Table Of Contents
Release Notes for Cisco Security MARS Appliance 5.3.1
Revised: October 30, 2007, OL-14669-01
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (MARS), Version 5.3.1 running on any supported Local Controller or Global Controller as defined in Supported Hardware. They provide the following information:
Version 5.3.1 is now available as an upgrade of 5.2.8 of your software release in support of the second generation MARS Appliance models as identified in Supported Hardware.
Caution Do not attempt to apply 5.3.x versions to MARS 20, 20R, 50, 100, 100e, 200, GC, or GCR models. It is supported exclusively by the models listed in Supported Hardware.
Registered SMARTnet users under the can obtain version 5.3.1 from the Cisco support website at:
Cisco Security MARS Version 5.3.1 supports the following Cisco Security MARS Appliance models:
Local Controller Appliances
•Cisco Security MARS 110R (CS-MARS-110R-K9)
•Cisco Security MARS 110 (CS-MARS-110-K9)
•Cisco Security MARS 210 (CS-MARS-210-K9)
Global Controller Appliances
•Cisco Security MARS GC2R (CS-MARS-GC2R-K9)
•Cisco Security MARS GC2 (CS-MARS-GC2-K9)
In addition to resolved caveats, this release includes the following new features:
Data Migration Support
Beginning with this release, you can migrate configuration and event data from a MARS Appliance running 4.x to a newer model running 5.x. For detailed instruction on how to perform this operation, see Migrating Data from Cisco Security MARS 4.x to 5.3.x. at the following URL:
Centralized Password Management—External AAA Server Support
External Authentication, Authorization, and Auditing (AAA) servers can now act as the authentication mechanism for MARS Appliance GUI logins (username and password). Previously, each MARS Appliance authenticated login name/password combinations with the appliance's local user database. Release 5.3.1 supports the following external RADIUS AAA servers:
•Cisco Secure Access Control Server (ACS)
•Microsoft Internet Authentication Service (IAS) Server
•Juniper Networks Steel belted RADIUS
Further Information is available at the following URL:
Account Locking—Login Security
Previously, MARS Appliances permitted an unlimited number of login attempts. With Release 5.3.1, the adminstrator can configure the GUI to lock after a specified number of failed login attempts, or can configure the GUI to never lock. To set the Account Lockout Policy, navigate to the AAA configuration page (Admin > System Setup > Authentication Configuration).
The administrator can unlock accounts form the User Management page
(Management > User Management), or with the new unlock CLI command.
Note Per Open Caveat CSCsk31615 in Release 5.3.1, when MARS fails in an attempt to connect to a specified external AAA server, MARS behaves as if the user had performed a failed login. This can result in users being locked out of the GUI even when they are entering the correct login name and password combination. For example, if three AAA servers are specified, and all three attempts to connect to them fail, and the Maximum Login Failures parameter is set to 3, the user will be locked out of the GUI with one valid login attempt. This behavior will change in a future release.
Further information is available at the following URL:
Monitoring Global Controller Connection Status from the Local Controller
Previously, the connection status between a Local Controller and a Global Controller was reported on the Global Controller's Zone Controller Information page
(Admin > System Setup > Local Controller Management).
With Release 5.3.1, the Local Controller now generates syslogs to record communication problems caused by the following events:
•Local Controller cannot connect to the Global Controller
•Local Controller certificate is not on the Global Controller or vice versa
•Local Controller and Global Controller are operating with incompatible MARS release versions
Release 5.3.1 defines seven new events, three new system rules, and two new system reports on the Local Controller to monitor the connection status with the Global Controller.
Further information is available at the following URL:
GUI and CLI Timeout Interval
Previously, the GUI would timeout after 30 minutes of inactivity. With Release 5.3.1, the timeout interval for the GUI can be set at 15, 30 (default), 45, and 60 minutes, or as Never (never will timeout). Different GUI timeout intervals can be set for the Administrator, Security Analyst. and Operator roles. The Administrator parameter also sets the CLI timeout.
To access the Timeout Configuration page, navigate to Admin > System Parameters > Timeout Settings.
Support for Cisco IPS 6.0 Dynamic Signature Updates
This feature downloads new signatures from CCO and correctly process and categorize received events that match those signatures, which includes them in inspection rules and reports. These updates provide event normalization and event group mapping, and they enable your MARS Appliance to parse day zero signatures from the IPS devices.
