Table Of Contents
Release Notes for Cisco Security MARS Appliance 6.0.7
Last Published: July 19, 2010
Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should review the documentation on Cisco.com for any updates.
These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (MARS), Release 6.0.7, running on any supported MARS Appliance model listed in Supported Hardware.
This chapter contains the following topics:
Release 6.0.7 is now available as an upgrade of 6.0.6 of your software release in support of the MARS Appliance models as identified in Supported Hardware. Registered SMARTnet users can obtain release 6.0.7 from the Cisco support website at the following URL:
Open the page and then click the Download Software link in the Support box on the right side of the MARS product home page.
Release 6.0.7 supports the following Cisco Security MARS Appliance models:
Local Controller Appliances: 2nd Generation
•Cisco Security MARS 25R (CS-MARS-25R-K9)
•Cisco Security MARS 25 (CS-MARS-25-K9)
•Cisco Security MARS 55 (CS-MARS-55-K9)
•Cisco Security MARS 110R (CS-MARS-110R-K9)
•Cisco Security MARS 110RF (CS-MARS-110RF-K9)
•Cisco Security MARS 110 (CS-MARS-110-K9)
•Cisco Security MARS 210 (CS-MARS-210-K9)
Local Controller Appliances: 1st Generation
•Cisco Security MARS 20R (CS-MARS-20R-K9) as a MARS 20
•Cisco Security MARS 20 (CS-MARS-20-K9)
•Cisco Security MARS 50 (CS-MARS-50-K9)
•Cisco Security MARS 100e (CS-MARS-100E-K9) as a MARS 100
•Cisco Security MARS 100 (CS-MARS-100-K9)
•Cisco Security MARS 200 (CS-MARS-200-K9)
Global Controller Appliances: 2nd Generation
•Cisco Security MARS GC2R (CS-MARS-GC2R-K9)
•Cisco Security MARS GC2 (CS-MARS-GC2-K9)
Global Controller Appliances: 1st Generation
•Cisco Security MARS GCm (CS-MARS-GCM-K9) as a MARS GC
•Cisco Security MARS GC (CS-MARS-GC-K9)
In addition to resolved caveats, this release includes the following changes and enhancements:
Changes and Enhancements
The following enhancement exists in Cisco Security MARS, Release 6.0.7:
•Support for Windows 2008—Cisco Security MARS provides agent based, native log support for Windows 2008 server hosts. Users can send syslog to CS-MARS by installing a Snare agent on their Windows 2008 server hosts.
•Support for Windows IIS 7—Cisco Security MARS provides support for IIS 7 on Windows 2008 servers.
Note If you are upgrading from Windows 2003 to Windows 2008, ensure that any ancillary devices and software you employ are supported. For more information see Supported and Interoperable Devices and Software for Cisco Security MARS Local Controller 6.0.x.
New Vendor Signatures
The following table describes the most recent signatures supported for each product or technology:
1 eEye REM 1.0 is supported in 4.2.x.
The MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As administrator of the MARS Appliance, you should check the upgrade site regularly for upgrades. In addition to addressing high-priority caveats, upgrade packages update system inspection rules, event types, and provide the most recent signature support.
For detailed instructions on planning and performing an upgrade or install, refer to "Checklist for Upgrading the Appliance Software" in the Cisco Security MARS Initial Configuration and Upgrade Guide.
Important Upgrade Notes
To ensure that the upgrade from earlier releases is trouble free, this section contains the notes provided in previous releases according the release number. Please refer to the notes that pertain to the release you are upgrading from and any releases following that one.
The following general notes apply to this release:
•If you are upgrading from Windows 2003 to Windows 2008, ensure that any ancillary devices and software you employ are supported. For more information see Supported and Interoperable Devices and Software for Cisco Security MARS Local Controller 6.0.x.
•When downloading software packages from CCO to MARS, ensure that your credentials (username or password) do not include the ampersand (&) character. The credential will be truncated before being passed to the authentication module, which results in an error message about invalid user credentials.
•The CS-MARS 110R running the FIPS-compliant card cannot be managed by a Global Controller.
•The MARS Appliance performs a file system consistency check (fsck) on all disks when either of the following conditions is met:
–The system has not been rebooted during the past 180 days.
–The system has been rebooted 30 times.
The fsck operation takes a long time to complete, which can result in significant unplanned downtime when rebooting the system after meeting a condition above. For example, a MARS 50 appliance can take up to 90 minutes to perform the operation.
Upgrade to 6.0.7
If you are upgrading from Windows 2003 to Windows 2008, ensure that any ancillary devices and software you employ are supported. For more information see Supported and Interoperable Devices and Software for Cisco Security MARS Local Controller 6.0.x.
Upgrade to 6.0.6
No important notes exist for the 6.0.6 upgrade.
Upgrade to 6.0.5
The 6.0.5 release is a general bug fix and signature update release for all MARS appliance models. However, it offers new functionality for an existing CS-MARS 110R when you order and install a FIPS-compliant PCI card. Once installed, you can configure FIPS-specific features within MARS. For more information, see the CS-MARS FIPS PCI CARD Quick Install document.
Upgrade to 6.0.4
No important notes exist for the 6.0.4 upgrade.
Upgrade to 6.0.3
No important notes exist for the 6.0.3 upgrade.
Upgrade to 6.0.2
No important notes exist for the 6.0.2 upgrade.
