details" for that Local Controller to see if it shows that the Local Controller is no longer Offline - "CS-MARS Local Controller: [hostname]/[zone name]"

Step 3 On the Local Controller Management page of the Global Controller web interface, select Refresh Rate "1 minute" from the pull-down menu.

Step 4 Select Admin > System Maintenance > License Key. and verify that the correct number of Local Controllers (20/50s, and 100/200s) are counted by the Global Controller under "used".

Step 5 Select Admin > System Setup > Local Controller Management in the Global Controller browser window

Step 6 Perform Step 7 through Step 10 for each Local Controller that is in this "out of sync" state.

Step 7 Open an SSH shell to the Local Controller, and enter the following command:

pnreset -j

Step 8 Enter yes to confirm the pnreset operation.

Step 9 Within 20 seconds of entering the pnreset -j command, switch back to the Global Controller browser window and click the browser refresh button every 3 seconds until the Status message for that Local Controller displays "Not responding". This is needed to re synchronize communication between the Global Controller and Local Controller.

Step 10 Wait for the Local Controller Management page to refresh and verify that the Local Controller's status is now "Active" and the web interface for that Local Controller shows the Local Controller is Active (not Offline). Confirm the Local Controller status by logging into the Local Controller via its web interface.

Upgrade to 4.2.2

The following issues can occur during the standard upgrade process of a MARS Appliance:

If you re-image your MARS Appliance from 3.4.3 to 4.2.2, your 3.x license key does not work on the new image. See CSCsg74922 for details.

The following issues can occur when upgrading your reporting devices:

If you upgrade your Cisco FWSM modules to software version 3.1.2, you will be unable to parse the events identified in CSCsg31072.

Upgrade to 4.2.1

As identified in CSCse17864, CSCse22610 and CSCse22617, the changes in the case management feature requires that you close all cases before upgrading from MARS 4.1.x to 4.2.1. By closing the cases, you ensure that the device, report, and query information is copied to the case, assuming it still exists in the database.

Upgrade to 4.1.5

No important notes exist for the 4.1.4 upgrade.

Upgrade to 4.1.4

No important notes exist for the 4.1.4 upgrade.

Upgrade to 4.1.3

No important notes exist for the 4.1.3 upgrade.

Upgrade to 4.1.2(2042)

The following notes detail changes to the standard upgrade process:

If you completed the 4.1.1 to 4.1.2 (2040) upgrade, verify whether the upgrade failed by entering `pnlog mailto <SMTP server> <sender> <recipient>' at the CLI. This commands mails the MARS Appliance logs to the recipient. Open the e-mailed file attachment, and then open the newest upgrade*.log found in /var/log/. Successful upgrades from 4.1.1 (2022) to 4.1.2 (2040) include the following line: 

Opening file: 
/etc/data/secondarytables/reports/Report.0.Resource-Issues--IOS-IPS-DTM---All-Events.x
ml

If you do not see this line, then a problem occurred during the upgrade regardless of whether the version command reports 4.1.2 (2040).

To upgrade from 4.1.1 or a successful or unsuccessful 4.1.2 (2040) to 4.1.2 (2042), download the package, perform the upgrade as defined in Checklist for Upgrading the Appliance Software, page 6-6. If you are upgrading from 4.1.1, you must also execute the following command at the CLI of the upgraded MARS Appliance:

script -b patch_or_04_1_16.sh

The 4.1.2 (2042) image includes an additional command `script' that cleans the database of the data referenced in CSCsc31386. As a result of running the script, the total upgrade process from 4.1.1 to 4.1.2 (2042) may take much longer than previous releases; it depends on the amount of data stored on the MARS Appliance. For a MARS 200, it could double the normal upgrade time to two hours. To determine whether the script is still running, enter the following command and look for `patch_or_04_1_16.sh' anywhere in the output:

sysstatus -n 1 -b

Upgrade to 4.1.1

The following notes relate to changes in your system or configuration as a result of upgrading to MARS 4.1.1.

Prior to the 4.1.1 release, CSA was identified by the device type name Cisco CSA 4.0. As part of an upgrade, any Cisco CSA 4.0 devices were renamed as Cisco CSA 4.x. This new name includes support for Cisco CSA 4.0 and 4.5.

