
Cisco Security Monitoring, Analysis and Response System

Release Notes for Cisco Security MARS Appliance 6.0.4



Published: August 3, 2009
Revised: August 4, 2009

Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should review the documentation on Cisco.com for any updates.

These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (MARS), Release 6.0.4 running on any supported MARS Appliance model listed in Supported Hardware.

This chapter contains the following topics:


Supported Hardware

New Features

Upgrade Instructions

Documentation Errata

Important Notes


Product Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Release 6.0.4 is now available as an upgrade of software release 6.0.3, in support of the MARS Appliance models identified in Supported Hardware. Registered SMARTnet users can obtain release 6.0.4 from the Cisco support website at:
And then click the Download Software link in the Support box on the right side of the MARS product home page.

Supported Hardware

Release 6.0.4 supports the following Cisco Security MARS Appliance models:

Local Controller Appliances: 2nd Generation

Cisco Security MARS 25R (CS-MARS-25R-K9)

Cisco Security MARS 25 (CS-MARS-25-K9)

Cisco Security MARS 55 (CS-MARS-55-K9)

Cisco Security MARS 110R (CS-MARS-110R-K9)

Cisco Security MARS 110 (CS-MARS-110-K9)

Cisco Security MARS 210 (CS-MARS-210-K9)

Local Controller Appliances: 1st Generation

Cisco Security MARS 20R (CS-MARS-20R-K9) as a MARS 20

Cisco Security MARS 20 (CS-MARS-20-K9)

Cisco Security MARS 50 (CS-MARS-50-K9)

Cisco Security MARS 100e (CS-MARS-100E-K9) as a MARS 100

Cisco Security MARS 100 (CS-MARS-100-K9)

Cisco Security MARS 200 (CS-MARS-200-K9)

Global Controller Appliances: 2nd Generation

Cisco Security MARS GC2R (CS-MARS-GC2R-K9)

Cisco Security MARS GC2 (CS-MARS-GC2-K9)

Global Controller Appliances: 1st Generation

Cisco Security MARS GCm (CS-MARS-GCM-K9) as a MARS GC

Cisco Security MARS GC (CS-MARS-GC-K9)

New Features

In addition to resolved caveats, this release includes the following new features:

This section contains the following topics:

Miscellaneous Changes and Enhancements

New Device Support

New Vendor Signatures

Miscellaneous Changes and Enhancements

The following changes and enhancements exist in this release:

Botnet Traffic Filter (ASA 8.2) Feature Support—Detect malware that attempts malicious network activity, such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) with ASA Botnet Traffic Filter (BTF). BTF checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and then logs any suspicious activity. For details, consult Chapter 12, Botnet Traffic Filtering in User Guide for Cisco Security MARS Local and Global Controllers, Release 6.x.

MARS support for ASA 8.2 introduces the following BTF features:

ASA Botnet Summary Tab—When monitoring a properly configured Cisco ASA 8.2 device, customers can quickly view Botnet activity on their network using the new summary tab, which provides an at-a-glance dashboard with the following new reports:

Activity: ASA Botnet Traffic Filter - Top Botnet Ports

Activity: ASA Botnet Traffic Filter - Top Botnet Sites

Activity: ASA Botnet Traffic Filter - Top Infected Hosts

BTF: System reports—When monitoring a properly configured Cisco ASA 8.2 device, customers can drill down into malicious activity with the following new reports:

Hosts which have generated phone home activity (top infected hosts)

Adequate host details (port/protocol, user agent, etc.) required for remediation.

Top Botnet sites by domain and IP address

Top Botnet ports detected

BTF: System rule—When monitoring a properly configured Cisco ASA 8.2 device, a new system rule is available that detects failed phone-home db downloads.

Cisco IPS 7.0 Feature Support—IPS 7.0(1) contains a new security capability, Cisco Global Correlation, which uses the immense security intelligence that Cisco has amassed over the years. At regular intervals, Cisco IPS receives threat updates from the Cisco SensorBase Network, which contains detailed information about known threats on the Internet, including serial attackers, Botnet harvesters, Malware outbreaks, and dark nets. The IPS uses this information to filter out the worst attackers before they have a chance to attack critical assets. It then incorporates the global threat data into its system to detect and prevent malicious activity even earlier.

MARS support for 7.0(1) introduces the following Global Correlation features:

A new system report that identifies the attacks blocked by Cisco IPS 7.0(1) over a specified interval.

Global Correlation scores embedded in query and reporting interfaces allow customers to view reputation data and create customized Global Correlation reports.

Tunable Query Performance Support—Customers can reduce query wait times by creating custom indexes for commonly run queries. Under certain data sets and use cases, you can define a tuned query database. A new option for tuning query performance appears under ADMIN > System Maintenance > Database Configuration > Database Tuning / Query Optimization. For details, consult the "Database Tuning and Query Optimization" section of Chapter 13, System Maintenance in User Guide for Cisco Security MARS Local and Global Controllers, Release 6.x.

E-Mail Notification Update—E-mail based notifications now include top 3 source IPs, top 3 destination IPs, and top 3 botnet sites. For more information on these notifications, consult the "Notification Methods" section of Chapter 5, Alerts and Incident Notifications in User Guide for Cisco Security MARS Local and Global Controllers, Release 6.x.

Future Cisco.com Software Update Support—MARS 6.0.4 includes changes to support a seamless migration from the current Cisco.com software and signature download sites to a new location hosted on Cisco.com. Customers are required to upgrade to 6.0.4 to enable future automated system upgrades, patches, and dynamic signature update support, features introduced in MARS 6.0.1. By the end of October 2009, customers running releases prior to 6.0.4 will no longer be able to use these automated update features. The features affected by this update are accessible from ADMIN > System Setup > IPS Signature Dynamic Update Settings and ADMIN > System Maintenance > Upgrade.

Alternatively, you can perform the following appropriate workaround:

Upgrade—Manually download the updates and upgrade from a local server. For details, select the Internal Upgrade Server option in Step 4 of the "Checklist for Upgrades of Appliance Software" section in Chapter 5, Upgrade Management in Cisco Security MARS Initial Configuration and Upgrade Guide, 6.X.

IPS Signatures—Replace the old URL (https://www.cisco.com/cgi-bin/ida/locator/locator.pl) with the new value: https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl. For details on how to modify this URL, see the "IPS Signature Dynamic Update Settings" section in Chapter 4, Cisco IPS 6.x Devices and Virtual Sensors in Device Configuration Guide for Cisco Security MARS, Release 6.x.

New Device Support

The 6.0.4 release of MARS supports the following new device versions:

Cisco ASA 8.2

Cisco IPS 7.0

Cisco IPS 6.2

Cisco IOS/Switch IOS 12.4 (backward compatibility support)

Cisco FWSM 4.0.1 and 4.0.4 (backward compatibility support)

Cisco Security Agent 6.0.1 (backward compatibility support)

New Vendor Signatures

The following table describes the most recent signatures supported for each product or technology:

Tip For full details on supported devices and versions, see Supported and Interoperable Devices and Software for Cisco Security MARS Local Controller 6.0.x.

Product or Technology: Signature Version Supported [Revised in 6.0.4]

Intrusion Prevention and Detection Signatures

Cisco IDS 4.0, Cisco IPS 5.x, Cisco IPS 6.x, Cisco IPS 7.x: Current through S406 signature release.

Cisco ASA: Current as of May 2009

Cisco IOS 12.2/12.4: Current as of June 2009

Snort NIDS 2.8: Current through the May 29, 2009 signature release. Latest signature mapped: 15471.

ISS RealSecure Network Sensor 6.5 and 7.0, and ISS RealSecure Server Sensor 6.5 and 7.0: XPU 29.060. Release date: May 12, 2009

McAfee IntruShield 4.1: Release date: May 28, 2009

McAfee Entercept HIDS 2.5, 4.0, 6.x: Current through the January 23, 2009 signature release.

CheckPoint Application Intelligence (VPN-1 NG with Application Intelligence R65): Current through the June 1, 2009 signature release.

Netscreen IDP 2.1, 3.0, 3.1, 4.0, 4.1: Signature version: 4.0. Release date: June 5, 2009

Symantec NIDS, v 4.0: Signature package: 95. Release date: June 12, 2008 [Revised in 6.0.4: No. EOS.]

Enterasys Dragon 6.x, 7.x: Current through the June 1, 2009 signature release.

Symantec Manhunt 3.x (See Symantec NIDS, v 4.0.): 3.4.3 Update 59. Current through the May 24, 2007 signature release. [Revised in 6.0.4: No. EOS.]

Vulnerability Scanner Signatures

Qualys Guard ANY: Current through the June 5, 2009 signature release.

E-Eye, Retina Scanner Vulnerability Software, version 5.61: Current through the June 4, 2009 signature release.

Foundstone, version ANY: Current through the June 5, 2009 signature release.

Common Vulnerabilities and Exposures (CVE) Database: Current with the June 12, 2009 definition update.

Miscellaneous Support

Oracle 11g: Support for new AUDIT_ACTIONS.

1 eEye REM 1.0 is supported in 4.2.x.

Upgrade Instructions

The MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As administrator of the MARS Appliance, you should check the upgrade site regularly for upgrades. In addition to addressing high-priority caveats, upgrade packages update system inspection rules and event types, and provide the most recent signature support.

For detailed instructions on planning and performing an upgrade or install, refer to "Checklist for Upgrading the Appliance Software" in the Cisco Security MARS Initial Configuration and Upgrade Guide.

Important Upgrade Notes

To ensure that the upgrade from earlier releases is trouble free, this section contains the notes provided in previous releases, organized by release number. Please refer to the notes that pertain to the release you are upgrading from and any releases following that one.

General Notes

The MARS Appliance performs a file system consistency check (fsck) on all disks when either of the following conditions is met:

If the system has not been rebooted during the past 180 days.

If the system has been rebooted 30 times.

The fsck operation takes a long time to complete, which can result in significant unplanned downtime when rebooting the system after meeting a condition above. For example, a MARS 50 appliance can take up to 90 minutes to perform the operation.

Upgrade to 6.0.4

No important notes exist for the 6.0.4 upgrade.

Upgrade to 6.0.3

No important notes exist for the 6.0.3 upgrade.

Upgrade to 6.0.2

No important notes exist for the 6.0.2 upgrade.

Upgrade to 6.0.1

The upgrade process to 6.0.1 differs based on the release you are upgrading from. If you are upgrading a 5.x release, then you can upgrade to 6.0.1 if you are running 5.3.6. The upgrade from 5.3.6 to 6.0.1 takes several hours, as it also upgrades the Oracle database running on the appliance. If you are running an earlier 5.x release, you must first upgrade to 5.3.6 (see Upgrade to 5.3.6 for details).

However, if you are upgrading a 4.x release, you must migrate the system instead of upgrading. To migrate from a 4.x release, you must follow the step-by-step instructions specified in Migrating Data from Cisco Security MARS 4.x to 6.0.1.

Note When upgrading a "restricted" model of MARS appliance (20R, 100e, or GCm) to MARS Software release 6.0.1, all limits enforced by the restricted model will be ignored. The "restricted" models will perform as unrestricted models (20, 100, or GC) once upgraded to release 6.0.1.

Upgrade to 5.3.6

For notes that are specific to the upgrade to the 5.3.6 release, as well as all previous 5.x releases, see the Release Notes for Cisco Security MARS Appliance 5.3.6.

Upgrade to 4.3.6

For notes that are specific to the upgrade to the 4.3.6 release, as well as all previous 4.x releases, see the Release Notes for Cisco Security MARS Appliance 4.3.6.

Upgrade Path Matrix

When upgrading from one software release to another, a prerequisite release is always required. This prerequisite release is the minimum level required to be running on the appliance before you can upgrade to the most recent release. Table 1 identifies the upgrade path that you must follow to reach the minimum level required to upgrade to the current release.

Table 1 Upgrade Path Matrix 

From Release
Upgrade To
Upgrade Package



Migration required. See Migrating Data from Cisco Security MARS 4.x to 6.0.1




6.0.1 (3066) or 6.0.1 (3070)









Downloading the Upgrade Package from CCO

Upgrade images and supporting software are found on the CCO software download pages dedicated to MARS. You can access these pages at the following URLs, assuming you have a valid CCO account and that you have registered your SMARTnet contract number for your MARS Appliance.

Top-level page:


And then click the Download Software link in the Support box on the right side of the MARS product home page.
Result: The Download Software page loads.

From the Download Software page, select one of the following options:

CS-MARS IPS Signature Updates Archives

CS-MARS IPS Signature Updates

CS-MARS Patches and Utilities (supplementary files)

CS-MARS Recovery Software

CS-MARS Upgrade Packages

Note If you are upgrading from a release earlier than those posted on CCO, please contact Cisco support for information on obtaining the required images. Do not attempt to skip releases along the upgrade path.

For information on obtaining a CCO account, see the following URL:


Documentation Errata

CSCsl14244. User guide does not discuss role of Nessus in the MARS system.

To determine whether specific incidents are false positives, MARS uses Nessus 2.x GPL plug-ins and custom scripts mapped to specific MARS event types. MARS does not use Nessus to perform vulnerability assessments or related reporting.

MARS uses Nessus as one component in determining false positives. When a host resides on a network listed under "Networks for Dynamic Vulnerability Scanning", MARS uses Nessus to help ascertain whether an attack targeting that host was likely to be successful. When an event does not have a corresponding Nessus Attack Scripting Language (NASL) script, MARS uses nmap OS fingerprinting to determine the destination operating system type, and uses nmap-found-OS to match known operating systems affected by the attack.

CSCsk77546. Discovery Device with SSH 512 module not supported.

The OpenSSH client used by MARS does not support modulus sizes smaller than 768. For example, you cannot discover a device using an SSH login that has a 512-byte key.
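The following check is an added example, not part of the Cisco documentation. It reads ssh-keyscan-style lines ("host ssh-rsa base64") and reports the RSA modulus size of each host key, so that devices below the 768 limit can be found before MARS discovery is attempted. It treats the limit as bits (an assumption; the note gives no unit), and the host addresses and key values are constructed for illustration.

```python
import base64
import struct

# Limit from the errata note above, read here as bits (assumption).
MIN_MODULUS_BITS = 768


def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field body")
    return blob[start:end], end


def rsa_modulus_bits(pubkey):
    """Return the modulus size in bits of an 'ssh-rsa AAAA...' public key."""
    fields = pubkey.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    _exponent, off = read_string(blob, off)
    modulus, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    # The modulus is a signed big-endian mpint and may carry a 0x00 pad byte;
    # converting to int and taking bit_length() gives the true size.
    return int.from_bytes(modulus, "big").bit_length()


def audit(keyscan_lines, minimum=MIN_MODULUS_BITS):
    """Return (host, bits, verdict) for each 'host keytype base64' line."""
    results = []
    for line in keyscan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, key = line.partition(" ")
        try:
            bits = rsa_modulus_bits(key)
        except ValueError as exc:  # also covers malformed base64
            results.append((host, None, "unparsed: %s" % exc))
            continue
        verdict = "ok" if bits >= minimum else "too small for MARS discovery"
        results.append((host, bits, verdict))
    return results


# --- constructed sample input (not real keys; only the sizes matter) ---
def pack_string(data):
    return struct.pack(">I", len(data)) + data


def mpint(value):
    """Minimal positive mpint encoding, padded so the sign bit stays clear."""
    return pack_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def sample_line(host, bits):
    """Build a keyscan-style line whose modulus has exactly `bits` bits."""
    modulus = (1 << (bits - 1)) | 1  # placeholder value, not a usable modulus
    blob = pack_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return "%s ssh-rsa %s" % (host, base64.b64encode(blob).decode())


SAMPLE_KEYSCAN = [
    sample_line("192.0.2.10", 512),
    sample_line("192.0.2.11", 768),
    sample_line("192.0.2.12", 1024),
    "192.0.2.13 ssh-ed25519 AAAA",  # non-RSA key: reported, not sized
]

if __name__ == "__main__":
    for host, bits, verdict in audit(SAMPLE_KEYSCAN):
        print(host, bits, verdict)
```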

Important Notes

The following notes apply to the MARS 6.0.x releases:

CSCsu50839—Report Result Page saves the previous "Other views" selection

If you change the "Other Views" options in the report result page, the changes persist for that report and for that browser. When the report results are viewed later, the browser shows the saved options but the results displayed are always the default options results.

To avoid this issue, always click Display Report to view a scheduled report's results.

If the client system used to access the MARS GUI is not on the same side of the NAT boundary as the MARS appliance and the Security Manager server, you can perform policy lookup in read-only mode. However, you cannot start the Security Manager client from the read-only policy lookup table to modify matching policies. The Security Manager client must be on the same side of the NAT as the MARS appliance and the Security Manager server if you want to modify the matching policy from MARS. This restriction is also true if you want to query MARS events from policies.

The performance of the Summary Page degrades when too many reports are added under My Reports. The smaller the number of reports under My Reports, the faster the Summary page loads. To ensure adequate performance, limit the number of reports to 6. This issue is partially described in CSCse18865.

Do not use DISTINCT or SAME in queries, and do not run multi-line queries in Release x.3.4 through 6.0.1. If you run such a query, the system times out after 20 minutes without returning any results. The message "Timeout Occurred" appears instead. You can use DISTINCT and SAME in a Query to create a rule with the Query interface.

For Symantec AntiVirus, the Symantec agent hostname (AV client computer name) appears in the "Reported User" column of the event data. Therefore, you can define a query, report or rule related to this agent based on the "Reported User" value.

The False Positive and Query pages (multi-column result format) have changed. You can now query on firing events that triggered false positives within a time interval. Such queries will render events that did not appear on the False Positive page. To ensure performance, the False Positive page only displays false positives from the most recent 10,000 firing events. To view additional false positives, you must perform a query.

The following notes describe new behavior based on the resolution of specific caveats. Be sure to check the upgrade notes for each release for important notes on data migration.

Reference Number

CSCsc50636, CSCsc50652

Issues: Back-end IPS process runs at 99% CPU when pulling large IP Logs. The Back-end IPS process reaches 1GB in memory used when pulling IP Logs. The process names depend on the version of MARS that is running:

In release 4.2.1 and earlier, the process names are pnids50_srv and pnids40_srv.

In release 4.2.2 and later, the process is named csips.

These related issues are specific to pulling IP logs from Cisco IDS/IPS devices. The symptom is that the Back-end IPS service consumes the system resources on the MARS Appliance. An improper configuration of the sensor can significantly degrade the sensor performance as well as that of MARS.

Workaround: Ensure that settings for IP log creation on the sensor limit the size of the IP log (in terms of number of bytes or number of packets captured). Also, verify that IP packet logging is enabled only for signatures of interest and not for all signatures. In addition, the following release-specific maximums are enforced:

In 4.2.1, a 100 file maximum is enforced for the log file queue when the MARS is configured to pull IP log files. Therefore, it may not pull every IP log file. In addition, the complete IP Log file may not be pulled; instead, data is pulled from the file starting 5 minutes before the alert was generated through the end of the file.

In 4.2.2, a 1,000 file maximum (up from 100 in 4.2.1) is enforced for the log file queue when the MARS is configured to pull IP log files. The complete IP Log file may not be pulled; instead, data is pulled from the file starting 1 minute (down from 5 minutes in 4.2.1) before the alert was generated through the end of the file. And last, 100KB is the maximum IP log size that can be pulled from a MARS Appliance.


Issue: Data computed or stored on a standalone MARS while in standalone mode will not be transferred to a Global Controller. Only data computed on a Local Controller that is currently monitored by a Global Controller will be pushed up.


Issue: After renaming a cloud, clicking the cloud again causes an error.

Workaround: Refresh the page before clicking a renamed cloud.


Issue: The free-form search may not work for the following devices:

Check Point Opsec NG FP3

Cisco CSA, 4.0

Cisco, IDS, 3.1 and 4.0

ISS, RealSecure, 6.5 and 7.0

Entercept Entercept, 2.5 and 4.0

IntruVert IntruShield, 1.5


Issue: The automatic time-out feature built into the GUI does not work when the Summary page is left open with automatic refresh selected.

Resolution: Please log out of the system when you are no longer using it.


This section describes the open and resolved caveats with respect to this release.

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.

Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
To become a registered cisco.com user, go to the following website:

This section contains the following topics:

Open Caveats for Supporting Devices

Open Caveats— Release 6.0.4

Resolved Caveats —Release 6.0.4

Resolved Caveats —Releases Prior to 6.0.4

Open Caveats for Supporting Devices

The following caveats affect this release and are part of supported devices or compatible products:

Reference Number
Cisco Security Manager


Policy lookup icon not shown if device is deleted from MARS


Policy lookup icon not shown for a device deleted and re-added to MARS


Minimum password length for Security Manager account in MARS


MARS query does not highlight rules inside any policy group named Local

Firewall Services Module


FWSM Syslog message FWSM-6-302013 with wrong Real and Mapped IP

Open Caveats— Release 6.0.4

The following caveats affect this release and are part of MARS.

Reference Number


Nessus should check pre-NAT address instead of Post-NAT address


Adding devices w/o "Activate" can cause "messy" graph


Graphgen crashes when there are many non-existent devices


using TAB in editing fields


Graph doesn't refresh when a cloud is renamed


nasl message text needs to be changed


"Domain" in Configuration page - no use


Cloud name input box accepts invalid characters


Cleanup script for invalid /etc/qpage.conf entries


Host OS listing needs cleaning


pnreset command does not cause reboot


Security device type hosts don't show up in IP management


Unable to shutdown an interface


Batch Query: Under high load, some batch queries may not complete


Saving .csv files under WinXP SP2 results in .htm extension


Docs: Filesystem Check after 22 reboots


IIS parsing must be separated from Windows log


Applied $TARGET01 for GC Query Source IP resulted in "resultCounter


XML escaping errors in Keyword Search in Rule


rule was not fired because Oracle log used upper case for user


GC/LC user rule is too long to fit into a page if keyword is long


Server csv function could not handle special characters in password


need to fix errors in affected os


JavaScript Error from ViewReport when clicking Edit/Clear


"Agent" didn't be removed correctly


rebooting mars while it is upgrading cause the box not accessible


Time change on system causes GC/LC communication problem


Batch Query Results with one item returned -> no data in graph in em


Rules editing: changing entry for select window pulldown after error


GC/LC, rule does not display user <cxu> but allows such cfg


Network group search is not working for "All IP addresses"


Not able to downgrade a security analyst to Notification only user


GC:LC - Communication issues after time zone change


Copied rules have shortened year in front, which is confusing (ex. 0


Got System Error In GC After Re-installed New Version In LC


CSV-re import of CSA and Symantec agents unsuccessful


Deleting a LC w/o exchanging certificates doesn't set mode to Standalone


LC Rule/Report list shows empty after deletion of GC group


Need improvement to GUI for multi-line rules


MARS Incident notification options are not configurable


pnrestore doesn't restore all of the system config


CS-MARS/CSM: Credentials change on CSM side not checked.


Clicking the clear button when editing the query type doesn't work.


Incorrect handling of time range for rules that fire periodically.


Both successful/failed mitigation reports show same results


Failed load from csv returns incorrect status


Summary Page Graphs Spontaneously Change Displayed Size (w/ multi-head)


5K Lines Custom Query fails


UI takes 99% CPU, hanging browser and slowing system while expanding all


Cloud toggle only works on first page of reporting devices


Query Tab -> Multi column query returns wrong results.


CS-Mars - unable to show L2 path when source and destination in same net


LLV query causes client CPU to go to 100%


IPlanet Unknown Device Event Type Parsing Error


The time stamp shown by the pndbusage command is incorrect.


Unresolved symbol in Java build (though didnot stop building)


Occasionally corrupted event data enters into MARS database


Device resource monitor incorrectly samples 5 sec CPU instead of 5 min


GUI should prevent edit/delete of system-context PIX/ASA 7.0 devices


Database table columns do not match with the archive file columns


Inaccuracy in per-context memory utilization for multi-context devices


keyword search query can't display big-5 encoding raw msg


Mars doesn't support new/changed FWSM 3.1.3 maintenance release syslogs


Unknown device events for FWSM 3.1 FWSM-3-717001 till FWSM-4-717031


provide encoding selection for adding agent to device/host


wrong values for current connections using CLI "show resource usage"


rule's keyword editor treats NOT as binary rather than unary


Devices should not be added to MARS if Discovery is unsuccessful


some syslog results in unknownDET with 'Activate'


Case Management: history does indicate change of ownership


CSM multiple hostname matches failed to return multiple hosts


MARs says it can delete up to 500 at a time but only lets you delete 50.


User can input unsupported characters in AAA device name


pn_incident_log and pn_report_log should be archived


gui.sh dev build makes different JBOSS web.xml than make release


CS-MARS - Request to have the "ssldump" command in the MARS CLI.


CS-Mars does mitigate to the proper endpoint


Mismatch in results between query and report.


Mismatch in results between query and report when query is based on user


Mismatch in results between query & report when query based on desti. IP


The application hangs, while getting the results for a query.


Mismatch results between query and report (custom column)


Edit SW based Application device need submit twice


mars reboots w/o asking for confirmation after user clicked cfg update


The performace test kills all the process during the weekend run


Index needs to be removed for the pn_report_result table


L2 mitigation has problem finding path


For multiple context mode, inbound/outbound error reports are incorrect.


security hole happens if users close browsers without click logout


with 60% event rate capacity, query events ranked by time takes 20 min


Mismatch in results between query and report for All Matching Events


Mismatch between query and report results for source port ranking.


Report is not emailed because of Message exceeds maximum fixed size


Update reports when handling deletion of hosts


LC did not get added to GC so unable to generate syslogs.


CS-MARS Action filter doesn't work if not associated with incidents


Box may not be able to reboot after recovery, under certain conditions


Paging does not work for report right after adding it to a case.


scheduled discovery is scheduled at wrong time


Syslogrelay is accepting same IP for both source and collector


Inline/Batch query not match on NAT connection report


Inline/Batch query: result mismatch on Matched Rule Ranking


Adding LC with version lower than 4.3.1 should version mismatch err


MARS failed to import 1000 hosts vulnerablilty information


pink error when listing devices while scalability script running


MARS: Isolated Networks in Topology due to 'ip unnumbered' Interface


GUI doesn't check duplicate agent ip address when adding application


MARS Layer 2 path and mitigation issues with IOS 12.3 and 12.4 version


rare crashing issue due to file system check/memory short


Loading hosts from seed file does not fill interface information on MARS


pnrestore throws the warning of archive version 0


Host name appears inconsistently on Incident Vector Topology


custom parser performance issue


4.3.5 eth1 IP address not migrated to 5.3.5


Actual Time For 'pnexp' Or 'pnimp' Is Much Higher Than Estimated


Anomaly baselines are not part of archive/restore data


MARS not showing the switches in L2 mitigation path consistently


Rawmsg retrieve Stop(from the GUI) does not stop backend immediately


Unable to edit Cisco Switch IOS event parser in 6.0.1 DSF feature.


MARS adding wrong device entry after adding ISS Provetia as ISS RS 7.0


MARS not printing the correct Layer 2 topology


CSM-MARS linkage is not working when AAA is configured as Authentication


Querying events filter by severity level not generating any reports


Unable to parse NAC 4.5


Invalid insp rule propagated from GC to LC even when rule ok on GC


MARS 6.0.2 Issue with modifying user roles.


the deleted devices are still showing in the resource utilization report


MARS device support for Check Point NG FP3


User defined rule doesn't work for keyword with NOT condition


Cisco SNMP Traps with enterprise id 9 are parsed incorrectly


Unknown Device Event Type for ACS 4.2


CS-MARS Single Zone Report Showing Info from other Zones


Inactive rules becomes active after importing using DSF


Severity not evaluated/matched correctly for CSA and some IPS events


querying IPS events with prot:IP(SNMP traps) generates improper results


Query with sites from GC is taking too long to finish.


MARS - l2 path does not show stacked switches


CS-MARS: Unable to update custom signature package


wrong info on pop up while deleting a site on GC.


Older unsupported versions of checkpoint should not be supported in MARS


CS-MARS-6.0-Filtering on Red severity slow and Oracle pegged.


site pop up shows different info if user click site from different pages


MARS returns empty result set for queries returning large amount of data


GC report with BTF site reference is always stays in progress.


ASA site report takes a few seconds to display even on a non-busy box


CSMARS: Scheduled Keyword-query Reports w/Special Chars Give No Results


Invalid credential error if CCO passwd including URL special characters


"export all" doesn't export configuration


DSF export/import feature for rules/report with sites is not working


scheduled reports for firing events adds item_count value of 19-digit nu

Resolved Caveats —Release 6.0.4

The following customer-found or previously release-noted caveats have been resolved in this release.

Reference Number


FWSM ifspeed incorrectly reported as 0 for per-context vlan interfaces


Exception in Case Management code when deleting a report


Strange source IP when creating drop rule using source ip as


Incident query ranked by time: wrong logic


L2 path doesn't show firewall device if it reports and blocks the attack


LC stops communicating to GC, stack dump shows stuck in Version Check


checkpoint mitigation causes process crash and GUI hung


Device filter in GC report got populated incorrectly on LC


Pnesloader failed to access the shared buffer a long period of time


Add IPS reputation support in MARS


Support ASA 8.2


Graphgen crashes periodically on memory "new" and "delete"


Error in alert_pndb.log about sysaux out of space error


IPS: 7.x device support


CS-MARS Seconds field in Time range for rules not working correctly.


IPS reputationScore support - Parser logic.


Drop Rule does not update status flag of all previous events


Adding large number of devices to the rule handled ungracefully


Enh: CS-MARS backend changes for ASA L4TM support


Enh: CS-MARS GUI changes for ASA L4TM support


Unknown Device Event Types from FWSM 3.1


OpenSSL changes for incorrect checks for malformed signatures


Request pnmonitor to call a backend servlet for stuck LC/GC connection


cs-mars GC "change status" button on bottom of rules page broke


Raw Message Retrieval stops at a particular percentage


MARS raid firmware hangs


Unresponsive SFTP archive server causes some zombie processes


Custom parser cannot extend events for Linux


When setting up AAA server we get a number format exception


Pnarchive didn't reconnect when its DB connection was lost


Every ~20 min processes restart when environment slows port scans


Race condition could happen in pnarchive raw message indexer


Archiving loses connection to Windows-based nfs and sftp servers


Mars 6.0.1 - java stack trace seen query results


Memory leaking in pnesloader exception handling


Pnesloader crashed because of memory corruption


DOC: Install Guide Incorrectly States Authenticated Proxy as Upgrade Req.


DOC: Access and Reporting IP swapped in "FTP Access" portion of guide


%SSH-5-SSH2 from 12.4 IOS not parsed properly


Unable to load 'All Devices' under rule


cs-mars parsed log messages for process csiosips filling up Janus_log


CS-MARS: Doc - 6.x Upgrade Guide's pnupgrade section outdated/incorrect


DOC : Documentation doesn't state that reboot is required for pnexp


some drop rules do not drop packets after 602 to 603 upgrade


Doc Bug: Incorrect pnupgrade syntax in MARS 6.x Upgrade Guide


CS-MARS: Report start times drifting


Unofficial Support of Internet Explorer 8.0 for MARS product


Mars allows http access to JBoss Application Server


MARS: Parsing error for IOS FW syslog %FW-6-DROP_TCP_PKT:


CS-MARS: EventID 8200008 (RADIUS Accounting interim update) not parsed


Mars archive function not clearing cf- files from /tmp dir


ASA syslogs which are related to Aristides are unknown


Need to remove duplicated Oracle jobs


Not all GC users show up on the LC


querying restored events doesn't return any results


IPS sig version inconsistency in installed and upgraded 604 CD2


Delete button is not disabled on Site Management page on GC.


GC-LC communication is not working as expected for site management.


Deleting a site on rule page is taking the user on wrong page.


Delete button should be greyed out for sites on Rule page on GC.


KeywordQuerySrv, Pnarchiver, and Pnesloader failed to sync up


Report BTF: Top Botnet Sites is not giving correct results


Ranking by Site query missing last two columns (IP addr, Site type)


Query results are not shown properly after the results are added to case


Botnet traffic filter event type name is wrong.


Mars is not adding BTF black list ip address on management page


Extra checkbox to select all the sites on GC site management page.


two new ASA8.2 events are parsed as unknown


Site ranking bytes transmitted query and report is not working.


Incident notification (email) doesn't have information about sites.


Syslog and SNMP incident notification does not have site information.


pink box while viewing report results in csv for scheduled report


Adding ASA devices using seedfile is adding ASA8.2 as 8.1.


Server timeout error while viewing the incident path for an incident.


Show inventory fails on mars25/mars55 with new flash DOM


MARS event names for few L4tm syslogs are misleading


Black/White/Grey Site definition needs to be corrected on MARS.


Retrieve Raw Messages device list missing "/"


Long BTF site names are truncated on site management page.


Pattern Name dropdown is empty in Pattern Definition window


Secureview datadrop for April-May


MARS Fails to add reported users to rules that have many users assigned


Add new "ASA Botnet Reports" SUMMARY subtab with 3 reports


Deleting one BTF site is deleting all the sites from site management pag


Some LC BTF sites and some IPs of some sites do not show up on GC


built-in firewall needs to block more open ports


Missing stored procedures: pn_pack_rr_ie1 and pn_pack_rr_ie2


The macro substitution for KILLALL is not right in pnmonitor.sh


Clicking legend for Top botnet sites report shows large, wrong values


CS-MARS: GC Services Restart Frequently


Top Botnet ports report's results have one empty column


IPS autoupdate URL needs change for new publishing location

Resolved Caveats —Releases Prior to 6.0.4

For the list of caveats resolved in releases prior to this one, see the following documents:


Product Documentation

For the complete list of documents supporting this release, see the release-specific document roadmap:

Cisco Secure MARS Documentation Guide and Warranty


Lists the document set that supports the MARS release and summarizes the contents of each document.

For general product information, see:


Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:


Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

1 'as a' note means the license no longer restricts the number of managed devices; the appliance now operates as an unrestricted model under the original license.
