netForensics 3.1.1 Migration Update Release Notes · 2 netForensics 3.1.1 Migration Update Release...

netForensics 3.1.1 Migration Update Release Notes

Copyright© netForensics, Inc. 2003. All rights reserved. netForensics is a registered trademark of netForensics, Inc. All other trademarks and salemarks used in this document are the property of their respective companies. Customers may make reasonable numbers of copies of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any other person or entity without the express written permission of netForensics, Inc.

Conventions UsedThe following text conventions are used in this document:

• Menu items, button names and commands appear in bold

• Paths in the nF Admin tree appear in bold italic text

• New or important terms and document titles appear in italics• Text that you see on the screen appears in a screen font• Variables appear between brackets in an italic screen font: <variables>

• Command input and file names appear in a bold screen font• Variables requiring user input appear between brackets in a bold italic screen font: <file name>• The Start > Run option represents clicking the Start button on the Windows Taskbar, and then

clicking Run from the pop-up menu

• When typing commands, you must press [Enter] to invoke any command, even if you are not expressly told to do so

ContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 2

Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 2

Update Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 3

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 3

Pre-Migration (3.1 to 3.1.1 Migration Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 4

Pre-Migration (3.1.0.04, 3.1.0.06 to 3.1.1 Migration Only) . . . . . . . . . . . . . . . . . . . . Page 4

Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 5

Post-Migration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 7

Installation of New nF Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

UnInstalling nF Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 12

New Features and Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 12

Issues Fixed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 21

Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 22

Obtaining Technical Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 23

Introduction

IntroductionnetForensics is a Security Information Management (SIM) application that works with a heterogeneous array of security products, allowing network managers to centrally monitor, manage and administer the security of a web enabled enterprise network.

An update to netForensics is available, version 3.1.1, which includes software enhancements and addresses some of the known issues in version 3.0 and 3.1. netForensics can be upgraded to version 3.1.1 by applying a migration update.

These release notes provide information about the new features in netForensics 3.1.1 and instructions for applying the migration update.

Supported PlatformsTable 1 lists the supported operating systems for different netForensics components.

Table 1: Quick Lookup for Supported Operating Systems1

Component Supported Operating SystemnF Agent for Apache WebServer Red Hat Linux, Solaris 8, Windows 2000

nF Agent for Arbor Peakflow Red Hat Linux, Solaris 8, Windows 2000nF Agent for Check Point Red Hat Linux, Solaris 8, Windows 2000

nF Agent for Cisco Security Agent Windows 2000 or Advanced Server (SP3)nF Agent for CSACS Windows 2000nF Agent for CSIDS Red Hat Linux, Solaris 8

nF Agent for CSIDS 4.0 Red Hat Linux, Solaris 8, Windows 2000nF Agent for CyberGuard Red Hat Linux, Solaris 8, Windows 2000

nF Agent for Dragon Red Hat Linux, Solaris 8nF Agent for Entercept Windows 2000

nF Agent for Entercept 4.0 Windows 2000nF Agent for IIS WebServer Red Hat Linux, Solaris 8, Windows 2000

nF Agent for Intruvert Red Hat Linux, Solaris 8nF Agent for iPlanet WebServer Red Hat Linux, Solaris 8, Windows 2000 Server

nF Agent for ISS RealSecure for Site Protector Red Hat Linux, Solaris 8, Windows 2000nF Agent for ISS RealSecure for Workgroup Windows 2000

nF Agent for ManHunt Red Hat Linux, Solaris 8, Windows 2000nF Agent for McAfee Anti-Virus Windows 2000 (SP3)

nF Agent for NetScreen Red Hat Linux, Solaris 8, Windows 2000nF Agent for NFR Red Hat Linux, Solaris 8

nF Agent for Nokia IPSO Red Hat Linux, Solaris 8, Windows 2000nF Agent for Sidewinder Red Hat Linux, Solaris 8, Windows 2000

nF Agent for Snort Red Hat Linux, Solaris 8nF Agent for Symantec Enterprise Firewall/VPN Solaris 8, Windows 2000

nF Agent for Symantec ITA Red Hat Linux, Solaris 8, Windows 2000nF Agent for Tripwire for Servers Red Hat Linux, Solaris 8, Windows 2000

nF Agent for Windows Windows 2000nF Batch Agent Red Hat Linux, Solaris 8

nF Batch Agent for Check Point Red Hat Linux, Solaris 8, Windows 2000

1. Red Hat Linux Advanced Server 2.1 only; Solaris 8 on SPARC only; Windows 2000 Server or AdvancedServer (SP2) only

2 netForensics 3.1.1 Migration Update Release Notes

Update Details

Update DetailsThe details of the nF 3.1.1 migration update available from CCO (Cisco.com) (see Obtaining Technical Assistance on page 23), are described in the following table:

PrerequisitesBefore the nF 3.1.1 migration update can be applied, netForensics 3.1 must be installed and running. The build number for nF 3.1 (found in $NF_HOME/config/system/nf.manifest) is 20030414114951.

The following patch levels represent the supported starting points for the upward migration to 3.1.1:

• 3.1 - (requires a pre-migration procedure. See “Pre-Migration (3.1 to 3.1.1 Migration Only)” on page 4).

