Table Of Contents
Release Notes for the CS-MARS Appliance 3.4.3
Preparing the Internal Upgrade Server
Downloading the Upgrade Package from CCO
Specify the Proxy Settings for the Global Controller or Local Controller
Upgrade Global Controller or Local Controller from its User Interface
Upgrading a Local Controller from the Global Controller
Specify the Proxy Settings in the Global Controller
Upgrade Local Controller from the Global Controller User Interface
Configuring Internet Explorer Settings
Correcting Issues Caused by the 832894 (MS04-004) Security Update or the 821814 Hotfix
Obtaining the Required Browser Plug-ins
Resolved Caveats - Release 3.4.3
Resolved Caveats - Releases Prior to 3.4.3
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for the CS-MARS Appliance 3.4.3
CCO Date: June 28, 2005
These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (CS-MARS), Version 3.4.3 running on either a Local Controller or on a Global Controller. They provide the following information:
•
Cisco Product Security Overview
•
Obtaining Technical Assistance
•
Obtaining Additional Publications and Information
Introduction
Version 3.4.3 is now available as a patch upgrade to version 3.4.2 of your CS-MARS appliance software. Registered SMARTnet users under the can obtain version 3.4.3 from the Cisco support website at:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars
New Features
In addition to resolved caveats, this release includes the following new features:
New Vendor Signatures
The following table describes the most recent signatures supported for each product:
Upgrade Instructions
The CS-MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As administrator of the CS-MARS Appliance, you should check the upgrade site weekly for patch upgrades. In addition to addressing high-priority caveats, patch upgrade packages update system inspection rules and event types, and provide the most recent signature support.
Caution
Never try to upgrade the hardware components of the CS-MARS Appliance. Doing so could result in bodily injury and void support contracts. Contact Cisco for your hardware upgrade needs.
The following checklist describes the steps required to upgrade your CS-MARS Appliance to the most recent version. Each task might contain several steps; the tasks and steps within should be performed in order. The checklist contains references to the specific procedures used to perform each task.
Task
1.
Determine the version that you are running.
Before you upgrade your appliance, you must determine what version you are running. You can determine this in one of two ways:
•
GUI. To determine the version in the GUI, select Help > About.
•
CLI. To determine the version from the CLI, enter version at the CS-MARS command prompt.
The format of the version appears as x.y.z (build_number), for example, 3.4.1 (1922).
Note
If you are running a version earlier than 3.2.2, please contact Cisco support for information on obtaining the appropriate upgrade files. If you are running 3.2.2 or later, follow the instructions in this checklist.
Result: You have identified the version running on your appliance and know whether you must contact Cisco support or continue with this checklist.
2.
Determine the medium for upgrading.
Before upgrading your appliance, you must determine what medium to use. Your choice of medium can determine whether you must upgrade from the CLI.
•
CD-ROM. Before you can upgrade, you must download the software and burn an image to a CD-ROM. You can insert this CD-ROM in the DVD drive of the CS-MARS Appliance to perform the upgrade. If you select the CD-ROM medium, you must upgrade each appliance individually and you must use the CLI.
•
Internal Upgrade Server. Identify the Internal Upgrade Server to be used. Before you can upgrade, you must download the software image to an internal HTTP, HTTPS, or FTP server. You must upgrade your CS-MARS Appliance from this internal server. This server is expected to meet specific requirements, allowing each CS-MARS Appliance to quickly and securely download the updates.
Note
If you are running a version earlier than 3.4.1, you cannot use the GUI to upgrade. In versions earlier than 3.4.1, the GUI only allows for connections to the upgrade.protegonetworks.com support site, which is no longer available.
Result: You have determined which medium to use for your upgrade. If you chose the Internal Upgrade Server option, you have identified and prepared your server, and you have verified that the server can be reached by each standalone Local Controller or Global Controller that you intend to upgrade. If a proxy server resides between the Internal Upgrade Server and the appliance, you must provide those settings before upgrading.
For more information, see:
3.
Understand the required upgrade path and limitations.
Upgrading from one version of the appliance software to the next must follow a cumulative upgrade path; you must apply each upgrade package in the order it has been made available between the version running on the appliance and the version you want to run. Review Table 0-1 to determine the upgrade path that you must follow.
In addition to following a required upgrade path, a limitation exists between a Global Controller and any Local Controllers that it monitors. The Global Controller can only monitor Local Controllers that are running the same version it is. If you are attempting to monitor a Local Controller that is running an earlier software version, the Local Controller will appear offline to the Global Controller. However, CS-MARS includes an upgrade option where the Global Controller pushes the same upgrade version to the Local Controllers that it is monitoring, allowing you to manage the upgrade process from within the Global Controller user interface.
Result: You will have identified the complete list of upgrade packages that you must download.
For more information, see:
4.
Download all required upgrade packages from the CCO website.
After you have identified the upgrade packages to download, log in to Cisco Connection Online (CCO) using your CCO account and download the various packages. To download upgrade packages, you must have a valid SMARTnet support contract for the CS-MARS Appliance.
Depending on your selection in Step 2, you will either store these files on the Internal Upgrade Server or burn a CD-ROM image.
Result: All the upgrade packages that are required to upgrade from the version you are running to the most recent version are located in a known path on either the Internal Upgrade Server or a CD-ROM.
For more information, see:
5.
Understand the upgrade approach you want to use.
If you are running a version earlier than 3.4.1, you must upgrade using the command line interface. In this case, proceed to Step 6. Otherwise, select from the following upgrade options:
•
Upgrade from an appliance that connects to the Internal Upgrade Server directly (CLI or GUI).
•
Upgrade from an appliance that connects to the Internal Upgrade Server through a proxy (CLI or GUI).
•
Upgrade a Local Controller using the Global Controller via either a proxy server or a direct connection to the Internal Upgrade Server (GUI only).
•
Upgrade from a CD-ROM at the command line (CLI only).
Result: You have determined the appropriate upgrade approach to use based on your selected medium and currently running version.
6.
Identify any required proxy server settings.
If your appliance runs on a network that is separated from the Internal Upgrade Server by a proxy server, you must identify the proxy server settings. If you are planning to upgrade using the GUI, you can specify these settings using the Admin > System Parameters > Proxy Settings page. Otherwise, make note of the settings so that you can provide them at the command line during upgrade.
Note
You can specify the proxy server settings in the GUI for versions 3.4.1 and later. However, you can specify proxy server settings at the CLI for versions 2.5.1 and later.
Result: You have either specified the proxy server settings in the GUI, or you have noted the settings for later use.
For more information, see:
•
Specify the Proxy Settings for the Global Controller or Local Controller.
7.
Upgrade the appliance to the next appropriate version, as determined by the upgrade path.
From the appliance, use the method you chose in Step 5 to upgrade incrementally, as determined in Step 4, to the desired version.
Result: You have applied each of the required upgrade packages.
For more information, see:
•
Upgrade Global Controller or Local Controller from its User Interface
Burning an Upgrade CD-ROM
Burning an upgrade CD-ROM does not have any special requirements. If you require more than one upgrade package, you can include three upgrade packages per CD, as packages are typically around 200 MB.
Note
You must apply the upgrade packages in sequential order, and the appliance will reboot between each upgrade. It can take 30-40 minutes for an upgrade to be applied and the system to restart before you can apply the next patch.
Preparing the Internal Upgrade Server
The Internal Upgrade Server requirements vary based on the upgrade option you selected and the version running on your appliance.
Note
CS-MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server whether it is accessed via HTTP, HTTPS, or FTP. In addition, if you are passing through a proxy server, that server must also enforce inline authentication.
For CLI-based upgrades of version 2.5.1 or later, the Internal Upgrade Server must be configured to meet the following requirements:
•
Be an FTP, HTTP, or HTTPS server.
•
Requires user authentication.
•
Accepts connections from the CS-MARS Appliance.
•
Connections can pass through a proxy server that must also use authentication.
For GUI-based upgrades of releases 3.4.1 or later, the Internal Upgrade Server must be configured to meet the following requirements:
•
Be an HTTPS or FTP server.
•
Requires user authentication.
•
Accepts connections from the CS-MARS Appliance.
•
Connections can pass through a proxy server that must also use authentication. In addition, the proxy server setting must be configured in the GUI before the upgrade.
Required Upgrade Path
When upgrading from one software version to another, a prerequisite version is always required. This prerequisite version is the minimum level required to be running on the appliance before you can upgrade to the most recent version. Table 0-1 identifies the upgrade path that you must follow to reach the minimum level required to upgrade to the current version.
Table 0-1 Upgrade Path Matrix
From Version           Upgrade To (1)    Upgrade Package
3.2.2 or 3.3.2 Beta    3.3.3*            pn-3.3.3.pkg
3.3.3                  3.3.4*            pn-3.3.4.pkg
3.3.4                  3.3.5*            pn-3.3.5.pkg
3.3.5                  3.4.1*            pn-3.4.1.pkg
3.4.1                  3.4.2             pn-3.4.2.pkg
3.4.2                  3.4.3             pn-3.4.3.pkg
(1) An asterisk (*) next to a package name in this column identifies that this upgrade must be performed from the command line, as GUI support was lost with the closing of the upgrade.protegonetworks.com website.
Downloading the Upgrade Package from CCO
Upgrade images and supporting software are found on the CCO software download pages dedicated to CS-MARS. You can access these pages at the following URLs, assuming you have a valid CCO account and that you have registered your SMARTnet contract number for your CS-MARS Appliance:
•
Top-level page: http://www.cisco.com/pcgi-bin/tablebuild.pl?topic=279644034
•
Upgrade files: http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars
•
Supporting files: http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars-misc
Note
If you are upgrading from a version earlier than those posted on CCO, please contact Cisco support for information on obtaining the required images. Do not attempt to skip versions along the upgrade path.
For information on obtaining a CCO account, see the following URL:
•
http://www.cisco.com/en/US/applicat/cdcrgstr/applications_overview.html
Specify the Proxy Settings for the Global Controller or Local Controller
If you know that your appliance cannot directly access the Internal Upgrade Server, you can specify the proxy settings. This procedure describes how to specify the proxy settings with the assumption that you will upgrade the appliance from the user interface associated with that appliance. For information on upgrading a Local Controller from within the Global Controller user interface, see Upgrading a Local Controller from the Global Controller.
Note
This procedure is valid for versions 3.4.1 and later.
To specify proxy settings, follow these steps:
Step 1
Open the CS-MARS user interface in your browser.
Step 2
Select Admin > System Parameters > Proxy Settings.
Step 3
In the Proxy Address and Proxy Port fields, enter the address and port used by the proxy server that sits between your appliance and the Internal Upgrade Server.
Step 4
In the Proxy User field, specify the username the appliance must use to authenticate to the proxy server.
Note
This username and password pair is neither the CCO nor the Internal Upgrade Server Login and Password. CS-MARS requires that proxy servers enforce inline user authentication. Therefore, you must specify a username and password pair to authenticate to the proxy server.
Step 5
In the Proxy Password field, specify the password associated with the username you just provided.
Step 6
Click Submit to save your changes.
Upgrade Global Controller or Local Controller from its User Interface
Note
This procedure is valid for versions 3.4.1 and later.
To upgrade the appliance from the user interface, follow these steps:
Step 1
Open the CS-MARS user interface in your browser.
Step 2
Select Admin > System Maintenance > Upgrade.
Step 3
In the IP Address field, enter the address of the server where the upgrade package files are stored.
Step 4
In the User Name and Password fields, enter your Internal Upgrade Server login information.
Note
CS-MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server.
Step 5
In the Path field, specify the path where the package file is stored, relative to the type of server access used.
Step 6
Select the appropriate protocol in the Server Type box.
You can download the install package using either HTTPS or FTP.
Step 7
In the Package Name field, specify the full name of the package file that you have downloaded.
Step 8
Click Download.
Depending on the size of the package, this download can take some time. After the download is complete, the Install button becomes active.
Step 9
Click Install.
After you click Install, the system needs some time to process the upgrade. After the upgrade is complete, the system reboots. During the upgrade, the user interface is also restarted.
Upgrade from the CLI
You can connect to the Internal Upgrade Server and complete the upgrade using HTTP or HTTPS, or you can download the upgrade package onto an FTP server and perform the upgrade.
To upgrade using the CLI, follow these steps:
Step 1
Log in to the appliance via the console port or SSH connection.
Step 2
Enter your CS-MARS login name and password.
Step 3
To verify that the appliance is running the prerequisite version, run the CLI command:
version
The appliance must be running the supported prerequisite version. See Table 0-1 for the required prerequisite version. If it is not, you must follow the upgrade path to reach that version.
Step 4
Do one of the following:
Note
CS-MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server whether it is accessed via HTTP, HTTPS, or FTP. In addition, if you are passing through a proxy server, that server must also enforce inline authentication.
•
To upgrade from a CD-ROM located in the appliance's DVD drive, run the CLI command:
pnupgrade cdrom://package/pn-[ver].pkg
Where packages/ is the path on the CD where you have stored the *.pkg file and where [ver] is the version number of the package file to which you want to upgrade, such as 3.3.4.
•
To upgrade from an internal HTTP or HTTPS server, run the CLI command:
pnupgrade https://upgrade.myhttpserver.com/upgrade/packages/pn-[ver].pkg [user] [password]
or
pnupgrade http://upgrade.myhttpserver.com/upgrade/packages/pn-[ver].pkg [user] [password]
Where upgrade.myhttpserver.com/upgrade/packages is the path where you have downloaded the other *.pkg file, and where [ver] is the version number, such as 3.3.4, and [user] and [password] are your Internal Upgrade Server login name and password.
•
To upgrade from your FTP server after you have downloaded the file, run the CLI command:
pnupgrade ftp://upgrade.myftpserver.com/upgrade/packages/pn-[ver].pkg [user] [password]
Where ftp://upgrade.myftpserver.com/upgrade/packages is the path where you have downloaded the other *.pkg file, and where [ver] is the version number, such as 3.3.4, and [user] and [password] are your Internal Upgrade Server login name and password.
•
To upgrade from the Internal Upgrade Server through a proxy server, run the CLI command:
pnupgrade proxyServerIP:proxyServerPort [proxyUser:proxyPassword] https://upgrade.myhttpserver.com/upgrade/packages/pn-[ver].pkg [user] [password]
Where the following values are provided:
•
proxyServerIP:proxyServerPort identifies the IP address/port pair that connects to the proxy server residing between your appliance and the Internal Upgrade Server.
•
proxyUser:proxyPassword identifies the username and password pair required for the appliance to authenticate to the proxy server.
•
[ver] is the version number, such as 3.3.4.
•
[user] and [password] are your Internal Upgrade Server login name and password.
A progress bar indicates the download percentage. After download is complete, the system takes some time to process the upgrade. After the upgrade is complete, the system reboots.
Upgrading a Local Controller from the Global Controller
When upgrading a Local Controller from within the Global Controller user interface, you need to determine whether the Local Controller resides behind a proxy server. If so, you must configure the proxy settings for the Local Controller within the Global Controller user interface. After you have specified the settings, you can upgrade the Local Controller as you normally would.
Note
If Local Controller proxy information is not provided and you attempt to download an upgrade for that appliance, the Local Controller attempts to connect to the Internal Upgrade Server and fails after a period of time.
When you upgrade a Global Controller and its monitored Local Controllers, you first upgrade the Global Controller, which requires that you identify the Internal Upgrade Server information. The Global Controller then pushes this server information to all its selected Local Controllers, which allows the Local Controller to locate the Internal Upgrade Server and start the download and upgrade process. The Local Controller does not retrieve the upgrade package from the Global Controller.
Before You Begin
•
This procedure is valid for versions 3.4.1 and later.
•
Verify that each Local Controller is running the same software version as the Global Controller. You cannot upgrade Local Controllers that are running a different software version than the Global Controller.
Specify the Proxy Settings in the Global Controller
To specify the proxy settings for a Local Controller in the Global Controller user interface, follow these steps:
Step 1
Open the CS-MARS user interface in your browser.
Step 2
Select Admin > System Maintenance > Upgrade.
Step 3
Click Proxy Settings next to the Local Controller that you want to upgrade.
The Global Controller user interface loads the Proxy Information page (Admin > System Parameters > Proxy Settings) on the selected Local Controller.
Step 4
In the Proxy Address and Proxy Port fields, enter the address and port used by the proxy server that sits between your appliance and the Internal Upgrade Server.
Step 5
In the Proxy User field, specify the username the appliance must use to authenticate to the proxy server.
Note
This username and password pair is not the Internal Upgrade Server Login and Password. CS-MARS requires that proxy servers enforce inline user authentication. Therefore, you must specify a username and password pair to authenticate to the proxy server.
Step 6
In the Proxy Password field, specify the password associated with the username you just provided.
Step 7
Click Submit to save your changes.
Upgrade Local Controller from the Global Controller User Interface
You can upgrade any of the Local Controllers that are managed by a Global Controller from within the Global Controller user interface. This enables you to work your way through the list of Local Controllers without connecting to each appliance individually.
Step 1
Open the CS-MARS user interface in your browser.
Step 2
Select Admin > System Maintenance > Upgrade.
The list of Local Controllers that can be selected to upgrade appears.
Step 3
In the Login and Password fields, enter the Internal Upgrade Server Login and Password that you have assigned to your Internal Upgrade Server.
Note
CS-MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server.
Step 4
Select the check box next to the Local Controller to upgrade, and click Download.
If you have specified proxy settings for the selected appliance, a popup window prompts you to verify the settings. After you verify the information, click OK. If you have forgotten to enter proxy information, click Cancel and then enter the proxy information for that Local Controller as described in Specify the Proxy Settings in the Global Controller.
Depending on the size of the package, this download can take some time. After the download is complete, the Install button becomes active.
Step 5
Click Install.
After you click Install, the remote system needs some time to process the upgrade. After the upgrade is complete, the remote system reboots. During the upgrade, the user interface is also restarted.
Client Requirements
Before running the user interface provided by CS-MARS, you must prepare Microsoft® Internet Explorer 6.0 SP1 or later to connect to the CS-MARS appliance. This section describes the properly configured and patched web browser.
•
Configuring Internet Explorer Settings
•
Correcting Issues Caused by the 832894 (MS04-004) Security Update or the 821814 Hotfix
•
Obtaining the Required Browser Plug-ins
Configuring Internet Explorer Settings
You must use Microsoft® Internet Explorer 6.0 SP1 or later to connect to and configure the CS-MARS appliance. To run it with the CS-MARS, you must configure your browser as follows:
•
set the browser's cache to check the page every visit
•
set security level to medium (at least) to enable ActiveX controls and scripting or add to the Trusted sites zone with its default settings
•
set privacy to medium (at least) to enable cookies
•
allow pop-ups from the CS-MARS appliance (disable pop-up blockers for the CS-MARS appliance)
To configure Internet Explorer to meet these requirements, perform the following steps:
Step 1
Start Internet Explorer.
Step 2
Click Tools > Internet Options.
Step 3
On the General tab under Temporary Internet Settings, click Settings.
Step 4
Select the Every Visit to the Page radio button.
Step 5
Click OK to close the Settings dialog box and to save your changes.
Step 6
On the Security tab under Select a Web content zone to specify its security settings, select Trusted Sites.
The default security level settings for Trusted Sites is Low. If this value is not Low or Medium, you must ensure that ActiveX controls and scripting are allowed using the Custom Level settings.
Step 7
With Trusted sites selected, click Sites.
Step 8
Enter the URL used to connect to the CS-MARS appliance in the Add this Web site to the zone box and click Add.
Specify the full URL, preceded by https://; you can use either the DNS name or the IP address, such as https://171.69.180.5/, in the URL.
Step 9
Click OK to close the Trusted sites dialog box and to save your changes.
Step 10
On the Privacy tab under Settings, verify the selected value is Medium.
If the selected value is not Medium, slide the bar to Medium or click Advanced to define custom settings that will enable first-party cookies.
Step 11
Click Apply.
Step 12
Click OK to close the Internet Options dialog box and to save your changes.
Configuring Pop-Up Blockers
This procedure describes how to allow access to the CS-MARS appliance for users running Windows XP SP2, which included a pop-up blocker.
For information on configuring a different popup blocker to allow access to the CS-MARS appliance, refer to the documentation provided with the pop-up blocker product.
To enable pop-ups for Internet Explorer running on Windows XP SP2, follow these steps:
Step 1
Click Options > Toolbar Options on the MSN toolbar.
Step 2
Select Pop-up Blocker under Toolbar.
In the Allow list box, enter the host ID of the CS-MARS prefixed by https://. For example, https://171.69.180.5/.
Note
For later versions of the MSN Toolbar, the Allow Lists tab can be accessed by clicking the Popup Guard Settings button on Toolbar Buttons tab.
Step 3
Click Add to add the host to the list of sites for which pop-ups are allowed.
Step 4
Click OK to close the MSN Toolbar Options dialog box and to save your changes.
Correcting Issues Caused by the 832894 (MS04-004) Security Update or the 821814 Hotfix
An issue introduced in a recent Internet Explorer security update, 832894, and in the 821814 hotfix can cause a "page cannot be displayed" error when you post to a site that requires authentication. If you have installed either of these updates, you must take corrective action to ensure proper operation with CS-MARS. The following steps verify whether you have installed either update and point you to instructions provided by Microsoft to resolve the issue:
Step 1
Start Internet Explorer.
Step 2
Click Help > About Internet Explorer.
Step 3
Under Updated Version, look for Q832894.
If the Q832894 entry appears, then you have the IE bug installed.
Step 4
If the Q832894 entry appears, visit the Microsoft support web site to resolve the issue. The following knowledge base article provides specific instructions on resolving this issue:
http://support.microsoft.com/default.aspx?scid=kb;en-us;831167
Obtaining the Required Browser Plug-ins
The following plug-ins are required for use with CS-MARS:
–
Adobe® SVG Viewer plug-in to view the charts, graphs, summary page data
–
Adobe Reader® to view the CS-MARS documentation
You can either wait for the SVG viewer to automatically install itself when you enter the Summary page for the first time, or you can download it from:
http://www.adobe.com/svg/viewer/install/main.html
You can download the latest Acrobat Reader plug-in from:
http://www.adobe.com/products/acrobat/readermain.html
Important Notes
MIB Information
The CS-MARS MIB is defined in all previous releases of CS-MARS software. The SNMP trap contains the same content as the syslog generated by CS-MARS.
The CS-MARS MIB definition is as follows:
enterprises.16686.1.0 string "MARS-1-101"
enterprises.16686.2.0 string "<alert_content>"
The CS-MARS private enterprise number is 16686 and <alert_content> is defined as follows:
<<priorityInfo>> <current_time> %MARS-1-101: Rule <ruleid> (<rulename>) fired and caused <color> Incident <incidentId>, starting from <starttime> to <endtime>.
In the following example of the SNMP trap output, 10.1.1.1 is the CS-MARS IP address:
SNMPv2-SMI::enterprises.16686 10.1.1.1
SNMPv2-SMI::enterprises.16686.1.0 "MARS-1-101"
SNMPv2-SMI::enterprises.16686.2.0 "<34>Mon Apr 28 20:11:43 2003 %MARS-1-101: Rule 45513 (Nimda Attack) fired and caused red Incident 12265001, starting from Mon Apr 28 19:58:47 2003 to Mon Apr 28 20:11:21 2003."
Note
Notifications and traps are sent only from the CS-MARS Local Controller.
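The <alert_content> layout defined above can be parsed strictly on the receiving side, so that a collector rejects anything that does not match the documented MARS-1-101 shape. The following is an added example, not Cisco code; it assumes that <<priorityInfo>> is a standard syslog PRI value (facility * 8 + severity) and that timestamps use the ctime-style form shown in the trap example. The function and class names are hypothetical, and the second and third sample messages are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# ctime-style timestamp as it appears in the page's example trap.
TIME_FMT = "%a %b %d %H:%M:%S %Y"
_TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"

# <<priorityInfo>> <current_time> %MARS-1-101: Rule <ruleid> (<rulename>) fired and
# caused <color> Incident <incidentId>, starting from <starttime> to <endtime>.
ALERT_RE = re.compile(
    r"<(?P<pri>\d{1,3})>\s*(?P<sent>" + _TS + r")\s+"
    r"%MARS-1-101: Rule (?P<rule_id>\d+) \((?P<rule_name>.+)\) "
    r"fired and caused (?P<color>[A-Za-z]+) Incident (?P<incident_id>\d+), "
    r"starting from (?P<start>" + _TS + r") to (?P<end>" + _TS + r")\."
)

# Varbind enterprises.16686.2.0 carries <alert_content> in textual trap output.
VARBIND_RE = re.compile(r'enterprises\.16686\.2\.0\s+"(?P<body>[^"]*)"')


@dataclass(frozen=True)
class MarsAlert:
    facility: int      # assumption: syslog PRI // 8
    severity: int      # assumption: syslog PRI % 8
    sent: datetime
    rule_id: int
    rule_name: str
    color: str
    incident_id: int
    start: datetime
    end: datetime

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def extract_alert_body(trap_text: str) -> str:
    """Return the quoted value of the enterprises.16686.2.0 varbind."""
    m = VARBIND_RE.search(trap_text)
    if m is None:
        raise ValueError("no enterprises.16686.2.0 varbind found")
    return m.group("body")


def parse_alert(body: str) -> MarsAlert:
    """Parse one MARS-1-101 message; raise ValueError on any deviation."""
    m = ALERT_RE.fullmatch(body.strip())
    if m is None:
        raise ValueError("not a well-formed MARS-1-101 message")
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid syslog PRI: facility 23, severity 7
        raise ValueError("priority value out of range")
    facility, severity = divmod(pri, 8)
    start = datetime.strptime(m.group("start"), TIME_FMT)
    end = datetime.strptime(m.group("end"), TIME_FMT)
    if end < start:
        raise ValueError("incident end precedes incident start")
    return MarsAlert(
        facility=facility,
        severity=severity,
        sent=datetime.strptime(m.group("sent"), TIME_FMT),
        rule_id=int(m.group("rule_id")),
        rule_name=m.group("rule_name"),
        color=m.group("color"),
        incident_id=int(m.group("incident_id")),
        start=start,
        end=end,
    )


# The trap output shown on this page.
SAMPLE_TRAP = '''SNMPv2-SMI::enterprises.16686 10.1.1.1
SNMPv2-SMI::enterprises.16686.1.0 "MARS-1-101"
SNMPv2-SMI::enterprises.16686.2.0 "<34>Mon Apr 28 20:11:43 2003 %MARS-1-101: Rule 45513 (Nimda Attack) fired and caused red Incident 12265001, starting from Mon Apr 28 19:58:47 2003 to Mon Apr 28 20:11:21 2003."
'''

# Constructed sample: a rule name that itself contains parentheses.
CONSTRUCTED_NESTED = (
    "<34>Tue Apr 29 08:00:05 2003 %MARS-1-101: Rule 70001 (Worm Scan (internal)) "
    "fired and caused yellow Incident 12265002, starting from "
    "Tue Apr 29 07:55:00 2003 to Tue Apr 29 08:00:00 2003."
)

# Constructed sample: truncated message that must be rejected.
CONSTRUCTED_BAD = "<34>Tue Apr 29 08:00:05 2003 %MARS-1-101: Rule 70001 fired"

if __name__ == "__main__":
    alert = parse_alert(extract_alert_body(SAMPLE_TRAP))
    print(alert.rule_id, alert.rule_name, alert.color, alert.duration)
```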
Caveats
This section describes the open and resolved caveats with respect to this release.
•
Resolved Caveats - Release 3.4.3
•
Resolved Caveats - Releases Prior to 3.4.3
Open Caveats - Release 3.4.3
The following caveats affect this release.
Reference Number Description
3077
Issue: Global Controller generates a system error when you add a Local Controller that was added already
Workaround: Before adding a Local Controller, verify that you have not previously added it to the Global Controller. If you do encounter this error, restart the GUI by closing your web browser and logging in again.
3074
Issue: On the Incidents page of a Global Controller, the View and Show buttons do not work for incidents pushed up from the monitored Local Controllers.
3070
Issue: If you upgrade a Global Controller/Local Controller pair, the Local Controller may appear offline for the first 10 minutes after the appliances reboot. The scheduler wakes up and re-syncs 10 minutes after startup.
Resolution: If you notice that the Local Controller appears offline, verify that at least 10 minutes have passed since the appliances rebooted. Alternatively, you can jump start the communication by navigating to Admin > Local Controller Management in the Global Controller user interface.
3057
Issue: Copied rules have shortened year in front, which is confusing (e.g., 05.04.19). When you duplicate a system rule, the newly created rule has a timestamp appended to it. The date format is unclear, but it is YY.MM.DD.
3052
Issue: JBoss 'OutOfMemoryError' when accessing Management/Event Management tab.
Workaround: Avoid using the 10,000 items per page on the Event Management page.
3017
Issue: Documentation incomplete: Local Controller User Guide, section "Retrieving Raw Messages" pages 242-243.
Resolution: Beginning with the 3.4.1 release, you can explicitly specify the data source and the directory where the retrieved data is to be cached. If you know the data source, choosing "Retrieve Data From Archived Files" is much faster than retrieving from the database as the data files are cached on the Local Controller. If archiving is not enabled or the NFS server was down during the period of investigation, you can "Retrieve Data From DB" instead. For the "Save Logs to" field, it is recommended that you use the default directory or use "/mnt/pnarchive/" if you have configured archiving.
2978
Issue: User report with "!=" in zone fails to finish on Global Controller.
Workaround: Avoid using "!=" in report definitions.
2976
Issue: GC:LC - Communication issues after time zone change. After initial configuration, if you change the timezone of a communication GC:LC, there may be problems with communications between the GC and LC.
Workaround: If you notice that the Local Controller appears offline, verify that at least 10 minutes have passed since the appliances rebooted. Alternatively, you can jump start the communication by navigating to Admin > Local Controller Management in the Global Controller user interface.
2973
Issue: Not able to downgrade a Security Analyst to Notification only user. When you define a user account with the Security Analyst role, you cannot downgrade that role to Notification only.
2968
Issue: Network group search is not working for "All IP addresses". If you select All IP addresses as the search space, the results may be inconsistent with the expected results.
2901
Issue: GC/LC, rule does not display user <cxu> but allows such cfg
Workaround: Avoid using special characters in the keyword search for rules. The list of special characters not supported is as follows:
• less-than (<)
• greater than (>)
• ampersand (&)
2883
Issue: Event management search works only for event description. You cannot search on other fields, such as Event ID.
2869
Issue: Rules editing: changing entry for select window dropdown after error message results in the state not being saved.
Workaround: This issue appears when you have attempted to define an invalid rule and an error message appears. For example, while editing a user inspection rule:
1. Click the Sources field.
2. Remove all sources.
3. Click Submit.
Result: Dialog box appears and prompts "please select one".
4. In the select window dropdown, select "All Devices".
Result: Rule submission window appears and contains a blank Sources field.
To work around this issue, click one of the top tabs to cancel your work and redo your edit without submitting an invalid rule (as shown in Step 3).
2804
Issue: Replay History feature not working correctly. When you configure a query that triggers replay history, the results are usually incorrect. The following cases will trigger a replay history:
• a query that uses AND or Followed By
• a query that uses the $ variables, such as $EventType, $Device1, etc.
• a query that uses NOT EQUAL TO a service
2688
Issue: Viewing a report on a Global Controller and viewing the corresponding report on the Local Controller may differ in time slightly.
2666
Issue: The email sent when a batch query completes may not have data in the graph if the query only returns one result.
2656
Issue: Leaving the browser on the Summary page for an extended period of time (several days) may occasionally run into an error.
Workaround: Refresh the page to return to the GUI.
2653
Issue: No way to specify "!Keyword" without a good "keyword"
Workaround: Keyword search requires two keywords to use the "NOT" operator. For example, you cannot specify "NOT nimda"; instead, you must specify something like "virus NOT nimda".
2623
Issue: Sudden traffic increase does not process ICMP events.
While CS-MARS does process ICMP events on the parsing side, the sudden traffic rule does not fire based on ICMP events.
2594
Issue: Clicking on the Path/Mitigate link in an incident that was fired from a device that has since been deleted may result in an error.
2574
Issue: Having different times on the Global Controller and its associated Local Controllers may cause synchronization problems.
Workaround: Use the CLI to configure NTP or manually set the date and time to be the same on the Global Controller and Local Controllers.
2566
Issue: Rebooting the CS-MARS while the box is in the upgrading state may cause system configuration errors.
2558
Issue: After adding and deleting an agent or sensor to a host, adding a sensor with the same name and type as the previously deleted one back to that host will not work.
Workaround: Use a different agent/sensor name the second time around.
2549
Issue: When viewing report results, clicking on "Edit" or "Clear" in the query summary at the top of the page results in a JavaScript error.
Workaround: Click directly on the "Report type" link to edit the query.
2511
Issue: In migrating "Microsoft, Windows, Generic" device type to three new Windows device types, errors in affected OS could affect data migration and cause confusion about appropriate selection.
Workaround: When migrating data, you should make the following mappings for the OS name:
• Map "2000" to "Windows 2000"
• Map "Windows 2000 Professional Server" to either "Windows 2000 Professional" or "Windows 2000 Server" after verifying the data.
• Map "NT" to "Windows NT"
• Map "Microsoft Windows NT 4.0" to "Windows NT". Microsoft should be in vendor field and 4.0 should be in version field.
2470
Issue: Using passwords with the "," (comma) or "'" (quote) characters may cause problems with loading devices from csv files.
Workaround: Avoid using passwords with these characters for the time being.
2414
Issue: Long keyword strings in rules or reports can cause parts of the GUI layout to be pushed out of the browser window's edges.
2410
Issue: The CS-MARS stores reported user names in a case-sensitive fashion. Devices that report case-insensitive user names can behave counter-intuitively if they report names inconsistently.
2398
Issue: Reserved XML characters are not supported in the Keyword Search on the Rule page
Workaround: Avoid using special characters in the keyword search for rules. The list of special characters not supported is as follows:
• less-than (<)
• greater than (>)
• ampersand (&)
2385
Issue: Applying $VAR variables to queries on a Global Controller causes GUI errors and may not return correct results.
2383
Issue: An IIS web server cannot be added to the CS-MARS as a generic web server. When configuring the CS-MARS to receive IIS logs, adding generic web server in Reporting Applications does not work.
Workaround: Choose the Windows operating system under the general tab.
2366
Issue: Using an old bookmark to CS-MARS from version 2.5 or earlier after upgrading to 3.1.1 will not work correctly. It will have "gui" in the URL: https://pnmars/gui/login.jsp. If you attempt to access the GUI via an old bookmark, you will see a j_security_check page, and then a 404 (page not found) error page appears.
Workaround: Update bookmarks to the CS-MARS to remove the "gui" string. For example: https://pnmars
2333
Issue: After performing a "pnreset -g" (which cleans up the GC data on the LC - a copy will be made of all GC data used by rules and reports while all other GC data will be deleted), the LC still shows the old zone name by which it was monitored from the GC. When adding that LC back to a GC that was re-installed from the recovery DVD, problems can occur if the zone names for the GC and LC do not match the ones used before.
Workaround: Use the same "old" GC name during the GC configuration. Use the same zone names when re-adding LCs to the GC.
2251
Issue: After upgrading from a CS-MARS 100e to CS-MARS 100, pnstop and pnstart need to be run for the change to take effect.
2177
Issue: Every 22nd reboot, the CS-MARS file system is checked for consistency. This takes time to complete, and happens before connecting to the network. While this is happening, it may appear that the box simply isn't starting.
Workaround: Attach a console to the CS-MARS to verify that checking is happening if the system does not seem to start after a reboot.
2175
Issue: Data computed or stored on a standalone CS-MARS while in standalone mode will not be transferred to a GC. Only data computed on an LC that is currently monitored by a GC will be pushed up.
2073
Issue: After renaming a cloud, clicking the cloud again causes an error.
Workaround: Refresh the page before clicking a renamed cloud.
2061
Issue: Saving CSV files from reports with IE 6 under Windows XP SP2 causes the file to default to an .htm extension, not .csv extension.
Workaround: Select "All types" from the dropdown while saving, and rename the file to have a .csv extension.
2011
Issue: Certain special characters do not work in password fields. The characters are " ' ; (double-quote, single-quote and semi-colon).
Workaround: Use passwords that do not contain these characters.
1982, Customer Case #: 1108
Issue: The CS-MARS is unable to receive Netflow messages on a port number less than 1024.
Workaround: Use a port number greater than 1024.
1489
Issue: Query summary doesn't mention "severity" if it's a criterion
When the user configures a batch query with a severity as one of the criteria (Red, Yellow, Green), this criterion doesn't appear in the "query summary" of the batch query page. However, the query is run with the correct criteria. When the results are viewed, the severity can be seen in the query details at the top of the page.
1438
Issue: When running batch queries under a high system load and over a time range containing a large amount of data, the batch query might not complete. If the Progress Completed status stays at 0% for an extended period of time (a day), try stopping any other batch queries you have running or stopping and resubmitting your batch query with narrower criteria. If neither of these works, please contact Cisco Support, see Obtaining Technical Assistance.
1416
Issue: Select: Temp paging fix on Notification-SNMP. All pages that display large numbers of items need to have paging implemented.
Workaround: Use the search window to locate desired object.
1382
Issue: When you create a new group (MANAGEMENT > IP Management > Add Group) with a combination of Networks, Devices, and IP addresses and then select that group from the pull-down menu, only the Networks in the group appear, even though the Devices and IP addresses are in the group.
1343
Issue: If you define an invalid query, CS-MARS will be in a compromised state where queries will continue to fail, even if they are constructed correctly after the invalid query.
Resolution: Log in to the CLI and pnstop/pnstart the CS-MARS system, then re-run your valid query.
1293
Issue: When administering CS-MARS, it is possible to select an unsupported OS from the pull-down menu when adding or editing a host for logging. If you select an OS that does not contain the string "Microsoft Windows" or "Sun Solaris" (for example, "Sun Cobalt"), the GUI does not work correctly when you save the Pull host log or Receive hostlog parameters.
1270
Issue: The free-form search may not work for the following devices:
• Check Point Opsec NG FP3
• Cisco CSA, 4.0
• Cisco, IDS, 3.1 and 4.0
• ISS, RealSecure, 6.5 and 7.0
• Entercept Entercept, 2.5 and 4.0
• IntruVert IntruShield, 1.5
1219 (re-opened)
Issue: If you create a user in the CS-MARS GUI and select New Provider but do not enter a Pager number, qpage.com fails to run because it has an empty entry, and pnmonitor continually tries to restart the daemon that attempts to access qpage.com.
Resolution: Open each user profile and click Submit to ensure all the required fields are populated.
1144
Issue: Due to a bug in a third-party library, the day of the "Sent" date of the e-mail notification is one day earlier than actual date.
1134
Issue: The cloud name input box accepts invalid characters. To reproduce this behavior, click on the Large Graph link on the Hotspot graph. Click on a cloud. Click Change name and enter invalid characters into the input field (for example, ~!# or ###). Sometimes the page returns an error message such as error: Error: Invalid or No Security Perimeter. The graph rendering fails with the IE status bar message "not well formed, line #:column#".
1115
Issue: When adding a Cisco IDS 3.1 device, you must login as user netrangr. Doing otherwise causes the CS-MARS appliance script to not see when the login prompt appears and causes the Test Connectivity to fail. Please consult your Cisco IDS 3.1 manual to learn how to configure your device to send events to MARS.
1051
Issue: Logging into a CS-MARS from a non-supported browser and leaving the GUI open will prevent other users from logging into that MARS.
Resolution: If you log in to CS-MARS using a supported browser and see a message saying that your browser is unsupported, please check if another user has logged into the CS-MARS with an unsupported browser and not closed his browser window.
1045
Issue: Entering an incorrect IP address or directory path for the data archiving feature will result in a cryptic error message.
Resolution: If you see a message of type "Status: PN-0002: No message for PN-0216" after configuring data archiving, please click "Back to Archiving" and check your IP address and directory.
1019
Issue: When utilizing the data archiving feature, you may experience data loss if your network link is slow or if your archive server does not have the capacity to handle high throughput.
937
Issue: The 1.1 to 1.2 upgrade cannot be performed through the GUI.
Resolution: Use the CLI tool to perform the upgrade.
877
Issue: When you submit a name that is associated with a device type to the system, changes to its device type can cause some of its configuration information to display incorrectly.
Resolution: When adding a device, take care to give it its proper device type.
610
Issue: Backend logs can be out of order in the view page because the numbers are reused. Timestamps should be used as report identifiers.
596
Issue: On a freshly installed machine starting to get events and sessions, you can get a negative Data Reduction where there are more sessions than events. This is due to the fact that events are written to the database more frequently than sessions.
Resolution: Wait for some time to pass; as events gradually outnumber sessions, this number will become increasingly accurate.
586
Issue: If you are investigating a false positive, and you see a message telling you that a service has crashed, this could be due to vulnerability scanning by the CS-MARS appliance. You may have to re-start the service.
Resolution: It is strongly recommended that you patch the security hole to eliminate this vulnerability.
455
Issue: If clouds are renamed through diagrams, the system might not display those names.
Resolution: Use the following workaround steps to rename clouds:
1. Click the cloud you want to rename.
2. Enter the new name in the text field near the top of the popup window.
3. Click "Change".
4. Once it's done, click "Close".
5. Click the "Large Graph" button in the Hotspot Graph.
6. Finally, go back to the Summary page.
293
Issue: When tabbing over three-digit entries in IP fields on the Configuration Information page, the cursor can disappear.
Resolution: Use your mouse to move between fields on this screen when editing IP addresses.
259
Issue: On the Setting Runtime Logging Levels page, if you set the level for GUI to Trace and save, it is saved as Debug.
Resolution: Do not change settings on the Setting Runtime Logging Levels page without a Cisco Support representative, see Obtaining Technical Assistance.
247
Issue: The automatic time-out feature built into the GUI does not work when the Summary page is left open with automatic refresh selected.











