SOURCEFIRE 3D SYSTEM RELEASE NOTES
Version 5.3.0.6
Original Publication: August 3, 2015
Last Updated: August 20, 2015

These release notes are valid for Version 5.3.0.6 of the Sourcefire 3D System. Even if you are familiar with the update process, make sure you thoroughly read and understand these release notes, which describe supported platforms, new and changed features and functionality, known and resolved issues, and product and web browser compatibility.
• Uninstalling the Update
• Resolved Issues
• Known Issues
• Features Introduced in Previous Versions
• For Assistance

New and Updated Features and Functionality

This section of the release notes summarizes the new and updated features and functionality included in Version 5.3.0.6 of the Sourcefire 3D System.
Before You Begin: Important Update and Compatibility Notes

Before you begin the update process for Version 5.3.0.6, you should familiarize yourself with the behavior of the system during and after the update process, as well as with any compatibility issues or required pre- or post-update configuration changes.
Traffic Inspection and Link State

In an inline deployment, your managed devices (depending on model) can affect traffic flow via application control, user control, URL filtering, Security Intelligence, and intrusion prevention, as well as switching, routing, NAT, and VPN. In a passive deployment, you can perform intrusion detection and collect discovery data without affecting network traffic flow.
Version Requirements for Management

APPLIANCE                              MINIMUM VERSION TO BE MANAGED BY A DEFENSE CENTER RUNNING VERSION 5.3.1.5
physical and virtual managed devices   Version 5.3 of the FireSIGHT System
Sourcefire Software for X-Series       Version 5.3 of the FireSIGHT System

Web Browser Compatibility

Version 5.3.0.6 of the web interface for the Sourcefire 3D System has been tested on the browsers listed in the following table.
Updating Your Appliances

To update appliances running at least Version 5.3 of the Sourcefire 3D System to Version 5.3.0.6, see the procedures outlined below. The following sections help you to prepare for and install the Version 5.3.0.6 update:
• Planning the Update
• Updating Managed Devices and Sourcefire Software for X-Series

WARNING! Do not reboot or shut down your appliances during the update until you see the login prompt.
Time and Disk Space Requirements

The following table provides disk space and time guidelines for the Version 5.3.0.6 update. Note that when you use the Defense Center to update a managed device, the Defense Center requires additional disk space on its /Volume partition. Do not restart the update or reboot your appliance at any time during the update process.
When to Perform the Update

Because the update process may affect traffic inspection, traffic flow, and link state, Sourcefire strongly recommends you perform the update in a maintenance window or at a time when the interruption will have the least impact on your deployment.

Installation Method

Use the Defense Center’s web interface to perform the update. Update the Defense Center first, then use it to update the devices it manages.
Updating the Sourcefire Software for X-Series reloads the affected VAPs. If your Sourcefire Software for X-Series is deployed inline and you are using multi-member VAP groups, Sourcefire recommends that you update the VAPs one at a time. This allows the other VAPs in the group to inspect network traffic while the VAP that is being updated reloads. If you are using single-VAP VAP groups in an inline deployment, reloading the VAP causes an interruption in network traffic.
information, see Traffic Flow and Inspection During the Update.

WARNING! Before you update a managed device, use its managing Defense Center to reapply the appropriate access control policy to the managed device. Otherwise, the managed device update may fail.

WARNING! Do not reboot or shut down your appliances during the update until after you see the login prompt.
3. Upload the update to the Defense Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload. The update is uploaded to the Defense Center.
4. Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
5. Click the install icon next to the update you are installing. The Install Update page appears.
6.
Uninstalling the Update

The following sections help you uninstall the Version 5.3.0.
Uninstalling the Update from Stacked Devices

All devices in a stack must run the same version of the Sourcefire 3D System. Uninstalling the update from any of the stacked devices causes the devices in that stack to enter a limited, mixed-version state. To minimize impact on your deployment, Sourcefire recommends that you uninstall an update from stacked devices simultaneously. The stack resumes normal operation when the uninstallation completes on all devices in the stack.
Uninstalling the Update from a Managed Device

The following procedure explains how to use the local web interface to uninstall the Version 5.3.0.6 update from managed devices. You cannot use a Defense Center to uninstall the update from a virtual managed device. Uninstalling the Version 5.3.0.6 update results in a device running Version 5.3.0.5. For information on uninstalling a previous version, refer to the release notes for that version. Uninstalling the Version 5.3.0.
5. Click the install icon next to the uninstaller that matches the update you want to remove, then confirm that you want to uninstall the update and reboot the device. The uninstallation process begins. You can monitor the uninstallation progress in the task queue (System > Monitoring > Task Status).

WARNING! Do not use the web interface to perform any other tasks until the uninstallation has completed and the device reboots.
3. At the CLI prompt, type expert to access the bash shell.
4. At the bash shell prompt, type sudo su -
5. Type the admin password to continue the process with root privileges.
6. At the prompt, enter the following on a single line:
   install_update.pl /var/sf/updates/Sourcefire_3D_Device_Virtual64_VMware_Patch_Uninstaller-5.3.0.6-11.sh
   The uninstallation process begins.

WARNING! If you encounter issues with the uninstallation, do not restart the uninstallation.
Resolved Issues

4. At the prompt, type the following on a single line and press Enter:
   install_update.pl /var/sf/updates/Sourcefire_3D_XOS_Device_Patch_Uninstaller-5.3.0.6-11.sh
   The update is removed and the VAP reloads. If your Sourcefire Software for X-Series is deployed inline, traffic to that VAP is interrupted while the VAP reloads. Note, however, that if there are other VAPs in the VAP group, traffic is load balanced among the other VAPs.
5.
Issues Resolved in Previous Updates

You can track defects resolved in this release using the Cisco Bug Search Tool (https://tools.cisco.com/bugsearch/). A Cisco account is required. To view defects addressed in older versions, refer to the legacy caveat tracking system. Because you can update your appliances from Version 5.3 to Version 5.3.0.6, this update also includes the changes from Version 5.3. Previously resolved issues are listed by version.

Version 5.3.0.
Version 5.3.0.3:
• Security Issue: Addressed a Bash command injection vulnerability (CVE-2014-6271 and CVE-2014-7169) that allowed unauthenticated, remote attackers to execute commands. (144862/CSCze95477, 144941/CSCze95479, 144948/CSCze96159)
• Resolved an issue where, if you edited any of the applied intrusion policies, the system marked all intrusion policies as out-of-date. (134066, 140135/CSCze91908)
• Improved responsiveness of link state propagation.
• Resolved an issue where, if you disabled any access control rules containing either an intrusion policy or a variable set different from any enabled rules and the access control policy’s default action, policy apply failed and the system experienced issues. (143809/CSCze94944)
• Improved diskmanager cleanup during report generation.
• Resolved an issue where, in rare cases, the system displayed incorrect, extremely high packet counts in the dashboard and event views for Series 3 managed devices. (138608/CSCze91081)
• Improved the stability of clustered state sharing on 3D8250 and 3D8350 managed devices.
• Resolved an issue where querying the external database to access packet data from intrusion events on a Defense Center returned incorrect data. (141144/CSCze92564)
• Resolved an issue where creating a saved search that used a VLAN tag object caused the system to save the search with the value 0 in the field where you used the VLAN tag object.
Version 5.3.0.1
• Resolved an issue where, in rare cases, configuring an intrusion policy that contained local intrusion rules in a layer that was shared with another intrusion policy caused intrusion policy exports to fail. (132312)
• Resolved an issue where, in rare cases, Snort stopped processing packets if any of your intrusion rules contained the Sensitive Data (sdf) rule classification.
• Resolved an issue where, if your managed device originated at Version 5.1.1.x and you updated it to Version 5.2.x and then to Version 5.3, the system generated extraneous health alerts for high unmanaged disk usage. (135689)
• Resolved an issue where, if you updated an appliance from Version 5.2.x to Version 5.3 and later created a backup, you could not restore the backup on Defense Centers that were reimaged to Version 5.3.
Version 5.3
• Improved the performance and stability of VPN. (116996, 119698, 123636)
• Resolved an issue where modifying the device configuration on a clustered stack and immediately applying the changes caused the apply to fail and the system to display an error message in the task status queue.
• Security Issue: Resolved an issue where the system granted incorrect access privileges to users with limited user roles. (126016, 127428, 127779)
• Resolved multiple synchronization issues on managed devices in clustered, stacked, and clustered and stacked configurations. (126106, 128724)
• Improved the stability of syslog alert responses when sending connection events to the syslog.
• Resolved an issue where, in some cases, the system restore boot option did not output to the serial port on managed devices even if you selected Physical Serial Port as the remote console access option. (130772)
• Improved the stability of clustered managed devices when failing over after a hardware failure. (130811, 130812, 131031, 133088, 130602)
• Resolved a failover synchronization issue on clustered managed devices.
Known Issues

The following known issues are reported in Version 5.3.0.6:
• In some cases, if you create an access control policy and enable URL filtering without enabling Cloud communications (System > Local > Configuration > Cloud Services), the system does not warn you that URL filtering capabilities are non-functional without Cloud services. (CSCus15243)
• If you cannot connect to the cloud through your HTTP proxy but you can connect via direct connection, contact Support.
• Defense Center local configurations (System > Local > Configuration) are not synchronized between high availability peers. You must edit and apply the changes on all Defense Centers, not just the primary. (130612/CSCze89250, 130652)
• In some cases, large system backups may fail if disk space usage exceeds the disk space threshold before the system begins pruning.
• Scheduling and running simultaneous system backup tasks negatively impacts system performance. As a workaround, stagger your scheduled tasks so only one backup runs at a time. (134575/CSCze89679)
• If you edit a previously configured LDAP connection where user and group access control parameters are enabled, clicking Fetch Groups does not populate the Available Groups box. You must re-enter your password when editing an LDAP connection in order to fetch available groups.
• If you configure a Security Intelligence feed and specify a Feed URL that was created on a computer running a Windows operating system, the system does not display the correct number of submitted IP addresses in the tooltips on the Security Intelligence tab. As a workaround, use dos2unix commands to convert the file from Windows encoding to Unix encoding and click Update Feeds on the Security Intelligence page.
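As an added illustration of the Windows line-ending problem behind this known issue (example code, not Sourcefire or Cisco code): a strict line-by-line feed parser rejects every entry that carries a trailing carriage return, so a feed saved on Windows counts as zero entries until its CRLF endings are converted to LF, which is what dos2unix does. The parser, the sample feed and the assumption that one address or CIDR block per line is a valid entry are all constructed here.

```python
"""Added example: how CRLF line endings in a Security Intelligence feed file
defeat a strict per-line IP parser, and how a dos2unix-style conversion fixes it.
Not Sourcefire/Cisco code; the feed format handling here is an assumption."""
import ipaddress


def count_feed_entries(feed_bytes: bytes) -> int:
    """Count lines that parse as an IPv4/IPv6 address or CIDR block.

    Deliberately strict, as a parser that splits only on '\\n' would be:
    a trailing '\\r' is part of the text ipaddress sees, so the whole line
    is rejected. This is the kind of mismatch that yields a wrong count.
    """
    count = 0
    for raw in feed_bytes.split(b"\n"):
        line = raw.decode("ascii", errors="replace")
        if not line:
            continue  # skip the empty chunk after the final newline
        try:
            ipaddress.ip_network(line, strict=False)
            count += 1
        except ValueError:
            pass  # not a valid entry as written (e.g. '203.0.113.7\r')
    return count


def has_crlf(feed_bytes: bytes) -> bool:
    """True if the file uses Windows (CRLF) line endings anywhere."""
    return b"\r\n" in feed_bytes


def dos2unix(feed_bytes: bytes) -> bytes:
    """Convert CRLF line endings to LF, the same transformation dos2unix performs."""
    return feed_bytes.replace(b"\r\n", b"\n")


# Constructed sample feed of three entries, saved the way a Windows editor would.
WINDOWS_FEED = b"203.0.113.7\r\n198.51.100.0/24\r\n2001:db8::1\r\n"

if __name__ == "__main__":
    print("CRLF present:", has_crlf(WINDOWS_FEED))
    print("entries counted as-is:", count_feed_entries(WINDOWS_FEED))
    print("entries after dos2unix:", count_feed_entries(dos2unix(WINDOWS_FEED)))
```

Run on the constructed feed, the count goes from 0 to 3 after conversion, which is the symptom (wrong submitted-address count) and the workaround (dos2unix, then Update Feeds) from the known issue.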
• If the latest version of the geolocation database (GeoDB) is installed on your Defense Center and you attempt to update the GeoDB with the same version, the system generates an error message. (138348/CSCze90813)
• The Sourcefire 3D System User Guide incorrectly states that, in a high availability deployment: If a secondary device fails, the primary device continues to sense traffic, generate alerts, and send traffic to all secondary devices.
accessible only to trusted users and use a complex, non-dictionary-based password. If you enable LOM and expose this vulnerability, change the complex password every three months. For LOM password requirements, see the Sourcefire 3D System User Guide. (139286/CSCze91556, 140954)
• In rare cases, the Task Status page (System > Monitoring > Task Status) incorrectly reports that a failed system policy apply succeeded.
• Files that are intentionally not stored by the system (such as files seen for the first time, or files outside the size limit) incorrectly appear with a File Storage value of Failed. (141196/CSCze92629, 141505/CSCze92908)
• The system-provided saved search Public Addresses Only incorrectly includes the private 172.x.x.x IP address range.
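An added example (not the product's own search definition) of what a correct "public addresses only" filter must do: exclude all three RFC 1918 ranges, including the full 172.16.0.0/12 block (172.16.0.0 through 172.31.255.255), without over-excluding the rest of 172.0.0.0/8. The filter that forgets 172.16/12 is a constructed illustration of the symptom the known issue describes, and the sample addresses are constructed.

```python
"""Added example for the 'Public Addresses Only' known issue: a correct RFC 1918
exclusion beside a constructed filter that reproduces the symptom (172.16/12
leaking into 'public' results). Not Sourcefire/Cisco code."""
import ipaddress
from typing import Iterable, List

# RFC 1918 private ranges; 172.16.0.0/12 is the one that is easy to get wrong.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def public_only(addrs: Iterable[str]) -> List[str]:
    """Correct filter: keep only addresses outside all RFC 1918 ranges."""
    return [a for a in addrs if not is_rfc1918(a)]


def public_only_missing_172(addrs: Iterable[str]) -> List[str]:
    """Hypothetical buggy filter (constructed to show the symptom, not the
    product's actual logic): it excludes 10/8 and 192.168/16 but omits
    172.16/12, so private 172.16-31.x.x addresses appear as 'public'."""
    nets = (RFC1918[0], RFC1918[2])
    return [a for a in addrs if not any(ipaddress.ip_address(a) in n for n in nets)]


# Constructed sample of event source addresses; 203.0.113.0/24 is a
# documentation range used here to stand in for a routable public address.
SAMPLE = [
    "10.1.2.3",          # private (10/8)
    "172.16.5.5",        # private (172.16/12)
    "172.31.255.254",    # private, last /16 inside 172.16/12
    "172.32.0.1",        # public: just outside 172.16/12
    "192.168.1.10",      # private (192.168/16)
    "203.0.113.7",       # public
]

if __name__ == "__main__":
    print("correct :", public_only(SAMPLE))
    print("leaky   :", public_only_missing_172(SAMPLE))
```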
• In some cases, if your Defense Center and managed devices experience high volumes of traffic, the system generates incorrect CPU health alerts. (143986/CSCze95067)
• In some cases, if you edit the security zone of an interface on the Objects Management page (Objects > Object Management) of a stacked device, the system doesn’t allow you to apply the device configuration changes to the stack.
• In some cases, Lights Out Management (LOM) appears to be disabled on the LOM page (System > Local > Configuration > Console Configuration > Lights Out Management) even if it is not. If you are unsure what the LOM status is, use the ipmitool command in expert shell mode to enable or disable LOM.
• In some cases, the system may log you out of the web interface after the session timeout threshold expires if you open different tabs on the Object Manager page (Objects > Object Management) without saving an object, refreshing, or redirecting the page. (CSCut29803)
• In some cases, if your Defense Center's database experiences system issues, you may be missing your access control policy or your access control policy may be missing rules.
Features Introduced in Previous Versions

• If you register a stack of devices running Version 5.3 to a Defense Center running Version 5.3.1.4 and attempt to update the stack, at least one of the devices in the stack may fail updating. As a workaround, break up the stack and update the devices individually, then recreate the stack.
You can manually submit captured files for dynamic analysis or download them from the FirePOWER appliance through event table views, the network file trajectory feature, and the captured files table view.

Dynamic Analysis, Threat Scores, and Summary Reports
LICENSE: Malware
SUPPORTED DEVICES: Series 3, Virtual, X-Series
SUPPORTED DEFENSE CENTERS: Any except DC500

Version 5.
Spero Engine
LICENSE: Malware
SUPPORTED DEVICES: Series 3, Virtual, X-Series
SUPPORTED DEFENSE CENTERS: Any except DC500

The Spero engine feature provided another cloud-based method for detecting suspicious and potentially new malware in executable files using big data.
This feature introduced Sourcefire-provided Indications of Compromise (IOC) rules that allow you to control whether the system generates IOC events for particular types of compromise and correlates those events with the host involved. At the time of event generation, the system sets an IOC tag on the host affected by that IOC event.
network. Create geolocation objects to save and organize custom groupings of countries.

URL Filtering License Change
LICENSE: Protection + URL Filtering
SUPPORTED DEVICES: Series 3, Virtual, X-Series
SUPPORTED DEFENSE CENTERS: Any except DC500

Sourcefire no longer requires a Control license to enable URL filtering. Only a Protection license is required.
AMP8150, which is shipped with additional storage). Malware storage packs are also supported on stacked or clustered 8000 Series devices (except for the AMP8150). Compatible managed devices detect if a malware storage pack is added and automatically transfer existing file captures to the added drive, freeing space on the main drive.

WARNING! Do not attempt to install third-party hard drives. Installing an unsupported hard drive may damage the device.
• Sourcefire identifies traffic referred by a web server as the web application for referred connections as of Version 5.3. For example, if an advertisement accessed via advertising.com is actually referred by CNN.com, Sourcefire identifies CNN.com as the web application.
• You can no longer configure access control rules containing any of the following port conditions: IP 0, IP-ENCAP 4, IPv6 41, IPv6-ROUTE 43, IPv6-FRAG 44, GRE 47, ESP 50, or IPv6-OPTS 60.
For Assistance

• The system includes file policy UUID metadata for type 502 intrusion events as of Version 5.3.
• The file disposition Neutral is now Unknown. Files with an Unknown disposition indicate that a malware cloud lookup occurred before the cloud assigned a disposition.
• Added several new Snort decoder rules to identify packets containing malformed authentication headers.
The copyright in the Documentation is owned by Cisco and is protected by copyright and other intellectual property laws of the United States and other countries.