• 3.1.0.04 - (requires a pre-migration procedure. See “Pre-Migration (3.1.0.04, 3.1.0.06 to 3.1.1 Migration Only)” on page 4).

• 3.1.0.06 - (requires a pre-migration procedure. See “Pre-Migration (3.1.0.04, 3.1.0.06 to 3.1.1 Migration Only)” on page 4).

nF Engine Red Hat Linux, Solaris 8nF Master Red Hat Linux, Solaris 8

nF Provider/Oracle 9i Database Red Hat Linux, Solaris 8nF Syslog File Agent Red Hat Linux, Solaris 8

nF Syslog File Agent Java Windows 2000nF Universal Agents Red Hat Linux, Solaris 8, Windows 2000nF UNIX File Agent Red Hat Linux, Solaris 8

nF Web Server Red Hat Linux, Solaris 8

Patch Number 3.1.1Release Date 12/23/2003File Name 311.tar.gzSupported Platforms Red Hat Linux Advanced Server 2.1,

Solaris 8

Important If the patch level of the netForensics software installed on your system is not at one of the levels listed above, individual patches must be applied in order to bring the software to one of the starting points supported for migration.

For example, If the patch level of the netForensics software installed on your system is at the 3.1.0.02 level, then the 3.1.0.03 and 3.1.0.04 patches must be applied before migrating to 3.1.1 from the 3.1.0.04 patch level.

For detailed information on applying individual patches, see the netForensics release notes associated with each patch release.

Component Supported Operating System

netForensics 3.1.1 Migration Update Release Notes 3

Pre-Migration (3.1 to 3.1.1 Migration Only)

The migration process requires additional disk space of about 500 MB. Please make sure that enough free disk space is available before proceeding.

Pre-Migration (3.1 to 3.1.1 Migration Only)When migrating from netForensics version 3.1 to 3.1.1 the following procedure is required.

1. Log in to the nF Provider server as nf.

2. Download the point patch file 32045.tar.gz from CCO (Cisco.com), (see Obtaining Technical Assistance on page 23).

3. Copy the point patch file to the following directory on the nF Provider:

$NF_HOME/patches

4. Apply the point patch using the following command:

$ $NF_HOME/bin/installpatch» A log file is created in $NF_HOME/logs/patch

5. Stop and start the nF Provider.

Pre-Migration (3.1.0.04, 3.1.0.06 to 3.1.1 Migration Only)When migrating from netForensics version 3.1.0.06 to 3.1.1 the following procedure is required.

1. Download the script file 34852.tar.gz from CCO (Cisco.com), (see Obtaining Technical Assistance on page 23).


3. Extract the 34852.tar.gz file using the following commands:

$ gunzip 34852.tar.gz$ tar xvf 34852.tar

4. Run the script using the following command:

$ sh 34852.sh

Warning If any patches have been applied to nF 3.1 (e.g., to apply signature updates or provide support for new devices), these patch files must be manually removed from $NF_HOME/patches before copying the migration update. This will ensure that the migration update is applied correctly.

To remove any old patch files, log in to the nF Provider as nf user, go to $NF_HOME/patches, and enter the following command:

$ rm *.tar.gz

Warning If enough disk space is not available, the migration may fail.

Warning The nF Provider and Oracle Database must be running when this point patch is applied.


Migration

Alarm MappingsThe migration update includes changes to the alarm mapping files of some nF Agents. Therefore, any user changes (e.g., alarm upgrading or downgrading) to these files will be lost when the migration update is applied. If you have modified any of the nF Agent alarm mapping files, back the files up before applying the migration update so that the same changes can be made following the patch installation, using the Admin UI.

MigrationFollow the steps below to migrate the netForensics software to 3.1.1:


2. Download the migration update file 311.tar.gz from CCO (Cisco.com), (see Obtaining Technical Assistance on page 23).

3. Copy the migration update file to the following directory on the nF Provider:

$NF_HOME/patches

4. Apply the migration update using the following command:


5. Start at least one component from each remote machine in the case of a distributed installation. Do not start any nF Component including the Provider on the server on which the Provider is running.

6. Go to the following directory:

$ cd $NF_HOME/bin7. Run the migration update using the following command:

$ sh migrate31To311.sh

Warning The nF Provider and Oracle Database must be running when the migration update is applied. All other netForensics components should be stopped individually (i.e., without using nfservices stop) before the migration update is applied.

Important For any nF Agents installed on Windows, start the “Agent” component before the “Data” component to ensure that updates from the nF Provider are properly downloaded.

Warning When starting a remote component following the installation of the migration update, the component will take longer than normal to start since it has to download an update from the nF Provider.

Warning The migration will take time to complete. It can take up to 30 minutes depending on which patch level you are migrating from.


Migration

8. Log out from all sessions to the Provider machine, including the one from which the migration has been started, then log back in.

9. Restart all nF components except the nF Provider, including all remote components.

10. Log out from all sessions on all remote machines, then log back in.

Warning If a nF Component has not been started on any remote server as outlined in Step 5, then the following error will be reported by the migration script (migrate31To311.sh ).

"Patch 31545 has not been applied for <nF Component> on host <hostname> Please restart the above components"

Restart any nF Component on the remote server for which the error is reported and run the migration script one more time.

Important Even if such an error is reported for the Provider box, do not start any nF Component on the server on which Provider is running.

