Release Notes for Cisco Security MARS Appliance 5.2.4
Revised: May 29, 2007, OL-13016-01
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (MARS), Version 5.2.4 running on any Local Controller or on any Global Controller. They provide the following information:
Version 5.2.4 is now available as an initial software release in support of the second generation MARS Appliance models as identified in Supported Hardware.
Caution Do not attempt to apply 5.2.x versions to MARS 20, 20R, 50, 110, 110e, 200, GC, or GCR models. Version 5.2.x is supported exclusively by the models listed in Supported Hardware.
Registered SMARTnet users under the can obtain version 5.2.4 from the Cisco support website at:
Cisco Security MARS Version 5.2.4 supports the following Cisco Security MARS Appliance models:
Local Controller Appliances
•Cisco Security MARS 110 (CS-MARS-110-K9)
•Cisco Security MARS 110R (CS-MARS-110R-K9)
•Cisco Security MARS 210 (CS-MARS-210-K9)
Global Controller Appliances
•Cisco Security MARS GC2 (CS-MARS-GC2-K9)
In addition to resolved caveats, this release includes the following new features:
Miscellaneous Changes and Enhancements
The following changes and enhancements exist in 5.2.4:
•Support for new hardware models. Cisco Security MARS Version 5.2.4 supports the new hardware models as defined in Supported Hardware.
•New license scheme for upgrade. The license scheme now supports a software only license upgrade from restricted models, such as the 110R, to full versions, such as the 110. This feature allows you to gradually grow your MARS deployment without costly hardware upgrades, and it protects your investment in time, configuration, and existing hardware.
•Support for Extended Daylight Saving Time. On March 11, 2007, the United States will adjust to Daylight Saving Time (DST) three weeks earlier than previous years and will end one week later on November 4, 2007. As per the Energy Policy Act of 2005, MARS supports this change in 5.2.4.
•Enhanced Raw Message Size Support. Raw messages up to a variable size of 1.5 MB can now be stored.
•Enhanced Raw Message Retrieval. A new background process, keywordQuerySrv, indexes and processes raw message queries. This process improves the response time. In addition, the display has been enhanced to show large events in a secondary window.
•IP Log and Trigger Packet Enhancement. Complete IPS events are stored in native XML format. A version field appears in the Packet data event header. IP logs are stored as base64-encoded text. Trigger packet data events (event type 6) and context data events (event type 7) are no longer created for new IDS/IPS events. Instead, they appear as links within the corresponding IDS/IPS event.
Note Keyword searches for strings will not match the IDS/IPS events unless those search strings are formatted as XML.
•New CLI Commands. The show healthinfo and show inventory commands are exclusive to the second generation hardware.
•Updated CLI Commands. The following commands have been updated for the second generation hardware: raidstatus, hotswap, pnstatus, and pnrestore. In addition, pnrestore now supports restoring data in time slices.
•Bug fixes. For the list of resolved issues, see Resolved Caveats - Release 5.2.4.
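The effect of the Extended Daylight Saving Time change on event timestamps, as an added example (not Cisco code and not part of the original release notes): it computes the periods in which a reporting host still using the pre-2007 US rules stamps events one hour behind correct local time. The pre-2007 rule (first Sunday in April to last Sunday in October), the 02:00 switch time, and all function names are assumptions supplied here.

```python
from datetime import date, datetime, time, timedelta

TWO_AM = time(2, 0)  # US DST transitions happen at 02:00 local time

def nth_sunday(year, month, n):
    """Date of the n-th Sunday (n >= 1) of the given month."""
    first = date(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def last_sunday(year, month):
    """Date of the last Sunday of the given month (month < 12)."""
    last = date(year, month + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

def skew_windows(year):
    """Clock readings [start, end) on a host still using the pre-2007 rules
    during which that host is one hour behind correct local time."""
    new_start = datetime.combine(nth_sunday(year, 3, 2), TWO_AM)  # extended DST begins
    old_start = datetime.combine(nth_sunday(year, 4, 1), TWO_AM)  # old rules begin DST
    old_end = datetime.combine(last_sunday(year, 10), TWO_AM)     # old rules end DST
    new_end = datetime.combine(nth_sunday(year, 11, 1), TWO_AM)   # extended DST ends
    # Autumn: the stale host has already fallen back, so its readings agree
    # again from 01:00 on the new end date. Its repeated 01:00-02:00 hour on
    # the old end date is ambiguous and is deliberately left uncorrected.
    return [(new_start, old_start), (old_end, new_end - timedelta(hours=1))]

def correct_reading(ts):
    """Return the correct local time for a naive timestamp from a stale host."""
    for start, end in skew_windows(ts.year):
        if start <= ts < end:
            return ts + timedelta(hours=1)
    return ts

if __name__ == "__main__":
    # Constructed sample readings from a hypothetical unpatched reporting host.
    samples = [datetime(2007, 3, 20, 14, 5), datetime(2007, 6, 1, 12, 0),
               datetime(2007, 10, 30, 23, 30)]
    for start, end in skew_windows(2007):
        print("skewed readings:", start, "to", end)
    for ts in samples:
        print(ts, "->", correct_reading(ts))
```

Events from hosts that were not updated for the new rules will appear an hour early relative to patched hosts inside these windows, which matters when correlating sessions across devices.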
New Vendor Signatures
The 5.2.4 release supports the same signature set as the 4.2.4 release. For details on that support, refer to the corresponding release notes as identified in Product Documentation.
The following notes apply to the MARS 5.2.4 and later releases:
•To enable monitoring support of Cisco Secure ACS, you must use pnLog Agent version 1.1 or later. Earlier versions of pnLog Agent will not work with the MARS 5.2.4 and later releases.
•Interfaces ethernet3 and ethernet4 are always down.
•USB keyboard does not work while re-imaging with DVD. Use the PS/2 port for keyboard support.
The following notes apply to the MARS 4.x and later releases:
•The performance of the Summary Page degrades when too many reports are added under My Reports. The smaller the number of reports under My Reports, the faster the Summary page loads. To ensure adequate performance, limit the number of reports to 6. This issue is partially described in CSCse18865.
•Do not use DISTINCT or SAME in queries, and do not run multi-line queries. If you run such a query, the system times out after 20 minutes without returning any results. The message "Timeout Occurred" appears instead. You can use DISTINCT and SAME in a Query to create a rule with the Query interface.
•For Symantec AntiVirus, the Symantec agent hostname (AV client computer name) appears in the "Reported User" column of the event data. Therefore, you can define a query, report or rule related to this agent based on the "Reported User" value.
•The False Positive and Query pages (multi-column result format) have changed. You can now query on firing events that triggered false positives within a time interval. Such queries will render events that did not appear on the False Positive page. To ensure performance, the False Positive page only displays false positives from the most recent 10,000 firing events. To view additional false positives, you must perform a query.
The following notes describe new behavior based on the resolution of specific caveats. Be sure to check the upgrade notes for each release for important notes on data migration.
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
To become a registered cisco.com user, go to the following website:
Open Caveats - Release 5.2.4
The following caveats affect this release and are part of supported devices or compatible products:
The following caveats affect this release and are part of MARS.
Resolved Caveats - Release 5.2.4
The following customer-found or previously release-noted caveats have been resolved in this release.
Resolved Caveats - Releases Prior to 5.2.4
For the list of caveats resolved in releases prior to this one, see the following documents:
For the complete list of documents supporting this release, see the release-specific document roadmap:
•Cisco Secure MARS Documentation Guide and Warranty
Lists document set that supports the MARS release and summarizes contents of each document.
For general product information, see:
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
© 2007 Cisco Systems, Inc. All rights reserved.