The new case management replaces the Escalate Incident functionality in MARS 3.4.4 and earlier. However, escalated incidents are not converted to cases during the upgrade process. Therefore, you must close all open escalations before upgrading to MARS 4.1.1 (CSCsb52057).

Required Upgrade Path

When upgrading from one software version to another, a prerequisite version is always required. This prerequisite version is the minimum level required to be running on the appliance before you can upgrade to the most recent version. Table 1 identifies the upgrade path that you must follow to reach the minimum level required to upgrade to current version.

Table 1 Upgrade Path Matrix

From Version
Upgrade To1
Upgrade Package

releases prior to 2.5.6

Contact Cisco Support

n/a

2.5.6

3.1.1

pn-3.1.1.pkg

3.1.1

3.2.1

pn-3.2.1.pkg

3.2.1

3.2.2

pn-3.2.2.pkg

3.2.2 or 3.3.2 Beta

3.3.3*

pn-3.3.3.pkg

3.3.3

3.3.4*

pn-3.3.4.pkg

3.3.4

3.3.5*

pn-3.3.5.pkg

3.3.5

3.4.1*

pn-3.4.1.pkg

3.4.1

3.4.2

pn-3.4.2.pkg

3.4.2

3.4.3

pn-3.4.3.pkg

3.4.3

3.4.4

pn-3.4.4.pkg

3.4.4

4.1.1

csmars-4.1.1.pkg

4.1.1

4.1.2 (2042) + script command

csmars-4.1.2.pkg2

4.1.2 (2040) without error

4.1.2 (2042)

csmars-4.1.2.pkg2

4.1.2 (2042)

4.1.3

csmars-4.1.3.pkg

4.1.3

4.1.4

csmars-4.1.4.pkg

4.1.4

4.1.5

csmars-4.1.5.pkg

4.1.5

4.2.1

csmars-4.2.1.pkg

4.2.1

4.2.2

csmars-4.2.2.pkg

4.2.2

4.2.3

csmars-4.2.3.pkg3

4.2.3

4.2.4 (2428)

csmars-4.2.4.pkg

4.2.4 (2428) or (2432)

4.2.5

csmars-4.2.5.pkg

4.2.5

4.2.6

csmars-4.2.6.pkg

4.2.6

4.2.7

csmars-4.2.7.pkg

4.2.7

4.2.8

csmars-4.2.8.pkg

4.2.8

4.3.1

csmars-4.3.1.pkg

4.3.1

4.3.2

csmars-4.3.2.pkg

4.3.2

4.3.3

csmars-4.3.3.pkg

4.3.3

4.3.4

csmars-4.3.4.pkg

1 An asterisk (*) next to a package name in this column identifies that this upgrade must be performed from the command line, as GUI support was lost with the closing of the upgrade.proteogonetwork.com website.

2 To upgrade from 4.1.1 or 4.1.2 (2040) to 4.1.2(2042), please review the special upgrade notes in the Quick Install and Release Notes for Cisco Security MARS Appliance 4.1.2 (2042).

3 The 4.2.3 upgrade package is approximately 1.6 GB due to the large number of signatures updated and due to the inclusion of a patch to the database software. Downloading the ISO image may take longer than previous packages.


Downloading the Upgrade Package from CCO

Upgrade images and supporting software are found on the CCO software download pages dedicated to MARS. You can access these pages at the following URLs, assuming you have a valid CCO account and that you have registered your SMARTnet contract number for your MARS Appliance

Top-level page: http://www.cisco.com/pcgi-bin/tablebuild.pl?topic=279644034

Upgrade files: http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars

Recovery image files: http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars-recovery

Supporting files: http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars-misc

Note If you are upgrading from a version earlier than those posted on CCO, please contact Cisco support for information on obtaining the required images. Do not attempt to skip versions along the upgrade path.

For information on obtaining a CCO account, see the following URL:

http://www.cisco.com/en/US/applicat/cdcrgstr/applications_overview.html

Documentation Errata

CSCsl14244. User guide does not discuss role of Nessus in the MARS system.