When other nF Components are installed on the Provider Server, some of them may get installed with a different host name (incase the server has multiple hostnames) or in some cases the Provider and other components may have the same hostname but with and without domain names so the fully qualified name is different. In such cases, the above error will be reported for the hostname of the other nF components. This error should be ignored and no nF Component on the Provider Server should be started at this point of time.

Please follow the steps below to edit the migration script

(migrate31To311.sh) before proceeding:

1. Open the migration script (migrate31To311.sh) using any editor.

2. Add -DIGNORE_HOSTS=hostname to the command. The command should read as follows:

$NF_HOME/softwares/jre/bin/java -DIGNORE_HOSTS=hostname -DPATCH_NUMBER=311 -DNF_HOME=$NF_HOME MigrateTo311In case, the error is reported for multiple hostnames, they can be specified as a comma separated list as -DIGNORE_HOSTS=hostname1,hostname2.

3. Run the migration script again. The error should not be reported and the migration script should continue.

Warning When starting a remote component following the installation of the migration update, the component will take longer than normal to start since it has to download an update from the nF Provider.


Post-Migration

Post-Migration

Help UpdateThis point patch updates the online help.


2. Copy the help point patch file (3.1.1_HELP.tar.gz) from $NF_HOME/patches/3.1.1/postinstall to the following directory on the nF Provider:

$NF_HOME/patches

3. Apply the help point patch using the following command:


4. Stop and start the nF WebServer.

JDBC Point PatchThe JDBC point patch upgrades the JDBC Driver.


2. Copy the point patch file (30327.tar.gz) from $NF_HOME/patches/3.1.1/postinstall to the following directory on the nF Provider:

$NF_HOME/patches



4. Stop and start the nF Provider, then restart the nF Engine.

Warning This post-migration procedure is mandatory.

Warning The nF Provider and Oracle Database must be running when the point patch is applied.




Post-Migration

Modifying GroupThe script modifyGroup.sh is designed to modify user permissions for 'nf' and 'oracle' users and is located at $NF_HOME/utils directory on the nF provider machine.

Execute the following command on the nF Provider machine.

sh $NF_HOME/utils/modifyGroup.sh

Signature UpdateThis signature update jar files update all the devices to bring them to the currently supported signature level.

Follow the procedure below to update device signatures.

1. Download the signature update jar files from CCO (Cisco.com) (see Obtaining Technical Assistance on page 23).


3. Copy the signature update jar files to the following directory on the nF Provider:

$NF_HOME/system/signatures

4. Open the Signature Management window. (Admin Options>Alarm Management>Device Alarms>Signature Management).

5. To apply a signature update, select the update (one at a time) from the list of available updates displayed within the Update Window (Updates Tab) and click Save.


Important This script must be run as the 'root' user. In addition, there should be no open sessions of user “nf” and “oracle” when running this script. Close all open sessions prior to running this script.


Important Download the signature update jar files for all the devices listed in the section “Signature Update Releases” on page 21. This consolidates all the earlier signature update releases from SG3.1.0.01 to SG3.1.0.11.

Warning Even if the signature update jar files have been copied, the signature management screen will show only relevant and applicable signature updates based on the agents installed. Apply all the signature updates that are shown!


Post-Migration

6. Stop and start the agents corresponding to the devices for which the signature updates have been applied.

Updating Sender InformationThis script updates the Sender information and Domain information in the action scripts.

1. Execute the following command on all machines where the nF Engine is installed.

sh $NF_HOME/utils/sender_update.sh2. Provide the 'Email User' [i.e.., “nf”], and press Enter.

3. Provide the 'Domain address' [i.e.., “netForensics.com”], and press Enter.

Migration of AgentsIf you have the nF Agent for CheckPoint, Syslog File Agent (not FWSM support), and/or the ISS Agent with Site Protector support installed, the following procedures are required in order to migrate these agents to be functional in 3.1.1.

Migration of nF Agent for Check Point

1. Stop the nF Agent for Checkpoint, if it is currently running.



Important After migration is completed, if any new agent is installed for any of the devices listed in the section “Signature Update Releases” on page 21, then the corresponding Signature Update jar file needs to be applied using the above procedure. This is needed as a post installation step since the signature updates are applied only for existing agents.


Important The sender_update.sh script must be run as the 'nf' user.

Important The following steps are mandatory only in the event that you have the agent installed on your system.

Important Skip this step if you do not have the nF Agent for Checkpoint installed on your system.


Post-Migration

$NF_HOME/patches



» When you run installpatch you will see the following message:

Preparing to install software update. Please wait ...Preparing to apply software update 32250.tar.gzMigrated Checkpoint File Agent on <Server Host Name>Successfully Migrated Checkpoint Agent(s)Please use the Admin UI, Boot Configuration Screen for the Migrated Agent(s) to configure Client SIC Name and Server SIC Name before starting the Agents(s)Successfully applied update 32250.tar.gz

When this patch is successfully applied, from your SIM desktop go to Admin UI Boot Configuration screen and launch screen for 'nF Agent for Checkpoint'. In Data Processor : Data1 tab, go to Protocol Adapter, Adapter Parameters. In the parameters table enter values for Client SIC Name and Server SIC Name and save it.

