SOURCEFIRE 3D SYSTEM RELEASE NOTES
Version 5.3.0.2
Original Publication: April 21, 2014
Last Updated: April 25, 2016

These release notes are valid for Version 5.3.0.2 of the Sourcefire 3D System. Even if you are familiar with the update process, make sure you thoroughly read and understand these release notes, which describe supported platforms, new and changed features and functionality, known and resolved issues, and product and web browser compatibility.
New and Updated Features and Functionality

For more information, see the following sections:
• New and Updated Features and Functionality on page 2
• Updates to Sourcefire Documentation on page 3
• Before You Begin: Important Update and Compatibility Notes on page 3
• Updating Your Appliances on page 6
• Uninstalling the Update on page 16
• Issues Resolved in Version 5.3.0.
Updates to Sourcefire Documentation

In Version 5.3.0.2, the following documents were updated to reflect the addition of new features and changed functionality and to address reported documentation issues:
• Sourcefire 3D System User Guide
• Sourcefire 3D System Online Help

Before You Begin: Important Update and Compatibility Notes

Before you begin the update process for Version 5.3.0.
Traffic Flow and Inspection During the Update

The update process (and any uninstallation of the update) reboots managed devices.
Switching and Routing

Managed devices do not perform switching, routing, NAT, VPN, or related functions during the update. If you configured your devices to perform only switching and routing, network traffic is blocked throughout the update.

Product Compatibility

You must use at least Version 5.3 of the Defense Center to manage devices running Version 5.3.0.2. Defense Centers running Version 5.3.0.
Updating Your Appliances

To update appliances running at least Version 5.3 of the Sourcefire 3D System to Version 5.3.0.2, see the procedures outlined below. The following sections help you to prepare for and install the Version 5.3.0.
You can run Sourcefire Software for X-Series on the X-Series platform running XOS Version 9.7.2 and later and Version 10.0 and later. For more information, see the Sourcefire Software for X-Series Installation and Configuration Guide.

Time and Disk Space Requirements

The following table provides disk space and time guidelines for the Version 5.3.0.2 update.
APPLIANCE                          SPACE ON /   SPACE ON /VOLUME            SPACE ON /VOLUME ON MANAGER   TIME
Sourcefire Software for X-Series   433 MB       1 MB on /mnt/aplocal disk   193 MB                        14 minutes
virtual Defense Centers            1 MB         1723 MB                     n/a                           hardware dependent
virtual managed devices            1 MB         727 MB                      205 MB                        hardware dependent

Configuration and Event Backup Guidelines

Before you begin the update, Sourcefire strongly recommends that you back up current event and configuration data
To ensure continuity of operations, do not update paired Defense Centers at the same time. First, complete the update procedure for the secondary Defense Center, then update the primary Defense Center.

Installing the Update on Clustered Devices

When you install an update on clustered devices, the system performs the update on the devices one at a time.
may also cause a few packets to pass uninspected. For more information, see the Sourcefire 3D System User Guide. There are several additional post-update steps you should take to ensure that your deployment is performing properly.
2. Download the update from the Sourcefire Support Site:
• for Series 2 Defense Centers: Sourcefire_3D_Defense_Center_Patch-5.3.0.2-55.sh
• for Series 3 and virtual Defense Centers: Sourcefire_3D_Defense_Center_S3_Patch-5.3.0.2-55.sh
IMPORTANT! Download the update directly from the Support Site. If you transfer an update file by email, it may become corrupted.
3.
9. After the update finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
10. Log into the Defense Center.
11. Select Help > About and confirm that the software version is listed correctly: Version 5.3.0.2. Also note the versions of the rule update and VDB on the Defense Center; you will need this information later.
12.
the software. You can update multiple devices at once, but only if they use the same update file. For the Version 5.3.0.2 update, all devices reboot; Sourcefire Software for X-Series VAP groups reload. Managed devices do not perform traffic inspection, switching, routing, NAT, VPN, or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow and link state.
• for 3D9900 managed devices: Sourcefire_3D_Device_x900_Patch-5.3.0.2-55.sh
• for virtual managed devices: Sourcefire_3D_Device_Virtual64_VMware_Patch-5.3.0.2-55.sh
• for Sourcefire Software for X-Series: Sourcefire_3D_XOS_Device_Patch-5.3.0.2-55.sh
IMPORTANT! Download the update directly from the Support Site. If you transfer an update file by email, it may become corrupted.
4.
11. Reapply device configurations to all managed devices.
TIP! To reactivate a grayed-out Apply button, edit any interface in the device configuration, then click Save without making changes.
12. Reapply access control policies to all managed devices. Applying an access control policy may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the Sourcefire 3D System User Guide.
• for Series 3 managed devices: Sourcefire_3D_Device_S3_Patch-5.3.0.2-55.sh
• for 3D9900 managed devices: Sourcefire_3D_Device_x900_Patch-5.3.0.2-55.sh
• for virtual managed devices: Sourcefire_3D_Device_Virtual64_VMware_Patch-5.3.0.2-55.sh
IMPORTANT! Download the update directly from the Support Site. If you transfer an update file by email, it may become corrupted.
3. Log into the appliance's shell using an account with Administrator privileges.
Uninstalling the Update

Planning the Uninstallation

Before you uninstall the update, you must thoroughly read and understand the following sections.

