Cisco Security Monitoring, Analysis and Response System

Release Notes for Cisco Security MARS Appliance 6.0.1



Published Date: September 14, 2008
Revised Date: July 24, 2009

Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (MARS), Release 6.0.1 running on any supported Local Controller or Global Controller as defined in Supported Hardware.

This chapter contains the following topics:

Introduction

Supported Hardware

New Features

Upgrade Instructions

Documentation Errata

Important Notes

Caveats

Product Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Introduction

Release 6.0.1 is now available as an upgrade from software releases 5.3.6 and 4.3.6, in support of the second generation MARS Appliance models as identified in Supported Hardware. Registered SMARTnet users can obtain release 6.0.1 from the Cisco support website at:

http://www.cisco.com/go/mars/

Then click the Download Software link in the Support box on the right side of the MARS product home page.

Supported Hardware

Release 6.0.1 supports the following Cisco Security MARS Appliance models:

Local Controller Appliances: 2nd Generation

Cisco Security MARS 25R (CS-MARS-25R-K9)

Cisco Security MARS 25 (CS-MARS-25-K9)

Cisco Security MARS 55 (CS-MARS-55-K9)

Cisco Security MARS 110R (CS-MARS-110R-K9)

Cisco Security MARS 110 (CS-MARS-110-K9)

Cisco Security MARS 210 (CS-MARS-210-K9)

Local Controller Appliances: 1st Generation

Cisco Security MARS 20R (CS-MARS-20R-K9)

Cisco Security MARS 20 (CS-MARS-20-K9)

Cisco Security MARS 50 (CS-MARS-50-K9)

Cisco Security MARS 100e (CS-MARS-100E-K9)

Cisco Security MARS 100 (CS-MARS-100-K9)

Cisco Security MARS 200 (CS-MARS-200-K9)

Global Controller Appliances: 2nd Generation

Cisco Security MARS GC2R (CS-MARS-GC2R-K9)

Cisco Security MARS GC2 (CS-MARS-GC2-K9)

Global Controller Appliances: 1st Generation

Cisco Security MARS GCR (CS-MARS-GCR-K9)

Cisco Security MARS GC (CS-MARS-GC-K9)

New Features

In addition to resolved caveats, this release includes the following new features:

This section contains the following topics:

Miscellaneous Changes and Enhancements

New Vendor Signatures

Miscellaneous Changes and Enhancements

The following changes and enhancements exist in 6.0.1:

Consolidated Software Release—This software release, 6.0.1, runs on any MARS Appliance model that has shipped prior to June 2008 (1st and 2nd generation appliances). This change allows you to manage your future upgrade processes uniformly, rather than managing a 4.x and 5.x image separately.

You can now migrate a MARS Appliance from 4.x to 6.0.1, as well as upgrade from 5.3.6 to 6.0.1. For details on migrating from 4.x to 6.0.1, see Migrating Data from Cisco Security MARS 4.x to 6.0.1.

Upgrade Management—The ability to pull updates from the Cisco Software Downloads site or an internal server and apply them consistently across the MARS appliances on your network. Whether operating as a standalone Local Controller, or via a managed upgrade performed by the Global Controller, MARS now simplifies this operation and identifies the type of upgrade that has been downloaded (system upgrade versus signature updates). Includes support for on-demand and scheduled upgrades.

Device Support Framework—This feature enables the definition, export, and import of packages that describe a new device type. Specifically, it defines the device type, event parsing rules, inspection rules, and reports. You can export and reuse these packages across multiple Local Controllers and Global Controllers.

Cisco IPS TR/RR Support—This feature includes support for threat rating (TR) and risk rating (RR) attributes found in Cisco IPS solutions. Specifically, it adds two additional columns to inspection rules and event details: IPS Risk Rating and IPS Threat Rating. These new columns also appear in the "All Matching Events" query and report, as well as the CSV export form of the report.

In inspection rules, you can specify one of the following values for the IPS Risk Rating and the IPS Threat Rating attributes:

Match any event—Matches events with or without rating (ignore this field).

Match events without a Rating—Matches only those events without a rating.

Match events with a Rating—Allows you to specify a range of values or to select equal to, not equal to, greater than, lesser than, greater than or equal to, and lesser than or equal to and then specify the value.

Select the check box under the option to also include events without a rating.


Note: You can only perform an event query. There is no session query or LLV support for IPS RR/TR.


The following exceptions exist to this feature support:

CSCso60975—In a query for All Matching Sessions, the IPS TR and IPS RR columns are missing in the results.

CSCso60384—In a query for All Matching Events LLV raw events, the IPS TR and IPS RR columns do not appear in the results. The IPS TR and IPS RR columns are present for the LLV sessionized events query.

CSCso64832—For the query results All Matching Sessions - Custom Columns, the IPS TR and RR fields are not included in the pull down options.

Support for Internet Explorer 7.x—The MARS web interface is verified to run correctly on Microsoft® Internet Explorer 7.x.

New Cisco Device Support—Support for the following new device types or versions is included:

IOS 12.4(6)T - Zone-based Firewall

Cisco IPS 6.x virtual sensor support

ASA/PIX 7.2.3 and 7.2.4

ASA/PIX 8.0.3

ASA 8.1/5580 with NetFlow 9 support

Cisco Secure Access Control Server 4.1.3

FWSM 3.1.8

CSC-SSM 6.1 and 6.2

Cisco Clean Air 4.1.3

Cisco WLAN 5.0

Cisco Security Agent 6.0

New 3rd-Party Device Support—Support for the following new device types or versions is included:

Juniper Netscreen FW 5.4 and 6.0

McAfee Foundstone 5.0 and 6.0

McAfee ePolicy Orchestrator 3.6.x and 4.0 (McAfee AntiVirus 8.x supported through ePO)

McAfee Intrushield 4.1

CSV Export Enhancements—Export of reports beginning with #s is now supported.

Rule Enhancements—Rules can now be deleted, and the audit log of which user deleted the rule is maintained by MARS. Rules now support up to 20 keywords. You can no longer create rules without defining a name for the rule. You can apply the Change Status action to multiple rules at the same time.

Performance Enhancement for Batch Queries and Reports—This enhancement reduces the time required to generate batch queries and reports in many situations. As a result, you may notice that many batch queries and reports take significantly less time to complete. (CSCsm39521)

Performance Enhancement for Inline Queries, Batch Queries and Reports—This enhancement reduces the time required to generate queries and reports in many situations. As a result, you may notice that many queries and reports take significantly less time to complete. (CSCsm22541)

New Vendor Signatures

The following table describes the most recent signatures supported for each product or technology:


Tip: For full details on supported devices and versions, see Supported and Interoperable Devices and Software for Cisco Security MARS Local Controller 6.0.x.

Intrusion Prevention and Detection Signatures

| Revised in 6.0.1 | Product | Signature Version Supported |
| --- | --- | --- |
| Yes | Cisco IDS 4.0, Cisco IPS 5.x, Cisco IPS 6.x, Cisco IOS 12.2 | Current through S330 signature release. |
| Yes | Snort NIDS 2.8 | Current through the August 12, 2008 signature release. Latest signature mapped: 13953. |
| Yes | ISS RealSecure Network Sensor 6.5 and 7.0, and ISS RealSecure Server Sensor 6.5 and 7.0 | XPU 28.130. Release date: August 12, 2008 |
| Yes | McAfee IntruShield 4.1 | 4.1.30.4. Release date: August 12, 2008 |
| Yes | McAfee Entercept HIDS 2.5, 4.0, 6.x | Current through the August 4, 2008 signature release. |
| Yes | CheckPoint Application Intelligence (VPN-1 NG with Application Intelligence R55) | Current through the August 12, 2008 signature release. |
| Yes | Netscreen IDP 2.1, 3.0, 3.1, 4.0, 4.1 | Signature version: 4.1. Release date: August 11, 2008 |
| Yes | Symantec NIDS, v 4.0 | Signature package: 95. Release date: June 12, 2008 |
| Yes | Enterasys Dragon 6.x, 7.x | Current through the August 13, 2008 signature release. |
| No. EOS. | Symantec Manhunt 3.x (See Symantec NIDS, v 4.0.) | 3.4.3 Update 59. Current through the May 24, 2007 signature release. |

Vulnerability Scanner Signatures

| Revised in 6.0.1 | Product | Signature Version Supported |
| --- | --- | --- |
| Yes | Qualys Guard ANY | Current through the August 12, 2008 signature release. |
| Yes | E-Eye, Retina Scanner Vulnerability Software, version 5.6 (1) | Current through the August 11, 2008 signature release. |
| Yes | Foundstone, version 3.x | Current through the August 11, 2008 signature release. |
| Yes | Common Vulnerabilities and Exposures (CVE) Database | Current with the August 13, 2008 definition update. |

Miscellaneous Support

| Revised in 6.0.1 | Product | Signature Version Supported |
| --- | --- | --- |
| No | Oracle 11g | Support for new AUDIT_ACTIONS. |

(1) eEye REM 1.0 is supported in 4.2.x.

Upgrade Instructions

The MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As administrator of the MARS Appliance, you should check the upgrade site regularly for patch upgrades. In addition to addressing high-priority caveats, patch upgrade packages update system inspection rules and event types, and provide the most recent signature support.

For detailed instructions on planning and performing an upgrade or install, refer to "Checklist for Upgrading the Appliance Software" in the Cisco Security MARS Initial Configuration and Upgrade Guide.

Important Upgrade Notes

To ensure that the upgrade from earlier releases is trouble free, this section contains the notes provided in previous releases according to the release number. Please refer to the notes that pertain to the release you are upgrading from and any releases following that one.

General Notes

The MARS Appliance performs a file system consistency check (fsck) on all disks when either of the following conditions is met:

If the system has not been rebooted during the past 180 days.

If the system has been rebooted 30 times.

The fsck operation takes a long time to complete, which can result in significant unplanned downtime when rebooting the system after meeting a condition above. For example, a MARS 50 appliance can take up to 90 minutes to perform the operation.

Upgrade to 6.0.1

The upgrade process to 6.0.1 differs based on the release you are upgrading from. If you are upgrading a 5.x release, then you can upgrade to 6.0.1 if you are running 5.3.6. The upgrade from 5.3.6 to 6.0.1 takes several hours, as it also upgrades the Oracle database running on the appliance. If you are running an earlier 5.x version, you must first upgrade to 5.3.6 (see Upgrade to 5.3.6 for details).

However, if you are upgrading a 4.x release, you must migrate the system instead of upgrading. To migrate from a 4.x release, you must follow the step-by-step instructions specified in Migrating Data from Cisco Security MARS 4.x to 6.0.1.


Note: When upgrading a "restricted" model of MARS appliance (20R, 100e, or GCm) to MARS Software release 6.0.1, all limits enforced by the restricted model will be ignored. The "restricted" models will perform as unrestricted models (20, 100, or GC) once upgraded to release 6.0.1.


Upgrade to 5.3.6

For notes that are specific to the upgrade to the 5.3.6 release, as well as all previous 5.x releases, see the Release Notes for Cisco Security MARS Appliance 5.3.6.

Upgrade to 4.3.6

For notes that are specific to the upgrade to the 4.3.6 release, as well as all previous 4.x releases, see the Release Notes for Cisco Security MARS Appliance 4.3.6.

Upgrade Path Matrix

When upgrading from one software release to another, a prerequisite release is always required. This prerequisite release is the minimum level required to be running on the appliance before you can upgrade to the most recent release. Table 1 identifies the upgrade path that you must follow to reach the minimum level required to upgrade to the current release.

Table 1 Upgrade Path Matrix

| From Release | Upgrade To | Upgrade Package |
| --- | --- | --- |
| 4.3.6 | 6.0.1 | Migration required. See Migrating Data from Cisco Security MARS 4.x to 6.0.1 |
| 5.3.6 | 6.0.1 | csmars-6.0.1.pkg |


Downloading the Upgrade Package from CCO

Upgrade images and supporting software are found on the CCO software download pages dedicated to MARS. You can access these pages at the following URLs, assuming you have a valid CCO account and that you have registered your SMARTnet contract number for your MARS Appliance.

Top-level page:

http://www.cisco.com/go/mars/

Then click the Download Software link in the Support box on the right side of the MARS product home page.

Result: The Download Software page loads.

From this top-level page, you can select one of the following options:

CS-MARS IPS Signature Updates Archives

CS-MARS IPS Signature Updates

CS-MARS Patches and Utilities (supplementary files)

CS-MARS Recovery Software

CS-MARS Upgrade Packages


Note: If you are upgrading from a release earlier than those posted on CCO, please contact Cisco support for information on obtaining the required images. Do not attempt to skip releases along the upgrade path.


For information on obtaining a CCO account, see the following URL:

http://www.cisco.com/en/US/applicat/cdcrgstr/applications_overview.html

Documentation Errata

CSCsl14244. User guide does not discuss role of Nessus in the MARS system.

To determine whether specific incidents are false positives, MARS uses Nessus 2.x GPL plug-ins and custom scripts mapped to specific MARS event types. MARS does not use Nessus to perform vulnerability assessments or related reporting.

MARS uses Nessus as one component in determining false positives. When a host resides on a network listed under "Networks for Dynamic Vulnerability Scanning", MARS uses Nessus to help ascertain whether an attack targeting that host was likely to be successful. When an event does not have a corresponding Nessus Attack Scripting Language (NASL) script, MARS uses nmap OS fingerprinting to determine the destination operating system type, and uses nmap-found-OS to match known operating systems affected by the attack.

CSCsk77546. Discovery Device with SSH 512 module not supported.

The OpenSSH client used by MARS does not support modulus sizes smaller than 768. For example, you cannot discover a device using an SSH login that has a 512-byte key.
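
A pre-discovery check for the limit described in CSCsk77546, as an added example (not Cisco or MARS code): it parses `ssh-rsa` public keys from `host keytype base64` lines, the layout `ssh-keyscan` prints, and flags moduli below 768. It assumes the limit is counted in bits, as OpenSSH counts RSA modulus sizes; the function names, sample hosts and sample keys are constructed for illustration.

```python
import base64
import struct

# Minimum RSA modulus size accepted by the OpenSSH client, per the erratum.
# Assumption: the limit is a bit length, which is how OpenSSH counts it.
MIN_MODULUS_BITS = 768


def _read_field(blob, offset):
    """Read one length-prefixed SSH wire-format field; return (data, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key blob")
    return blob[offset + 4:end], end


def rsa_modulus_bits(b64_blob):
    """Return the RSA modulus size in bits for a base64 'ssh-rsa' public key blob."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, offset = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    _exponent, offset = _read_field(blob, offset)
    modulus, _ = _read_field(blob, offset)
    # The mpint may carry a leading zero sign byte; bit_length() ignores it.
    return int.from_bytes(modulus, "big").bit_length()


def audit_host_keys(lines, minimum=MIN_MODULUS_BITS):
    """Classify 'host keytype base64' lines; return a list of (host, bits, verdict)."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            report.append((parts[0], None, "malformed line"))
            continue
        host, key_type, b64_blob = parts[:3]
        if key_type != "ssh-rsa":
            report.append((host, None, "not RSA, not checked"))
            continue
        try:
            bits = rsa_modulus_bits(b64_blob)
        except ValueError as exc:  # also covers invalid base64
            report.append((host, None, "unparseable key: %s" % exc))
            continue
        verdict = "ok" if bits >= minimum else "too small for discovery"
        report.append((host, bits, verdict))
    return report


def _mpint(value):
    """Encode a positive integer as an SSH mpint (room is left for the sign bit)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _constructed_key_line(host, modulus_bits):
    """Build a sample line with a made-up modulus of the given size (not a usable key)."""
    modulus = (1 << (modulus_bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(modulus)
    return "%s ssh-rsa %s" % (host, base64.b64encode(blob).decode("ascii"))


# Constructed sample input: documentation addresses and synthetic key blobs.
SAMPLE_LINES = [
    "# constructed sample, ssh-keyscan style",
    _constructed_key_line("192.0.2.10", 512),
    _constructed_key_line("192.0.2.11", 768),
    _constructed_key_line("192.0.2.12", 1024),
    "192.0.2.13 ssh-rsa AAAAB3NzaC1yc2E=",  # blob cut off after the key type
]

if __name__ == "__main__":
    for host, bits, verdict in audit_host_keys(SAMPLE_LINES):
        print(host, bits, verdict)
```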

Important Notes

The following notes apply to the MARS 6.0.x releases:

CSCsu50839—Report Result Page saves the previous "Other views" selection

If you change the "Other Views" options in the report result page, the changes persist for that report and for that browser. When the report results are viewed later, the browser shows the saved options, but the results displayed are always those for the default options.

To avoid this issue, always click Display Report to view a scheduled report's results.

If the client system used to access the MARS GUI is not on the same side of the NAT boundary as the MARS appliance and the Security Manager server, you can perform policy lookup in read-only mode. However, you cannot start the Security Manager client from the read-only policy lookup table to modify matching policies. The Security Manager client must be on the same side of the NAT as the MARS appliance and the Security Manager server if you want to modify the matching policy from MARS. This restriction is also true if you want to query MARS events from policies.

The performance of the Summary Page degrades when too many reports are added under My Reports. The smaller the number of reports under My Reports, the faster the Summary page loads. To ensure adequate performance, limit the number of reports to 6. This issue is partially described in CSCse18865.

Do not use DISTINCT or SAME in queries, and do not run multi-line queries in Release x.3.4 through 6.0.1. If you run such a query, the system times out after 20 minutes without returning any results. The message "Timeout Occurred" appears instead. You can use DISTINCT and SAME in a Query to create a rule with the Query interface.

For Symantec AntiVirus, the Symantec agent hostname (AV client computer name) appears in the "Reported User" column of the event data. Therefore, you can define a query, report or rule related to this agent based on the "Reported User" value.

The False Positive and Query pages (multi-column result format) have changed. You can now query on firing events that triggered false positives within a time interval. Such queries will render events that did not appear on the False Positive page. To ensure performance, the False Positive page only displays false positives from the most recent 10,000 firing events. To view additional false positives, you must perform a query.

The following notes describe new behavior based on the resolution of specific caveats. Be sure to check the upgrade notes for each release for important notes on data migration.

Reference Number
Description

CSCsc50636, CSCsc50652

Issues: Back-end IPS process runs at 99% CPU when pulling large IP Logs. The Back-end IPS process reaches 1GB in memory used when pulling IP Logs. The process names depend on the version of MARS that is running:

In release 4.2.1 and earlier, the process names are pnids50_srv and pnids40_srv.

In release 4.2.2 and later, the process is named csips.

These related issues are specific to pulling IP logs from Cisco IDS/IPS devices. The symptom is that the Back-end IPS service consumes the system resources on the MARS Appliance. An improper configuration of the sensor can significantly degrade the sensor performance as well as that of MARS.

Workaround: Ensure that settings for IP log creation on the sensor limit the size of the IP log (in terms of number of bytes or number of packets captured). Also, verify that IP packet logging is enabled only for signatures of interest and not for all signatures. In addition, the following release-specific maximums are enforced:

In 4.2.1, a 100 file maximum is enforced for the log file queue when the MARS is configured to pull IP log files. Therefore, it may not pull every IP log file. In addition, the complete IP Log file may not be pulled; instead, data is pulled from the file starting 5 minutes before the alert was generated through the end of the file.

In 4.2.2, a 1,000 file maximum (up from 100 in 4.2.1) is enforced for the log file queue when the MARS is configured to pull IP log files. The complete IP Log file may not be pulled; instead, data is pulled from the file starting 1 minute (down from 5 minutes in 4.2.1) before the alert was generated through the end of the file. Finally, 100KB is the maximum IP log size that can be pulled from a MARS Appliance.

CSCpn02175

Issue: Data computed or stored on a standalone MARS while in standalone mode will not be transferred to a Global Controller. Only data computed on a Local Controller that is currently monitored by a Global Controller will be pushed up.

CSCpn02073

Issue: After renaming a cloud, clicking the cloud again causes an error.

Workaround: Refresh the page before clicking a renamed cloud.

CSCpn01270

Issue: The free-form search may not work for the following devices:

Check Point Opsec NG FP3

Cisco CSA, 4.0

Cisco, IDS, 3.1 and 4.0

ISS, RealSecure, 6.5 and 7.0

Entercept Entercept, 2.5 and 4.0

IntruVert IntruShield, 1.5

CSCpn00247

Issue: The automatic time-out feature built into the GUI does not work when the Summary page is left open with automatic refresh selected.

Resolution: Please log out of the system when you are no longer using it.


Caveats

This section describes the open and resolved caveats with respect to this release.

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note: If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do


This section contains the following topics:

Open Caveats for Supporting Devices

Open Caveats—Release 6.0.1

Resolved Caveats—Release 6.0.1

Resolved Caveats—Releases Prior to 6.0.1

Open Caveats for Supporting Devices

The following caveats affect this release and are part of supported devices or compatible products:

Cisco Security Manager

| Reference Number | Description |
| --- | --- |
| CSCsm94630 | Policy query icon is not shown at times in Real time viewer |
| CSCso11900 | Keyword field dimmed in Query page after events lookup from Security Mgr |
| CSCsm96376 | Policy lookup icon not shown if device is deleted from MARS |
| CSCsm14585 | Read-only policy page takes a long time to display for realtime events |
| CSCsm94537 | Policy lookup icon not shown for a device deleted and re-added to MARS |
| CSCsl54107 | Security Manager policy lookup for ICMP connection teardown syslog fails |
| CSCsm43237 | Minimum password length for Security Manager account in MARS |
| CSCso38232 | Host not shown in topology graph if Security Manager is added on it |
| CSCsf31401 | MARS query does not highlight rules inside any policy group named Local |

Firewall Services Module

| Reference Number | Description |
| --- | --- |
| CSCsl27574 | FWSM Syslog message FWSM-6-302013 with wrong Real and Mapped IP |


Open Caveats—Release 6.0.1

The following caveats affect this release and are part of MARS.

| Reference Number | Description |
| --- | --- |
| CSCpn00173 | Nessus should check pre-NAT address instead of Post-NAT address |
| CSCpn00183 | Adding devices w/o "Activate" can cause "messy" graph |
| CSCpn00212 | Graphgen crashes when there are many non-existent devices |
| CSCpn00293 | using TAB in editing fields |
| CSCpn00455 | Graph doesn't refresh when a cloud is renamed |
| CSCpn00586 | nasl message text needs to be changed |
| CSCpn00908 | "Domain" in Configuration page - no use |
| CSCpn01045 | Archiving: Need better error message |
| CSCpn01134 | Cloud name input box accepts invalid characters |
| CSCpn01219 | Cleanup script for invalid /etc/qpage.conf entries |
| CSCpn01293 | Host OS listing needs cleaning |
| CSCpn01319 | pnreset command does not cause reboot |
| CSCpn01382 | Security device type hosts don't show up in IP management |
| CSCpn01398 | Unable to shutdown an interface |
| CSCpn01438 | Batch Query: Under high load, some batch queries may not complete |
| CSCpn02061 | Saving .csv files under WinXP SP2 results in .htm extension |
| CSCpn02177 | Docs: Filesystem Check after 22 reboots |
| CSCpn02251 | License: Upon entry of 100 license onto 100e, need to restart pnpars |
| CSCpn02383 | IIS parsing must be separated from Windows log |
| CSCpn02385 | Applied $TARGET01 for GC Query Source IP resulted in "resultCounter |
| CSCpn02398 | XML escaping errors in Keyword Search in Rule |
| CSCpn02410 | rule was not fired because Oracle log used upper case for user |
| CSCpn02414 | GC/LC user rule is too long to fit into a page if keyword is long |
| CSCpn02470 | Server csv function could not handle special characters in password |
| CSCpn02511 | need to fix errors in affected os |
| CSCpn02549 | JavaScript Error from ViewReport when clicking Edit/Clear |
| CSCpn02558 | "Agent" didn't be removed correctly |
| CSCpn02566 | rebooting mars while it is upgrading cause the box not accessible |
| CSCpn02574 | Time change on system causes GC/LC communication problem |
| CSCpn02653 | No way to specify "!Keyword" without a good "keyword" |
| CSCpn02656 | System error occurs when # of java connections runs out |
| CSCpn02666 | Batch Query Results with one item returned -> no data in graph in em |
| CSCpn02804 | Replay History feature not working correctly |
| CSCpn02869 | Rules editing: changing entry for select window pulldown after error |
| CSCpn02901 | GC/LC, rule does not display user <cxu> but allows such cfg |
| CSCpn02968 | Network group search is not working for "All IP addresses" |
| CSCpn02973 | Not able to downgrade a security analyst to Notification only user |
| CSCpn02976 | GC:LC - Communication issues after time zone change |
| CSCpn03052 | JBoss 'OutOfMemoryError ' when accessing Management/Event Management |
| CSCpn03057 | Copied rules have shortened year in front, which is confusing (ex. 0 |
| CSCsb67871 | Got System Error In GC After Re-installed New Version In LC |
| CSCsb77550 | CSV-re import of CSA and Symantec agents unsuccessful |
| CSCsb80082 | Deleting a LC w/o exchanging certificates doesn't set mode to Standalone |
| CSCsc04484 | LC Rule/Report list shows empty after deletion of GC group |
| CSCsc15590 | MARS not including all events in a report, query returns events fine |
| CSCsc59363 | Need improvement to GUI for multi-line rules |
| CSCsc90480 | MARS Incident notification options are not configurable |
| CSCsc95831 | log messages of MARS processes stopped being written into backend log |
| CSCsd06302 | device name with single quote causes pink box |
| CSCsd61749 | pnrestore doesn't restore all of the system config |
| CSCsd84350 | CS-MARS/CSM: Credentials change on CSM side not checked. |
| CSCsd86896 | Clicking the clear button when editing the query type doesn't work. |
| CSCsd89457 | Incorrect handling of time range for rules that fire periodically. |
| CSCsd95582 | Both successful/failed mitigation reports show same results |
| CSCse00626 | IP Management -> device group displays hosts only. |
| CSCse09127 | Failed load from csv returns incorrect status |
| CSCse10945 | Summary Page Graphs Spontaneously Change Displayed Size (w/ multi-head) |
| CSCse17936 | 5K Lines Custom Query fails |
| CSCse18816 | UI takes 99% CPU, hanging browser and slowing system while expanding all |
| CSCse27948 | pink box when do query - ORA-01555: snapshot too old exception |
| CSCse31722 | Cloud toggle only works on first page of reporting devices |
| CSCse33172 | Invalid id used in DbClient::retrieve() 0 |
| CSCse34407 | Query Tab -> Multi column query returns wrong results. |
| CSCse34600 | configurable SNMP timeout support |
| CSCse38565 | CSV-Re-importing Symantec AV client CSV doesn't work |
| CSCse42953 | CS-Mars - unable to show L2 path when source and destination in same net |
| CSCse45884 | LLV query causes client CPU to go to 100% |
| CSCse51642 | IPlanet Unknown Device Event Type Parsing Error |
| CSCse54808 | The time stamp shown by the pndbusage command is incorrect. |
| CSCse78738 | FWSM ifspeed incorrectly reported as 0 for per-context vlan interfaces |
| CSCse85972 | Unresolved symbol in Java build (though didnot stop building) |
| CSCse98029 | Occasionally corrupted event data enters into MARS database |
| CSCsf06019 | Generic Router UI must support multiple reporting applications |
| CSCsf11651 | Device resource monitor incorrectly samples 5 sec CPU instead of 5 min |
| CSCsf12825 | GUI should prevent edit/delete of system-context PIX/ASA 7.0 devices |
| CSCsf15781 | Database table columns do not match with the archive file columns |
| CSCsf26715 | Inaccuracy in per-context memory utilization for multi-context devices |
| CSCsf27568 | keyword search query can't display big-5 encoding raw msg |
| CSCsf31121 | Exception in Case Management code when deleting a report |
| CSCsf31207 | Mars doesn't support new/changed FWSM 3.1.3 maintenance release syslogs |
| CSCsf31228 | Unknown device events for FWSM 3.1 FWSM-3-717001 till FWSM-4-717031 |
| CSCsf99767 | provide encoding selection for adding agent to device/host |
| CSCsf99844 | wrong values for current connections using CLI "show resource usage" |
| CSCsg20987 | CSMARS DTM sdf files are sent with invalid format |
| CSCsg64119 | rule's keyword editor treats NOT as binary rather than unary |
| CSCsg73786 | Devices should not be added to MARS if Discovery is unsuccessful |
| CSCsg76958 | FR: Recognize either CIPS network variables or have CSMARS net variables |
| CSCsg82600 | some syslog results in unknownDET with 'Activate' |
| CSCsh00013 | Case Management: history does indicate change of ownership |
| CSCsh44351 | CSM multiple hostname matches failed to return multiple hosts |
| CSCsh67828 | Custom Column Query filtered by reporting device missing results |
| CSCsh73553 | MARS DVD imaging does not support USB keyboard |
| CSCsh97060 | MARs says it can delete up to 500 at a time but only lets you delete 50. |
| CSCsi03658 | CS-MARS - IOS Discovery via Telnet/SSH fails with $hostname in banner |
| CSCsi07186 | User can input unsupported characters in AAA device name |
| CSCsi11312 | pn_incident_log and pn_report_log should be archived |
| CSCsi13100 | gui.sh dev build makes different JBOSS web.xml than make release |
| CSCsi15769 | NLS_LANG variable should be updated in environment |
| CSCsi18757 | CS-MARS - Request to have the "ssldump" command in the MARS CLI. |
| CSCsi29398 | CS-Mars does mitigate to the proper endpoint |
| CSCsi49285 | Mismatch in results between query and report. |
| CSCsi49330 | Mismatch in results between query and report when query is based on user |
| CSCsi49396 | Mismatch in results between query & report when query based on desti. IP |
| CSCsi49419 | The application hangs, while getting the results for a query. |
| CSCsi49474 | Mismatch results between query and report (custom column) |
| CSCsi51999 | Edit SW based Application device need submit twice |
| CSCsi52731 | mars reboots w/o asking for confirmation after user clicked cfg update |
| CSCsi62384 | The performace test kills all the process during the weekend run |
| CSCsi65713 | Index needs to be removed for the pn_report_result table |
| CSCsi65960 | L2 mitigation has problem finding path |
| CSCsi68126 | For multiple context mode, inbound/outbound error reports are incorrect. |
| CSCsi69310 | security hole happens if users close browsers without click logout |
| CSCsi86420 | with 60% event rate capacity, query events ranked by time takes 20 min |
| CSCsi91734 | Mismatch in results between query and report for All Matching Events |
| CSCsi93283 | Mismatch between query and report results for source port ranking. |
| CSCsj15512 | Update reports when handling deletion of hosts |
| CSCsj20697 | LC did not get added to GC so unable to generate syslogs. |
| CSCsj23845 | CS-MARS Action filter doesn't work if not associated with incidents |
| CSCsj28376 | Box may not be able to reboot after recovery, under certain conditions |
| CSCsj51240 | Paging does not work for report right after adding it to a case. |
| CSCsj66955 | scheduled discovery is scheduled at wrong time |
| CSCsj67626 | Raw message query type schedule report missing some raw message events |
| CSCsj69985 | Syslogrelay is accepting same IP for both source and collector |
| CSCsj90505 | Inline/Batch query not match on NAT connection report |
| CSCsj90875 | Inline/Batch query: result mismatch on Matched Rule Ranking |
| CSCsj96592 | Adding LC with version lower than 4.3.1 should version mismatch err |
| CSCsk04282 | MARS failed to import 1000 hosts vulnerablilty information |
| CSCsk26308 | pink error when listing devices while scalability script running |
| CSCsk27276 | MARS: Isolated Networks in Topology due to 'ip unnumbered' Interface |
| CSCsk39645 | GUI doesn't check duplicate agent ip address when adding application |
| CSCsl41494 | Network_group object with DB ID of 0 (zero) causes system error in GUI |
| CSCsl58216 | MARS Layer 2 path and mitigation issues with IOS 12.3 and 12.4 version |
| CSCsl58359 | exporting data use pnexp requires more TEMP tablespace |
| CSCsm40349 | rare crashing issue due to file system check/memory short |
| CSCso39840 | Sud incr. in traf raw msg should have std deviation instead of variance |
| CSCso40549 | L2 path through 7600 with VRF give error message |
| CSCso59056 | pnrestore throws the warning of archive version 0 |
| CSCso97681 | Host name appears inconsistently on Incident Vector Topology |
| CSCsq05336 | MARS - Large Number of Reported Users, Query user selection fails |
| CSCsq07542 | CS-MARS Incident path graph connects to wrong cloud/gateway |
| CSCsq23060 | Entries with ID 0 exist in database in some tables |
| CSCsq52768 | AAA - Unable to add AAA server on GC |
| CSCsq57230 | custom parser performance issue |
| CSCsq69190 | 4.3.5 eth1 IP address not migrated to 5.3.5 |
| CSCsq69627 | 4.3.2 MARS-20 - The status of their reports is stuck 'in progress' |
| CSCsq88032 | Anomaly baselines are not part of archive/restore data |
| CSCsq97937 | pnparser and graphgen crashed multiple times in loading topology |
| CSCsq97972 | pnparser crashed in AnomalyAnalyzer |
| CSCsr07779 | MARS event session table missing primary key |
| CSCsr18510 | Report result gives NONE as the output instead of the network address |
| CSCsr31888 | Checkpoint raw messages are being truncated |
| CSCsr41052 | MARS not showing the switches in L2 mitigation path consistently |
| CSCsr46945 | LC Delete takes too long with lots of global networks |
| CSCsu40679 | Mismatch in event correlation for the events from IPS |


Resolved Caveats —Release 6.0.1

The following customer-found or previously release-noted caveats have been resolved in this release.

Reference Number
Description

CSCpn00873

Adding a Cisco IDS 4.0 doesn't ensure that it has a valid port

CSCpn01532

Serial port speed setting inconsistent

CSCpn02191

(Interwoven) secure archiving

CSCpn02327

missing zone information on GC rule creation

CSCpn02333

LC: After pnreset -g, should clear out former zone's information

CSCpn02407

GC reported users are not pushed up from LC to GC

CSCpn02515

(US Army) `Any' over-riding rule/query criteria

CSCpn02569

GC-LC:Reported User Rule Push

CSCpn02787

src and dst ip are 0.0.0.0 for event of built icmp connection for fa

CSCpn02807

LC should show the info about the GC which is monitoring LC

CSCpn02831

GC - Rule for specific zone makes rules inactive in other LCs, but t

CSCpn03022

Enhancement needed for host

CSCpn03079

parsing error for IOS syslog: %FW-6-SESS_AUDIT_TRAIL

CSCsb45815

Test Connectivity holding on QualysGuard on-demand URLs

CSCsc15702

Custom parser not used under certain circumstances

CSCsc22184

No ratelimiting on M20/50/100 for store netflow

CSCsc46185

Cannot delete a single user-defined rule in CS-MARS

CSCsc78878

snort signature 2570 incorrectly mapped

CSCsc97963

Netscreen logical interfaces (vlan intf) not discovered

CSCsd28267

CLI: pnupgrade does not properly check parameters

CSCse13038

CS-Mars - learning of McAfee agents with invalid names

CSCse13913

Clicking 'Clear' on edit query page doesn't clear everything

CSCse20539

Hotspot graph doesn't update after adding a device from GC

CSCse28932

solaris event: file system full

CSCse32707

CSV- Report->View Report : Incorrect csv file generation.

CSCse33688

No Event Types listed under Cisco Switch-IOS 12.2

CSCse38356

Windows pulling gets stuck for one IP due to invalid content in evt log

CSCse44509

On demand report progress shows negative value

CSCse55071

Snort - Unknown Device Type

CSCse57955

CS-Mars showing unknown parsing error for Netscreen 5.0 events

CSCse78089

Unable to upgrade CS-Mars via GUI

CSCse82022

Unable to view reports starting with #sign in csv format

CSCse82042

Change the Device Type Version for FWSM

CSCse91636

MARS - not all columns seen in CSV reports generated using custom column

CSCsf06141

high CPU usage in pnparser sessionization

CSCsf16900

After discovery is done, the new added fwsm3.1 is not shown in device pg

CSCsf19647

Operator "neq" isn't parsed correctly

CSCsf29813

first several pulled log messages are not logged after cleaning logs

CSCsg05143

Button functions on zone config page should be restricted

CSCsg26352

Getting a internal server error when trying to access a incident on GC

CSCsg38029

high CPU usage in pnparser due to checkpoint NAT rules

CSCsg41738

IDS monitored networks not displayed the same as discovered interfaces

CSCsg46296

CS-Mars- nslookup requests using the GUI do not work

CSCsg47022

CS-MARS - Incorrect Start Times on Retrieved Raw Message Files

CSCsg53135

CS-MARS - Recent Incidents for Last field does not maintain state

CSCsg68371

cannot use < > & to do keyword correctly

CSCsg71418

GC: Query shows as complete on GC while still running on LC

CSCsg75415

GC-deleting current logged-in user ends session before activating change

CSCsg79246

Getting a blank window when adding a device in IE 7

CSCsg80475

All incidents purged if event-session partition table is corrupted.

CSCsg90210

Query Matching all sessions takes long time to finish

CSCsg91816

port 0 in 'Top Destination Ports' misleading

CSCsh05549

Order of events in RawEvent Queries: need finer grained timestamps

CSCsh05946

CS-MARS - Ability to adjust file size when retrieving raw messages

CSCsh14454

server.log can grow unbounded within a single day

CSCsh52537

Repeated upgrades of oracle fills hard drive

CSCsh55324

Global userevent in LC not behaving correctly when LC deleted/re-added

CSCsh80125

pnrestore start/end time arguments - invalid dates not rejected

CSCsh83068

Report and query return no results under device type ANY

CSCsh89445

GUI allow users create rule without putting rule name

CSCsi33498

SANS TOP20 reports should be updated in every release

CSCsi44427

Enh: Make HTML report output the same as CSV output

CSCsi50024

IPS is not visible in Global Zone Hot Spot Graph

CSCsi50292

Cannot add mars 20r to gc

CSCsi58880

Enh: Need a scroll bar in Real Time Event Viewer GUI

CSCsi66512

Auriga/Cygnus: pnmodel returns wrong return value for MARS 210

CSCsi66599

Query/Report allow user to change max records 5000

CSCsi72614

MARS problem distinguishing betwn L2 and L3 devices during SNMP discover

CSCsi72853

AIM-IPS 6.0 support

CSCsi76255

Custom log template pattern messed up when add a LC to GC

CSCsi79486

Sorting maybe required for the drop-down list of service group

CSCsi88964

Documentation for Snort 2.6 Support

CSCsi95167

Places need to be Sorted by Name

CSCsi96921

IPSDynamicSigUpdate attempts to connect to CCO with no credentials

CSCsj03338

CS-MARS - Cannot import domain information from seed file

CSCsj05344

GUI: Allow select multiple Rules to change status

CSCsj13201

Device type of McAfee ePO 3.5 agent has extra word

CSCsj31990

pnparser: avoid flooding log file for most of framewk, sb, sessionizer

CSCsj36991

WLAN: "Load from Seed File" needed for WLC

CSCsj37444

pnparser: Needs to audit log pn_reported_user records

CSCsj40313

Summary: HotSpot Graph duplicate at Attack Diagram

CSCsj41020

inconsistency of the mars internal generated syslogs for VA info

CSCsj41168

Error when trying to accept new sensor certificate

CSCsj42467

LC not showing up on certificate page

CSCsj46699

Deleting notification object on LC causes pink box when updating report

CSCsj62420

ASA Context are appearing as Submodule under PIX and Vice-Versa

CSCsj66410

Enh - CS-Mars - CSV TACACS+ Accounting support

CSCsj67037

pnparser / postfire / process_event_srv crashed in func test

CSCsj68087

MARS Discovery fails to take the context information of ASA from 7.2-7.0

CSCsj70968

Charts need captions in Query/Report results.

CSCsj77235

Enh: Incr. throughput via reduced mem-ops in PnParsedEvent serialization

CSCsj79124

WLAN: Edit User Rule name might hide user rules from Rules tab

CSCsj87207

GUI cannot show the full topology because of constant process crash

CSCsj90077

Enh: Summary page severity filter should provide more option

CSCsj92673

pink box appears when adding query/Report into Cases

CSCsj95799

Always Prompt SSL cert/Dup IP, Test Conn removes Monitored Nets

CSCsk02261

XPATH is change to find open ports information from QG 5.0 xml file

CSCsk02989

GC is not usable when LC has lots of deleted devices

CSCsk08028

Real time multi column query is not working.

CSCsk09106

Enh: Scheduled ranking reports performance improvements

CSCsk12421

Netflow config wrongly mixed up with traffic anomaly configuration

CSCsk12489

operator role can not resubmit report

CSCsk14368

pnparser lost commu w/ superV, so restarted by superV in perf test

CSCsk15271

Hotspot graph didn't get enlarged

CSCsk19283

Support for Teardown syslog to CSM policy navigation

CSCsk20599

Enh: ASA Full-Throttle specific Netflow v9 parsing code

CSCsk23818

Reports need to do bulk insert in java

CSCsk23854

Change Version not changing the version of the context

CSCsk24656

Enh: Add Real Time (Raw Events) or LLV support for Netflow

CSCsk26328

on LC, GC user report name editable through previous button

CSCsk27999

Java error when clicking on Configuration Information page

CSCsk35823

Scheduled NAC report return empty result

CSCsk38984

Update Oracle to latest CPU (critical patch unit)

CSCsk46510

No Error message on Discovering FWSM through FTP

CSCsk48474

IPS process constantly crashes with 100 IPS added to MARS

CSCsk60311

Mars - Option to check logs pulling status

CSCsk62697

Enh: IPS6x is not supported in seed file import in 4.3.1/5.3.1

CSCsk64671

WLAN: WLC virtual ip shown as Ip address; shd be mgmt ip

CSCsk66330

Better to allow -Submit Inline- button more often - tie to timeout

CSCsk69316

New Device Support - NAC Appliance

CSCsk70744

Upgrade OpenSSL version

CSCsk71762

XML Parsing in SVG topology reference without authentication

CSCsk73647

UCB installation

CSCsk74568

CSM connection is getting frequently reset due to ClientAbortException

CSCsk79053

GC error - java.lang.OutOfMemoryError exception

CSCsk80647

pnupgrade is not displaying next fsck scenario

CSCsk85174

MARS - 5 tuple information missing from raw IDS events from NFS archive

CSCsk87226

MARS didn't discover FWSM multiple context mode successfully

CSCsk87325

WLAN: MARS need to take care new/modify Signature Attack in DCubed

CSCsk88570

MARS: received email reports contain blank chart

CSCsk89160

200-GC Configuration import on 110 stops some processes

CSCsk92543

CS-MARS: Custom Column Report Device Column Blank .

CSCsk93378

UCB code changes check in

CSCsk94319

ASA 7.2: missing ASA-7-715078 event in 22-bigfile.txt

CSCsl00467

MARS timeout settings impact "timezone set" command

CSCsl01098

To include patch for Venezuela & Argentina timezone change

CSCsl02072

Symantec: issue when device gets added with devicename in small letters

CSCsl03822

Support Secure Syslogs

CSCsl04692

Reported user is not parsed for windows event id: 680

CSCsl07131

ns25 syslog message parsing error

CSCsl09384

Need to include new JBoss and JDK packages

CSCsl09666

Unknown Events of ASA|PIX Messages - need to check in all ASA|PIX Veriso

CSCsl10687

Build script and JBoss configuration file changes for new Jboss/JDK

CSCsl11647

Pnupgrade hanging at the last step - Updating database schema

CSCsl14083

wrong src and dest address/port parsed for snort event

CSCsl15808

NAT address filtering doesn't work in scheduled ranking reports

CSCsl17838

include signature diff data between 435 and 601 in 601 image

CSCsl17852

Need DB upgrade script: from_0x_3_50_to_06_0_13.sql

CSCsl19616

include fuse and sshfs in 601 image

CSCsl19691

To include superdoctor package

CSCsl20087

Pink box error due to finding null interface as next hop address

CSCsl22819

PushReportResultsServlet wrongly inserts Incident Id Map entry twice

CSCsl22999

Mars - Purge Archive message reporting wrong partition

CSCsl24328

CS-MARS IPS TR/RR Support in release 6.0

CSCsl29431

MARS interface must always be accessed from new IE browser session

CSCsl31143

MARS restore process fails on 4.3.1

CSCsl31267

UCB: need to fix how mem limit is enforced on Linux 2.6 platform

CSCsl32590

CS-MARS - ASA 7.2 syslog 713228 not parsed correctly

CSCsl39856

2.6 Kernel panic on old Mars 50 model

CSCsl49530

Support IOS IPS devices in bidirectional cross linkage

CSCsl49534

Device Resolution logic to be enhanced to consider context information

CSCsl52720

'Test Connectivity' failure indicates a wrong error message

CSCsl52833

bogus error in JBoss log when editing Case in GUI

CSCsl53449

Parsing source IP from a Linux event

CSCsl55529

Device Support Framework (DSF) Phase 1

CSCsl58089

L3 path calculation is not working for checkpoint connected routes

CSCsl59123

CS-MARS: Duplicated Anomaly Reports do not work correctly

CSCsl65674

CS-MARS - IOS syslog IP_SOURCE_GUARD-4-DENY_INVALID_PACKET no MARS event

CSCsl77503

data work: add new entries from Gen-2 /etc/services to pn_service.txt

CSCsl77947

Need an extra field in PN_DEVICE table

CSCsl78914

Adding NETFLOW_ASA_STORE_ALL entry in PN_SYS_PARAM table

CSCsl82191

CS-Mars IPS Dynamic updates fail if using a cisco ip address for server.

CSCsl82607

Doc\ Typo, sever should read server

CSCsl83645

Support for filtering TR/RR values in real-time LLV

CSCsl86150

5 tuple information missing inside of raw msg of CheckPoint Opsec

CSCsl87120

Even for wrong URL for Qualys guard, CS-MARS say discovery successful du

CSCsl92623

Need to support ACS SE and ACS SW upto 4.x

CSCsl94750

"Succesful" is spelled incorrectly in CS-MARS.

CSCsl95540

Zone based Policy Firewall support required in IOS 12.4 device

CSCsm01248

System max read socket buffer size needs to be increased

CSCsm02412

ASA FT 8.1 device support

CSCsm02611

Add ASA 8.0.3 support

CSCsm03231

Enh: MARS should auto remove ^M in seed file

CSCsm03848

image management: enable binary and data upgrade separately

CSCsm08337

Add ASA 7.2.4 support

CSCsm08643

Include flowd license text on MARS 6.0 CD image

CSCsm09020

"missing_zone_info" incidents show up in the GC

CSCsm09021

Wrong query interval if leave one field blank

CSCsm09359

CSCsm11980

CSCsm11895

xCSM: Add GC APIs for P->E navigation in CSMS linkage

CSCsm11980

ASA-4-106023 event parsing error on MARS 4.3.2

CSCsm14585

Read-only policy page takes a long time to display for realtime events

CSCsm16469

Qualys Guard code refinements and more debugs

CSCsm17710

Report Result Replication can get stuck (LC --> GC)

CSCsm20064

Need an entry in PN_MODULE table for new process 'securesyslog'.

CSCsm21263

Add google perftools 0.98 version to MARS CD image

CSCsm22541

Performance improvements in query/report by better SQL

CSCsm27889

ASA 8.0 Parsing errors for some of the syslog messages

CSCsm28619

All Netflow v9 incorrectly categorized to be ASA v9

CSCsm28664

Need to update HELP -> About -> Documentation link after docs

CSCsm28714

Need CLI/UI method for retrieving log files

CSCsm31800

PIX|ASA 7.2 below mentioned Syslog messages are not parsing

CSCsm33408

Merge of datawork from x.3.3 to x.3.4

CSCsm34817

Windows 2003, Events are showing as Unknown Reporting Device

CSCsm34934

Windows 2003 Events are Scattering in MARS

CSCsm35155

Change 'Always Store ASA Netflow ...' text in GUI

CSCsm36602

Parsing issue of FWSM-6-305009 FWSM-6-305010

CSCsm37082

%PIX/ASA-6-106015: Normalized incorrectly

CSCsm37572

Remove Any feature should be applied to the free input fields

CSCsm38062

MARS change wrong device type when use SNMP as access type

CSCsm38560

Unknown device event types reported for Snort 2.8 on X.3.3

CSCsm39521

scheduled report doing aggregation unnecessarily

CSCsm39733

reporting devices page needs to support a third level of devices

CSCsm41341

Add support for McAfee ePO 3.6.x and 4.0

CSCsm41623

Failure to add ASA device if version is less than 8.0

CSCsm41882

Java takes high CPU after using LLV (real time query)for a while

CSCsm45118

CSA Events in MARS appear as hex characters

CSCsm45708

Add support for Netscreen 5.4 and 6.0

CSCsm45753

Supporting latest release of intruShield 4.1

CSCsm48303

sslcert utility - need to restart securesyslog process along with jboss

CSCsm48603

config change report didn't capture cat6k/vpn3k config change events

CSCsm48876

Support export in UCB

CSCsm49604

c_rehash utility required in MARS DVD image

CSCsm50878

RR/TR query: "0 - 100, Not Exists" does not match if RR/TR null

CSCsm51404

Sensor showing as couldn't resolve name in the LLV query

CSCsm53557

Scheduled Hourly Reports doesn't get executed

CSCsm54451

Memory Leak in Netflow processing code

CSCsm55938

PIX|ASA: Event parsing errors

CSCsm55954

detailed NAC report table header does not show in the schedule report

CSCsm56006

PIX|ASA70 - Event parsing errors

CSCsm56621

one thread in pnparser taking 99% cpu

CSCsm56916

SNMP Trap processing failure

CSCsm57453

Incident not created for some of same events

CSCsm57490

Misleading Description for System Rule

CSCsm57512

IOS12.2 - Event parsing error

CSCsm57823

xCSM: CSM xlaunch icon not shown against events from IOS<12.4

CSCsm58872

schema version (from dump file) not matched with UCB schema version

CSCsm60654

Device Display left-shifts elements of some rows

CSCsm62147

pnparser crashes, when Symantec AV trap comes

CSCsm63209

Pink box when adding device via 'unknown event report' query result

CSCsm65365

IPS protocol field not parsed correctly

CSCsm65748

TCP port 32769 is open

CSCsm66185

Enh: PnParsedEvent mem reduction of reported user and var pairs

CSCsm66411

Enh: Sessionize stored IOS Netflow with non-netflow events

CSCsm67145

DSF- patterns link is not active while extending a system DT

CSCsm67785

LC/GC:topo push stuck processing audit log recs with null dbobject id

CSCsm68408

Wrong mapping of eth1 and eth0 interfaces by MARS

CSCsm68864

CSM icon is not displayed, if incident tab is first clicked

CSCsm69944

Cannot add IDS 4.x sensor to CSMARS

CSCsm70262

DSF-Filtering by provider: 'All' doesn't show MARS as device type

CSCsm70638

LC details not seen directly from GC (requires LC login)

CSCsm71228

CS-ACS parser modification to use strncasecmp

CSCsm71770

DSF-adding a user defined app type changes provider from cisco->local

CSCsm71782

PIX message 713041 is not parsed by MARS

CSCsm71834

ASA 8.1 add thru seed file, MARS showing it as ASA8.0 instead of ASA8.1

CSCsm72355

ASA netflow v9 field id are changed

CSCsm72961

Creation of rpcclient2 is not a part of build process

CSCsm73377

LC to support API to Add CSM from GC

CSCsm73384

xCSM: Support GUI wizard on GC to enable addition of CSM to LC(s)

CSCsm73815

DSF - provider information for device event type incorrectly displayed

CSCsm73829

GC: individual LC's Hotspot diagram is empty

CSCsm74061

Microsoft JScript runtime error in 5.3.4 gen2 GC

CSCsm74069

DSF-extending a pure custom device type results in unknown DET

CSCsm74293

Queries for IOSIPS and IPS 5.x events returning empty

CSCsm74433

DSF- NOT able to delete a DET when it is mapped to a system ET

CSCsm74466

DSF- NOT able to extend a system Device Type for SNMP

CSCsm74572

MARS not updating IPS DYN Signature version on Oracle database

CSCsm75403

Network groups ignored in query

CSCsm75513

NACApp: Removal of Not required Params from Add flow

CSCsm75529

Host deletion from GC does not delete host in LC.

CSCsm75531

NACApp: MARS event for Unknown SNMP events

CSCsm75651

One space character missing in error message for add network.

CSCsm75661

Error message for deleting GC network in LC not user friendly.

CSCsm75685

NACApp: Add a new Rule

CSCsm76116

Incidents page does not retain time frame between page visits

CSCsm76324

Choosing different zones on summary page does not work.

CSCsm77657

SNMP Traps from NAC device not getting parsed in MARS

CSCsm77660

Many Incidents related to NAC are not triggered in MARS

CSCsm77794

MARS is not able to parse FWSM syslog 402117

CSCsm78161

WLC: Not able to edit discovered WLC

CSCsm78813

DSF- Derived device from system types shows unknown DETs

CSCsm78826

DSF-changing from sw to app type shld switch back while defining a DT

CSCsm79362

DSF - adding an ET with existing event ID results in HTTP 404 error

CSCsm79381

DSF-device type filter in event mangt page should display provider info

CSCsm79939

IP address in "More info of this device " is incorrect for Netscreen 5.0

CSCsm79967

Unknown Device Event Type when ACS SW added thru seed file

CSCsm79993

WLC: Inconsistency in parsing device name for WLC events

CSCsm80019

MARS not parsing interface IP Address enabled with DHCP client

CSCsm80086

The secure syslog events received for ASA 8.0.3 are appended with unnece

CSCsm80187

Merge 534 code to 601

CSCsm80740

custom parser: evts w/ NAT src/dst, w/o port/proto lost in sessionizer

CSCsm81152

GUI "data Archiving" page shows misleading status if Change failed

CSCsm81377

Mars 4.3 - not able to set custom POSIX timezone opt 11

CSCsm81434

DSF- pink box while querying an SNMP trap for manhunt device

CSCsm82282

DeviceType info not shown in Security and Monitoring Info Page

CSCsm82342

CSM ICON is not displayed,if the search criteria is All matching session

CSCsm82392

WLC: Discovery with wrong credentials does not throw any msg. to user

CSCsm82735

MARS is picking up seed file from wrong ftp directory

CSCsm83345

DSF- Derived device from pure custom type shows unknown DETs

CSCsm84042

pink box while adding a report to a case.

CSCsm84275

Same provider names repeated multiple times in Incidents.

CSCsm84291

GC query status shown In Progress even if its finished in LCs long back.

CSCsm84695

Qualys Guard: Hard coded URL for testing connectivity, needs to be docum

CSCsm85660

DOC Bug: Instructions for IPS Custom Signature Update is wrong

CSCsm85978

pnrestore accepts invalid hour input

CSCsm86203

failed restore leaves garbage that blocks further archiving

CSCsm87008

pnrestore accepts in-the-future end time

CSCsm87012

garbage information printed from pnrestore command (SFTP)

CSCsm87446

Error message for deleting GC report from LC can be user-friendly.

CSCsm88047

MARS not throwing any error if two context with same hostname added

CSCsm88307

DSF-Groups filter in event management page should display provider info

CSCsm88682

MARS: Java backend topo sync overflow in ID handling for SQL

CSCsm89141

LLV query with low EPS- events missing in GUI

CSCsm89189

PN MARS is displayed instead of CS MARS

CSCsm89191

Service deleted from LC though service grp is used in report.

CSCsm89213

unsupported mitigation command suggested for ASA 8.0.3

CSCsm89231

The INCIDENTS page shows as "pix" user even for ASA related events

CSCsm89300

Direct Discovery of a NON-ADMIN PIX8.0.3 context fails with an error

CSCsm89328

ACS SW/SE: MARS not parsing ACS events

CSCsm89371

WLC: Access Type details for WLC is blank in delete confirmation dialog

CSCsm90004

Activate button of Netflow Configuration

CSCsm90039

ASA Netflow not working

CSCsm90700

Deleting and re-adding IPS 6.x device changes the event device id

CSCsm90828

Scheduled hourly report with time range last 20 min give no results.

CSCsm91126

MARS should contain event type in windows event

CSCsm91450

MARS should support back and forward slash in rule's keyword tab

CSCsm91707

xCSM : Test Connectivity needs to be done in CSM Edit flow

CSCsm91912

Results per page doesn't work correctly when navigated to different page.

CSCsm92008

Security Manager not reachable error displayed after long time

CSCsm92407

IPS 6.x with virtual sensors not showing up in Topo graph

CSCsm92778

Test Connectivity not returning error when using invalid IPS credentials

CSCsm92836

Large interface index causes SQL errors during DB save of interfaces

CSCsm92942

Test Connectivity does not detect changed IPS certificate

CSCsm93557

LC/GC Not replicating large report result sets > 1000 elements

CSCsm93573

GC: scheduled report of Event Type Group Ranking return no result

CSCsm93778

MARS command model shows Extension for restricted model

CSCsm94206

"Unable to find priority" error msg thrown in log file

CSCsm94630

Policy query icon is not shown at times in Real time viewer

CSCsm94968

SecureSyslog - Use MARS messages to report errors

CSCsm95500

Confirm password field needed for SFTP archiving option

CSCsm96308

ASA 8.1 with name command not PARSED by MARS

CSCsm96926

CS-MARS support for wireless controller 5.x

CSCsm97016

Typo Error for the event ASA-6-716008 in the Events Column

CSCsm98109

Resource Utilization Report shows multiple bad entries (device_monitor)

CSCsm98909

MARS - Firewall Syslog ID 111008 Event Type name is misleading

CSCsm98967

GetCSMARSInfo servlet is not available

CSCsm99161

%PIX-4-330001 incorrectly handled in PIX 8.0

CSCso00243

DSF - DSF package is not always saved after exporting

CSCso01821

Inappropriate Normalized event naming for ASA/PIX-5-722044

CSCso02804

LC/GC Communications: Must check datawork number

CSCso03171

DSF-user should be warned if name and identifier are same for diff provi

CSCso03280

Enable migration working for UCB

CSCso06522

Merge from Blr to UCB mainline 6.0.1 Phase 1

CSCso09952

MARS shows unknown reporting IP:0.0.0.0 for events from WL controller

CSCso10199

LC/GC:Incremental topo push fails to send activate signal to GC

CSCso10751

!user as query criteria in scheduled report doesn't work correctly

CSCso12186

FWSM-3-713085 event not being parsed

CSCso12982

DSF - need to remove extra character 'c' from the parent DET information

CSCso13008

Following ASA 8.1 syslogs are not Parsing

CSCso13032

high amount of memory swapped in from /to disk

CSCso13676

Rediscovery does not remove old virtual sensors

CSCso14465

Upgrade/downgrade of ASA device doesn't display correct version in MARS

CSCso15019

Phase-1 CD-2 Datawork

CSCso15575

jboss-service.xml moving out of pnos.tgz

CSCso15590

DSF-group info is removed while adding an ET,when provider is changed

CSCso15596

DSF - group info is not restored properly after importing

CSCso16201

FEATURE: MARS Image Management Checkins

CSCso16735

xCSM: P->E with CS Mgr credentials fails in crosslaunched CSM client

CSCso16798

New Netflow parser needs to add and tune some params in janus.conf

CSCso17050

Unknown Event Type for NAC syslog msg

CSCso17071

Source and Destination IP is not displayed for NAC events.

CSCso17074

Incorrect Event type for ASA ICMP.

CSCso17220

534 datawork merges

CSCso17267

CSC SSM 6.1 and 6.2 device support

CSCso17673

Securesyslog : Move renegotiate interval value to janus.conf

CSCso17973

pnparser: change getpid() to gettid() on new platform to aid debugging

CSCso19053

Cleanlog file has errors in script

CSCso19373

Merge from 601-csm3i-blr to 601-int-blr

CSCso19413

NAC Admin Login Successful Events not reflected in System Report

CSCso19721

IOS Zone-based policy Firewall messages changes in IOS 12.4(15)T

CSCso19905

ACS 3.x: Generic event shown as Unknown Device Event Type

CSCso20091

Adding PN_SYS_PARAM Entry for Netflow

CSCso20611

pink box while testing connectivity to cco server with ssh/ssl option3

CSCso20925

GC loses lc/zone certificate information

CSCso21724

PIX Device deletion from GC updated in LC but not updated in GC.

CSCso21796

seed file error handling needs to be enhanced

CSCso21811

Scheduled daily report runs 45 minutes after the configured time on GC

CSCso22465

MARS is not able to parse FWSM syslog 209005

CSCso23987

Two reporting IPs in MARS stops secure syslog in ASA

CSCso24469

Merge of 6.0.1 Phase-2 device support features to UCB.

CSCso25952

DSF-Import/Export should be moved under the Packages Table

CSCso26073

Use less space in Query Edit Pane (remove blank lines)

CSCso27488

Wrong description for Event ID 5000077

CSCso27861

Sym Agent load thru seed file returns ArrayIndexOutOfBoundException

CSCso28421

AAA: When adding AAA server cannot select existing ACS

CSCso29393

DSF - extending SNMP trap supported devices doesn't work

CSCso29503

6.0.1 datawork

CSCso31812

DSF- Displaying Provider Name in choice list & Query Result Pages

CSCso32099

Some ISS events parsing error on MARS

CSCso32158

Schema error in 6.0.12 blocks restore/migration

CSCso35123

SecureSyslog : Fine tune datachunk size

CSCso36149

should popup the previous url value after the user is warned

CSCso38012

Event type 418001 in FWSM 3.2 is not being parsed in latest build

CSCso38232

Host not shown in topology graph if Security Manager is added on it

CSCso38304

WLC: Error message is not appropriate for editing AP MAC

CSCso38506

misspelling in "Unknown comand" in MARS command line

CSCso39622

CSMARS not pulling iplogs from ips sensors

CSCso40926

DSF-ET definition info is lost if search is used while adding an ET

CSCso41484

DSF-ignore the severity field while defining a parser for a derived DT

CSCso41641

CS-MARS Inactivity report is not updated in netflow processing

CSCso41675

Rule Definition: Number of Keywords supported per Offset limited to 10

CSCso42023

Pink box is displayed during relogin after time out on FWSM module page

CSCso42923

scheduler-service.xml is copied too frequently

CSCso43232

Chile daylight time change need to be patched for mars.

CSCso43238

LC pull of updated GC rule fails if rule has been edited at LC

CSCso45041

Traffic Anomaly event (sudden increase) is not being generated

CSCso45101

ASA 8.0.3 : Parsing Errors for some messages

CSCso45179

Security exposure - DB password exposed in import script file

CSCso45196

Pink box when deleting a LC object used in the GC batch query

CSCso45986

IPS 5.x and IOSIPS events have TR value set to zero instead of null

CSCso46864

ASA v9 events not sessionized properly

CSCso46912

FWSM : MARS is not able to parse domain name with 63 characters..!!

CSCso49206

High mem use (or leak) in sessionizer with high rate stored ASA v9

CSCso49944

Key word "Qualys Guard" should be added on below message

CSCso50724

pnparser memory leak in parsing error handling caused restart by superV

CSCso52038

SecureSyslog : Use MARS events to report successful connection

CSCso53066

DbInterface's interface_index value's precision has to be 10

CSCso53328

Downloading a package should warn and/or block if insufficient space.

CSCso53345

files that are downloaded that don't contain a package should be removed

CSCso53383

Activate button should be highlighted after downloading custom signature

CSCso54098

Mars 50: pnmonitor restart frequently

CSCso54308

LC stops communicating to GC, stack dump shows stuck in Version Check

CSCso54508

MARS should fire event for new packages available in CCO

CSCso55036

New Windows security events support needed

CSCso55931

Need migration/upgrade enhanced to support LC from script

CSCso56032

incremental topo ERROR-Topo Push failed, returning...SQLException

CSCso57071

Pnreset help command on CLI

CSCso57166

SecureSyslog : Remove highMarkReachedFlag check in securesyslog

CSCso57252

Reported User not listed in Report

CSCso57378

CISCO IOS 12.2 syslog messages 184518 and 159

CSCso58353

CSMARS stops pulling events from IPS sensors

CSCso59057

Create a directory /mnt/retriever

CSCso59093

Java code change breaks migration functionality

CSCso60384

TR/RR not present in results for All Matching Events - LLV raw events

CSCso60396

interrupting pnrestore may paralyze the Mars box

CSCso60975

TR/RR not present in query results for All Matching Sessions

CSCso61036

LC/GC Sync: Improve handling of config pull on update

CSCso61045

Report Push: Improve Performance By Batching Better

CSCso61274

Display of service name under rule tab is not correct

CSCso61275

a drop rule is duplicated after changing view

CSCso62665

Message should be clear when on archived file to retrieve

CSCso62775

Support for ASA Netflow events for E to P and P to E features.

CSCso64832

TR/RR missing from Custom Columns pull down in All Matching Sessions

CSCso66264

Related Events/Sessions not listed in report

CSCso66477

pnparser crashes with modified ASA/PIX syslog events

CSCso67102

Datawork number should be displayed in Help>About page

CSCso67537

Handle delete of objects used in batch query/reports across GC/LCs

CSCso67630

Schedule when a package is transferred to a cs-mars unit.

CSCso70178

Shared buffer stall is not detected in some cases

CSCso71201

FTP upgrade started from GUI or CLI does not work.

CSCso72148

Host name Any can be added via VA scan report in MARS

CSCso73998

Editing User Group From Rules/Action Menu Clears Group Members

CSCso74029

Downgrade fifo error message to warning; Rate limit SB full msg for LLV

CSCso74222

"show inventory" command shows wrong info

CSCso74903

Activate button led up

CSCso76394

error screen displayed after login

CSCso77625

Can not create drop rule by clicking on Add button at bottom of window.

CSCso79064

Specify the IP Address and Default Gateway for the Eth1 Interface

CSCso79078

Shut Down the Appliance via the Console info should be corrected

CSCso79084

Reboot the Appliance via the Console info should be corrected

CSCso79104

Telnet command info should be corrected

CSCso79115

SSH command info should be corrected

CSCso80805

Alternate Key lookup for pn_report fails in Java DBAPI

CSCso80816

Dashboard to report relations fail to replicate LC/GC

CSCso80923

Specific Pattern From a Customer Parser is Not Synced to LC

CSCso81801

oracle-ds.xml for gen2 models

CSCso81976

Parsing error ASA PIX FWSM

CSCso82007

Incorrect grouping of IOS event

CSCso82146

pnimp help displays wrong sftp syntax

CSCso82383

userid-username mapping not happening properly for syslogs

CSCso82959

DSF: Vendor is misspelled in dsf import GUI Screen

CSCso83198

DSF: Provider groups do not replicate to other LCs

CSCso83398

DSF- EditReportHelper:createNewReport method needs to set provider id

CSCso84509

Minor GUI changes needed for GC Accelerator

CSCso85737

DSF - change Java DBAPI for SQL injection prevention at pkg import time

CSCso85911

Add device from GC gives an error

CSCso86201

Vulnerabilities found against MARS unit

CSCso87624

MARS IOS Discovery failure when banner has number/pound (#) symbols

CSCso89219

6.0.1 Datawork

CSCso89940

MARS: User-Name in raw message not populating user column in NAC report

CSCso90275

Background color for TR, RR columns is incorrect

CSCso91145

Bogus harmless error in Jboss log when changing timeout setting

CSCso91171

show inventory displays wrong PID info for MARS 100 model

CSCso91852

CSA Dynamic generated agents are not displayed on GC

CSCso92379

"Cannot open /dev/sda for reading" error seen on installing Gen1 GC

CSCso92631

xCSM: Integration testing issues with GC Accelerator

CSCso92720

TR, RR fields switched in incident details page

CSCso93030

IP Management not displaying group associations when using Device Group

CSCso93113

DSF - report/inspection rule issue on GUI due to db schema change

CSCso93904

Gen1 GC listed less LC models than it supports

CSCso93942

DSF - Cross Site Scripting (XSS) prevention for DSF changes

CSCso94064

DSF - pkg summary after imp shows # of rules/reports = 0 when it's not 0

CSCso94090

DSF - wrong event types for DSF internal syslog events

CSCso94099

DSF - need to display for each provider: number of rule/report/etc.

CSCso94438

DSF - GUI needs to enforce user-entered rule/report vers as +ve number

CSCso96380

Gen2 GC list support LC models wrong

CSCso96443

Gen2 GC2R: Restricted model is displayed wrongly in the error msg

CSCso96543

Gen2 GC2R: mars 100e is shown as 100r in error msg

CSCso97783

xCSM: NAT tuple in posted XML contains incorrect addresses

CSCso98826

DSF - need to enforce non-blank description when exporting a package

CSCso98956

from_lc_04_3_40_to_06_0_13.sql missing in DB schema file

CSCso99148

retrieve raw msg failed if device name has a space

CSCso99168

retrieve raw msg showed /Log4JConfig error

CSCso99202

DSF - Pattern type owned_by db field incorrect after pkg import

CSCsq00528

McAfee ePO Agent IP is not showing on the MARS after dynamic discovery

CSCsq00595

xmars-GCSupport:P-->E will not when Multiple LCs Added to GC with Device

CSCsq00734

non-stored ASA v9 - xlate and session five tuple not completely filled

CSCsq00886

DSF - GUI does not display pattern of imported user pattern type

CSCsq00967

DSF - preserve the Query Rule attributes in Report after Import

CSCsq00975

GUI inspection rule multiple issues -- count, keyword, extra : character

CSCsq01029

MARS Gen1 - Need Message Pointing to Failed Drive for Replacement

CSCsq01645

At archiving page, a warning should be provided when switching access type

CSCsq01655

Data Archiving: need more specific error messages

CSCsq01942

XML Notifications does not appear to be functioning

CSCsq02308

GC Support:Default_Global_Zone Options needs to be removed for P--E flow

CSCsq02887

xCSM: E->P for IPS VS fails

CSCsq03808

DSF - Issues in exporting with pagination on device type display page

CSCsq03898

DSF - Export doesn't always export the et to etg relationship

CSCsq05197

DSF-Changes to Provider info at GC need activation

CSCsq05464

Modify Rules.make to accommodate static_csmars

CSCsq06297

fresh install 5.3.4->6.0.1 upgrade: unable to enter license

CSCsq06740

P -> E is failing for IPS VS0

CSCsq06845

WLC: bsnDot11StationDeauthenticate Trap is parsed as Generic Trap

CSCsq07003

CS-MARS: Test Connectivity to IPS 6.1 devices fails

CSCsq07455

Pink box while trying to see the list of packages from CCO.

CSCsq08077

Unable to see release notes of a package from GUI.

CSCsq08124

DSF: need to add a : for MARS-3-100076

CSCsq08179

DSF: system context is not added while discovering a derived device

CSCsq08230

archive not complete and restore crash

CSCsq08310

Import config hangs - does not complete and reboot machine

CSCsq08365

MARS Perf Enhancement IPS 6.0 Alert Processing hurdle tests FAILED

CSCsq08910

MARS not including the IP Address of ISS Agents discovered thru SNMPTrap

CSCsq10814

EditCert.jsp outputs certificate contents to stdout

CSCsq11132

pink box when click on local packages tab.

CSCsq11389

MARS not getting Sensor name properly from ISS SiteProtector SNMPTRAP

CSCsq11888

HIPS 6.x events from ePO 3.6.x are not recognized by MARS

CSCsq12532

Packages in the install packages list should not check for max version.

CSCsq12865

Discover process restarts when topology update scheduler is run

CSCsq12889

DSF - Cannot delete provider after deleting all rules

CSCsq13150

javaDbTool.sh tweak doesn't return correct error code at time of error

CSCsq13778

Modify CSM device addition description in GC

CSCsq13858

SocketTimeout Exception while adding CSM to zones via GC

CSCsq13977

Multiple CSM addition Error is not appropriate

CSCsq14000

CSM Status Summary page should display all the LC's information

CSCsq14051

Raw messages from ePO getting truncated in Query/Reports page

CSCsq14057

Mouse cursor should be changed to Hourglass while CSM is pushed to LC

CSCsq14131

Intrushield:Agent Name has to be filed in sensor dynamic discovery

CSCsq14178

CSM SSL certificate is not asked while adding CSM device

CSCsq14192

CSM Edit error message needs to be modified

CSCsq14712

MARS 25/25R VID and SN does NOT display properly

CSCsq14736

DSF-updated version for rules/reports is reset to '0' after exporting

CSCsq14743

DSF - provider name is not displayed while defining a rule group

CSCsq14749

DSF device type search does not work if vendor name has a "_".

CSCsq15156

DSF - import of a same report from different providers fails

CSCsq15421

Changing the status of the rule should show the current status

CSCsq15691

unable to import a package from CCO.

CSCsq16268

Intrushield sensor does not store monitored n/w information

CSCsq18180

Realtime queries pop up error message about corruption

CSCsq18918

Intrushield: Incorrect sensor is selected while editing and deleting!!!

CSCsq18945

"cswin" is not able to spawn thread to pull the windows events

CSCsq22075

Deleted LC is listed in the CSM addition page of GC.

CSCsq22135

CSM Add button should be grayed out when no LC's are added to GC

CSCsq23249

"Edit Group" button is disabled for the Event Group in GC-LC setup.

CSCsq23276

pink box while clicking on the user rule action.

CSCsq23405

LC/GC Configuration Pull causes unnecessary Activation

CSCsq23623

Service filter related issues

CSCsq24054

Change version for CSC-SSM in ASA Device

CSCsq24066

Parsing error for CSC-SSM events

CSCsq24462

MARS Discovers netscreen with wrong OS when SNMP used

CSCsq24493

Cross-Launch Authentication Settings in GC do not show the exact values

CSCsq24637

GC CSM add wizard allows to add second CSM to a LC

CSCsq25159

Inactive device incidents triggered by wrong rule

CSCsq25167

upgrade gui should warn user if fsck will run after reboot

CSCsq25288

wrong package is listed in the install package list.

CSCsq25898

can not add LC to GC after 4.3.4 to 6.0.1 migration

CSCsq26089

support ASV plug-in natively on MARS

CSCsq26780

SNMP discovery does not happen for Netscreen 6.0 device

CSCsq27591

non-deterministic behavior observed when deleting multiple devices

CSCsq28308

too much IPS log dumped to backend log

CSCsq28367

Discovering IPS 6.0 device doesn't show feedback to users

CSCsq29417

MARS showing the Protocol field as N/A for GTP

CSCsq29441

In FWSM syslog messages the Src field is appearing as 0.0.0.0.

CSCsq29469

MARS: Detailed NAC report with keyword query has empty columns

CSCsq30046

Global user rule shouldn't be able to change status on LC

CSCsq30063

DSF- System ET groups missing not shown when editing user ET group

CSCsq30430

open source software: to include source code of nmap in ISO image

CSCsq30472

open source software: to include source code of nessus in ISO image

CSCsq31195

unable to retrieve data from local database and remote NFS server

CSCsq32381

DSF- name changed when opening an exported pkg with special chars

CSCsq32537

Upgrade status logs have same message twice.

CSCsq32870

Open Source Software: include jNetStream source code as per LGPL

CSCsq33001

Deleting one package from the local packages list delete all the package

CSCsq33040

On LC seeing pn_statistics_data with zone set to 0 (sometimes)

CSCsq33307

Custom device still shows up in the device list even after deleting it

CSCsq33766

Intrushield sensor can't be added using seedFile

CSCsq35807

ePO: Seed file import(agents) results in ArrayIndexOutOfBoundsException

CSCsq35878

Different Checkpoint firewall versions must be displayed correctly

CSCsq36142

Intrushield:Pink box is displayed for mitigation/attack path query

CSCsq36573

User should not be allowed to check more than one package to download.

CSCsq36653

With performance traffic(syslog+NF), MARS sometimes can not keep up

CSCsq36910

No information about schedule upgrade on LC from GC in GC Logs.

CSCsq37307

big space in rule display

CSCsq37315

Need to update the Log message contents.

CSCsq37490

Migration: export frequently fails when exporting data

CSCsq38529

xCSM: good to have a SAVE button while P->E to LC via GC

CSCsq39659

sometimes TR/RR values are not displayed in Incident Details page

CSCsq39842

Deleting ASA does not delete sub module for IPS

CSCsq39932

SecureSyslog : Memory leak

CSCsq40774

ASA/PIX 8.0 Event type for 722022 need to be changed

CSCsq40873

Sudden Incr. in Traffic triggers every 2 mins instead of hourly

CSCsq41376

Package is not deleted from the list after the installation.

CSCsq41775

DSF- a device with derived custom DT cannot be edited

CSCsq42017

Change the icon shown for child node in device tree table

CSCsq44509

Event grouping is not happening for few of the ios12.2 events

CSCsq45693

Netscreen 6.0 real events reported as unknown device event type

CSCsq45860

IDS tagged syslogs from IOS are not normalized for IOS 12.3 version

CSCsq47201

SSL/SSH settings does not work for upgrade package download from CCO.

CSCsq47633

DSF-Should give warning when the provider IDs have conflict

CSCsq47901

IP address values are not parsed in syslog of CSC-SSM

CSCsq48832

DSF- Gui display issues on export summary page

CSCsq48845

MARS showing wrong version and DB error in 6.0.1 2953

CSCsq49746

Import of 4.3.4 config fails in 6.0.1 due to empty xml_key_value.

CSCsq50036

IndexOutOfBound exception pink box seen on GC device page

CSCsq50153

Issue with DB LOGON and DB LOGOFF events in Oracle device support

CSCsq50505

pnparser crashing and not parsing for some 5.4 Netscreen syslogs

CSCsq50642

Parsing Errors for NetScreen 6.0 Syslog Messages

CSCsq50653

NetScreen 6.0 Events reported as Unknown Device Event Type

CSCsq50736

ASA 8.1 Netflow sessionization failing intermittently

CSCsq50831

MARS: Rules for Cisco IPS events using keywords fails to pull data

CSCsq51089

5.3.4 to 6.0.1 upgrade takes longer time and shows many errors in log.

CSCsq51436

DSF- cloned system rule shown as Global rule on the exported standalone

CSCsq51732

DSF- the number of rule/report group count mismatch while exporting

CSCsq52035

QueryAndReport testcase is failed

CSCsq52348

IP address and port values are not parsed in syslog of Netscreen

CSCsq52370

Intrushield: MARS cannot parse 36 device events

CSCsq52419

Intrushield: MARS cannot parse newly added trap alerts

CSCsq52962

NetScreen 5.4 Events reported as Unknown Device Event Type

CSCsq53625

pink box while viewing the packages from CCO.

CSCsq53892

DSF- Syslog %Mars-3-100092 mismatch the actual event

CSCsq53898

Download connection info input fields take special chr. as valid input.

CSCsq53905

DSF- Syslog %Mars-3-100087, 100088 not generated with events

CSCsq54126

Proxy setup issue on GC for FTP download.

CSCsq54383

DSF- 9 relationship syslogs of importing pkg not implemented

CSCsq55369

Unable to install 6.0.1(2925) build on MARS 25 and MARS 25R

CSCsq55414

SecureSyslog : Server Exit/Close needs improvement

CSCsq55443

CSM icon not displayed on upgrade x34/5->601 & on archive/restore on 601

CSCsq55606

Junk info received along with report in email

CSCsq56287

Ambiguous log message for downloading a upgrade package.

CSCsq56592

DSF- char "/" in the export pkg name cause the file cannot be downloaded

CSCsq56742

DSF- Export Summary page does not differentiate providers with same name

CSCsq57129

DSF- "Any" should not co-exist with other value in imported rule/report

CSCsq57286

mars is not checking for space while downloading a upgrade package.

CSCsq57331

Incident is not get created for new package availability on CCO.

CSCsq57444

DSF - "Change Status" stops working for imported rule

CSCsq57680

IPS device shown as Host in full topology and hotspot diagrams.

CSCsq57788

Missing_Zone_info error shown along with zone name for GC incidents.

CSCsq57929

No Fail event for Qualys Guard during Discovery

CSCsq58922

pink box if the file size of the upgraded package is more than expected.

CSCsq58996

Scheduled upgrade does not start at updated time.

CSCsq59278

Scheduled upgrade on LC doesn't start on updated time.

CSCsq60654

Events not getting sessionized properly in a certain scenario

CSCsq61393

Need to include JBoss source code as per LGPL

CSCsq61618

Download connection information page does not show the correct catalog.

CSCsq62119

IPS raw msgs are displayed incorrectly in custom column queries

CSCsq62543

Enhancements in the Exchange lib code

CSCsq62799

IPS shows monitored networks against device name and not against Vs

CSCsq62989

Report status stuck in Progress in GC though it's finished in LCs.

CSCsq64953

tnsnames.ora has wrong config to use TCP instead of IPC

CSCsq65062

Static route entries are not fetched during Netscreen Discovery

CSCsq65304

Event type is wrong for ciscoLwappMeshChildExcludedParent trap

CSCsq65857

NPE in GCAccelerator status page while adding/editing CSM to multi zones

CSCsq66538

Change IPS 6x sensor name and save doesn't trigger rename of VSs

CSCsq67627

DSF- imported event type group failed to sync to GC

CSCsq67629

DSF- new det or new parser of a system device type failed sync to the GC

CSCsq68935

DSF- Overridden system DET failed to be pulled to LC

CSCsq69140

Log messages should be more informative.

CSCsq71345

GC rule not edited/deleted on/from LC after its modified/deleted from GC

CSCsq71393

Package download from CCO timeout and fail.

CSCsq71632

DSF- Importing overridden system DET causes two entries of same DET

CSCsq71810

MARS discards capacity drop count event

CSCsq71826

inline report server generate key violation logs

CSCsq72389

DSF- old rules shown in selected window of a imported rule group

CSCsq72447

DSF- Auto increased version number stop at 10.0 when exporting pkg

CSCsq72794

provide CSCsq14057 fix for retry flow

CSCsq72973

Modify error message in CSM Status Summary page

CSCsq73210

Issue in discovering netscreen 5.4 & 6.0 using ip address or network id

CSCsq73259

Allow Users to Save Credentials is not disabled in Edit flow

CSCsq74093

DSF- rule/report & pkg relationship tables need to be archived

CSCsq74373

need to include the open source jradius source code in the iso

CSCsq75890

GUI accepting network as a next hop address

CSCsq75966

Estimated time of data import is much higher than actual time.

CSCsq76389

device discovery page error / dead-ends discovery flow

CSCsq76440

Need to include source code for Nbtscan in release ISO

CSCsq76465

Archiving Status shows wrong info when 0 day and SFTP apply

CSCsq76699

Need to put iconv lib into the CCO site.

CSCsq77182

The report can be deleted when user tries to edit it

CSCsq77587

DSF- some system pattern types set local box as provider on upgraded box

CSCsq77785

CSM icon is shown in Incident page, when CSM is not present in MARS

CSCsq79671

DSF- Device types lost after archive/restore on Gen2 boxes

CSCsq81419

Intrushield:Sensor can't be added manually but can be added by autodis.

CSCsq83149

confusing Test Connectivity user feedback in "discovery" language

CSCsq83339

Pink Box error when the search criteria is All matching sessions, Custom

CSCsq84870

Incomplete ips 6.x reporting device for Packet Data events

CSCsq85509

DSF- editing GC local provider cause new imported provider added on LC

CSCsq85536

DSF- config sync blocked if the local provider of LC is imported on GC

CSCsq85631

New PCI groupings for 6.0.1

CSCsq87406

Need to forcefully Activate after changing the windows pulling interval.

CSCsq87964

Cannot delete a provider created report

CSCsq88601

Events from a non-added ePO server have junk characters

CSCsq88753

Intrushield : Traps for signature with backslash can't be parsed by MARS

CSCsq88942

Unknown device eventtypes in ACS 4.x

CSCsq89914

IPS 6.x with dup reporting IPs trigger javascript error in testconn

CSCsq90321

CSCsq90453

CSCsq90453

Global user rules not triggered on LC

CSCsq91854

Local provider info doesn't match after LC pkg import followed by LC add

CSCsq92142

PushReportResults doesn't properly handle failed report push

CSCsq92353

DSF- imported rule on GC has different editable fields than LC

CSCsq92651

DSF- parser not updated correctly by importing pkg

CSCsq92734

DSF- updated version, time of DT not set correctly from imported pkg

CSCsq92906

only see one package in exchange pop-up window

CSCsq92911

error while downloading exchange package while proxy server configured

CSCsq92956

ssl setting w/accept first time and prompt when changed does not prompt

CSCsq93490

proxy server error message is thrown after downloading corrupted pkg

CSCsq93500

we should not see "exchange"showing in the error message

CSCsq93751

Failed to add access point to wlc

CSCsq93755

next button on wlc addition page doesn't take to device edit page

CSCsq93921

Default OS for host on IP management should be (Any, Any)

CSCsq94025

Event mapping for ACS events is not as in the event management page

CSCsq94947

Rule update with rule name near length boundary causes error

CSCsq96072

Inappropriate Name,Description,Platforms,CVE for NormalizedEvent 6004954

CSCsq96364

Rule correlation and matching doesn't work with src/dest IP 0.0.0.0

CSCsq96383

Add support for 5 new IPFIX draft netflow field IDs for future ASA

CSCsq97148

CSCsq97148 - MARS-Gen1 6.0.1.2960 IPS alert db insertion low performance

CSCsq97166

Incident Details page sometimes missing multicolumn nesting

CSCsq97214

radius-acct tcp service is missing from pn_service

CSCsq97507

Download connection info page give wrong error message.

CSCsq97855

IPS 5.x module drops mon nets on cert acceptance

CSCsq97991

Incidents subtab is broken in phase 2 CD 3

CSCsq98716

Intrushield:Device Name and Agent Name fields can be merged..!!!

CSCsq99277

IPS 6.x support for device type Cisco Switch-CatOS

CSCsq99749

SFTP failed to mount due to slow remote file server

CSCsq99796

IPS JSPs don't trim whitespace from user-provided sensor names

CSCsq99804

CS-MARS not showing complete Events from ISS Siteprotector

CSCsr00748

I/O optimization for es file archiving

CSCsr01035

Incident not triggered for Mapleleaf Violation events

CSCsr01048

unknown device eventtype in WLC

CSCsr01371

P2E is Failing for ICMP events on Mars due to Service type issue

CSCsr01713

Event information is not listed properly in Reports

CSCsr02628

MARS import process should check the configuration

CSCsr02710

Bad url attached to Event Parsing Thread Count setting

CSCsr03956

Netscreen 6.0 event not parsing

CSCsr04396

New package incident should be created based on polling interval.

CSCsr04436

Not able to download packages from CCO.

CSCsr04449

pnupgrade hangs if database services are not running.

CSCsr06202

NACApp: One event CCA-1530 is not parsed properly

CSCsr06977

Oracle stops during upgrade from 5.3.5 to 6.0.1

CSCsr07596

Optimization for raw message file storing and indexing

CSCsr07932

Error while downloading a package from CCO.

CSCsr09448

pnparser: avoid flooding log file in other parts of pnparser

CSCsr09766

insufficient space error message should be same in all scenarios.

CSCsr10615

"pnimp import" command usability enhancements

CSCsr11944

Wrong message for the packages not exist on local server.

CSCsr12289

MARS 200 at 6K eps shows system load average 6

CSCsr12538

Mars is hanging while scheduling an upgrade.

CSCsr12875

DSF- protected package cannot be unlocked after being imported

CSCsr12892

DSF- package name missed in the msg when viewing a locked item

CSCsr13783

Model selection option (MARS110 or MARS110R) is not available on install

CSCsr13827

AP MAC address is updated with leading zero

CSCsr13959

MARS- Log entry filling up backend logs

CSCsr14401

'changeto' command related event triggers Modify Network Config rule

CSCsr15066

DSF - unlocked package failed to be locked again

CSCsr18203

New upgrade package report doesn't give the list of new upgrade packages

CSCsr19284

Remove protego networks from error message

CSCsr19423

Pinkbox error when CSM certificate is not accepted

CSCsr19863

ASA 8.1 Netflow dropped with seemingly low Netflow rate on GEN1/M20

CSCsr19873

MARS connectivity to oracle server is failing

CSCsr19940

BigFile merge 535-601 is not proper

CSCsr20150

Raw msgs not shown correctly in some cases

CSCsr20575

IPS devices not connected to cloud in topo graph

CSCsr20598

Detailed NAC report does not consider ACS 4.x events

CSCsr21305

File should be deleted from the local packages list after the upgrade.

CSCsr21526

pnupgrade permission is set wrong while upgrade from 5.3.5 to 6.0.1

CSCsr23290

Can get into a new installed MARS box without License Key

CSCsr23815

Bottom Apply button in IPS TR/RR query screen isn't aligned properly

CSCsr24404

"Download Connection Information" view source reveals CCO password

CSCsr24463

DSF - Spelling mistakes in the DSF encryption popup

CSCsr25043

Issue in event parsing when ACS SW is added to host with other sec apps

CSCsr25103

Unknown device event type in ACS 4.x

CSCsr27905

Issue with registry settings for pnLogAgentService

CSCsr28636

Upgrade GC and LC at same time can fail on LC

CSCsr28639

MARS-435-601 migration raw msg index file not created

CSCsr28645

Remove Upgrade GUI timeout limit for file download

CSCsr28664

MARS-pnparser improvements for time function call

CSCsr28684

Time function is using much CPU in process_event_srv

CSCsr29515

raw msg retrieval, error msg should be more clear

CSCsr32150

DSF- Pink box in device support package page after migration

CSCsr32196

Parse Message ID to help sessionize ACS 4.x events

CSCsr35511

DSF- some typo in a few syslog raw msgs

CSCsr36915

P -> E is not working for IPS 5.1 device

CSCsr38680

Don't log cert error for image upgrade download

CSCsr40542

Event missing after migration from 4.3.5 to 6.0.1

CSCsr40604

Secure syslog: 2nd reporting IP changes"Client Authentication" to YES

CSCsr42220

high rate IPS eps causes pnesloader crashed

CSCsr44042

File size displays 0 if upgrade package is loaded from a local server.

CSCsr44278

cannot pull iplogs after changing ips certificate

CSCsr45199

Inactive device event for devices with manager-agent based architecture

CSCsr45295

Detailed NAC Report not working with Secure ACS Auth failed: External DB

CSCsr46599

Keyword Query JNI code floods janus_log

CSCsr47032

Report results are audit logged

CSCsr49381

Upgrade change needed for CSCsr47032 - Report results audit logged

CSCsr49920

pnesloader killed by cpu-checker

CSCsr50331

csips getting killed by check-CPU handler

CSCsr50755

Issue with system reports.

CSCsr51537

5.3.5 to 6.0.1 upgraded MARS shows empty PCI DSS compliance report grp.

CSCsr51563

PCI-DSS03 report group contents not correct for 2 reports.

CSCsr51653

user should not be allowed to edit catalog polling URL

CSCsr51975

FTP download failure does not tell the reason of failure.

CSCsr53241

Intrushield sensor IP is not added if it exists in IP Management

CSCsr54091

DSF- an overridden system DET become an extend DET after import

CSCsr54732

import process should show the status on new ssh session

CSCsr55244

McAfee ePO 4.0 Seed file import IP Address issues because of ePO Defects

CSCsr58480

DSF- special chars convert issue when add rule/report/event group

CSCsr59097

DSF- failed to upload data package to Mars Forum

CSCsr59972

two menu bar while discovering wlc device

CSCsr61038

Exported 5.3.X data not imported on 6.0.1 machine

CSCsr61404

export help syntax contains reference to {nfs_path} only

CSCsr64225

Import data process stops while building raw message indexes

CSCsr65736

Securesyslog - Tune sharedbuffer size per model

CSCsr67114

pnesloader killed by superV memCheck

CSCsr73132

Error message seen in case of detailed NAC report

CSCsr74553

rm/ix/es files lost in creation of archive

CSCsr75234

Reports GUI is broken for operator users

CSCsr75604

New upgrade package report should not show the word "Exchange".

CSCsr78881

error reported by csips during archive/restore

CSCsr81796

DSF- empty content in ' ' when the pkg is not available

CSCsr82291

DSF- ET group in the rule filter lost after LC added to the GC

CSCsr85545

IPS Dynamic Sig Update - sticks in "downloading" state on redirect

CSCsr90763

MARS IPS performance - processing low percentage of IPS events

CSCsr94031

Statistics synchronization causes array out of bounds exception

CSCsr94248

Cannot download from CCO - Catalog URL in an empty string

CSCsr96430

hostname is reset to "pnmars" after upgrading from 5.3.6->6.0.1

CSCsr96773

intermittent error while downloading a package from CCO.

CSCsr99577

Source and Dest IP reported as N/A in NetScreen 6.0 Events

CSCsu03332

DSF-pnparser restarted after sending a SNMP trap for extend data& parser

CSCsu09821

Intrushield Sensor name field is mandatory while adding sensor

CSCsu27807

pnarchiver ERROR while processing IPS events

CSCsu32145

Device event type not inserted on 5.3.6->6.0.1 upgrade

CSCsu36301

Gen-1 Hotswap add/remove accepts disk 0 but does not accept last disk

CSCsu43079

catalog polling URL is null after we select polling interval non never.

CSCsu46527

package polling interval NEVER can not be changed

CSCsu47322

KeywordQuerySrv is not running after migration from 4.3.6 to 6.0.1

CSCsu51373

src ip ranking query in GC shows only one entry


Resolved Caveats —Releases Prior to 6.0.1

For the list of caveats resolved in releases prior to this one, see the following documents:

http://www.cisco.com/en/US/products/ps6241/prod_release_notes_list.html

Product Documentation

For the complete list of documents supporting this release, see the release-specific document roadmap:

Cisco Secure MARS Documentation Guide and Warranty

http://www.cisco.com/en/US/products/ps6241/products_documentation_roadmaps_list.html

Lists the document set that supports the MARS release and summarizes the contents of each document.

For general product information, see:

http://www.cisco.com/go/mars

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html