Tuesday, August 04, 2009

Cisco MARS 6.0.4 Now Available

Thanks to Csaba for pointing out to me, that Cisco have released MARS version 6.0.4

Surprisingly with some of the rumours out there at the moment, there are some new features in this release, and not just signature updates for the supported products.

You can check out the release notes HERE.

So apart from some cosmetic changes, here is what is new...

New Device Support

The 6.0.4 release of MARS supports the following new device versions:

Cisco ASA 8.2

Cisco IPS 7.0

Cisco IPS 6.2

Cisco IOS/Switch IOS 12.4 (backward compatibility support)

Cisco FWSM 4.0.1 and 4.0.4 (backward compatibility support)

Cisco Security Agent 6.0.1 (backward compatibility support)

Miscellaneous Changes and Enhancements

Botnet Traffic Filter (ASA 8.2) Feature Support—Detect malware that attempts malicious network activity, such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) with ASA Botnet Traffic Filter (BTF).

MARS support for ASA 8.2 introduces the following BTF features:

ASA Botnet Summary Tab—When monitoring a properly configured Cisco ASA 8.2 device, customers can quickly view Botnet activity on their network using the new summary tab that provides at-a-glance dashboard with the following new reports:

Activity: ASA Botnet Traffic Filter - Top Botnet Ports

Activity: ASA Botnet Traffic Filter - Top Botnet Sites

Activity: ASA Botnet Traffic Filter - Top Infected Hosts

BTF: System reports—When monitoring a properly configured Cisco ASA 8.2 device, customers can drill down into malicious activity with the following new reports:

Hosts which have generated phone home activity (top infected hosts)

Adequate host details (port/protocol, user agent, etc.) required to remediation.

Top Botnet sites by domain and IP address

Top Botnet ports detected

BTF: System rule—When monitoring a properly configured Cisco ASA 8.2 device, a new system rule is available that detects failed phone-home db downloads.

Cisco IPS 7.0 Feature Support—IPS 7.0(1) contains a new security capability, Cisco Global Correlation, which uses the immense security intelligence that Cisco has amassed over the years.

MARS support for 7.0(1) introduces the following Global Correlation features:

A new system report that identifies the attacks blocked by Cisco IPS 7.0 (1) over a specified interval.

Global Correlation scores embedded in query and reporting interfaces allow customers to view reputation data and create customized Global Correlation reports.

Tunable Query Performance Support—Customers can reduce query wait times by creating custom indexes for commonly run queries.

E-Mail Notification Update—E-mail based notifications now include top 3 source IPs, top 3 destination IPs, and top 3 botnet sites.

Future Cisco.com Software Update Support—MARS 6.0.4 includes changes to support a seamless migration from the current Cisco.com software and signature download sites to a new location hosted on Cisco.com. Customers are required to upgrade to 6.0.4 to enable future automated system upgrades, patches, and dynamic signature update support, features introduced in MARS 6.0.1 .

And Finally Very Important

The 6.0.3 release, distributed in April 2009, was the last software release for the CS-MARS 100, 100e, 200, GC, and GCm appliances. Therefore, you cannot apply the 6.0.4 release to these appliance models.

Good Luck


James said...

Where did you get your info on the supported hardware?
The Release notes specifically cover the first gen hardware.

Ashok said...

Hi Chris...

There is no support for the ISS Siteprotector new version yet. Any alternate solution for that or should we go with the custom parsing.

TAS said...

Thanks for update!