Uninstallation Method

You must uninstall updates locally. You cannot use a Defense Center to uninstall the update from a managed device. For all physical appliances and virtual Defense Centers, uninstall the update using the local web interface.
Uninstalling the Update from Devices Deployed Inline

Managed devices do not perform traffic inspection, switching, routing, or related functions while the update is being uninstalled. Depending on how your devices are configured and deployed, the uninstallation process may also affect traffic flow and link state. For more information, see Traffic Flow and Inspection During the Update on page 4.
To uninstall the update:
1. Read and understand Planning the Uninstallation on page 17.
2. On the managing Defense Center, make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
3. On the managed device, view the task queue (System > Monitoring > Task Status) to make sure that there are no tasks in progress.
Uninstalling the Update from a Virtual Managed Device

The following procedure explains how to uninstall the Version 5.3.0.2 update from virtual managed devices. You cannot use a Defense Center to uninstall the update from a managed device. Uninstalling the Version 5.3.0.2 update results in a device running Version 5.3. For information on uninstalling a previous version, refer to the release notes for that version. Uninstalling the Version 5.3.0.2 update reboots the device.
Uninstalling the Version 5.3.0.2 update results in the Sourcefire Software for X-Series running Version 5.3. To uninstall the update:
1. Read and understand Planning the Uninstallation on page 17.
2. Log into a VAP where you want to uninstall the update. For example, to log into the first VAP in the intrusion VAP group:
CBS# unix su
[root@machine admin]# rsh intrusion_1
3.
3. View the task queue (System > Monitoring > Task Status) to make sure that there are no tasks in progress. Tasks that are running when the uninstallation begins are stopped, become failed tasks, and cannot be resumed; you must manually delete them from the task queue after the uninstallation completes. The task queue automatically refreshes every 10 seconds. You must wait until any long-running tasks are complete before you begin the uninstallation.
4. Select System > Updates.
Issues Resolved in Version 5.3.0.2

The following issues are resolved in Version 5.3.0.2:

Version 5.3.0.2
• Security Issue Addressed multiple cross-site scripting (XSS) vulnerabilities.
• Security Issue Addressed multiple cross-site request forgery (CSRF) vulnerabilities.
• Security Issue Addressed multiple injection vulnerabilities, including HTML and command line injections.
• Improved the stability of Snort when a nightly intrusion event performance statistics rotation occurred at the same time as an intrusion policy apply.
• Resolved an issue where, if you created a custom workflow with a large number of pages, the time window in the top right portion of the page obscured the link to the final pages of the workflow. (141335)
• Resolved an issue where, in some cases, FireSIGHT rule recommendations attempted to activate a preprocessor rule that was already active, causing system problems.
• Resolved an issue where the Security Intelligence page of your access control policy did not display more than 100 available security zones. (133418)
• Resolved an issue where configuring a proxy server to authenticate with a user name and Message Digest 5 (MD5) password encryption caused communication issues with the Defense Center.
• Security Issue Eliminated an XSS vulnerability (CVE-2014-2012) in the intrusion rule editor pages that could allow an attacker to access and disclose information, imitate user actions and requests, or execute arbitrary JavaScript. Special thanks to Liad Mizrachi of the Check Point Security Research Team for reporting this issue.
• The system now generates an error message when you attempt to install an intrusion rule update while the system is already running an update of the Sourcefire 3D System. (124290)
• Resolved an issue where, in rare cases, the Defense Center did not back up events onto remote storage. (124350)
• Resolved an issue where, in some cases, the system displayed an erroneous Please wait, loading... message.
• Resolved an issue where, if you disabled user detection in LDAP traffic using your network discovery policy, the Defense Center stopped logging User Agent login data. (128741)
• Resolved an issue where, in some cases, you could not perform on-demand user data retrieval and download if you scheduled automatic LDAP user data retrieval. (128962)
• Security Issue Resolved multiple XSS vulnerabilities in the object manager and rule editor.
• Resolved an issue where the system misplaced the home directory files for user accounts after updating to a major version of the Sourcefire 3D System. (132503)
• Resolved an issue where disabling the Quoted-Printable Decoding Depth advanced option in your intrusion policy did not prevent the system from generating events on intrusion rule 124:11.
Known Issues