5. Start the nF Agent for Checkpoint.

Migration of nF Agent for ISS Real Secure for Site Protector

1. Stop the nF Agent for ISS Real Secure Site Protector, if it is currently running.



$NF_HOME/patches


$ $NF_HOME/bin/installpatch



Important Skip this step if you do not have the nF Agent for ISS Real Secure for Site Protector on your system. The following procedure is not required for installations of the nF Agent for ISS Real Secure for Workgroup.



Post-Migration

» A log file is created in $NF_HOME/logs/patch

5. Start the nF Agent for ISS Real Secure Site Protector.

Migration of nF Syslog File AgentThis procedure is needed to migrate the nF Syslog File Agent for it to have support for FWSM in 3.1.1. This is also applicable to the nF Syslog File Agent Java installed on Windows.

1. Stop the nF Syslog File Agent, if it is currently running.



$NF_HOME/patches



5. Start the nF Syslog File Agent.


Important Skip this step if you already have the support for FWSM with all nF Syslog File Agents installed.

Important Skip this step if you are migrating on a Cisco Appliance.




Installation of New nF Components

Installation of New nF ComponentsAfter the migration update has been applied, the existing netForensics 3.1 CDs should not be used. Ensure that the netForensics 3.1.1 release is downloaded from CCO (Cisco.com), (see Obtaining Technical Assistance on page 23), and that these files are used for installing any nF components.

UnInstalling nF ComponentsWhen uninstalling nF components, use the uninstall program located in the $NF_HOME/bin directory.

$ sh nf.uninstall.sh

New Features and EnhancementsThis section provides information about enhancements that are available as a result of migration to 3.1.1. The following features and enhancements have been added since the release of netForensics 3.1:

Permissions ChangenF 3.1.1 runs with permissions of 750, with no permissions for others to make it more secure.

New ReportsThe following new reports have been added to the Device Independent section of the netForensics reporting subsystem:

Most Frequent Events by Device Alarm - this report shows device and nF Alarms/Categories for all severities. This report can be used for a high level view of the organization's security risks and dominant security events.

Device Alarm Summary - this report shows details on a specified event set with device alarms and categories.

Device Event Count - this report gives the event count for selected devices.

The following new report has been added to the Vendor Specific section of the netForensics reporting subsystem under netForensics:

Device Alarm Aggregation Pattern - this report provides information about the pattern of aggregation on a device alarm basis per device. This provides Average Aggregation Factor and Maximum Aggregation Factor, which will help users to understand how data is aggregated in the nF database and help them tune the level of aggregation by changing the Aggregation window (Component Options>Engine>Event Aggregation) in the Admin UI.

Sending Reports via EmailThe ability to send reports via email is now included in the netForensics reporting subsystem. Reports can be emailed (either before or after being generated) by selecting Send Mail from the File menu of the Reports window.

Important After migration is completed, if any new agent is installed for any of the devices listed in the section “Signature Update Releases” on page 21, then the corresponding Signature Update jar file needs to be applied again. Please refer to the section “Modifying Group” on page 8 for the procedure to follow.


New Features and Enhancements

Report SchedulingA new option, Retention Days, is available when creating or modifying scheduled reports (Report Scheduling > Manage Report Schedule) in the Admin UI. Retention Days indicates how long (in days) to keep scheduled reports that have already been generated. By default, Retention Days is left blank, indicating that all generated reports will be kept.

Update ManagementChanges were made to the netForensics update management system in order to make it more user friendly, efficient and reliable. Update Management focuses on laying the foundation to build an automatic update management system for the complex distributed netForensics setup. The update management feature provides the following; improvement of the update download process in order to reduce the update application time, modification of the update system eliminating redundant update downloads and simplification of the update application process in general.

Component Debug OptionsA new option, Retain Log Files, is available under the Debug tab for all components (Component Options > Boot Configuration in the Admin UI). Retain Log Files lets administrators select how many component log files should be retained. The default setting, Retain only n, keeps the n most recent files (5 is the default and minimum value). Retain All disables the setting and keeps all component logs.

User Management EnhancementsThe User Management section of the Admin UI has been redesigned to provide the ability to map a user to one or more application groups. Each application group controls the access rights to all applications that belong to that distinct group. In general, users can belong to one or more groups, and any number of users can be associated with a particular group.

In conjunction with this new design, an Application Groups folder has been added to the User Options > User Management section of the Admin UI, in order to facilitate the management of the application groups.

In the event that a user requires permission for individual applications within any particular group (but not the entire group), applications can be selected using the supplied nF Custom User Group.

The following important characteristics apply to the Application Groups feature:

• Adding, Deleting, and Editing Application Groups is reserved for users with Admin privileges.

• Only user-defined Application Groups will be available for deletion.

• In addition, all Application Groups supplied with netForensics cannot be edited or deleted.

Signature ManagementThe Signature Management feature provides an informative and “user friendly” method of applying signature updates to the netForensics SIM system via the Admin UI. Each signature update release is bound to a distinct device type and contains all the new device alarms and the associated device alarm mappings for that update.

The directory path (located on the nF Provider machine) used as the centralized repository for storing all signature update files is:



$NF_HOME/system/signatures

The naming convention for the Signature Update jar files is as follows:

nFSigupdate_<vendor's name>_<devicetype>_<version>.jarFor example:

nFSigupdate_Cisco_csidsS44_S54.jarThe Signature Management Window provides the following sections designed to help manage signature updates:

• Updates Tab - allows the user to view information about signature updates that have not yet been applied.

