Table Of Contents
Quick Install and Release Notes for Cisco Security MARS Appliance 4.1.1
Introduction
New Features
New Device Support and Features
New GUI Feature Support
Case Management
Enhancement for Rules
Inactive Device Detection
Mitigation Reports
Mitigation With 802.1X Network Mapping
Rule and Report Groups
Deprecated Features
New Vendor Signatures
Upgrade Instructions
Important Upgrade Notes for 4.1.1
Required Upgrade Path
Downloading the Upgrade Package from CCO
Important Notes
Quick Install Notes
Installation Quick Reference
Checklist for Initial Configuration
Caveats
Open Caveats - Release 4.1.1
Resolved Caveats - Release 4.1.1
Resolved Caveats - Releases Prior to 4.1.1
Product Documentation
Obtaining Documentation, Support, and Security Guidelines
Quick Install and Release Notes for Cisco Security MARS Appliance 4.1.1
CCO Date: October 17, 2005
These release notes are for use with the Cisco Security Monitoring, Analysis, and Response System (CS-MARS), Version 4.1.1 running on either a Local Controller or on a Global Controller. They provide the following information:
• Introduction
• New Features
• Upgrade Instructions
• Important Notes
• Quick Install Notes
• Caveats
• Product Documentation
• Obtaining Documentation, Support, and Security Guidelines
Introduction
Version 4.1.1 is now available as a patch upgrade to version 3.4.4 of your CS-MARS appliance software. Registered SMARTnet users can obtain version 4.1.1 from the Cisco support website at:
http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars
New Features
In addition to resolved caveats, this release includes the following new features:
• New Device Support and Features
• New GUI Feature Support
• Deprecated Features
• New Vendor Signatures
New Device Support and Features
The following new devices and device features are now supported:
• Qualys QualysGuard 3.4. Includes pulling vulnerability assessment information from the QualysGuard subscription service reports and appliances.
• Cisco Security Management Console 4.5 and Auto-Agent Discovery. Includes support for CSA MC 4.5 and auto-agent discovery.
• Cisco VPN 3000 Concentrator 4.7. Includes support for the most current release of Cisco VPN 3000.
• McAfee ePolicy Orchestrator. Includes support for the ePolicy Orchestrator server and McAfee agents.
• Cisco Incident Control Server Support. Supports Cisco ICS events and provides outbreak and containment summary reports.
• Cisco IDS and IPS Devices. CS-MARS now provides support for RAW message logs and trigger packet information for Cisco intrusion detection and prevention products.
• Check Point Audit Log Support. CS-MARS now pulls audit logs, in addition to the firewall logs, for Check Point devices. No additional configuration is necessary. For each configured Check Point log server, CS-MARS pulls both the firewall log and the audit log.
• Cisco FWSM 2.3 and Context Discovery. CS-MARS now supports FWSM 2.3, and it discovers the contexts defined on an FWSM for all supported versions.
• Distributed Threat Mitigation. Provides support for dynamic signature updates based on detected attacks.
• IOS 802.1x Support. CS-MARS now parses the 802.1x supplicant messages as part of the initial NAC setup. In addition, the Cisco Secure ACS 802.1x-specific logs are also parsed.
New GUI Feature Support
The following GUI enhancements are now supported:
• Case Management
• Enhancement for Rules
• Inactive Device Detection
• Mitigation Reports
• Mitigation With 802.1X Network Mapping
• Rule and Report Groups
Case Management
Note
Case Management replaces the incident escalation feature of previous CS-MARS releases.
To escalate an incident in CS-MARS Release 4.1.1, you create a case, add data and annotations to the case, generate an HTML case report, then email the report to other CS-MARS users.
Case report information collected from incidents, sessions, queries, reports, other cases, and mitigations can be forensic evidence pertinent to the following:
• Audits (for example, regulatory compliance audits)
• Justifications for modifying ACLs or policy changes
• Notes for MARS false positive tuning
• Examples of allowed and prohibited behavior
Enhancement for Rules
The variables DISTINCT and SAME are implemented for CS-MARS rules to enhance the readability of the rules and to reduce false positives. For example, before DISTINCT was available, repeated login retries could be reported as scanning incidents.
DISTINCT and SAME variables can be selected as arguments in the following fields when creating or editing a rule:
• Source IP
• Destination IP
• Service Name
• Event
• Device
• Reported User
The DISTINCT and SAME variables function like the "$" type variables (such as $TARGET or $DEVICE), but they are local to the rule offset (row) in which they are included: the CS-MARS correlation engine does not compare the DISTINCT and SAME values in one rule offset with the DISTINCT and SAME values in another offset, as it does with other variables.
The following simplified scenarios describe DISTINCT and SAME usage (assume that all unnamed fields contain the argument ANY):
Rule Arguments:
• Destination IP Address—ANY and DISTINCT
• Count—25
Rule behavior: The rule fires when 25 events occur that have destination IP addresses that are different (distinct) from each other.
Rule Arguments:
• Destination IP Address—ANY and SAME
• Count—25
Rule behavior: The rule fires when 25 events occur that have destination IP addresses that are identical (same) to each other.
Rule Arguments:
• Source IP Address—SAME
• Destination IP Address—DISTINCT
• Service Name—SAME_TCP_DEST_PORT
• Count—25
Rule behavior: The rule fires when 25 events occur that have destination IP addresses distinct from each other, but have the same source IP address and the same TCP destination port number.
Note
In CS-MARS Release 4.1.1, you can use the Query interface to create a rule with the DISTINCT and SAME variables, but submitting a query or report with the new variables causes the CS-MARS to time out after 20 minutes without returning any results.
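The three scenarios above, worked through as an added example in Python (illustration only, not CS-MARS code): a small evaluator that applies SAME and DISTINCT arguments to a single rule offset over constructed sample events, showing why a login-retry burst no longer matches a scanning rule once the destination is marked DISTINCT. The Event fields, the handling of SAME_TCP_DEST_PORT as "TCP only, same destination port", and the sample streams are assumptions made for this illustration.

```python
"""Toy evaluator for CS-MARS style DISTINCT and SAME rule arguments.

Illustration only, not CS-MARS code. It models the three scenarios from the
release notes over constructed sample events: a host probing many
destinations on one TCP port, and a host retrying logins against a single
destination (the case that could be reported as scanning before DISTINCT).
"""
from collections import defaultdict
from dataclasses import dataclass

ANY, SAME, DISTINCT = "ANY", "SAME", "DISTINCT"
SAME_TCP_DEST_PORT = "SAME_TCP_DEST_PORT"


@dataclass(frozen=True)
class Event:
    """Assumed event shape; real CS-MARS events carry many more fields."""
    src_ip: str
    dst_ip: str
    proto: str     # "tcp", "udp" or "icmp"
    dst_port: int  # 0 for icmp
    event_type: str


def rule_fires(events, constraints, count):
    """Return a list of `count` events satisfying one rule offset, or None.

    `constraints` maps an Event field to ANY, SAME or DISTINCT. The key
    "service" accepts SAME_TCP_DEST_PORT, which keeps only TCP events and
    then requires the same destination port. Everything is local to this
    offset, as the release notes state: nothing is compared across offsets.
    With a single DISTINCT field the result is exact; with several DISTINCT
    fields the greedy pick may miss a qualifying set, but it never returns
    a set that violates the constraints.
    """
    if constraints.get("service") == SAME_TCP_DEST_PORT:
        events = [e for e in events if e.proto == "tcp"]
        constraints = {**constraints, "dst_port": SAME}
    same_fields = [f for f, c in constraints.items() if c == SAME and f != "service"]
    distinct_fields = [f for f, c in constraints.items() if c == DISTINCT]

    # SAME: a qualifying set never mixes values, so bucket on the SAME fields
    # and examine each bucket on its own (ANY fields impose nothing).
    buckets = defaultdict(list)
    for e in events:
        buckets[tuple(getattr(e, f) for f in same_fields)].append(e)

    for group in buckets.values():
        chosen, seen = [], {f: set() for f in distinct_fields}
        for e in group:
            # DISTINCT: skip an event that repeats a value already chosen.
            if any(getattr(e, f) in seen[f] for f in distinct_fields):
                continue
            chosen.append(e)
            for f in distinct_fields:
                seen[f].add(getattr(e, f))
            if len(chosen) >= count:
                return chosen
    return None


# Constructed sample events (not taken from any real log).
SCAN = [Event("10.0.0.5", f"192.168.1.{i}", "tcp", 445, "TCP SYN")
        for i in range(1, 31)]
LOGIN_RETRIES = [Event("10.0.0.9", "192.168.1.50", "tcp", 22, "SSH Login Failed")
                 for _ in range(30)]

# The three rule-argument sets from the scenarios (Count is 25 in each).
RULE_DISTINCT_DST = {"dst_ip": DISTINCT}
RULE_SAME_DST = {"dst_ip": SAME}
RULE_SCAN = {"src_ip": SAME, "dst_ip": DISTINCT, "service": SAME_TCP_DEST_PORT}
COUNT = 25


def demo():
    """Map "<stream>/<rule>" to whether that rule fires on that stream."""
    results = {}
    for stream_name, stream in (("scan", SCAN), ("login_retries", LOGIN_RETRIES)):
        for rule_name, rule in (("distinct_dst", RULE_DISTINCT_DST),
                                ("same_dst", RULE_SAME_DST),
                                ("scan_rule", RULE_SCAN)):
            results[f"{stream_name}/{rule_name}"] = rule_fires(stream, rule, COUNT) is not None
    return results


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:28s} fires={fired}")
```

The login-retry stream satisfies only the SAME-destination rule; the scanning rule stays quiet on it because all 30 retries share one destination and can never supply 25 DISTINCT destination addresses.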
Inactive Device Detection
CS-MARS now includes an event type and a system rule that create a green-level incident when a reporting device does not report an event within a 60-minute interval. The new system rule can notify administrators. Three new system reports are also defined for reporting inactive-device incidents. The new event type, rule, and three reports are as follows:
• Event type: Inactive CS-MARS reporting device
• System Rule: Inactive CS-MARS Reporting Device
• Activity: Inactive Reporting Device-Top Devices (Run on-demand only)
• Inactivity: Reporting Devices-Inactive IP List (Runs every hour)
• Inactivity: Reporting Devices-Least Active IPs (Runs every hour)
Mitigation Reports
CS-MARS now includes event types, system rules and system reports to record and report successful and unsuccessful CS-MARS Layer 2 mitigation attempts. The events, rules and reports are as follows:
• Event type: CS-MARS Host Mitigation Failed
• Event type: CS-MARS Host Mitigation Succeeded
• System Rule: CS-MARS Host Mitigation - Success
• System Rule: CS-MARS Host Mitigation - Failure
• Activity: CS-MARS Host Mitigation - Failure - All Events (Run on-demand only)
• Activity: CS-MARS Host Mitigation - Success - All Events (Run on-demand only)
Successful mitigation is defined as CS-MARS not receiving an error condition from the enforcement device after CS-MARS pushes to it the recommended Layer 2 mitigation command.
Mitigation With 802.1X Network Mapping
When connected with a Cisco 802.1X-enabled switch running DHCP-snooping with RADIUS authentication through a Cisco Access Control Server (ACS), the CS-MARS can now identify a mitigation point and an enforcement device without discovering topology through SNMP, Telnet, or SSH access to the network elements.
Rule and Report Groups
CS-MARS Release 4.1.1 allows the creation of custom groups for rules and reports. A set of predefined report groups is also provided to enhance analysis and regulatory compliance reporting, as shown in Table 1.
Table 1 Predefined Report and Rule Groups for CS-MARS Release 4.1.1
Report Groups | Corresponding Rule Groups
System: Access | System: Access
System: All Events - Aggregate View | —
System: All Exploits - Aggregate View | —
System: COBIT DS3.3 - Monitoring and Reporting | —
System: COBIT DS5.10: Security Violations | —
System: COBIT DS5.19: Malicious software | —
System: COBIT DS5.20: Firewall control | —
System: COBIT DS5.2: Authentication and Access | —
System: COBIT DS5.4: User Account Changes | —
System: COBIT DS5.7: Security Surveillance | —
System: COBIT DS9.4: Configuration Control | —
System: COBIT DS9.5: Unauthorized Software | —
System: CS-MARS Distributed Threat Mitigation (Cisco DTM) | System: CS-MARS Distributed Threat Mitigation (Cisco DTM)
System: CS-MARS Incident Response | System: CS-MARS Incident Response
System: CS-MARS Issue |
System: Client Exploits, Virus, Worm and Malware | System: Client Exploits, Virus, Worm and Malware
System: Configuration Changes | —
System: Configuration Issue | System: Configuration Issue
System: Database Server Activity | System: Database Server Activity
System: Host Activity | System: Host Activity
System: Network Attacks and DoS | System: Network Attacks and DoS
System: New Malware Outbreak (Cisco ICS) | System: New Malware Outbreak (Cisco ICS)
System: Operational Issue | System: Operational Issue
System: Reconnaissance | System: Reconnaissance
System: Resource Issue | System: Resource Issue
System: Resource Usage | —
System: Restricted Network Traffic | System: Restricted Network Traffic
System: SOX 302(a)(4)(A) | —
System: SOX 302(a)(4)(D) | —
System: Security Posture Compliance (Cisco NAC) | System: Security Posture Compliance (Cisco NAC)
System: Server Exploits | System: Server Exploits
Deprecated Features
The following features have been removed or replaced:
• User Rule Subtab. All User Rules are now displayed in the Inspection Rules subtab.
• Escalate Incident. This feature has been replaced by the Case Management feature in 4.1.1. See Important Upgrade Notes for 4.1.1.
New Vendor Signatures
The following table describes the most recent signatures supported for each product or technology:
Product | Signature Version Supported
Cisco Network IDS 4.1 | S193
McAfee Entercept HIDS 4.1 | Agent Version 40-56
ISS RealSecure Network Sensor 7.0 | 24.17
ISS RealSecure Host Sensor 7.0 | 24.17
McAfee IntruShield NIDS 1.8 | 1.8.59.3
Snort NIDS | 2.3.3
Netscreen IDP 2.1 | Idp2.1r3 Update 254
Enterasys Dragon 6.x | Latest signatures as of 09-26-2005
Symantec Manhunt | 3.4.3 Update 44
Qualys QualysGuard 3.x | Latest Knowledge Base XML file as of 02-07-2005
Common Vulnerabilities and Exposures (CVE) Database | Latest as of 09-08-2005
Upgrade Instructions
The CS-MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As administrator of the CS-MARS Appliance, you should check the upgrade site weekly for patch upgrades. In addition to addressing high-priority caveats, patch upgrade packages update system inspection rules, event types, and provide the most recent signature support.
For detailed instructions on planning and performing an upgrade or install, refer to Checklist for Upgrading the Appliance Software in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System.
Important Upgrade Notes for 4.1.1
The following notes relate to changes in your system or configuration as a result of upgrading to CS-MARS 4.1.1.
• Prior to the 4.1.1 release, CSA was identified by the device type name Cisco CSA 4.0. As part of the upgrade, any Cisco CSA 4.0 devices are renamed Cisco CSA 4.x. This new name covers support for Cisco CSA 4.0 and 4.5.
• The new case management replaces the Escalate Incident functionality in CS-MARS 3.4.4 and earlier. However, escalated incidents are not converted to cases during the upgrade process. Therefore, you must close all open escalations before upgrading to CS-MARS 4.1.1 (CSCsb52057).
Required Upgrade Path
When upgrading from one software version to another, a prerequisite version is always required. This prerequisite version is the minimum level that must be running on the appliance before you can upgrade to the most recent version. Table 2 identifies the upgrade path that you must follow to reach the minimum level required to upgrade to the current version.
Table 2 Upgrade Path Matrix
From Version | To Version | Upgrade Package
releases prior to 2.5.6 | Contact Cisco Support | n/a
2.5.6 | 3.1.1 | pn-3.1.1.pkg
3.1.1 | 3.2.1 | pn-3.2.1.pkg
3.2.1 | 3.2.2 | pn-3.2.2.pkg
3.2.2 or 3.3.2 Beta | 3.3.3* | pn-3.3.3.pkg
3.3.3 | 3.3.4* | pn-3.3.4.pkg
3.3.4 | 3.3.5* | pn-3.3.5.pkg
3.3.5 | 3.4.1* | pn-3.4.1.pkg
3.4.1 | 3.4.2 | pn-3.4.2.pkg
3.4.2 | 3.4.3 | pn-3.4.3.pkg
3.4.3 | 3.4.4 | pn-3.4.4.pkg
3.4.4 | 4.1.1 | cs-mars-4.1.1.pkg
Downloading the Upgrade Package from CCO
Upgrade images and supporting software are found on the CCO software download pages dedicated to CS-MARS. You can access these pages at the following URLs, assuming you have a valid CCO account and have registered the SMARTnet contract number for your CS-MARS Appliance:
• Top-level page: http://www.cisco.com/cgi-bin/tablebuild.pl?topic=279644034
• Upgrade files: http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars
• Recovery image files: http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-recovery
• Supporting files: http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc
Note
If you are upgrading from a version earlier than those posted on CCO, please contact Cisco support for information on obtaining the required images. Do not attempt to skip versions along the upgrade path.
For information on obtaining a CCO account, see the following URL:
• http://www.cisco.com/en/US/applicat/cdcrgstr/applications_overview.html
Important Notes
The following notes apply to the 4.1.1 release:
• Do not use DISTINCT or SAME in queries, and do not run multi-line queries in Release 4.1.1. If you run such a query, the system times out after 20 minutes without returning any results, and the message "Timeout Occurred" appears instead. You can still use DISTINCT and SAME in a Query to create a rule with the Query interface.
• For Symantec AntiVirus, the Symantec agent hostname (AV client computer name) appears in the "Reported User" column of the event data. Therefore, you can define a query, report, or rule related to this agent based on the "Reported User" value.
• The False Positive and Query pages (multi-column result format) have changed. You can now query on firing events that triggered false positives within a time interval. Such queries will render events that did not appear on the False Positive page. To ensure performance, the False Positive page only displays false positives from the most recent 10,000 firing events. To view additional false positives, you must perform a query.
Quick Install Notes
It is recommended that users read the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System. However, for those users who simply want to get the CS-MARS Appliance up and running, the following two topics, taken from the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, summarize the hardware installation and initial software configuration:
1. Installation Quick Reference
2. Checklist for Upgrading the Appliance Software
Installation Quick Reference
Table 0-3 provides an overview of the installation and initial configuration process. Following installation and initial configuration, see the following publications for information on how to use a browser and the HTML interface to fully configure your CS-MARS Appliance to provide the security threat mitigation (STM) services you want from this installation:
• User Guide for CS-MARS Local Controller Version 4.x
• User Guide for CS-MARS Global Controller Version 4.x
Checklist for Initial Configuration
Initial configuration of the appliance accomplishes several goals:
• Introduces the two user interfaces to CS-MARS: the command line interface (CLI) and the HTML interface.
• Licenses the appliance.
• Prepares the appliance to monitor and communicate on your network.
• Configures the system time so that event correlation works properly.
• Ensures the system administrative account is configured properly.
• Ensures the appliance is running the most recent version of software.
The following checklist describes the tasks required to initially configure your CS-MARS Appliance. Each task might contain several steps; the tasks and steps within should be performed in order. The checklist contains references to the specific procedures used to perform each task.
1. Establish a console connection to the appliance.
Initial configuration requires a console connection to access the CLI. You should establish this connection with the power turned off on the CS-MARS Appliance. Three console connection options exist:
• A direct console connection to the appliance using a keyboard and monitor
• A standard serial console connection between a computer and the appliance using a terminal emulation package
• An Ethernet console connection between a computer and the appliance using a terminal emulation package
After you have chosen and configured your console connection, you must power up the appliance.
Result: The appliance is powered up and you can see the command line prompt through your console connection.
For more information, see:
• Establishing a Console Connection
2. Command Line Configuration: Setting the system administrative account's default password and configuring the interfaces.
The command line configuration is separated into three tasks, each task being separated by a reboot of the appliance. The first task involves performing three to four procedures:
• Collect the information required to configure the appliance to operate optimally on your network.
• Log in to the appliance and change the password associated with the system administrative account (pnadmin).
• Configure the eth0 network interface, specifying the default gateway and IP address and network mask pair for that interface.
• (Optional) Configure the eth1 network interface, specifying the IP address and network mask pair for that interface.
Each CS-MARS Appliance has two Ethernet interfaces: eth0 and eth1. The eth0 interface is the dedicated interface used for collecting event data and logs from your network. The eth1 interface is intended for use in an out-of-band management (OOBM) network or for a console connection. Therefore, your default gateway and IP address/mask values should focus on the network connections to be used to monitor the data streams of reporting devices, and these settings should be applied to eth0.
Note: The CS-MARS Appliance does not allow you to configure both of its interfaces on the same network.
Result: The default password is no longer associated with the system administrative account, and the appliance is more secure. Also, eth0 is configured to communicate on your network. When you complete the IP address configuration changes for either interface, the appliance reboots.
For more information, see:
• Configuring Basic Network Settings at the Command Line
• Change the Default Password of the System Administrative Account
• Specify the IP address and Default Gateway for the Eth0 Interface
• (Optional) Specify the IP Address and Default Gateway for the Eth1 Interface
3. Command Line Configuration.
The second task of the CLI configuration involves setting the hostname of the appliance. The hostname is used to uniquely identify which appliance collects a specific log and which appliance fires an inspection rule. This unique identity is especially important in an environment where Global Controller is running. To complete this task, you must:
• Log in to the appliance using the system administrative account and the new password.
• Set the hostname of the appliance.
Result: The hostname is configured for the appliance. The appliance reboots.
For more information, see:
• Specify the Appliance Hostname
4. Command Line Configuration.
The third and final task of the initial CLI configuration involves specifying those settings that help ensure the integrity of the event correlation and complete your network connection, allowing access to the appliance from other hosts on the network. In other words, after you complete this phase, you can connect to and complete the appliance configuration using a non-console connection from any host on your network. To complete this task, you must:
• Log in to the appliance using the system administrative account and the new password.
• Set any additional static routes.
• Set the clock.
• Set the NTP server settings.
• Set the DNS domain name.
• Connect the appliance to the network (that is, plug in the Cat 5 cables.)
Result: Now you have network connectivity. You can access the CLI using a Secure Shell (SSH) client on any host that can reach the appliance, and you can log in to the HTML interface to complete the initial configuration.
For more information, see:
• Specify the Time Settings
• Set Up Additional Routes
• Completing the Cable Connections
5. Complete initial configuration using the HTML interface.
After you have completed the cable connections to the CS-MARS Appliance, defined the required network connection settings, and specified any additional default routes, you can start the HTML interface configuration process. Verify the configuration settings of your browser before configuring the CS-MARS Appliance (see Web Browser Client Requirements).
During this phase, you configure the following:
• Appliance license
• Zone identification (Global Controller only)
• E-mail server identification
• DNS addresses
• E-mail address for the system administrative account (pnadmin)
• TACACS/AAA login prompt settings
Result: You have configured your appliance to communicate on the network, properly correlate events, and issue system e-mails to a monitored e-mail address.
For more information, see:
• Completing the Configuration using MARS web interface
• Licensing the Appliance
• Verifying and Updating Network Settings
• Specifying the DNS Settings
• Configure E-mail Settings for the System Administrative Account
• Configure TACACS/AAA Login Prompts
6. Upgrade the appliance to the most recent software version.
The software version determines the currency of signatures, system inspection rules, features, and bug fixes. An important part of your security solution is ensuring that you maintain the most up-to-date software on the CS-MARS Appliance. This process involves preparing an upgrade strategy and selecting a method, determining your current version, identifying the most recent version, and downloading and applying all intermediate versions of the software.
Result: The appliance is running the most recent version of software.
For more information, see:
• Checklist for Upgrading the Appliance Software
Caveats
This section describes the open and resolved caveats with respect to this release.
• Open Caveats - Release 4.1.1
• Resolved Caveats - Release 4.1.1
• Resolved Caveats - Releases Prior to 4.1.1
Open Caveats - Release 4.1.1
The following caveats affect this release.
CSCsb77550
Issue: Re-importing CSA or Symantec agents fails.
When the user tries to re-import agents from a CSV seed file, the following error message appears:
Result: The import fails.
Workaround: If you import an agent list once, you must manually synchronize the agent list afterwards. Re-importing the list of agents does not work.
CSCsb80082
Issue: When you remove/delete a Local Controller from a Global Controller, the Local Controller should revert to the Standalone mode. However, if you add the Local Controller to the Global Controller and delete it before you exchange certificates between the two appliances, then the mode does not revert.
Workaround: You can work around this issue by ensuring that you always import the certificate from the Local Controller before you attempt to remove it from the Global Controller.
CSCsc04484
Issue: The rule or report list on a Local Controller (LC) appears empty after deleting a Global Controller (GC) report or rule group.
1. From the Rules or Reports page in the GC HTML interface, create a rule or report group with some elements in it.
2. Activate to push the group down to the monitored LC.
3. From the Rules or Reports page of a LC HTML interface, select the newly-created GC group in the filter list.
Result: The members of that group are listed.
4. Select the Summary page.
5. Select the Rule or Report page.
Result: The group is still selected as the "filter" for that page.
6. Select the Summary page.
7. In the GC HTML interface, delete the rule/report group.
8. Activate to push changes down to the monitored Local Controllers.
9. In the LC HTML interface, navigate back to rule/report page.
Result: The filter list has "All" selected, but no rules or reports appear on the page.
Workaround:
1. Select another option in the filter list, and then All.
Result: The list of all rules/reports appears.
CSCsb71298
Issue: In Cisco Security Monitoring, Analysis and Response System (CS-MARS) Release 3.4, queries submitted from a Global Controller (GC) that are less than 10 minutes in length will appear as being "In Progress" on the GC, even after the attached Local Controllers (LCs) have finished running the query.
This will only occur in a GC/LC environment if a query is run over a duration less than 10 minutes.
Workaround: Query over time ranges that are no less than 10 minutes in length.
CSCsb67871
Issue: After re-installing a Local Controller, the zone and device data is lost in the Global Controller.
Workaround: Before you re-install (using a Recovery DVD) a Local Controller, you must delete that Local Controller and zone from the managing Global Controller.
CSCsb64587
Issue: After Global Controller restore, the Local Controller certificates are missing.
Workaround: After restoring a Global Controller, you must reimport the certificates of each managed Local Controller before communications are restored.
CSCsb71309
Issue: In Cisco Security Monitoring, Analysis and Response System (CS-MARS) release 3.4.4 and earlier, queries that are run from a Global Controller (GC) which have no results returned from any of the attached Local Controllers (LCs) will show up as "In Progress" in the GUI.
This occurs in a GC/LC environment, and only when a global query returns 0 results from every one of the LCs.
Workaround: You may have to wait up to 10 minutes for a GC Query status to be marked as "Finished", after all LCs have finished running the query.
CSCpn03077
Issue: The Global Controller generates a system error when you add a Local Controller that was already added.
Workaround: Before adding a Local Controller, verify that you have not previously added it to the Global Controller. If you do encounter this error, restart the GUI by closing your web browser and logging in again.
CSCpn03074
Issue: On the Incidents page of a Global Controller, the View and Show buttons do not work for incidents pushed up from the monitored Local Controllers.
CSCpn03070
Issue: If you upgrade a Global Controller/Local Controller pair, the Local Controller may appear offline for the first 10 minutes after the appliances reboot. The scheduler wakes up and re-syncs 10 minutes after startup.
Resolution: If you notice that the Local Controller appears offline, verify that at least 10 minutes have passed since the appliances rebooted. Alternatively, you can jump start the communication by navigating to Admin > Local Controller Management in the Global Controller user interface.
CSCpn03057
Issue: Copied rules have a shortened year in front, which is confusing (e.g., 05.04.19). When you duplicate a system rule, the newly created rule has a timestamp appended to it. The date format is unclear, but it is YY.MM.DD.
CSCpn03052
Issue: JBoss 'OutOfMemoryError' when accessing the Management/Event Management tab.
Workaround: Avoid using the 10,000 items per page setting on the Event Management page.
CSCpn02976
Issue: GC:LC - Communication issues after time zone change. After initial configuration, if you change the time zone of a communicating GC:LC pair, there may be problems with communications between the GC and LC.
Workaround: If you notice that the Local Controller appears offline, verify that at least 10 minutes have passed since the appliances rebooted. Alternatively, you can jump start the communication by navigating to Admin > Local Controller Management in the Global Controller user interface.
CSCpn02973
Issue: Not able to downgrade a Security Analyst to Notification only user. When you define a user account with the Security Analyst role, you cannot downgrade that role to Notification only.
CSCpn02968
Issue: Network group search is not working for "All IP addresses". If you select All IP addresses as the search space, the results may be inconsistent with the expected results.
CSCpn02901
Issue: GC/LC, rule does not display user <cxu> but allows such cfg
Workaround: Avoid using special characters in the keyword search for rules. The list of special characters not supported is as follows:
• less-than (<)
• greater-than (>)
• ampersand (&)
CSCpn02883
Issue: Event management search works only for event description. You cannot search on other fields, such as Event ID.
CSCpn02869
Issue: Rules editing: changing entry for select window dropdown after error message results in the state not being saved.
Workaround: This issue appears when you have attempted to define an invalid rule and an error message appears. For example, while editing a user inspection rule:
1. Click Sources field.
2. Remove all sources.
3. Click Submit.
Result: Dialog box appears and prompts "please select one".
4. In the select window dropdown, select "All Devices"
Result: Rule submission window appears and contains a blank Sources field.
To work around this issue, click one of the top tabs to cancel your work and redo your edit without submitting an invalid rule (as shown in Step 3).
CSCpn02804
Issue: Replay History feature not working correctly. When you configure a query that triggers replay history, the results are usually incorrect. The following cases will trigger a replay history:
• a query that uses AND or Followed By
• a query that uses the $ variables, such as $EventType, $Device1, etc.
• a query uses NOT EQUAL TO a service
If you define an invalid query, CS-MARS will be in a compromised state where queries will continue to fail, even if they are constructed correctly after the invalid query. To resolve this issue, log in to the CLI and pnstop/pnstart the CS-MARS system, then re-run your valid query.
CSCpn02688
Issue: Viewing a report on a Global Controller and viewing the corresponding report on the Local Controller may differ in time slightly.
CSCpn02666
Issue: The email sent when a batch query completes may not have data in the graph if the query only returns one result.
CSCpn02656
Issue: Leaving the browser on the Summary page for an extended period of time (several days) may occasionally run into an error.
Workaround: Refresh the page to return to the GUI.
CSCpn02653
Issue: No way to specify "!Keyword" without a good "keyword"
Workaround: Keyword search requires two keywords to use the "NOT" operator. For example, you cannot specify "NOT nimda"; instead, you must specify something like "virus NOT nimda".
CSCpn02623
Issue: Sudden traffic increase does not process ICMP events.
While CS-MARS does process ICMP events on the parsing side, the sudden traffic rule does not fire based on ICMP events.
CSCpn02594
Issue: Clicking on the Path/Mitigate link in an incident that was fired from a device that has since been deleted may result in an error.
|
CSCpn02574
|
Issue: Having different times on the Global Controller and its associated Local Controllers may cause synchronization problems.
Workaround: Use the CLI to configure NTP or manually set the date and time to be the same on the Global Controller and Local Controllers.
|
CSCpn02566
|
Issue: Rebooting the CS-MARS while the box is in the upgrading state may cause system configuration errors.
|
CSCpn02558
|
Issue: After adding and deleting an agent or sensor to a host, adding a sensor with the same name and type as the previously deleted one back to that host will not work.
Workaround: Use a different agent/sensor name the second time around.
|
CSCpn02549
|
Issue: When viewing report results, clicking on "Edit" or "Clear" in the query summary at the top of the page results in a JavaScript error.
Workaround: Click directly on the "Report type" link to edit the query.
|
CSCpn02511
|
Issue: In migrating "Microsoft, Windows, Generic" device type to three new Windows device types, errors in affected OS could affect data migration and cause confusion about appropriate selection.
Workaround: When migrating data, you should make the following mappings for the OS name:
• Map "2000" to "Windows 2000"
• Map "Windows 2000 Professional Server" to either "Windows 2000 Professional" or "Windows 2000 Server" after verifying the data.
• Map "NT" to "Windows NT"
• Map "Microsoft Windows NT 4.0" to "Windows NT". Microsoft should be in vendor field and 4.0 should be in version field.
|
CSCpn02470
|
Issue: Using passwords with the "," (comma) or "'" (quote) characters may cause problems with loading devices from csv files.
Workaround: Avoid using passwords with these characters for the time being.
|
CSCpn02414
|
Issue: Long keyword strings in rules or reports can cause parts of the GUI layout to be pushed out of the browser window's edges.
|
CSCpn02410
|
Issue: The CS-MARS stores reported user names in a case-sensitive fashion. Devices that report case-insensitive user names can behave counter-intuitively if they report names inconsistently.
|
CSCpn02398
|
Issue: Reserved XML characters are not supported in the Keyword Search on the Rule page
Workaround: Avoid using special characters in the keyword search for rules. The list of special characters not supported is as follows:
• less-than (<) <
• greater than (>) >
• ampersand (&) &
|
CSCpn02385
|
Issue: Applying $VAR variables to queries on a Global Controller causes GUI errors and may not return correct results.
|
CSCpn02383
|
Issue: An IIS web server cannot be added to the CS-MARS as a generic web server. When configuring the CS-MARS to receive IIS logs, adding generic web server in Reporting Applications does not work.
Workaround: Choose windows operating system under general tab.
|
CSCpn02333
|
Issue: After performing a "pnreset -g" (which cleans up the GC data on the LC - a copy will be made of all GC data used by rules and reports while all other GC data will be deleted), the LC still shows the old zone name by which it was monitored from the GC. When adding that LC back to a GC that was re-installed from the recovery DVD, problems can occur if the zone names for the GC and LC do not match the ones used before.
Workaround: Use the same "old" GC name during the GC configuration. Use the same zone names when re-adding LCs to the GC.
|
CSCpn02251
|
Issue: After upgrading from a CS-MARS 100e to CS-MARS 100, pnstop and pnstart need to be run for the change to take effect.
|
CSCpn02177
|
Issue: Every 22nd reboot, the CS-MARS file system is checked for consistency. This takes time to complete, and happens before connecting to the network. While this is happening, it may appear that the box simply isn't starting.
Workaround: Attach a console to the CS-MARS to verify that checking is happening if the system does not seem to start after a reboot.
|
CSCpn02175
|
Issue: Data computed or stored on a standalone CS-MARS while in standalone mode will not be transferred to a GC. Only data computed on an LC that is currently monitored by a GC will be pushed up.
|
CSCpn02073
|
Issue: After renaming a cloud, clicking the cloud again causes an error.
Workaround: Refresh the page before clicking a renamed cloud.
|
CSCpn02061
|
Issue: Saving CSV files from reports with IE 6 under Windows XP SP2 causes the file to default to an .htm extension, not .csv extension.
Workaround: Select "All types" from the dropdown while saving, and rename the file to have a .csv extension.
|
CSCpn02011
|
Issue: Certain special characters do not work in password fields. The characters are " ' ; (double-quote, single-quote and semi-colon).
Workaround: Use passwords that do not contain these characters.
|
CSCpn01489
|
Issue: Query summary doesn't mention "severity" if it's a criterion
When the user configures a batch query with a severity as one of the criteria (Red, Yellow, Green), this criterion doesn't appear in the "query summary" of the batch query page. However, the query is run with the correct criteria. When the results are viewed, the severity can be seen in the query details at the top of the page.
|
CSCpn01438
|
Issue: When running batch queries under a high system load and over a time range containing a large amount of data, the batch query might not complete. If the Progress Completed status stays at 0% for an extended period of time (a day), try stopping any other batch queries you have running or stopping and resubmitting your batch query with narrower criteria. If neither of these works, please contact Cisco Support.
|
CSCpn01416
|
Issue: Select: Temp paging fix on Notification-SNMP. All pages that display large numbers of items need to have paging implemented.
Workaround: Use the search window to locate desired object.
|
CSCpn01398
|
Issue: Unable to shutdown an interface: the customer should be able to shutdown an interface on CLI or GUI.1.
Workaround: Do not connect the second network interface to your network.
|
CSCpn01382
|
Issue: When you create a new group (MANAGEMENT > IP Management > Add Group) with a combination of Networks, Devices, and IP addresses and then select that group from the pull-down menu, only the Networks in the group appear, even though the Devices and IP addresses are in the group.
|
CSCpn01293
|
Issue: When administering CS-MARS, it is possible to select an unsupported OS from the pull-down menu when adding or editing a host for logging. If you select an OS that does not contain the string "Microsoft Windows" or "Sun Solaris" when you save the Pull host log or Receive hostlog parameters, (for example, if you select "Sun Cobalt"), then the GUI does not work correctly.
|
CSCpn01270
|
Issue: The free-form search may not work for the following devices:
• Check Point Opsec NG FP3
• Cisco CSA, 4.0
• Cisco, IDS, 3.1 and 4.0
• ISS, RealSecure, 6.5 and 7.0
• Entercept Entercept, 2.5 and 4.0
• IntruVert IntruShield, 1.5
|
CSCpn01219
(re-opened)
|
Issue: If you create a user in the CS-MARS GUI and select New Provider but do not enter a Pager number, qpage.com fails to run because it has an empty entry, and pnmonitor continually tries to restart the daemon that attempts to access qpage.com.
Resolution: Open each user profile and click Submit to ensure all the required fields are populated.
|
CSCpn01134
|
Issue: The cloud name input box accepts invalid characters. To reproduce this behavior, click on the Large Graph link on the Hotspot graph. Click on a cloud. Click Change name and enter invalid characters into the input field (for example, ~!# or ###). Sometimes the page returns an error message such as error: Error: Invalid or No Security Perimeter. The graph rendering fails with the IE status bar message "not well formed, line #:column#".
|
CSCpn01051
|
Issue: Logging into a CS-MARS from a non-supported browser and leaving the GUI open will prevent other users from logging into that MARS.
Resolution: If you log in to CS-MARS using a supported browser and see a message saying that your browser is unsupported, please check if another user has logged into the CS-MARS with an unsupported browser and not closed his browser window.
|
CSCpn01045
|
Issue: Entering an incorrect IP address or directory path for the data archiving feature will result in a cryptic error message.
Resolution: If you see a message of type "Status: PN-0002: No message for PN-0216" after configuring data archiving, please click "Back to Archiving" and check your IP address and directory.
|
CSCpn01039
|
ADDRESSED IN DOCS
|
CSCpn01019
|
Issue: When utilizing the data archiving feature, you may experience data loss if your network link is slow or if your archive server does not have the capacity to handle high throughput.
|
CSCpn00908
|
Issue: "Domain" in Configuration page - no use
Workaround: This issue was overcome by other events. This field no longer exists, however, you can specific the e-mail domain on the Configuration page to identify the default domain from which e-mail notifications are delivered by the appliance.
|
CSCpn00877
|
Issue: When you submit a name that is associated with a device type to the system, changes to its device type can cause issues to incorrectly display some of its configuration information.
Resolution: When adding a device, take care to give it its proper device type.
|
CSCpn00610
|
Issue: Backend logs can be out of order in the view page because the numbers are reused. Timestamps should be used as report identifiers.
|
CSCpn00596
|
Issue: On a freshly installed machine starting to get events and sessions, you can get a negative Data Reduction where there are more sessions than events. This is due to the fact that events are written to the database more frequently than sessions.
Resolution: Wait for some time to pass, as events gradually outnumber sessions this number will become increasingly accurate.
|
CSCpn00586
|
Issue: If you are investigating a false positive, and you see a message telling you that a service has crashed, this could be due to vulnerability scanning by the CS-MARS appliance. You may have to re-start the service.
Resolution: It is strongly recommended that you patch the security hole to eliminate this vulnerability.
|
CSCpn00455
|
Issue: If clouds are renamed through diagrams, the system might not display those names.
Resolution: Here are some work around steps to rename clouds:
1. Click the cloud you want to rename.
2. Enter in the new name in the text field near the top of the popup window.
3. Click "Change".
4. Once it's done, click "Close".
5. Click the "Large Graph" button in the Hotspot Graph.
6. Return to the Summary page.
|
CSCpn00293
|
Issue: When tabbing over three-digit entries in IP fields on the Configuration Information page, the cursor can disappear.
Resolution: Use your mouse to move between fields on this screen when editing IP addresses.
|
CSCpn00259
|
Issue: On the Setting Runtime Logging Levels page, if you set the level for GUI to Trace and save, it is saved as Debug.
Resolution: Do not change settings on the Setting Runtime Logging Levels page without a Cisco Support representative.
|
CSCpn00247
|
Issue: The automatic time-out feature built into the GUI does not work when the Summary page is left open with automatic refresh selected.
Resolution: Please log out of the system when you are no longer using it.
|
CSCpn00212
|
Issue: Diagrams on the Summary pages occasionally do not display.
Resolution: Exit the browser. The next time you log on, the diagrams should have re-drawn.
|
CSCpn00183
|
Issue: Adding many devices (more than 20) without activating those devices can cause messy output in the diagrams.
Resolution: Click the Activate button after adding many devices.
|
CSCpn00173
|
Issue: Nessus should check pre-NAT address instead of Post-NAT address.
|
CSCpn00166
|
Issue: The use of ANY in queries and rules is slightly inconsistent. When selecting ANY in the Query page, if other items are selected at the same time for that field, the ANY is ignored. When selecting ANY on the Rules page, if other items are selected at the same time for that field, the other items are ignored and ANY is the selection.
|
CSCpn00146
|
|
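As an added example that is not part of these release notes or of the CS-MARS product, the following Python script pre-checks a device import CSV and rule keyword strings for the characters that caveats CSCpn02470, CSCpn02011 and CSCpn02398 above identify as problematic, so an operator catches them before the import or rule submission fails rather than after. The column names name, ip and password, and the sample rows, are assumptions constructed for the example; the appliance's actual CSV layout is not documented on this page. Note that a correctly quoted CSV field (RFC 4180 double quotes around a value containing a comma) parses fine in a standard CSV reader; the caveat lies in the appliance's importer, which is why the check flags such passwords regardless of quoting.

```python
import csv
import io

# Character sets quoted from the caveats above (assumed complete only as far
# as the release notes state them).
CSV_IMPORT_UNSAFE = set(",'")        # CSCpn02470: comma / single quote break device CSV import
PASSWORD_FIELD_UNSAFE = set("\"';")  # CSCpn02011: GUI password fields reject these
KEYWORD_XML_RESERVED = set("<>&")    # CSCpn02398: reserved XML chars in rule keyword search


def _describe(hit):
    return ", ".join(repr(c) for c in sorted(hit))


def password_problems(password):
    """Return one message per caveat a candidate device password would trip."""
    problems = []
    hit = set(password) & CSV_IMPORT_UNSAFE
    if hit:
        problems.append("CSCpn02470 (CSV import): contains %s" % _describe(hit))
    hit = set(password) & PASSWORD_FIELD_UNSAFE
    if hit:
        problems.append("CSCpn02011 (password field): contains %s" % _describe(hit))
    return problems


def keyword_problems(keyword):
    """Return a message if a rule keyword-search string uses reserved XML characters."""
    hit = set(keyword) & KEYWORD_XML_RESERVED
    if hit:
        return ["CSCpn02398 (keyword search): contains %s" % _describe(hit)]
    return []


def lint_device_csv(text, password_column="password", name_column="name"):
    """Parse a device import file and return (line, device, message) tuples for
    every password that would trip one of the caveats. The column names are
    assumptions for this example, not the appliance's documented import layout."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        line = reader.line_num  # 1-based physical line; the header is line 1
        for msg in password_problems(row.get(password_column) or ""):
            findings.append((line, row.get(name_column) or "?", msg))
    return findings


# Constructed sample input (not real credentials). The second device's password
# is properly quoted for CSV, yet still hits CSCpn02470 in the appliance importer.
SAMPLE_CSV = (
    "name,ip,password\n"
    "fw-edge-1,192.0.2.10,Plain-Secret-1\n"
    'fw-edge-2,192.0.2.11,"with,comma"\n'
    "ids-1,192.0.2.12,it's;tricky\n"
)

if __name__ == "__main__":
    for line, device, msg in lint_device_csv(SAMPLE_CSV):
        print("line %d %s: %s" % (line, device, msg))
    for kw in ("virus NOT nimda", "<script>&"):
        print(repr(kw), keyword_problems(kw) or "ok")
```

Run it against the export you intend to load; each finding names the caveat and the offending characters, so the password can be rotated on the device before the import is attempted.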