Version 5.3.0.2
• You can only import an HTTPS certificate once. Modifying or re-importing a server certificate fails. (140283)
• Although you cannot enable bypass mode for clustered devices, the option still appears in the web interface. (140604)
• If you create a report in bar graph report form that shows data organized by day, only a maximum of 10 days can appear in the graph. As a workaround, create multiple reports in 10-day increments.
• On 3D9900 devices, passive interfaces not in security zones do not generate intrusion or connection events. As a workaround, create and specify a security zone for all passive interfaces on this device model. (141663)
• In rare cases, when your system triggers an alert on the first data packet of a TCP session from a server, the alert may not specify the egress interface.
• In rare cases, the system may not generate events for intrusion rules 141:7 or 142:7. (132973)
• In some cases, remote backups of managed devices include extraneous unified files, generating large backup files on your Defense Center. (133040)
• You must edit the maximum transmission unit (MTU) on a Defense Center or managed device using the appliance's CLI or shell. You cannot edit the MTU on a Defense Center or managed device via the user interface.
• The system requires additional time to reboot appliances running Version 5.3 or later due to a database check. If errors are found during the database check, the reboot requires additional time to repair the database. (135564, 136439)
• In some cases, the system may generate a false positive for the SSH preprocessor rule 128:1.
• In some cases, if you enabled Simple Network Management Protocol (SNMP) polling in your system policy, modifying the high availability (HA) link interface configuration on one of your clustered managed devices causes the system to generate inaccurate SNMP polling requests. (137546)
• In some cases, configuring your access control policy to log blacklisted connections to the syslog or SNMP trap server causes system issues.
• If you disable Drop When Inline in your intrusion policy, inline normalization stops modifying packets seen in traffic and the system does not indicate what traffic would be modified. In some cases, other devices or applications on your network may not function in the same way after you re-enable Drop When Inline.
Features Introduced in Previous Versions

5.3

The following features and functionality were introduced in Version 5.3:

File Capture and Storage
LICENSE: Malware
SUPPORTED DEVICES: Series 3, Virtual, X-Series
SUPPORTED DEFENSE CENTERS: Any except DC500
The file capture feature provides the ability to automatically carve files of interest out of network traffic based on the file type or the file disposition.
Custom Detection
LICENSE: Malware
SUPPORTED DEVICES: Series 3, Virtual, X-Series
SUPPORTED DEFENSE CENTERS: Any except DC500
Custom file detection can be used to identify and block any files moving around your network, even if Sourcefire has not identified the file as malicious. You do not need a cloud connection to perform these lookups, so custom file detection is ideal for use with any type of private intelligence data you have.
AMP Cloud Connectivity
LICENSE: Malware, URL Filtering
SUPPORTED DEFENSE CENTERS: Any except DC500
Prior to Version 5.3, to connect to the Sourcefire cloud you had to use TCP Port 32137 and a direct connection from the Defense Center to the cloud. Version 5.3 introduced proxy support for connecting to the Sourcefire cloud to do malware detection and dynamic analysis.
Simplified Intrusion Policy Variable Management
LICENSE: Protection
SUPPORTED DEVICES: Any
SUPPORTED DEFENSE CENTERS: Any
The addition of variable sets streamlines and centralizes variable management in the object manager. You create custom variable sets and customize the default variable set to suit your network environment.
devices. They also provide increased power for faster connection speeds: 15Gbps on the 3D8350, 30Gbps on the 3D8360, 45Gbps on the 3D8370, and 60Gbps on the 3D8390.

Dedicated AMP Appliances
SUPPORTED DEVICES: AMP7150 and AMP8150
Version 5.3 also introduced two new Series 3 FirePOWER managed devices designed with additional processing power to maximize the performance of Sourcefire's AMP features.
Virtual Appliance Initial Setup Improvements
LICENSE: Any
SUPPORTED DEVICES: Virtual, X-Series
SUPPORTED DEFENSE CENTERS: Virtual
As of Version 5.3, you can perform the initial setup on virtual devices without leaving the vCloud workflow by using the vSphere Hypervisor or the vCloud Director.
• As of Version 5.3 you can identify unique Initiator and Responder IP addresses when creating IPv6 fast-path rules on Series 3 managed devices. Before Version 5.3, the fields were fixed and set to Any.
• For fresh installations of Version 5.3 on Series 3 managed devices, the Automatic Application Bypass (AAB) feature is enabled by default. If you update from a previous version of the Sourcefire 3D System, your AAB settings are not affected.
For Assistance

If you have any questions or require assistance with the Sourcefire Defense Center or managed devices, please contact Sourcefire Support:
• Visit the Sourcefire Support Site at https://support.sourcefire.com/.
• Email Sourcefire Support at support@sourcefire.com.
• Call Sourcefire Support at 410.423.1901 or 1.800.917.4134.
If you have any questions or require assistance with the X-Series platform, please visit the Blue Coat Support Site at: https://www.bluecoat.
WEBSITE, THE DOCUMENTATION AND/OR ANY PRODUCT INFORMATION. CISCO-CONTROLLED WEBSITES, THE DOCUMENTATION AND ALL PRODUCT INFORMATION ARE PROVIDED "AS IS" AND CISCO DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO WARRANTIES OF TITLE AND THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.