Table of Contents
Release Notes for IDS Host Sensor and Console, Version 2.5
Documentation Roadmap
Additional Information Online
Supported Platforms
Known and Resolved Problems
Documentation Updates
Obtaining Documentation
Obtaining Technical Assistance
Release Notes for IDS Host Sensor and Console, Version 2.5
These release notes are for use with the Cisco IDS Host Sensor and Console, version 2.5.
These release notes provide:
- New Features
- Documentation Roadmap
- Additional Information Online
- Supported Platforms
- Known and Resolved Problems
- Documentation Updates
- Obtaining Documentation
- Obtaining Technical Assistance
New Features
Version 2.5 contains the following new features:
Host Sensor (Agent) Features
The following features are included in the May 21, 2002, Agent update:
- Support of Apache versions 1.3.23 and 1.3.24 (Solaris).
- Enhanced protection for Buffer Overflow in Windows systems.
- Buffer Overflow protection for exploits using the Return to LIBC technique in Solaris.
- Graceful recovery from user mode program faults in Solaris.
- The Windows system user ("NT AUTHORITY/System" in Windows NT and "Domainname/machinename" in Windows 2000) is reported by the Agents as "LOCAL/system". This enables you to create consolidated exceptions for the system user across multiple machines.
- Host IDS 2.5 support. This Agent is the first to support Console version 2.5. This Agent (or later versions) must be installed and deployed on the Console before the Console can be upgraded to version 2.5.
- Nine new signatures (see the Agent readme file for descriptions).
Console Features
The following enhancements are included in this release:
- Expanded capabilities for creating Exceptions: Exceptions can now be pre-defined without requiring an underlying security event. They have increased granularity, supporting parameters such as Agent Groups, Users, User Groups, Processes, and wildcards. Exceptions can also be created based on security events.
- The introduction of SecureSelect Mode: SecureSelect Modes allow you to set flexible security policies and control what type of protection HIDS provides. There are three SecureSelect levels: SecureSelect-Warning Mode, SecureSelect-Protection Mode, and SecureSelect-Vault Mode.
- SecureSelect Vault Mode: This new mode, based on Vault Signature rules, allows you to lock down your operating system.
- A new Backup Key command: Allows you to back up the public and private key to a specified location on your system.
- Additional Reports were added to the existing list of reports.
- A new Licensing scheme: License keys are now stored in License files and depend on the Console computer name (hostname) instead of the IP address.
Documentation Roadmap
Note: Although every effort has been made to validate the accuracy of the information in the printed and electronic documentation, you should also review the IDS Host Sensor and Console documentation on Cisco.com for any updates.
The following documents support the IDS Host Sensor and Console, version 2.5 release:
- Registration and Licensing Notes for IDS Host Sensor and Console
- Installation & Setup Guide for IDS Host Sensor and Console
- User Guide for IDS Host Sensor and Console
Note: Adobe Acrobat Reader 4.0 or later is required.
Additional Information Online
You can use the Active Update Notification service on Cisco.com to receive information on product updates. To receive notifications about product information and updates, register at the following URL:
http://www.cisco.com/warp/public/779/largeent/it/ids_news/subscribe.html
Supported Platforms
Host Sensor (Agent)
The Agent Update supports the following operating systems:
- Windows NT 4 Server and Enterprise Server (Service Pack 4 through Service Pack 6a)
- Windows 2000 Server and Advanced Server (up to Service Pack 2)
- Solaris 6 SPARC architecture 4u (32-bit kernel)
- Solaris 7 SPARC architecture 4u (32-bit and 64-bit kernel)
- Solaris 8 SPARC architecture 4u (32-bit and 64-bit kernel)
The Agent Update protects the following web servers:
- IIS 4.0 and 5.0 (Windows)
- Apache 1.3.6 through 1.3.24 (SPARC Solaris)
- Netscape Enterprise Server 3.6 (SPARC Solaris)
- iPlanet Web Server 4.0, 4.1, and 6 (SPARC Solaris)
Console
The Console supports the following operating systems:
- Windows NT 4.x Server or Enterprise Server with Service Pack 6a
- Windows 2000 Server or Advanced Server with Service Pack 1 and Service Pack 2
Known and Resolved Problems
Table 1 describes the problems known to exist in this release.
Table 1: Known Problems
| Component | Summary/Error Message | Explanation/Workaround |
|---|---|---|
| Installer | The ODBC resource DLL (odbcint.dll) is a different version than the ODBC driver manager (ODBC32.DLL). | In some situations, the ODBC DLL file, Odbcint.dll, is no longer synchronized with the other ODBC DLLs. This can cause an Odbcint.dll version error to occur when you start ODBC-dependent applications. If you try to start the Agent on a computer with the ODBC problem, the system on which the Agent is installed fails. This means that ODBC is not installed properly on the computer. Workaround: Reinstall the Microsoft Data Access Components (MDAC) to update all ODBC and newer OLE DB drivers and resources on the system. For more information about how incorrect versions of Odbcint.dll can affect components or to download the latest MDAC, refer to www.microsoft.com. |
| Installer | Console does not start if installation changed from Domain to Local. | If you switch installation modes (Domain, Local) during installation, the Console will not start after rebooting the system. For example, if you select Domain installation and click Next, and then on the next screen you select Back and change the installation to Local and finish the installation, the Console does not start up and you receive the following message: "Cannot start the Console". Workaround: If you change your mind about the type of installation to perform, do not use the Back button to change the installation mode. Instead, cancel the installation and start again using the new installation mode. |
| Installer | InstallShield does not give the option to upgrade. | If you use Task Manager to abort the upgrade process, you cannot go through the upgrade process again. In InstallShield, you no longer have the option to upgrade. Workaround: Uninstall the Console after saving the database, the cryptographic keys, and the licenses, reinstall again, and then do the upgrade. |
| Installer | Database is locked. Please exit the installation and try again. | Before you can upgrade an existing Console, you need to stop any integrator service. Otherwise, the upgrade process generates an error. |
| Installer | The Console cannot be installed on a Windows NT 4 SP6a Terminal Server. | Workaround: None. |
| Uninstaller | Agent is not removed from the Console user interface after you use Add/Remove program. | If you use the Control Panel Add/Remove program on the Agent machine to remove an Agent, the Agent is not removed from the Console user interface. Do not use this method for removing Agents. Workaround: Use the Uninstall Agent feature from the Agent menu in the Console Agent Management window. |
| Settings | All reports are shown in U.S. start and end dates format, even if you set regional settings, such as English (UK). | Workaround: None. |
| Settings | System slows down after selecting "Show event only from last 'n' days". | From the Options window, entering a value greater than 365 days in the "Show event only from last 'n' days" field slows down the system considerably. Be careful what number you enter in this field; the field allows you to enter 3650 days, which slows the system. Workaround: Reduce the total number of events displayed in the GUI. The specific number depends on the performance of your underlying hardware. |
| Events | Read and Unread icons appear duplicated. | When marking large numbers of Security or System Events as read/unread, the Console appears frozen until the command is completed. The Mark Read and Unread icons may appear duplicated during that time. |
| Upgrade | After you upgrade a Console to 2.5, all Security Events and System Events are marked unread. | Workaround: None. |
| Exceptions | Some Advanced Details in Exceptions are case sensitive. Entering a parameter incorrectly could invalidate the Exception. | File, directory, and Registry key names are not case sensitive. However, protocol and workstation parameters are case sensitive. Use caution when modifying any parameter and test the Exception to ensure it functions as expected. |
| Notifications | Wrong enterprise ID in SNMP traps. | The enterprise ID is sent as 5.2.0.4 instead of 5204. Workaround: None. |
| Notifications | SNMP traps sent as cold start traps. | Workaround: None. |
| Version Management | Pre-05212002 Agent can be selected in Version Management. | Do not manually install any Agent software older than version 05212002 at the Console, as older versions are incompatible with HIDS 2.5, and you could accidentally designate them as testing versions. An Agent running an older software version is not capable of communicating with the Console. |
Table 2 describes the problems resolved since the last release.
Table 2: Resolved Problems
| Component | Summary | Additional Information |
|---|---|---|
| Exceptions | "Exception already exists" error appeared if you tried to create a new Exception that differed from an existing Exception only by a parameter in the Advanced Details section. | You can now create multiple Exceptions with different Advanced Details parameters. |
| Notifications | Some event details for pager notifications were truncated when the information exceeded 256 characters (the limit for the recipient pager). | Pager messages are now reformatted so that important details get transmitted first. |
| Settings | A runtime error occurred if you modified a parameter in one Tools > Options category without clicking OK or Apply before selecting another category and clicking either OK or Apply. | None. |
| Settings | A runtime error occurred if you deleted the User Name from Tools > Change Password, and then entered the old and the new passwords and clicked OK. | None. |
| Operating System | A Console service would not start after reboot when installed on a machine with Windows NT 4 SP4 and MS Office 2000 Premium SR1. | None. |
| Uninstaller | The Console uninstallation would not complete successfully if a previous uninstallation was aborted. | The uninstallation now guides you through complete operations before allowing you to exit. |
| Events | The start or completion of the archival process did not generate a system event. | None. |
| Events | A security event based on an HTTP request that ended with an asterisk (*) did not show all relevant event information in Advanced Details. | None. |
Documentation Updates
The following changes apply to "Appendix A" of the User Guide for IDS Host Sensor and Console, Table A-3:
- Object identifier 1.3.6.1.4.1.5.2.0.4.1.3.0 now corresponds to Console instead of the Application field in the Details tab.
- Object identifier 1.3.6.1.4.1.5.2.0.4.1.4.0 now corresponds to the Security Level field in the Details tab instead of the Console field in the Advanced Details tab.
- Object identifier 1.3.6.1.4.1.5.2.0.4.1.5.0 now corresponds to the Application field in the Advanced Details tab instead of the Security Level field in the Details tab.
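A trap receiver has to apply the corrected Table A-3 mapping above and also cope with the enterprise ID defect listed in Table 1, where the ID arrives as 5.2.0.4 rather than 5204. The following sketch is an added example, not Cisco code: the function names, the `1.3.6.1.4.1.5204` prefix form, and the sample varbind values are assumptions constructed for illustration.

```python
# Added example. OIDs and field names come from the release notes;
# everything else (names, sample values) is hypothetical.
ENTERPRISES = (1, 3, 6, 1, 4, 1)
AS_SENT = ENTERPRISES + (5, 2, 0, 4)   # enterprise ID as the Console sends it
INTENDED = ENTERPRISES + (5204,)       # assumed form if the ID were sent as 5204

# Sub-identifiers from the corrected Table A-3 (only the three rows listed).
FIELDS = {3: "Console", 4: "Security Level", 5: "Application"}

def parse_oid(text):
    """Convert a dotted OID string to a tuple of ints; reject malformed input."""
    parts = text.strip().lstrip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return tuple(int(p) for p in parts)

def classify(oid_text):
    """Return (prefix_form, field_name) for a HIDS varbind OID, else None."""
    oid = parse_oid(oid_text)
    for form, prefix in (("as-sent", AS_SENT), ("intended", INTENDED)):
        if oid[:len(prefix)] == prefix:
            tail = oid[len(prefix):]
            # The documented OIDs end in 1.<field>.0
            if len(tail) == 3 and tail[0] == 1 and tail[2] == 0:
                return form, FIELDS.get(tail[1])
            return form, None
    return None

def naive_enterprise_number(oid_text):
    """What a filter keyed on 1.3.6.1.4.1.<n> extracts from the OID."""
    oid = parse_oid(oid_text)
    if oid[:6] == ENTERPRISES and len(oid) > 6:
        return oid[6]
    return None

def decode_trap(varbinds):
    """Map recognised HIDS varbinds to Table A-3 field names."""
    decoded = {}
    for oid_text, value in varbinds:
        hit = classify(oid_text)
        if hit and hit[1]:
            decoded[hit[1]] = value
    return decoded

# Constructed sample varbinds (values are invented for the example).
SAMPLE = [
    ("1.3.6.1.2.1.1.3.0", "4211"),              # sysUpTime, not a HIDS field
    ("1.3.6.1.4.1.5.2.0.4.1.3.0", "console01"),
    ("1.3.6.1.4.1.5.2.0.4.1.4.0", "High"),
    ("1.3.6.1.4.1.5.2.0.4.1.5.0", "IIS"),
]
```

A filter that reads only the arc after `1.3.6.1.4.1` sees enterprise number 5 for these traps, not 5204, so match on the full as-sent prefix when routing HIDS notifications.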
Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at this URL:
Translated documentation is available at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
Cisco documentation is available in the following ways:
- Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:
- Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
- Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Feedback at the top of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to
- Streamline business processes and improve productivity
- Resolve technical issues with online support
- Download and test software packages
- Order Cisco learning materials and merchandise
- Register for online skill assessment, training, and certification programs
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to this URL:
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.
Inquiries to Cisco TAC are categorized according to the urgency of the issue:
- Priority level 4 (P4): You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
- Priority level 3 (P3): Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
- Priority level 2 (P2): Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
- Priority level 1 (P1): Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:
All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://www.cisco.com/register/
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.
This document is to be used in conjunction with the documents listed in the "Documentation Roadmap" section.

Copyright © 2002, Cisco Systems, Inc.
All rights reserved.

