Release Notes for Cisco Security MARS Appliance 5.2.7
Revised: October 25, 2007, OL-14222-01
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (MARS), Version 5.2.7 running on any Local Controller or on any Global Controller. They provide the following information:
•Obtaining Documentation, Obtaining Support, and Security Guidelines
Introduction
Version 5.2.7 is now available as an upgrade from version 5.2.4 in support of the second-generation MARS Appliance models identified in Supported Hardware.
Caution Do not attempt to apply 5.2.x versions to MARS 20, 20R, 50, 110, 110e, 200, GC, or GCR models. These versions are supported exclusively by the models listed in Supported Hardware.
Registered SMARTnet users under the can obtain version 5.2.7 from the Cisco support website at:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars
Supported Hardware
Cisco Security MARS Version 5.2.7 supports the following Cisco Security MARS Appliance models:
Local Controller Appliances
•Cisco Security MARS 110 (CS-MARS-110-K9)
•Cisco Security MARS 110R (CS-MARS-110R-K9)
•Cisco Security MARS 210 (CS-MARS-210-K9)
Global Controller Appliances
•Cisco Security MARS GC2 (CS-MARS-GC2-K9)
New Features
In addition to resolved caveats, this release includes the following new features:
•Miscellaneous Changes and Enhancements
Miscellaneous Changes and Enhancements
The following changes and enhancements exist in 5.2.7:
•Oracle 10g Support. Previously, MARS supported only Oracle 9i. Support for 10g has been added.
•Snort 2.6 Support. Previously, MARS supported only Snort 2.0. Support has been added for versions up to and including 2.6; however, all versions of Snort are selected using the same Snort 2.0 value in the drop-down list when you add a software application to a host under Security and Monitoring Devices. No new options were defined.
•Update to 3rd-party vulnerability assessment signature sets. This release includes many new vendor signatures, updating the 3rd-party signature support. For more information on the updates, see New Vendor Signatures.
•Bug fixes. For the list of resolved issues, see Resolved Caveats - Release 5.2.7.
New Vendor Signatures
The following table describes the most recent signatures supported for each product or technology:
| Revised in 5.2.7 | Product | Signature Version Supported |
| --- | --- | --- |
| Yes | Cisco IDS 4.0, Cisco IPS 5.x, Cisco IOS 12.2 | Current through S291 signature release. |
| Yes | McAfee Entercept HIDS 6.x | Current through the June 11, 2007 signature release. |
| Yes | ISS RealSecure Network Sensor 6.5 and 7.0, and ISS RealSecure Server Sensor 6.5 and 7.0 | XPU 27.010. Release date: May 8, 2007 |
| Yes | McAfee IntruShield NIDS 1.8, McAfee Network Intruvert v 2.1.9.104 | 2.1.68.5. Release date: June 12, 2007 |
| Yes | Snort NIDS 2.6.1 | Current through the May 14, 2007 signature release |
| No | Netscreen IDP 2.1 | Signature version: 2.1 r7. Release date: March 10, 2007 |
| Yes | Enterasys Dragon 6.x, 7.x | Current through the June 9, 2007 signature release. |
| No. EOS. | Symantec Manhunt 3.x (See Symantec NIDS, v 4.0.) | 3.4.3 Update 59. Current through the May 24, 2007 signature release. |
| Yes | Symantec NIDS, v 4.0 | Signature package: 80, 81. Release date: May 9, 2007, May 24, 2007 respectively |
| Yes | Qualys QualysGuard 3.x, 4.7.161-1 | Current through the June 10, 2007 signature release. |
| Yes | E-Eye, Retina Scanner Vulnerability Software, version 5.61 | Current through the June 11, 2007 signature release. |
| Yes | Foundstone, version 4.x | Current through the June 14, 2007 signature release. |
| Yes | CheckPoint Application Intelligence (VPN-1 NG with Application Intelligence R55) | Current through the April 26, 2007 signature release |
| Yes | Common Vulnerabilities and Exposures (CVE) Database | Current with the May 10, 2007 definition update. |
1 eEye REM 1.0 is supported in 4.2x.
Upgrade Instructions
The MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As administrator of the MARS Appliance, you should check the upgrade site regularly for patch upgrades. In addition to addressing high-priority caveats, patch upgrade packages update system inspection rules and event types and provide the most recent signature support.
For detailed instructions on planning and performing an upgrade or install, refer to Checklist for Upgrading the Appliance Software in the Install and Setup Guide for Cisco Security MARS 5.x.
Important Upgrade Notes
To ensure that the upgrade from earlier versions is trouble free, this section contains the notes provided in previous releases, organized by release number. Please refer to the notes that pertain to the release you are upgrading from and any releases following that one.
Upgrade to 5.2.8 (2591)
CSCsk77372 - 5.2.7, 5.2.8 missing parameter file needed for archiving and restore
Issue: Customers who upgraded from MARS 5.2.4 (2487) to 5.2.7 (2555) and then to 5.2.8 (2590) are missing a parameter file required for the archiving feature.