By default, this feature is enabled and requires you to configure it. If you do not configure it, the following rule fires:System Rule: CS-MARS IPS Signature Update Failure
This rule fires daily until you configure the feature. To address the issue identify by this firing rule, do one of the following:
•Specify the username and password pair to use when pulling the signature updates from CCO.
•Specify a local server where the MARS-IPS packages reside in the URL for Signature update field.
•Disable the feature.
For information on configuring the feature, see IPS Signature Dynamic Update Settings.
Miscellaneous Changes and Enhancements
The following changes and enhancements exist in 5.3.1:
•Global Controller-to-Local Controller Communication Enhancements. Enhancements include more efficient data batches, reduced transfer times, and a prioritization on recent data. If a data backlog occurs due to a Global Controller-to-Local Controller disconnect, the Local Controller sends recent data first and stays in sync with new data coming in. The Local Controller catches up with older data over time.
•Syslog Forwarding. Designate a syslog collector and forward syslog messages received from one or more IP addresses to that collector. See the syslogrelay setcollector,syslogrelay src, and syslogrelay list commands in Appendix A: Command Reference in the Install and Setup Guide for Cisco Security MARS. See "Syslog Relay Support" in Chapter 2: Reporting and Mitigation Devices Overview of the User Guide for Cisco Security MARS Local Controller.
•Password Management Enhancement. Non-administrative users can change the password associated with their account. Previously, editing a MARS user was considered an administrative task and limited to those accounts with the admin role.
•Raw Message Log Enhancement. To view and delete queries in the local cache, click the View Cache button on the Retrieve Raw Messages page accessed from Admin > System Maintenance > Retrieve Raw Messages.Previously, queries were purged automatically every two weeks; this feature helps avoid disk space shortages that could occur before that period elapsed.
•GC2R Support. The 4.3.1 and 5.3.1 releases are interoperable, allowing the GC2R to manage Local Controllers running 4.3.1 on the following models: MARS 20R, MARS 20, and MARS 50.
•Enhanced Cisco Device Support:
–PIX / ASA 7.2
–CSA 5.0, 5.1, and 5.2
–Cisco IOS Release 12.4(11)T through IOS Release 12.4(11)T4
–FWSM 3.1.3 and 3.1.5
•Enhanced 3rd-Party Device Support.
–ISS Site Protector 2.0
–CheckPoint R61, R62, and R65.
•Update to intrusion prevention, and intrusion detection, and vulnerability assessment signature sets. This release includes new vendor signatures, updating the 3rd-party signature support. For more information on the updates, see New Vendor Signatures
•Bug fixes. For the list of resolved issues, see Resolved Caveats - Release 5.3.1.
New Vendor Signatures
The following table describes the most recent signatures supported for each product or technology:
Revised in 5.3.1 Product Signature Version Supported Intrusion Prevention and Detection Signatures
Cisco IDS 4.0,
Cisco IPS 5.x,
Cisco IOS 12.2
Current through S299 signature release.
Snort NIDS 2.6.1
Current through the July 7, 2007 signature release
ISS RealSecure Network Sensor 6.5 and 7.0, and ISS RealSecure Server Sensor 6.5 and 7.0
Release date: May 8, 2007
McAfee IntruShield NIDS 1.8
McAfee Network Intruvert v 188.8.131.52
Release date: June 12, 2007
McAfee Entercept HIDS 6.x
Current through the August 21, 2007 signature release.
CheckPoint Application Intelligence
(VPN-1 NG with Application Intelligence R55)
Current through the August 6, 2007 signature release
Netscreen IDP 2.1
Signature version: 2.1 r7.
Release date: March 10, 2007
Enterasys Dragon 6.x, 7.x
Current through the July 3, 2007 signature release.
Symantec NIDS, v 4.0
Signature package: 84
Release date: July 15, 2007
Symantec Manhunt 3.x
(See Symantec NIDS, v 4.0.)
3.4.3 Update 59
Current through the May 24, 2007 signature release.
Vulnerability Scanner Signatures
Qualys QualysGuard 3.x, 4.7.161-1
Current through the August 17, 2007 signature release.
E-Eye, Retina Scanner Vulnerability Software, version 5.61
Current through the August 20, 2007 signature release.
Foundstone, version 4.x
Current through the August 23, 2007 signature release.
Common Vulnerabilities and Exposures (CVE) Database
Current with the August 15, 2007 definition update.
1 eEye REM 1.0 is supported in 4.2x.
The MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As administrator of the MARS Appliance, you should check the upgrade site regularly for patch upgrades. In addition to addressing high-priority caveats, patch upgrade packages update system inspection rules, event types, and provide the most recent signature support.