• History Tab - allows the user to view information about signature updates that have been applied.

Updates TabThe Updates tab displays all relevant/applicable signature updates that have not been applied along with their associated information:

Once a signature update is selected, detailed information associated with the selected signature update is displayed within the Alarms tab’s display.

By default, the Normal radio button is selected which provides the following field data:

Selecting the Advanced radio button yields an additional three fields to the Alarms Tab display:

Check New UpdatesIn certain scenarios (such as a newly obtained file during an active instance of the Signature Management window), there may be signature update files that are available but are not shown within the updates tab. In this case click the Check New Updates button.

Important All signature update files must reside within this directory in order for them to be made available for selection. Please refer to the netForensics Administration Guide for information on obtaining and copying signature update files to the above directory.

Signature Name Name of the Signature Update.

Release Date The netForensics release date for the signature JAR file.

Device Type The device type being updated by the signature update.

Dev Version The signature version.

Release Date The vendor’s release date for the device signature.

Alarm The Device Alarm ID and Description.

nF Alarm The netForensics Alarm ID and Description

App Severity The severity associated to the alarm by the application.

nF Severity The netForensics-defined level of an alarm.

Action The action taken based on the type of alarm.

Protocol The protocol used by the associated alarm.

Cve Id Common Vulnerabilities and Exposures



Applying Signature UpdatesTo apply a signature update, select the update (one at a time) from the list of available updates displayed within the Update Window (Updates Tab) and click Save.

Readme TabThe Readme tab displays information about the currently selected signature update.

History TabSignature updates that have been previously applied are displayed within the History tab. The fields displayed when selecting a signature update that has been previously applied are exactly the same as the fields displayed when selecting a signature update via the Updates tab. See “Updates Tab” on Page 14 for more information.

Similar to the Updates tab, the Readme tab (accessed via the History tab) displays information about the currently selected signature update.

Device Alarm Based Aggregation and NotificationIn addition to nF Alarms, aggregation and notification can now be performed according to device alarms. Device alarm based aggregation is more accurate and more effective than nF Alarm based aggregation. See the netForensics Administration Guide for more information.

Alarm Upgrade/Degrade Using Admin UIThe changes to alarm mapping files are handled centrally by the Provider and distributed to the respective agents. Any user changes to the alarm mapping files such as alarm upgrade/degrade should be done using the Admin UI only. The Provider will automatically generate the alarm mapping files whenever changes are made using the Admin UI. Whenever any agent is restarted, the latest alarm mapping file is downloaded from the Provider.

To change alarm severity using the Admin UI, access the nF Severity Overide By Device screen (Administration>Admin Options>Alarm Management>Device Alarms>nF Severity Overide By Device). Any specific device type, device alarm and device instance (IP Address) can be chosen for changing the nF Severity. These changes will be effective whenever the corresponding nF Agent is restarted.

Alarm HelpDetails about device alarms can be displayed by clicking Help > Alarm Help from the SIM Desktop toolbar. Information is displayed in tree format, and the following details are shown for each device alarm: nF Category, nF Alarm, and nF Severity. To show only alarms for one or more specific device types, click the Device Type button and check the box next to each desired device, then click Set.

Match Criteria HelpA new Help Screen for showing Match Criteria for nF and Device Alarms is now available. The different match criteria parameters are shown as columns with the appropriate columns selected to show the match criteria for a particular alarm.

Warning Changing the alarm mapping files manually should be avoided since the alarm mapping files are auto-generated whenever changes are made from the Admin UI. Any changes made manually will be lost when the alarm mapping files are auto-generated.



Duplicate Login NotificationIf a user attempts to log in to the SIM Desktop with a user ID that is already logged in, a warning dialog is displayed. The user has the option to cancel the login or continue and terminate the other session.

SIM Desktop ShortcutsSIM Desktop shortcuts (e.g., Event Console, Device Status, etc.) are now launched by double-clicking instead of a single click.

Saving SIM Desktop PreferencesUser preferences can now be saved for the Event Console, External Applications, as well as from the SIM Desktop.

Saving Event Console Preferences

Event Console preferences are saved on a per user basis. The Save Preferences button (located at the upper right portion of the Event Console) saves the following preferences:

• Column settings.

• Filter information at the point in which the save was committed.

• The direction used to feed events to the console. (Feed From the Bottom (default)/Feed from the Top).

• The console view (Console mode, Chart mode (Real-Time Trends), Chart mode (Line Chart)).

External Application Functionality

When an external application (such as Telnet, Ping, etc.) is launched, and user input for host name or IP address is accepted, the command is executed. When the same external application is launched again, it remembers the Host Name or IP Address previously assigned which can be selected using the drop-down list next to the Host Name input box.

In addition, each external application has the ability to retain and display (up to) the ten most recently entered values.

Saving Desktop Session Information

Saving session information from the SIM Desktop enables each application running in each virtual desktop to be relaunched upon the subsequent session. Saving preferences from SIM Desktop affects the following functionality upon reentry to the desktop:

• The Event Console will be brought back with the preferences last saved. If no preferences have been set, then the Event Console will be launched displaying the Filter screen.

