Wednesday, August 05, 2009

MARS 6.0.4 Revised Release Notes

To clear up any confusion: although there has been no announcement, the release notes have been revised for MARS version 6.0.4.

Upgrade to 6.0.4

No important notes exist for the 6.0.4 upgrade.


As you will see, there is no mention of the "last software release for the CS-MARS 100, 100e, 200, GC, and GCm appliances."

:-)

Tuesday, August 04, 2009

MARS 6.0.4 Confusion, Explanation

Earlier, the release notes carried a notice regarding 6.0.4 and supported versions.

Upgrade to 6.0.4

The 6.0.3 release, distributed in April 2009, was the last software release for the CS-MARS 100, 100e, 200, GC, and GCm appliances. Therefore, you cannot apply the 6.0.4 release to these appliance models. For a full list of supported appliance models, see Supported Hardware.

BUT, if you look at the supported versions for 6.0.4 in the same document, it lists the following...

Release 6.0.4 supports the following Cisco Security MARS Appliance models:

Local Controller Appliances: 2nd Generation

Cisco Security MARS 25R (CS-MARS-25R-K9)

Cisco Security MARS 25 (CS-MARS-25-K9)

Cisco Security MARS 55 (CS-MARS-55-K9)

Cisco Security MARS 110R (CS-MARS-110R-K9)

Cisco Security MARS 110 (CS-MARS-110-K9)

Cisco Security MARS 210 (CS-MARS-210-K9)

Local Controller Appliances: 1st Generation

Cisco Security MARS 20R (CS-MARS-20R-K9) as a MARS 20

Cisco Security MARS 20 (CS-MARS-20-K9)

Cisco Security MARS 50 (CS-MARS-50-K9)

Cisco Security MARS 100e (CS-MARS-100E-K9) as a MARS 100

Cisco Security MARS 100 (CS-MARS-100-K9)

Cisco Security MARS 200 (CS-MARS-200-K9)

Global Controller Appliances: 2nd Generation

Cisco Security MARS GC2R (CS-MARS-GC2R-K9)

Cisco Security MARS GC2 (CS-MARS-GC2-K9)

Global Controller Appliances: 1st Generation

Cisco Security MARS GCm (CS-MARS-GCM-K9) as a MARS GC

Cisco Security MARS GC (CS-MARS-GC-K9)

And hence the models named in the notice were listed as supported devices!!!

Well, after getting a couple of messages about this, I think I have solved this mystery.

If you look at the EOL for MARS models 100, 100e, 200, GC and GCm, you will see...

Milestone: End of SW Maintenance Releases Date: App. SW

Definition: The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.

Date: April 11, 2009


So it looks like the new version will possibly run on these models, but you are out of time for Maintenance Release support.

Time to look for an upgrade/alternative.

:-)

Cisco MARS 6.0.4 Now Available



Thanks to Csaba for pointing out to me that Cisco have released MARS version 6.0.4.

Surprisingly, given some of the rumours out there at the moment, there are some new features in this release, and not just signature updates for the supported products.

You can check out the release notes HERE.

So apart from some cosmetic changes, here is what is new...

New Device Support

The 6.0.4 release of MARS supports the following new device versions:

Cisco ASA 8.2

Cisco IPS 7.0

Cisco IPS 6.2

Cisco IOS/Switch IOS 12.4 (backward compatibility support)

Cisco FWSM 4.0.1 and 4.0.4 (backward compatibility support)

Cisco Security Agent 6.0.1 (backward compatibility support)

Miscellaneous Changes and Enhancements

Botnet Traffic Filter (ASA 8.2) Feature Support—Detect malware that attempts malicious network activity, such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) with ASA Botnet Traffic Filter (BTF).

MARS support for ASA 8.2 introduces the following BTF features:

ASA Botnet Summary Tab—When monitoring a properly configured Cisco ASA 8.2 device, customers can quickly view Botnet activity on their network using the new summary tab that provides at-a-glance dashboard with the following new reports:

Activity: ASA Botnet Traffic Filter - Top Botnet Ports

Activity: ASA Botnet Traffic Filter - Top Botnet Sites

Activity: ASA Botnet Traffic Filter - Top Infected Hosts

BTF: System reports—When monitoring a properly configured Cisco ASA 8.2 device, customers can drill down into malicious activity with the following new reports:

Hosts which have generated phone home activity (top infected hosts)

Adequate host details (port/protocol, user agent, etc.) required for remediation.

Top Botnet sites by domain and IP address

Top Botnet ports detected

BTF: System rule—When monitoring a properly configured Cisco ASA 8.2 device, a new system rule is available that detects failed phone-home db downloads.

Cisco IPS 7.0 Feature Support—IPS 7.0(1) contains a new security capability, Cisco Global Correlation, which uses the immense security intelligence that Cisco has amassed over the years.

MARS support for 7.0(1) introduces the following Global Correlation features:

A new system report that identifies the attacks blocked by Cisco IPS 7.0(1) over a specified interval.

Global Correlation scores embedded in query and reporting interfaces allow customers to view reputation data and create customized Global Correlation reports.

Tunable Query Performance Support—Customers can reduce query wait times by creating custom indexes for commonly run queries.

E-Mail Notification Update—E-mail based notifications now include top 3 source IPs, top 3 destination IPs, and top 3 botnet sites.

Future Cisco.com Software Update Support—MARS 6.0.4 includes changes to support a seamless migration from the current Cisco.com software and signature download sites to a new location hosted on Cisco.com. Customers are required to upgrade to 6.0.4 to enable future automated system upgrades, patches, and dynamic signature update support, features introduced in MARS 6.0.1.



And Finally Very Important

The 6.0.3 release, distributed in April 2009, was the last software release for the CS-MARS 100, 100e, 200, GC, and GCm appliances. Therefore, you cannot apply the 6.0.4 release to these appliance models.

Good Luck