To determine whether specific incidents are false positives, MARS uses Nessus 2.x GPL plug-ins and custom scripts mapped to specific MARS event types. MARS does not use Nessus to perform vulnerability assessments or related reporting.

CSCsk77546. Discovery Device with SSH 512 module not supported.

The OpenSSH client used by MARS does not support modulus sizes smaller than 768. For example, you cannot discover a device using a SSH login that has 512-byte key.

Important Notes

The following notes apply to the MARS 4.1.x, 4.2.x, and 4.3.x releases:

If the client system used to access the MARS GUI is not on the same side of the NAT boundary as the a MARS appliance and the Security Manager server, you can perform policy lookup in read-only mode. However, you cannot start the Security Manager client from the read-only policy lookup table to modify matching policies. The client system must be on the same side of the NAT as the MARS appliance and the Security Manager if you want to the Security Manager client from MARS to modify the matching policy.

Security Manager client must be on the same side of the NAT boundary as the MARS appliance and the Security Manager server to query MARS events from policies.

The performance of the Summary Page degrades when too many reports are added under My Reports. The smaller the number of reports under My Reports, the faster the Summary page loads. To ensure adequate performance, limit the number of reports to 6. This issue is partially described in CSCse18865.

Do not to use DISTINCT or SAME in queries, and do not run multi-line queries in Release 4.3.4. If you run such a query, the system time outs after 20 minutes without returning any results. The message "Timeout Occurred" appears instead. You can use DISTINCT and SAME in a Query to create a rule with the Query interface.

For Symantec AntiVirus, the Symantec agent hostname (AV client computer name) appears in the "Reported User" column of the event data. Therefore, you can define a query, report or rule related to this agent based on the "Reported User" value.

The False Positive and Query pages (multi-column result format) have changed. You can now query on firing events that triggered false positives within a time interval. Such queries will render events that did not appear on the False Positive page. To ensure performance, the False Positive page only displays false positives from the most recent 10,000 firing events. To view additional false positives, you must perform a query.

The following notes describe new behavior based on the resolution of specific caveats. Be sure to check the upgrade notes for each release for important notes on data migration.

Reference Number
Description

CSCsc50636, CSCsc50652

Issues: Backend IPS process runs at 99% CPU when pulling large IP Logs

The backend IPS process reaches 1GB in memory used when pulling IP Logs. The process names depending on the version on MARS that is running:

In version 4.2.1 and earlier, the process names are pnids50_srv and pnids40_srv.

In version 4.2.2 and later, the process is named csips.

These related issues, are specific to pulling IP logs from Cisco IDS/ IPS devices. The symptom is that the backend IPS service consumes the system resources on the MARS Appliance. As an improper configuration of the sensor can significantly degrade the sensor performance as well as that of MARS.

Workaround: Ensure that settings for IP log creation on the sensor limit the size of the IP log (in terms of number of bytes or number of packets captured). Also, verify that IP packet logging is enabled only for signatures of interest and not for all signatures.

In addition, the following release-specific maximums are enforced:

In 4.2.1, a 100 file maximum is enforced for the log file queue when the MARS is configured to pull IP log files. Therefore, it may not pull every IP log file. In addition, the complete IP Log file may not be pulled, instead, data is pulled from the file starting 5 minutes before the alert was generated through the end of the file.

In 4.2.2, a 1,000 file maximum (up from 100 in 4.2.1) is enforced for the log file queue when the MARS is configured to pull IP log files. The complete IP Log file may not be pulled, instead, data is pulled from the file starting 1 minute (down from 5 minutes in 4.2.1) before the alert was generated through the end of the file. And last, 100KB is the maximum IP log size that can be pulled from a MARS Appliance.

CSCpn02175

Issue: Data computed or stored on a standalone MARS while in standalone mode will not be transferred to a Global Controller. Only data computed on an Local Controller that is currently monitored by a Global Controller will be pushed up.

CSCpn02073

Issue: After renaming a cloud, clicking the cloud again causes an error.

Workaround: Refresh the page before clicking a renamed cloud.