Verify Issue: To confirm you have upgraded from 5.2.4 (2487) to 5.2.7 (2555) or from 5.2.7 (2555) to 5.2.8 (2590), enter the following command at the command console and check the last line of the output:
pnupgrade log
Resolution: A new 5.2.7 (2556) upgrade package and a new 5.2.8 (2591) patch are available for customers who have downloaded and applied the faulty 5.2.7 (2555) and 5.2.8 (2590) upgrade packages. All packages can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars
To apply these new packages, follow this step:
•If you are running 5.2.8 (2590), download and upgrade to the package named csmars-5.2.8.2591.pkg. Verify the system is running version 5.2.8 (2591).
Upgrade to 5.2.7 (2556)
Note There were no upgrades to 5.2.5 or 5.2.6; only 5.2.4 directly to 5.2.7.
CSCsk77372 - 5.2.7, 5.2.8 missing parameter file needed for archiving and restore
Issue: Customers who upgraded from MARS 5.2.4 (2487) to 5.2.7 (2555) and then to 5.2.8 (2590) are missing a parameter file required for the archiving feature.
Verify Issue: To confirm you have upgraded from 5.2.4 (2487) to 5.2.7 (2555) or from 5.2.7 (2555) to 5.2.8 (2590), enter the following command at the command console and check the last line of the output:
pnupgrade log
Resolution: A new 5.2.7 (2556) upgrade package and a new 5.2.8 (2591) patch are available for customers who have downloaded and applied the faulty 5.2.7 (2555) and 5.2.8 (2590) upgrade packages. All packages can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars
To apply these new packages, follow the appropriate step:
•If you are running 5.2.4 (2487), when upgrading to 5.2.7, download and upgrade using the package named csmars-5.2.7.2556.pkg. Verify the system is running version 5.2.7 (2556). If desired, you can then upgrade to the package named csmars-5.2.8.2591.pkg.
•If you are running 5.2.7 (2555), download and upgrade to the package named csmars-5.2.7.2556.pkg.
Note The time to upgrade from 5.2.7 (2555) to 5.2.7 (2556) is shorter than normal because it only patches the files that must be updated.
Verify the system is running version 5.2.7 (2556). If desired, you can then upgrade to the package named csmars-5.2.8.2591.pkg.
Note If the archive was running on the appliance prior to the upgrade, you must manually restart the archive process after this patch is applied. To restart the archive process, click Start on the Data Archiving page, which is accessible via Admin > System Maintenance > Data Archiving.
Required Upgrade Path
When upgrading from one software version to another, a prerequisite version is always required. This prerequisite version is the minimum level required to be running on the appliance before you can upgrade to the most recent version. Table 1 identifies the upgrade path that you must follow to reach the minimum level required to upgrade to the current version.
Table 1 Upgrade Path Matrix
| From Version | Upgrade To | Upgrade Package |
| --- | --- | --- |
| 5.2.4 | 5.2.7 | csmars-5.2.7.2556.pkg |
Important Notes
The following notes apply to the MARS 5.2.4 and later releases:
•To enable monitoring support of Cisco Secure ACS, you must use pnLog Agent version 1.1 or later. Earlier versions of pnLog Agent will not work with the MARS 5.2.4 and later releases.
•Interfaces ethernet3 and ethernet4 are always down.
•USB keyboard does not work while re-imaging with DVD. Use the PS/2 port for keyboard support.
The following notes apply to the MARS 4.x and later releases:
•The performance of the Summary Page degrades when too many reports are added under My Reports. The smaller the number of reports under My Reports, the faster the Summary page loads. To ensure adequate performance, limit the number of reports to 6. This issue is partially described in CSCse18865.
•Do not use DISTINCT or SAME in queries, and do not run multi-line queries. If you run such a query, the system times out after 20 minutes without returning any results. The message "Timeout Occurred" appears instead. You can use DISTINCT and SAME in a Query to create a rule with the Query interface.
•For Symantec AntiVirus, the Symantec agent hostname (AV client computer name) appears in the "Reported User" column of the event data. Therefore, you can define a query, report or rule related to this agent based on the "Reported User" value.
•The False Positive and Query pages (multi-column result format) have changed. You can now query on firing events that triggered false positives within a time interval. Such queries will render events that did not appear on the False Positive page. To ensure performance, the False Positive page only displays false positives from the most recent 10,000 firing events. To view additional false positives, you must perform a query.
The following notes describe new behavior based on the resolution of specific caveats. Be sure to check the upgrade notes for each release for important notes on data migration.
Caveats
This section describes the open and resolved caveats with respect to this release.
•Resolved Caveats - Release 5.2.7
•Resolved Caveats - Releases Prior to 5.2.7
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 5.2.7
The following caveats affect this release and are part of supported devices or compatible products:
The following caveats affect this release and are part of MARS.
Resolved Caveats - Release 5.2.7
The following customer-found or previously release-noted caveats have been resolved in this release.
Resolved Caveats - Releases Prior to 5.2.7
For the list of caveats resolved in releases prior to this one, see the following documents:
http://www.cisco.com/en/US/products/ps6241/prod_release_notes_list.html
Product Documentation
For the complete list of documents supporting this release, see the release-specific document roadmap:
•Cisco Secure MARS Documentation Guide and Warranty
http://www.cisco.com/en/US/products/ps6241/products_documentation_roadmaps_list.html
Lists the document set that supports the MARS release and summarizes the contents of each document.
For general product information, see:
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
© 2007 Cisco Systems, Inc. All rights reserved.