For detailed instructions on planning and performing an upgrade or install, refer to Checklist for Upgrading the Appliance Software in the Install and Setup Guide for Cisco Security MARS 5.x.
Important Upgrade Notes
To ensure that the upgrade from earlier versions is trouble free, this section contains the notes provided in previous releases according the release number. Please refer to the notes that pertain to the release you are upgrading from and any releases following that one.
Upgrade to 5.3.1
Beginning with the 4.3.1 and 5.3.1 releases, the dynamic IPS signature updates (if enabled) is an aspect of the version of software running on a MARS Appliance. Therefore, in addition to running the same MARS software versions on the Global Controller and Local Controller, the IPS signature version must match or the communications fail.
In a Global Controller-Local Controller deployment, configure the dynamic signature URL and all relevant settings on the Global Controller. When the Global Controller pulls the new signatures from CCO, all managed Local Controllers download the new signatures from the Global Controller.
In addition, CSCsk90015 states that any reporting device representing a Cisco ACS 3.x device that exists prior to the 5.3.1 upgrade is deleted during the upgrade. To resolve the issue after upgrade, you must the remove the reporting device from the host and re-add that device again as Cisco Secure ACS 3.x .
An example process is as follows:
1. Click Admin > Security and Monitor Devices, select the host with Cisco ACS 3.x as a reporting application and click Edit.
2. Select the Reporting Applications tab, and then blank link and click Remove.
3. After removing the blank link, re-add Cisco Secure ACS 3.x application to that host and click Activate.
Upgrade to 5.2.8
The upgrade is from 5.2.7 to 5.2.8. No important notes exist for this release.
Upgrade to 5.2.7
The upgrade is from 5.2.4 to 5.2.7; no 5.2.5 or 5.2.6 releases exist.
Required Upgrade Path
When upgrading from one software version to another, a prerequisite version is always required. This prerequisite version is the minimum level required to be running on the appliance before you can upgrade to the most recent version. Table 1 identifies the upgrade path that you must follow to reach the minimum level required to upgrade to current version.
Table 1 Upgrade Path Matrix
From Version Upgrade To Upgrade Package
The following notes apply to the MARS 5.2.4 and later releases:
•To enable monitoring support of Cisco Secure ACS, you must use pnLog Agent version 1.1 or later. Earlier versions of pnLog Agent will not work with the MARS 5.2.4 and later releases.
•Interfaces ethernet3 and ethernet4 are always down.
•USB keyboard does not work while re-imaging with DVD. Use the PS/2 port for keyboard support.
The following notes apply to the MARS 4.x and later releases:
•The performance of the Summary Page degrades when too many reports are added under My Reports. The smaller the number of reports under My Reports, the faster the Summary page loads. To ensure adequate performance, limit the number of reports to 6. This issue is partially described in CSCse18865.
•Do not to use DISTINCT or SAME in queries, and do not run multi-line queries. If you run such a query, the system time outs after 20 minutes without returning any results. The message "Timeout Occurred" appears instead. You can use DISTINCT and SAME in a Query to create a rule with the Query interface.
•For Symantec AntiVirus, the Symantec agent hostname (AV client computer name) appears in the "Reported User" column of the event data. Therefore, you can define a query, report or rule related to this agent based on the "Reported User" value.
•The False Positive and Query pages (multi-column result format) have changed. You can now query on firing events that triggered false positives within a time interval. Such queries will render events that did not appear on the False Positive page. To ensure performance, the False Positive page only displays false positives from the most recent 10,000 firing events. To view additional false positives, you must perform a query.
The following notes describe new behavior based on the resolution of specific caveats. Be sure to check the upgrade notes for each release for important notes on data migration.
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
To become a registered cisco.com user, go to the following website:
Open Caveats - Release 5.3.1
The following caveats affect this release and are part of supported devices or compatible products:
The following caveats affect this release and are part of MARS.
Resolved Caveats - Release 5.3.1
The following customer found or previously release noted caveats have been resolved in this release.
Resolved Caveats - Releases Prior to 5.3.1
For the list of caveats resolved in releases prior to this one, see the following documents:
For the complete list of documents supporting this release, see the release-specific document roadmap:
•Cisco Secure MARS Documentation Guide and Warranty
Lists document set that supports the MARS release and summarizes contents of each document.
For general product information, see:
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0612R)
© 2007 Cisco Systems, Inc. All rights reserved.