CSCpn01270

Issue: The free-form search may not work for the following devices:

Check Point Opsec NG FP3

Cisco CSA, 4.0

Cisco, IDS, 3.1 and 4.0

ISS, RealSecure, 6.5 and 7.0

Entercept Entercept, 2.5 and 4.0

IntruVert IntruShield, 1.5

CSCpn00247

Issue: The automatic time-out feature built into the GUI does not work when the Summary page is left open with automatic refresh selected.

Resolution: Please log out of the system when you are no longer using it.


Quick Install Notes

It is recommended that users read the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System. However, for those users who simply want to get the MARS Appliance up and running, the following two topics, taken from the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, summarize the hardware installation and initial software configuration:

1. Installation Quick Reference

2. Checklist for Initial Configuration

Installation Quick Reference

Table 2 provides an overview of the installation and initial configuration process. Following installation and initial configuration, see the following publications for information on how to use a browser and the HTML interface to fully configure your MARS Appliance to provide the security threat mitigation (STM) services you want from this installation:

User Guide for CS-MARS Local Controller Version 4.2.x

User Guide for CS-MARS Global Controller Version 4.2.x

Table 2 Quick Reference 

Task
References in Install Guide

Use the rack mount kit to install the MARS Appliance in a rack.

Installing the MARS Appliance in a Rack, page 2

Connect the MARS Appliance to an AC power source.

Connecting to the AC Power Source, page 7

Connect network and console cables.

Connecting Cables, page 8

Turn on the appliance.

Powering on the Appliance and Verifying Hardware Operation, page 8

Verify initial power up.

Powering on the Appliance and Verifying Hardware Operation, page 8

Perform initial configuration of the MARS Appliance.

Checklist for Initial Configuration

Configure the MARS Appliance to monitor reporting devices.

Next Steps, page 17


Checklist for Initial Configuration

Initial configuration of the appliance accomplishes several goals:

Introduces the two user interfaces to MARS: the command line interface (CLI) and the web interface.

Licenses the appliance.

Prepares the appliance to monitor and communicate on your network.

Configures the system time so that event correlation works properly.

Ensures the system administrative account is configured properly.

Ensures appliance is running the most recent version of software.

The following checklist describes the tasks required to initially configure your MARS Appliance. Each task might contain several steps; the tasks and steps within should be performed in order. The checklist contains references to the specific procedures used to perform each task.

Task

1. Establish a console connection to the appliance.

Initial configuration requires a console connection to access the CLI. You should establish this connection with the power turned off on the MARS Appliance. Three console connection options exist:

A direct console connection to the appliance using a keyboard and monitor

A standard serial console connection between a computer and the appliance using a terminal emulation package

An Ethernet console connection between a computer and the appliance using a terminal emulation package

After you have chosen and configured your console connection, you must power up the appliance.

Result: The appliance is powered up and you can see the command line prompt through your console connection.

For more information, see:

Establishing a Console Connection, page 4

2. Command Line Configuration: Setting the system administrative account's default password and configuring the interfaces.

The command line configuration is separated into three tasks, each task being separated by a reboot of the appliance. The first task involves performing three to four procedures:

Collect the information required to configure the appliance to operate optimally on your network.

Log in to the appliance and change the password associated with the system administrative account (pnadmin).

Configure the eth0 network interface, specifying the default gateway and IP address and network mask pair for that interface.

(Optional) Configure the eth1 network interface, specifying the IP address and network mask pair for that interface.

Each MARS Appliance has two Ethernet interfaces: eth0 and eth1. The eth0 interface is the dedicated interface used for collecting event data and logs from your network. The eth1 interface is intended for use in an out-of-band management (OOBM) network or for a console connection. Therefore, your default gateway and IP address/mask values should focus on the network connections to be used to monitor the data streams of reporting devices, and these settings should be applied to eth0.

Note The MARS Appliance does not allow you to configure both of its interfaces on the same network.

Result: The default password is no longer associated with the system administrative account and the appliance is more secure. Also, the eth0 is configured to communicate on your network. When you complete the IP address configuration changes for either, the appliance reboots.

For more information, see:

Configuring Basic Network Settings at the Command Line, page 6

Change the Default Password of the System Administrative Account, page 6

Specify the IP address and Default Gateway for the Eth0 Interface, page 7.