• Real-time reports run from the SIM Desktop (Threat Assessment, Event Query, Frequent Events, Risk Assessment, IPActivity Query) will be launched and will show the Report Options screen.

• The main Forensics window will be launched afresh although all reports launched from Forensics will not be loaded into the desktop.

• The Admin UI will be launched afresh, but will not open any windows that were running inside the Admin UI at the time of the save session.

• Device Status, Device Map and the System Health Monitor will be launched afresh.

Warning Preferences will not be saved for each Event Console running on different Virtual Desktops. When running multiple Event Consoles during a session, only the last preferences saved will be carried over into the next session.



• Device List will be brought back with the information it was showed earlier.

To save the preferences set for the current session, select the Session button (located at the right side of the SIM Desktop Taskbar), then click OK to confirm the save operation.

Event Console EnhancementsThe following enhancements have been made to the netForensics Event Console:

New Fields - the following new fields have been added for use in the Event Console: nF Category, Device Alarm, Other IP, Other Port, Status, Action, Direction, Username, Process Name, Process Path, Char1, Char2, Number1, Number2

Only the nF Category and Device Alarm fields appear in the Event Console, by default. Other fields can be added, if desired, from the Customize menu.

Clear Option - the current contents of the Event Console can be cleared by clicking the Clear button.

Insert Location - the location where new events are inserted in the Event Console can be toggled by clicking the yellow arrow button at the top of the Event Console. When the arrow points up, new events are inserted at the top of the console. When the arrow points down, new events are inserted at the bottom of the console.

Source and Destination with Asset and Intruder - if an event has an incoming source or destination IP address that is defined as an Asset or Intruder, that information is displayed in the Event Console.

Category in nF Alarm Filters - alarm categories are now listed (in addition to specific nF Alarms) under nF Alarm when creating event filters.

Multiple Filter SelectionThe Event Console (and Custom Event Console) now supports selecting and applying multiple filters simultaneously. This increases the flexibility and power of the Event Console since the user can create multiple filters with more specific criteria and apply these filters simultaneously.

Individual filters are created in the same manner as before and then saved. Clicking on the newly added button, “Select Filter(s) for Console” displays a list of filters where one or more may be selected in order to apply the combined filter. “Ctrl-Click” and “Shift-Click” can be used to select multiple filters from the list. The Apply button applies all of the selected filters from the Select Filter(s) for Console drop-down menu.

A new column "Filter Name" is added to the Event Console display which shows the combined name of all selected filters. This column can be added whenever needed by customizing the columns to be displayed.

Advanced Event Query Search EnhancementThe event query search enhancement provides the user the ability to enhance the search by allowing multiple search values to input fields when running reports. Multiple input values are utilized via a drop-down list, or by entering comma delineated text when setting up query input parameters for certain real-time and scheduled reports. The following reports provide this functionality:

• Event Query• Threat Assessment• Risk Assessment• Threat Assessment by Source

The following are Drill-Down reports that inherit the multiple values from their parent reports:

• Category by Severity Summary• Asset by Category Summary



• NFAlarm by Severity Summary• NF Alarm Summary• NF Alarm Drilldown• Device Alarm Summary• Device Alarm Drilldown• Source and Destination Summary• Source and destination Drilldown• IP Activity Query• Event Details

Selecting and/or Entering Multiple Input Values

Selecting and entering multiple input values for the above mentioned reports is accomplished in the same manner whether you are:

• using the Query Inputs section of the Report Options>Preferences tab associated with various reports accessed via Forensics on the SIM Desktop (real-time reports).

• using the Inputs tab and section located on the Manage Report Groups window (Report Scheduling>Manage Report Groups) accessed via the Admin UI.

Please refer to the netForensics User Guide and the netForensics Reports Guide for more information on creating reports.

Automatic Trouble Ticket Creation with Remedy AR SystemThis new feature provides the ability to send XML based event data to Remedy for further processing and creation of a related trouble ticket via the netForensics form being provided. In order to facilitate this new functionality a new Notification Type “Remedy” has been added to the Notification Destination.

In addition, the ability to launch the Remedy AR System User client is now available by right-clicking on any event displayed within the Event Console.

Prerequisites

1. Remedy Email Engine must be installed, running and configured with the Remedy Server.

2. The Remedy Email Engine must be installed, running and configured in conjunction with the mail server being used to handle all email accounts set to receive event notification. Please refer to the Remedy Action Request Systems Email Engine Guide for information on installing, configuring, and setting up mail boxes in conjunction with the Remedy Email Engine.

3. The email server being utilized by the Remedy Email Engine, must be the same email server being used by the netForensics Engine.

4. The mail server being used must have an email account established that corresponds with the email address being utilized for Remedy Notification and is supported by the netForensics Engine.

Important The input parameters selected for the parent report affect all associated drill-down reports.

Warning Only one mail server is supported with this current configuration.



Configuration

In order for the Remedy/netForensics integration to be completed successfully, please consult the following netForensics documentation associated with the task to be completed:

• For information on importing the netForensics form definition into the Remedy Client AR System, please refer to the “Remedy Form Configuration” section of the netForensics Configuration and Maintenance Guide.

• For information on adding and configuring the Remedy server via the Admin UI, please refer to the “Remedy Integration” section (Admin Options>External Applications) of the netForensics Administration Guide.