Upgrade to 6.0.1
The upgrade process to 6.0.1 differs based on the release you are upgrading from. If you are upgrading a 5.x release, you can upgrade to 6.0.1 if you are running 5.3.6. The upgrade from 5.3.6 to 6.0.1 takes several hours, as it also upgrades the Oracle database running on the appliance. If you are running an earlier 5.x release, you must first upgrade to 5.3.6 (see Upgrade to 5.3.6 for details).
However, if you are upgrading a 4.x release, you must migrate the system instead of upgrading. To migrate from a 4.x, you must follow the step-by-step instructions specified in the Migrating Data from Cisco Security MARS 4.x to 6.0.1.
Note When upgrading a "restricted" model of MARS appliance (20R, 100e, or GCm) to MARS Software release 6.0.1, all limits enforced by the restricted model are ignored. The "restricted" models perform as unrestricted models (20, 100, or GC) once upgraded to release 6.0.1.
Upgrade to 5.3.6
For notes that are specific to the upgrade to the 5.3.6 release, as well as all previous 5.x releases, see the Release Notes for Cisco Security MARS Appliance 5.3.6.
Upgrade to 4.3.6
For notes that are specific to the upgrade to the 4.3.6 release, as well as all previous 4.x releases, see the Release Notes for Cisco Security MARS Appliance 4.3.6.
Upgrade Path Matrix
When upgrading from one software release to another, a prerequisite release is always required. This prerequisite release is the minimum level required to be running on the appliance before you can upgrade to the most recent release. Table 1 identifies the upgrade path that you must follow to reach the minimum level required to upgrade to current release.
Table 1 Upgrade Path Matrix
From Release Upgrade To Upgrade Package
Migration required. See Migrating Data from Cisco Security MARS 4.x to 6.0.1
6.0.1 (3066) or 6.0.1 (3070)
6.0.5 no FIPS support
6.0.5 with FIPS support
Downloading the Upgrade Package from CCO
Upgrade images and supporting software are found on the CCO software download pages dedicated to MARS. You can access these pages at the following URLs, assuming you have a valid CCO account and that you have registered your SMARTnet contract number for your MARS Appliance
And then click the Download Software link in the Support box on the right side of the MARS product home page.
Result: The Download Software page loads.
From the Download Software page, select one of the following options:
•CS-MARS IPS Signature Updates Archives
•CS-MARS IPS Signature Updates
•CS-MARS Patches and Utilities (supplementary files)
•CS-MARS Recovery Software
•CS-MARS Upgrade Packages
Note If you are upgrading from a release earlier than those posted on CCO, please contact Cisco support for information on obtaining the required images. Do not attempt to skip releases along the upgrade path.
For information on obtaining a CCO account, see the following URL:
The following notes apply to the MARS 6.0.x releases:
•CSCsu50839—Report Result Page saves the previous "Other views" selection
If you change the "Other Views" options in the report result page, the changes persist for that report and for that browser. When the report results are viewed later, the browser shows the saved options but the results displayed are always the default options results.
To avoid this issue, always click Display Report to view a scheduled report's results.
•If the client system used to access the MARS GUI is not on the same side of the NAT boundary as the a MARS appliance and the Security Manager server, you can perform policy lookup in read-only mode. However, you cannot start the Security Manager client from the read-only policy lookup table to modify matching policies. The Security Manager client must be on the same side of the NAT as the MARS appliance and the Security Manager server if you want to modify the matching policy from MARS. This restriction is also true if you want to query MARS events from policies.
•The performance of the Summary Page degrades when too many reports are added under My Reports. The smaller the number of reports under My Reports, the faster the Summary page loads. To ensure adequate performance, limit the number of reports to 6. This issue is partially described in CSCse18865.
•Do not to use DISTINCT or SAME in queries, and do not run multi-line queries in Release x.3.4 through 6.0.1. If you run such a query, the system time outs after 20 minutes without returning any results. The message "Timeout Occurred" appears instead. You can use DISTINCT and SAME in a Query to create a rule with the Query interface.
•For Symantec AntiVirus, the Symantec agent hostname (AV client computer name) appears in the "Reported User" column of the event data. Therefore, you can define a query, report or rule related to this agent based on the "Reported User" value.interface. For
•The False Positive and Query pages (multi-column result format) have changed. You can now query on firing events that triggered false positives within a time interval. Such queries will render events that did not appear on the False Positive page. To ensure performance, the False Positive page only displays false positives from the most recent 10,000 firing events. To view additional false positives, you must perform a query.
The following notes describe new behavior based on the resolution of specific caveats. Be sure to check the upgrade notes for each release for important notes on data migration.
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
To become a registered cisco.com user, go to the following website:
This section contains the following topics:
Open Caveats for Supporting Devices
The following caveats affect this release and are part of supported devices or compatible products:
Open Caveats— Release 6.0.7
The following caveats affect this release and are part of MARS.
Resolved Caveats —Release 6.0.7
The following customer found or previously release noted caveats have been resolved in this release.
Resolved Caveats —Releases Prior to 6.0.7
For the list of caveats resolved in releases prior to this one, see the following documents:
For the complete list of documents supporting this release, see the release-specific document roadmap:
•Cisco Secure MARS Documentation Guide and Warranty
Lists document set that supports the MARS release and summarizes contents of each document.
•For general product information, see:
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.