(Optional) Specify the IP Address and Default Gateway for the Eth1 Interface, page 8

3. Command Line Configuration.

The second task of the CLI configuration involves setting the hostname of the appliance. The hostname is used to uniquely identify which appliance collects a specific log and which appliance fires an inspection rule. This unique identity is especially important in an environment where Global Controller is running. To complete this task, you must:

Log in to the appliance using the system administrative account and the new password.

Set the hostname of the appliance.

Result: The hostname is configured for the appliance. The appliance reboots.

For more information, see:

Specify the Appliance Hostname, page 9.

4. Command Line Configuration.

The third and final task of the initial CLI configuration involves specifying those settings that help ensure the integrity of the event correlation and complete your network connection, allowing access to the appliance from other hosts on the network. In other words, after you complete this phase, you can connect to and complete the appliance configuration using a non-console connection from any host on your network. To complete this task, you must:

Log in to the appliance using the system administrative account and the new password.

Set any additional static routes.

Set the clock.

Set the NTP server settings.

Set the DNS domain name.

Connect the appliance to the network (that is, plug in the Cat 5 cables.)

Result: Now you have network connectivity. You can access the CLI interface using an Secure Shell (SSH) client on any host that can reach the appliance, and you can log in to the web interface to complete the initial configuration.

For more information, see:

Specify the Time Settings, page 10

Set Up Additional Routes, page 9

Completing the Cable Connections, page 11

5. Complete initial configuration using the web interface.

After you have completed the cable connections to the MARS Appliance, defined the required network connection settings, and specified any additional default routes, you can start the web interface configuration process. Verify the configuration settings of your browser before configuring the MARS Appliance (see Web Browser Client Requirements, page 9).

During this phase, you configure the following:

Appliance license

Zone identification (Global Controller only)

E-mail server identification

DNS addresses

E-mail address for the system administrative account (pnadmin)

TACACS/AAA login prompt settings

Result: You have configured your appliance to communicate on the network, properly correlate events, and issue system e-mails to a monitored e-mail address.

For more information, see:

Completing the Configuration using MARS web interface, page 11

Licensing the Appliance, page 11

Verifying and Updating Network Settings, page 13

Specifying the DNS Settings, page 15

Configure E-mail Settings for the System Administrative Account, page 16

Configure TACACS/AAA Login Prompts, page 17

6. Upgrade the appliance to the most recent software version.

The software version determines the currency of signatures, system inspection rules, features, and bug fixes. An important part of your security solution is ensuring that you maintain the most up-to-date software on the MARS Appliance. This process involves preparing an upgrade strategy and selecting a method, determining your current version, identifying the most recent version, and downloading and applying all intermediate versions of the software.

Result: The appliance is running the most recent version of software.

For more information, see:

Checklist for Upgrading the Appliance Software, page 6


Caveats

This section describes the open and resolved caveats with respect to this release.

Open Caveats - Release 4.3.4

Resolved Caveats - Release 4.3.4

Resolved Caveats - Releases Prior to 4.3.4

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.

Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/support/bugtools

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do

Open Caveats - Release 4.3.4

The following caveats affect this release and are part of supported devices or compatible products:

Reference Number
Description
Cisco Security Manager

CSCso16735

xCSM: P->E with CS Mgr credentials fails in cross-launched CSM client

CSCsm94630

Policy query icon is not shown at times in Real time viewer

CSCso09134

'Keyword limit exceeded' error during events lookup from Security Mgr

CSCso11900

Keyword field dimmed in Query page after events lookup from Security Mgr

CSCsm96376

Policy lookup icon not shown if device is deleted from MARS

CSCsm14585

Read-only policy page takes a long time to display for realtime events

CSCsm92008

Security Manager not reachable error displayed after long time

CSCsm94537

Policy lookup icon not shown for a device deleted and readded to MARS

CSCsl54107

Security Manager policy lookup for ICMP connection teardown syslog fails

CSCsm43237

Minimum password length for Security Manager account in MARS

CSCso38232

Host not shown in topology graph if Security Manager is added on it

CSCsf31401

MARS query does not highlight rules inside any policy group named Local

Firewall Services Module

CSCsl27574

FWSM Syslog message FWSM-6-302013 with wrong Real and Mapped IP