• For information on enabling the Remedy Notification type and setting the Notification Destination, please refer to the “Add a Notification Destination” section (Component Options>Engine>Configure Notification Destinations) of the netForensics Administrator Guide

Whois Server EnhancementsThe following enhancements have been made to the netForensics Whois functionality:

The ability to set the Whois System Server - Upon installation, there are six system servers available for selection. The default server (whois.crsnic.net) may be changed using the Admin UI, although the default system Whois server can be overridden on a per user basis via the SIM desktop.

The ability to Change the Whois server on a per user basis - Each user has the ability to change the Whois server on the fly using the Whois external application tool.

Adding a Custom Whois Server - In addition to the Whois servers available upon installation, the ability to add (and delete) valid Whois servers is accomplished via the Admin UI.

Right Click Access to the Whois External Application - The Whois application can be accessed via the reports by right-clicking on either the source or destination value.

Access to Dragon ConsoleThe Dragon Console can be launched from the nF Desktop either from the Event Console or from one of the Dragon related Forensics Reports by using the right-click mouse function and then selecting “Dragon”. This will launch a browser and show the Dragon Console with information related to the Event.

See the netForensics User Guide for more information on the following procedures:

• Launching the Dragon Console from Forensics

• Launching the Dragon Console from the Event Console

Important In order for netForensics to communicate with the Dragon web server, its IP Address must be declared within the Dragon Server window. See the netForensics Administration guide for Dragon configuration information.



Collaborative AreaThis feature enables events to be tagged, and then added to the Collaborative Area for further investigation. An event may be tagged from either the Event Console, or any real-time reports displaying an Event ID. Once an event is tagged, the default status is set to “Under Investigation” and only that user may operate and change the status of that particular event. Once further exploration of the event is complete, only that user has the permissions to change the status to “Investigation Completed”.

The Collaborative Area can be launched from two locations:

• The SIM Desktop Taskbar - (Apps>netForensics>Collaborative Area)

• The Event Console - Launches the Collaborative Area once an event is tagged (providing the user has permissions to do so).

The Collaborative Area provides filtering (based on User Name and Status) which are accessible via the drop-down lists at the top left of the window. Event records (by default) are displayed 500 rows per page, after which, Previous (<) and Next (>) functions are made available in order to access the additional event records.

The events within the Collaborative Area are sorted based on their TimeStamp, but further sorting may be accomplished by clicking on the nF Event ID Column header or any other column headers. A refresh function is made available in order to provide the latest event data.

Tagging an Event

Tagging an event is accomplished in one of two ways:

• from real-time reports - Select any event with an associated Event ID, then right-click and select Tag Event. Events with Event IDs are represented with an Magnifying Glass icon under the nF Event ID field.

• from the Event Console - Select any event from the Event Console, then right-click and select Tag Event from the menu.

Changing the Status of a Tagged Event

Once an event is done being investigated, the user that has tagged the event has the ability to change the status from “Under Investigation” to “Investigation Completed”.

The default setting for a tagged event within the Collaborative Area is “Under Investigation”. Only the user who tagged the event can change the status to “Investigation Completed”. If an attempt to tag an event that has been previously tagged is made, a pop-up message will be displayed stating ownership of the event.

Automatic updates to the Collaborative Area

Automatic updates to the Collaborative Area screen are supported whenever a new event is tagged and added to the Collaborative Area. This provides a scrolling display similar to the Event Console.

For more information on the Collaborative Area including getting tagged Event details and deleting tagged events, see the netForensics User Guide.


Issues Fixed

Support for Additional Security DevicesSupport for the following security devices has been added since the release of netForensics 3.1:

1. NetScreen

2. Nokia IPSO

3. Support for Firewall Service Module

4. Intruvert

5. Symantec ITA

6. Entercept 4.0

7. Network Flight Recorder

8. Cisco Security Agent

9. Support for Real Secure Site Protector Database

10. Apache Web Server

11. IIS Web Server

12. iPlanet Web Server

13. McAfee Anti-Virus

14. Support for Checkpoint NG

Signature Update ReleasesThe following signature updates have been provided since the release of netForensics 3.1:

1. Cisco Secure IDS (Up to S54 for 3.0, 4.0) - nFSigupdate_Cisco_csidsS44_S54.jar

2. Cisco Secure PIX (Up to 6.3.2) - nFSigupdate_Cisco_pix63_632.jar

3. Cisco VPN (through February 14, 2003) - nFSigupdate_Cisco_vpn.jar

4. Dragon Sensor (through September 24, 2003 for 5.x, 6.x) - nFSigupdate_Enterasys_dragonsensor.jar

5. Entercept Host IDS (through August 8, 2003) - nFSigupdate_Entercept_hids25x_40.jar

6. ISS RealSecure HIDS (XPU 21.1 for Real Secure 6.5 and 7.0) - nFSigupdate_RealSecure_isshids2011_211.jar

7. ISS RealSecure NIDS (XPU 21.1 for Real Secure 6.5 and 7.0) - nFSigupdate_RealSecure_issnids2012_213.jar

8. Manhunt (Signature Pack 2 for Manhunt 2.2) - nFSigupdate_Symantec_manhunt_sigpack2.jar

9. Snort NIDS (through September 16, 2003 for 1.9) - nFSigupdate_Sourcefire_snort.jar

Issues FixedThe following issues have been fixed in the netForensics 3.1.1 release:

