Friday, November 13, 2009

CVE-2009-2977

Thanks to an eagle-eyed reader (though it is a couple of months old now): if you are running 6.0.4 or earlier, there is a vulnerability when MARS is configured to pull Windows Event Logs.

"The Cisco Security Monitoring, Analysis and Response System (CS-MARS) 6.0.4 and earlier stores cleartext passwords in log/sysbacktrace.## files within error-logs.tar.gz archives, which allows context-dependent attackers to obtain sensitive information by reading these files."

You can view the CVE Here.

This was covered by Cisco bug CSCtb52450, which mentioned it was only a bug when MARS was configured to PULL events rather than using Snare (or Honeycomb and similar products).

It was also mentioned that the issue can be mitigated if log files are not exported out of the CS-MARS device. (Only CS-MARS administrators can export log files.)

BTW, this was resolved in MARS release 6.0.5.


Thursday, November 05, 2009

No Updates for Non Cisco Devices?

There have been plenty of rumours recently regarding MARS and its support for non-Cisco devices, more so over the last couple of days...

Whether it's Gartner a few days ago, or MARS competitors like Nitro putting out releases yesterday (and I'd fully expect the others to follow)...

I noticed an official Business Unit response, in the Netpro Forums......

"October 30, 2009
Cisco response to Gartner Research Memo entitled “Cisco MARS Is Becoming Less Viable as a General SIEM Solution”
Summary
• Gartner has alerted its customers that as Cisco continues to focus its security management efforts on Cisco devices, MARS appliances may become less viable for the broad set of “general” SIEM use cases.
• Gartner concludes that Cisco’s focus on native management capabilities for our devices is a positive direction.
• For customers with primarily Cisco event sources on their network, Gartner recommends that MARS still provides a strong platform for security threat management (STM) and network behavior analysis (NBA) capabilities.
Details
On October 29th, 2009, Gartner released a research note titled “Cisco MARS Is Becoming Less Viable as a General SIEM Solution.” This note is in response to Cisco’s stated direction to focus CS-MARS development on supporting Cisco-built network security devices and critical host operating systems. Non-Cisco network device data and signature updates continue to be supported in CS-MARS for the current versions of these 3rd-party systems.
In the memo, Gartner concludes that “Cisco will focus its efforts on improving Cisco's native security management capabilities,” which they note as a positive direction for Cisco’s overall Security portfolio.

In the past, we have encouraged Gartner to break up this crowded space as it encompasses a vast array of use cases spanning compliance reporting, log aggregation, threat identification, and mitigation. While MARS has been placed in the SIEM market, it has never fully covered all aspects of the Gartner-defined space. Over the last year, as we have focused on the core Security Threat Management use cases for Cisco products, Cisco has de-emphasized compliance reporting and non-Cisco devices.

In particular for Cisco customers, it is important to note Gartner’s recommendation that MARS continues to provide strong STM and NBA capabilities for Cisco event sources."


Stinky......

Book Review: Cisco Routers for the Desperate, 2nd Ed


"Cisco Routers for the Desperate, 2nd Edition is designed to be read once and left alone until something breaks. When it does, you'll have everything you need to know in one easy-to-follow guidebook."


Cisco Routers for the Desperate, 2nd Edition, by Michael W. Lucas, condenses all you need to know about Cisco routers, and some switching, down to a mere 125 pages.


Now, you're not going to pass your CCIE, or CCNA for that matter, with just this book. The sections covered are quite basic and to the point, but there are many people in the marketplace who have never had any official training on Cisco kit, and this book is for them.


How to navigate an IOS interface, configure interfaces, time, back up configs etc. are covered in a quirky writing style, then a redundancy chapter on BGP and HSRP will start to whet your Cisco appetite.


All in all, a good read for anyone new to Cisco kit, or for the plenty of people out there who did the CCNA course years ago, never did the exam, and now finally get "hands on" and can't remember the basics!

Monday, November 02, 2009

MARS 6.0.5 FIPS PCI Card Notes

As you may have read in the release notes for MARS 6.0.5, a FIPS PCI card is available for the MARS 110R.

You can read details here

Tuesday, October 20, 2009

MARS 6.0.5 Released

Release notes here: 6.0.5

Miscellaneous Changes and Enhancements

The following changes and enhancements exist in 6.0.5:

FIPS 140-2 Level 2 Compliance for the MARS 110R—Some customers, especially those in the federal market, require secure appliance communications to use government approved encryption technologies and provide tamper protection. When used in conjunction with a Cisco FIPS 140-2 Level 2 certified PCI card, the 6.0.5 release of the MARS software enables FIPS 140-2 Level 2 compliance.

FIPS PCI card for the MARS 110R—To enable the FIPS 140-2 Level 2 solution, customers must order a Cisco FIPS 140-2 Level 2 certified PCI card (part no. CS-MARS-FIPS-K9=) for their existing MARS 110R. The reconfigured appliance with a Cisco FIPS 140-2 Level 2 certified PCI card installed is designated a MARS 110RF model. For more information on the installation of the FIPS certified PCI card, see the CS-MARS FIPS PCI CARD Quick Install document.

Custom Login Banner Text—According to NIST appliance hardening standards, warning banners are necessary at all access points in the event an organization wishes to prosecute an unauthorized user. CS-MARS provides a customer-defined banner message facility that can provide fair warning to unauthorized users. Banner text of up to 2,000 characters can now be configured from the MARS web interface (ADMIN > System Parameters > Banner Settings). The banner text appears on the login page and as a system message when an SSH connection is made to access the CLI.



Wednesday, August 05, 2009

MARS 6.0.4 Revised Release Notes

To clear any confusion: although there has been no announcement, the release notes have been revised for MARS version 6.0.4.

Upgrade to 6.0.4

No important notes exist for the 6.0.4 upgrade.


As you will see, no mention of the "last software release for the CS-MARS 100, 100e, 200, GC, and GCm appliances."

:-)

Tuesday, August 04, 2009

MARS 6.0.4 Confusion, Explanation

Earlier, from the release notes, there was a notice regarding 6.0.4 and supported versions.

Upgrade to 6.0.4

The 6.0.3 release, distributed in April 2009, was the last software release for the CS-MARS 100, 100e, 200, GC, and GCm appliances. Therefore, you cannot apply the 6.0.4 release to these appliance models. For a full list of supported appliance models, see Supported Hardware.

BUT, if you look at the supported versions for 6.0.4 in the same document, it lists the following....

Release 6.0.4 supports the following Cisco Security MARS Appliance models:

Local Controller Appliances: 2nd Generation

Cisco Security MARS 25R (CS-MARS-25R-K9)

Cisco Security MARS 25 (CS-MARS-25-K9)

Cisco Security MARS 55 (CS-MARS-55-K9)

Cisco Security MARS 110R (CS-MARS-110R-K9)

Cisco Security MARS 110 (CS-MARS-110-K9)

Cisco Security MARS 210 (CS-MARS-210-K9)

Local Controller Appliances: 1st Generation

Cisco Security MARS 20R (CS-MARS-20R-K9) as a MARS 20

Cisco Security MARS 20 (CS-MARS-20-K9)

Cisco Security MARS 50 (CS-MARS-50-K9)

Cisco Security MARS 100e (CS-MARS-100E-K9) as a MARS 100

Cisco Security MARS 100 (CS-MARS-100-K9)

Cisco Security MARS 200 (CS-MARS-200-K9)

Global Controller Appliances: 2nd Generation

Cisco Security MARS GC2R (CS-MARS-GC2R-K9)

Cisco Security MARS GC2 (CS-MARS-GC2-K9)

Global Controller Appliances: 1st Generation

Cisco Security MARS GCm (CS-MARS-GCM-K9) as a MARS GC

Cisco Security MARS GC (CS-MARS-GC-K9)

And hence those models were listed as supported devices!!!

Well, after getting a couple of messages about this, I think I have solved this mystery.

If you look at the EOL for MARS models 100, 100e, 200, GC and GCm, you will see...

Milestone: End of SW Maintenance Releases Date: App. SW

Definition: The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.

Date: April 11, 2009


So it looks like the new version will possibly run on these models, but you are out of time for maintenance release support.

Time to look for an upgrade/alternative.

:-)

Cisco MARS 6.0.4 Now Available



Thanks to Csaba for pointing out to me that Cisco have released MARS version 6.0.4.

Surprisingly, given some of the rumours out there at the moment, there are some new features in this release, and not just signature updates for the supported products.

You can check out the release notes HERE.

So apart from some cosmetic changes, here is what is new...

New Device Support

The 6.0.4 release of MARS supports the following new device versions:

Cisco ASA 8.2

Cisco IPS 7.0

Cisco IPS 6.2

Cisco IOS/Switch IOS 12.4 (backward compatibility support)

Cisco FWSM 4.0.1 and 4.0.4 (backward compatibility support)

Cisco Security Agent 6.0.1 (backward compatibility support)

Miscellaneous Changes and Enhancements

Botnet Traffic Filter (ASA 8.2) Feature Support—Detect malware that attempts malicious network activity, such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) with ASA Botnet Traffic Filter (BTF).

MARS support for ASA 8.2 introduces the following BTF features:

ASA Botnet Summary Tab—When monitoring a properly configured Cisco ASA 8.2 device, customers can quickly view Botnet activity on their network using the new summary tab, which provides an at-a-glance dashboard with the following new reports:

Activity: ASA Botnet Traffic Filter - Top Botnet Ports

Activity: ASA Botnet Traffic Filter - Top Botnet Sites

Activity: ASA Botnet Traffic Filter - Top Infected Hosts

BTF: System reports—When monitoring a properly configured Cisco ASA 8.2 device, customers can drill down into malicious activity with the following new reports:

Hosts which have generated phone home activity (top infected hosts)

Adequate host details (port/protocol, user agent, etc.) required for remediation.

Top Botnet sites by domain and IP address

Top Botnet ports detected

BTF: System rule—When monitoring a properly configured Cisco ASA 8.2 device, a new system rule is available that detects failed phone-home db downloads.

Cisco IPS 7.0 Feature Support—IPS 7.0(1) contains a new security capability, Cisco Global Correlation, which uses the immense security intelligence that Cisco has amassed over the years.

MARS support for 7.0(1) introduces the following Global Correlation features:

A new system report that identifies the attacks blocked by Cisco IPS 7.0 (1) over a specified interval.

Global Correlation scores embedded in query and reporting interfaces allow customers to view reputation data and create customized Global Correlation reports.

Tunable Query Performance Support—Customers can reduce query wait times by creating custom indexes for commonly run queries.

E-Mail Notification Update—E-mail based notifications now include top 3 source IPs, top 3 destination IPs, and top 3 botnet sites.

Future Cisco.com Software Update Support—MARS 6.0.4 includes changes to support a seamless migration from the current Cisco.com software and signature download sites to a new location hosted on Cisco.com. Customers are required to upgrade to 6.0.4 to enable future automated system upgrades, patches, and dynamic signature update support, features introduced in MARS 6.0.1.



And Finally Very Important

The 6.0.3 release, distributed in April 2009, was the last software release for the CS-MARS 100, 100e, 200, GC, and GCm appliances. Therefore, you cannot apply the 6.0.4 release to these appliance models.

Good Luck

Thursday, May 28, 2009

ASA Botnet Traffic Filter Syslogs

"The Cisco® ASA Botnet Traffic Filter complements existing endpoint security solutions by monitoring network ports for rogue activity and detecting infected internal endpoints sending command and control traffic back to a host on the Internet. The Botnet Traffic Filter database accurately and reliably identifies command and control traffic, as well as the domains or hosts receiving the information."

If you are using Cisco ASA 8.2 with the Botnet Traffic Filter license, you will know the ASA will syslog out when hosts are added to the blacklists etc. Then you can, errr, manually mitigate these yourselves with a shun or ACL. (I'm sure this will get better in the future!)

The current version of MARS, 6.0.3, only understands syslogs up to ASA 8.1, and thus these new syslog messages will be classified as unknown events.

I was thinking of creating a parser package, to support these, but unfortunately have not had the time recently.

If you fancy having a go yourselves, you can either create a parser and rules, or simply create some rules to look for the text strings in the syslogs below.

Here are the new syslogs, related to the Botnet Traffic Filter feature.....

338001
Error Message %ASA-4-338001: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: domain name

338002
Error Message %ASA-4-338002: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: domain name

338003
Error Message %ASA-4-338003: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: ip address/netmask

338004
Error Message %ASA-4-338004: Dynamic filter action black listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: ip address/netmask

338101
Error Message %ASA-4-338101: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: domain name

338102
Error Message %ASA-4-338102: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: domain name

338103
Error Message %ASA-4-338103: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: ip address/netmask

338104
Error Message %ASA-4-338104: Dynamic filter action white listed protocol traffic
from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: ip address/netmask

338201
Error Message %ASA-4-338201: Dynamic filter action grey listed protocol traffic from
in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port, (mapped-ip/mapped-port), source malicious
address resolved from local or dynamic list: domain name

338202
Error Message %ASA-4-338202: Dynamic filter action grey listed protocol traffic from
in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to
out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination
malicious address resolved from local or dynamic list: domain name

338301
Error Message %ASA-4-338301: Intercepted DNS reply for domain name from
in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port,
matched list

338302
Error Message %ASA-5-338302: Address ipaddr discovered for domain name from list,
Adding rule

338303
Error Message %ASA-5-338303: Address ipaddr (name) timed out, Removing rule

338304
Error Message %ASA-6-338304: Successfully downloaded dynamic filter data file from
updater server url

338305
Error Message %ASA-3-338305: Failed to download dynamic filter data file from updater
server url

338306
Error Message %ASA-3-338306: Failed to authenticate with dynamic filter updater
server url

338307
Error Message %ASA-3-338307: Failed to decrypt downloaded dynamic filter database
file

338308
Error Message %ASA-5-338308: Dynamic filter updater server dynamically changed from
old_server_host: old_server_port to new_server_host: new_server_port

338309
Error Message %ASA-3-338309: The license on this ASA does not support dynamic filter
updater feature.

338310
Error Message %ASA-3-338310: Failed to update from dynamic filter updater server url,
reason: reason string
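As an added example (not code from the post or from Cisco), here is a small Python parser for the message templates above, with two rules built on it: the "top infected hosts" view from the black-listed traffic messages, and the failed phone-home database download rule that 6.0.4 later added as a system rule. The sample syslog lines are constructed to follow the templates; the action words "dropped"/"monitored", hosts and domains are assumptions.

```python
import re

# Header shared by every ASA syslog: "%ASA-<severity>-<message id>: <text>"
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<mid>33\d{4}): (?P<text>.*)")

# Body of the 3380xx/3381xx/3382xx "Dynamic filter <action> <list> listed ..." messages.
# Tolerates "black listed"/"blacklisted" and the optional comma after the destination port.
ACTION_RE = re.compile(
    r"Dynamic filter (?P<action>\w+) (?P<list>black|white|grey) ?listed "
    r"(?P<proto>\w+) traffic from (?P<in_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\([^)]*\) to (?P<out_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+),? \([^)]*\), "
    r"(?P<side>source|destination) malicious address resolved from "
    r"(?P<origin>local|dynamic) list: (?P<resolved>\S+)"
)

# IDs the page lists for failed dynamic-database (phone-home db) updates.
UPDATER_FAILURE_IDS = {"338305", "338306", "338307", "338309", "338310"}


def parse_btf(line):
    """Return a dict describing a BTF message, or None if the line is not one."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    mid, text = m.group("mid"), m.group("text")
    rec = {"id": mid, "severity": int(m.group("sev")), "kind": "other"}
    a = ACTION_RE.match(text)
    if a:
        rec["kind"] = "filter_action"
        rec.update(a.groupdict())
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    elif mid in UPDATER_FAILURE_IDS:
        rec["kind"] = "updater_failure"
        rec["reason"] = text
    return rec


def infected_hosts(lines):
    """Rule 1: internal host -> sorted black-listed addresses it touched. When the
    *destination* is the malicious side the internal host is the source, and vice versa."""
    hits = {}
    for rec in map(parse_btf, lines):
        if rec and rec["kind"] == "filter_action" and rec["list"] == "black":
            host = rec["src"] if rec["side"] == "destination" else rec["dst"]
            hits.setdefault(host, set()).add(rec["resolved"])
    return {host: sorted(addrs) for host, addrs in hits.items()}


def updater_failures(lines):
    """Rule 2: failed dynamic filter database updates as (message id, reason text)."""
    return [(r["id"], r["reason"]) for r in map(parse_btf, lines)
            if r and r["kind"] == "updater_failure"]


# Constructed sample lines following the page's templates; hosts, domains and the
# action words "dropped"/"monitored" are assumed, not captured from a real ASA.
SAMPLE_LOGS = [
    "Jun  1 10:00:01 fw1 %ASA-4-338002: Dynamic filter dropped black listed TCP traffic from inside:10.0.0.5/51234 (203.0.113.5/51234) to outside:198.51.100.7/443 (198.51.100.7/443), destination malicious address resolved from dynamic list: bad.example.net",
    "Jun  1 10:00:02 fw1 %ASA-4-338004: Dynamic filter monitored black listed UDP traffic from inside:10.0.0.5/40000 (203.0.113.5/40000) to outside:198.51.100.9/53 (198.51.100.9/53), destination malicious address resolved from local list: 198.51.100.9/255.255.255.255",
    "Jun  1 10:00:03 fw1 %ASA-4-338001: Dynamic filter dropped black listed TCP traffic from outside:198.51.100.7/5555 (198.51.100.7/5555) to inside:10.0.0.8/22, (203.0.113.8/22), source malicious address resolved from local list: c2.example.org",
    "Jun  1 10:00:04 fw1 %ASA-4-338102: Dynamic filter monitored white listed TCP traffic from inside:10.0.0.6/50000 (203.0.113.6/50000) to outside:192.0.2.10/80 (192.0.2.10/80), destination malicious address resolved from local list: update.example.com",
    "Jun  1 10:05:00 fw1 %ASA-3-338305: Failed to download dynamic filter data file from updater server https://updater.example.invalid",
    "Jun  1 10:05:01 fw1 %ASA-6-302013: Built outbound TCP connection 12 for outside:192.0.2.10/80 to inside:10.0.0.6/50000",
]
```

Running infected_hosts(SAMPLE_LOGS) and updater_failures(SAMPLE_LOGS) gives you the two tables MARS would otherwise show as "unknown events" on 6.0.3.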


Enjoy.


Friday, May 15, 2009

Update on 6.0.3 Patch

Thanks to Bob Lin, for an update on the 6.0.3 patch I mentioned yesterday.

Incidentally, the 6.0.3 patch and patch readme can both be downloaded from the MARS Miscellaneous CCO site:

http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc.

It is only required if you encounter one of those two bugs.

Regards,
Bob Lin
CS-MARS Release Manager and Escalation Engineer

Thursday, May 14, 2009

6.0.3 Patch Available

Thanks to Jeremy Wood in the MARS User Group for pointing out there is a patch available for MARS release 6.0.3.

"I was noticing that I had a bunch of Drop rules that were not
triggering correctly after upgrading to 6.0.3 and in my quest for a
solution ran across a patch here:

Looks like it fixes the following problems:
CSCsz14701 - some drop rules do not drop packets after 602 to 603 upgrade
CSCsz22056 - Mars http access to JBoss Application Server info"

Thanks Jeremy.

Also you may be interested to note that a new version of the Cisco NAC Appliance 4.5 Parser Package is now available, without an import password! 

This is a v2 of the package, without the word Draft. Thanks to Craig Hyps for pointing this out.

You can get this from the MARS Parser exchange under the Netpro Forums on Cisco.com





Monday, May 04, 2009

MARS Troubleshooting Technotes

I notice Cisco have added a new doc on troubleshooting, under the MARS configuration examples section on Cisco.com.

Worth a read for any newbies.

You can view this HERE.

Monday, April 27, 2009

Cisco Security Specialist Required

In today's recession-hit world, companies worldwide are letting staff go and making redundancies.

At Satisnet, the UK’s leading Security Partner, we are actually hiring!

I'm looking to add another member to our Security Consulting Practice, and that could well be you.

If you think you meet the following requirements....

Have a Cisco CCSP or CCIE, or are at least working towards these qualifications
A knowledge of any or all of the following: Cisco ASA, PIX, VPN, CSA, MARS, IPS, ACS, Ironport
A Full UK Driving License
Not afraid of UK wide travel on assignments
A knowledge of LAN/WAN and Security Technologies
Be commutable to Bedfordshire, UK
A desire to learn your security products inside and out

Optionally have experience/exposure with
Nessus and other security tools
F5, Radware or Cisco Load Balancing Technologies
SIEM Tools
VMware

Then please get in touch via the Blog, with your CV, and Salary expectations...

If you are down at InfoSecurity Europe, at Earls Court this week, why not pop down and see what we do, on Stand F50, with Shavlik Technologies.

Good Luck...

Friday, April 24, 2009

New Cisco SAFE Reference Guides


A new set of Cisco SAFE Reference Guides has just been released. These were very successful a few years ago, and it looks like they have been brought up to date.

You can view the MARS Safe Doc HERE, and the full set of documents HERE.

Worth a read. :-)

Tuesday, April 07, 2009

Cisco MARS 6.0.3 Now Available

Cisco have released MARS version 6.0.3

Miscellaneous Changes and Enhancements

The following changes and enhancements exist in 6.0.3:

Credential Automation—Save administrative time by updating many Cisco device credentials in a single operation rather than touching each device definition in MARS. Using a seed file to re-import devices that are already defined in MARS, users can update some credentials for Cisco ASA, Cisco PIX, Cisco IPS, Cisco IOS, and Cisco Switch devices.

Actionable Incident Notification—This enhancement helps customers decide on the importance of a notification without having to log into MARS. The MARS syslog, e-mail, and SNMP incident notification messages provide incident summary information as well as Top 3 reports. The incident summary will include the rule ID, rule name, incident ID, incident start/end time and incident severity. Top 3 reports include Top 3 destination ports, Top 3 reporting devices, and Top 3 event types.

Improved Reporting Response Times—This enhancement improves response times of commonly used reports by retrieving event data from memory rather than from the database.

Exported/Archived Configuration Validation—This enhancement ensures that you do not attempt to restore or upgrade a system using a corrupted configuration file. After exporting or archiving a configuration file, MARS scans the file to make sure it is not corrupted.

New Device Support

The 6.0.3 release of MARS supports the following new device versions:

Cisco IPS 6.2 (backward compatible mode)


You can view the release notes HERE.