1. Database archival fails if no events exist in Related Events. (CSCed33186)

2. Reports fail if '&' is present in Business Unit Name. (CSCed33194)

3. Signature analysis report comes up empty. (CSCed33198)

4. Event console times are out of sync with system/user times. (CSCed33201)


Known Issues

5. Non-managed devices count against number of licenses. (CSCed33204)

6. Admin user should be able to view all reports scheduled by other users. (CSCed33213)

7. The limitations in handling used tablespace over 100GB with 9itsfree are fixed. (CSCed33217)

8. Admin user can not edit other users’ filters. (CSCed33229)

9. If a user is mapped to multiple device groups and if devices are mapped to multiple device groups then the device list (SIM desktop - Tools -> Device List) displays duplicate entries. (CSCed33232)

10. Login error messages through the SIM Desktop were misleading, reporting an authentication failure regardless of the underlying cause. (CSCed33244)

11. It is now possible to launch Dragon Console from Event Console or Forensics.(CSCed33247)

12. The problem with right-click of Ext App in Events Details Report is fixed. (CSCed33252)

13. When preferences are saved in Event Console with the direction as "Feed from Top", the direction is shown correctly when the Event Console is launched, but the Event Console is still showing the data in "Feed from Bottom" only. The workaround will be to click twice on direction to set it correctly to "Feed from Top". (CSCeb86498)

14. The addition of a failover device fails when the maximum number of devices, allowed by your netForensics license, has been reached. The creation of a failover device should not count toward the number of allowed devices, but it is not currently allowed by the software. (CSCeb64603)

15. Support for Context buffer information on IDS Vers 4 is provided. (CSCed33273)

16. Line Charts summarized by hour fails. (CSCed33278)

17. After 3.1.0.06 patch, provider_out log grows with unnecessary information. (CSCed33282)

18. In Event console bar chart view, chart does not show any data. (CSCeb86466)

19. In Collaborative Area, when an event is deleted, the user is not prompted for any confirmation. (CSCeb74950)

20. SIM Desktop shortcuts (e.g., Event Console, Device Status, Admin UI, and Reports) are now launched by double-clicking instead of a single click. (CSCed33341)

21. PIX alarm 106100 is not parsed correctly and is shown as “unknown/suspicious”. (CSCed33346)

22. nF 3.1.1 runs with permissions of 750. (CSCea79244)

23. nF Agent for Checkpoint gives a core dump on Solaris. (CSCea51712)

Known IssuesThis section lists known issues with the netForensics 3.1.1 migration update release.

1. On applying 311 patch, nf.manifest.patch does not get updated, only nf.manifest.system gets updated. nf.manifest.patch does not get updated even while applying patches on top of 3.1.1. (CSCed33936)

2. A point patch (CSCed135000) was released to resolve the issue of Threshold based Archive and Purge to work properly on non-appliance servers. This point patch is NOT included in the 3.1.1 Migration Update. If this point patch was applied prior to 3.1.1 Migration, then Threshold based Archive and Purge will not be functional in 3.1.1 after migration is complete. A new point patch will be released shortly to resolve this problem.


Obtaining Technical Assistance

3. Although the framework for the Update Roll Back feature has been implemented, it is not supported in the 3.1.1 release. It is not possible to rollback an applied update at this time, including the 3.1.1 Release.

The screen “S/W Update/Rollback” found under S/W Update Management in the Admin UI is not completely functional.

Future releases of this feature will provide a means of rolling back sequentially through existing releases while allowing production systems to function as they had before applying the updates. The Update Roll Back feature will restore changes made to all the components installed in the production system. Point patch releases are ineligible for rollback. (CSCed65269)

4. Even though the Rollback feature is not available there is a scenario where the remote server is in a different time zone and is ahead of the Provider server, then the rollback feature becomes momentarily available for a short duration, which is the time difference between the two servers. (CSCed66708)

Workaround: The point patch file 34397.tar.gz needs to be applied in order to resolve this issue. The point patch file 34397.tar.gz can be downloaded from CCO (Cisco.com), (see “Obtaining Technical Assistance” on page 23).

Obtaining Technical AssistanceCisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.comCisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com provides a broad range of features and services to help you with these tasks:

• Streamline business processes and improve productivity

• Resolve technical issues with online support

• Download and test software packages

• Order Cisco learning materials and merchandise

• Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com at this URL:

http://www.cisco.com

Technical Assistance CenterThe Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.

We categorize Cisco TAC inquiries according to urgency:

• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.


http://www.cisco.com

Obtaining Technical Assistance

• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Cisco TAC WebsiteYou can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:

http://www.cisco.com/en/US/support/index.html

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.

Cisco TAC Escalation CenterThe Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.


http://www.cisco.com/tac

http://tools.cisco.com/RPF/register/register.do

http://www.cisco.com/en/US/support/index.html

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

netForensics 3.1.1 Migration Update Release Notes · 2 netForensics 3.1.1 Migration Update Release...

Documents

Transcript of netForensics 3.1.1 Migration Update Release Notes · 2 netForensics 3.1.1 Migration Update Release...