
STEALTHWATCH® SYSTEM VERSION 6.10.3 RELEASE NOTES

This document provides the following information:

• What's New
• What's Been Fixed summarizes fixes made for issues reported by customers:
  ◦ Version 6.10.3
  ◦ Version 6.10.2
  ◦ Version 6.10.1
• Known Issues in this release.

For all features included in Stealthwatch v6.10, refer to the release notes for each previous version: v6.10.1 and v6.10.2.

For a list of alarm types and their IDs, access the Alarm IDs file. You can also access this document via the Alarm List topic in the SMC Client Interface online help.

For additional information about the Stealthwatch System, go to the Customer Community.

Important:

• For enhanced security, before you add a Flow Collector or Flow Sensor in the System Setup Tool, you must have first created a management channel between the Flow Collector and/or Flow Sensor and the Stealthwatch Management Console (SMC). If you have not done this, you will receive an error message when you try to add either appliance in the System Setup Tool. The specific instructions are on page 43 in the Stealthwatch Management Console VE and Flow Collector VE Installation and Configuration Guide or page 15 in the Hardware Configuration Guide.

• If your Stealthwatch System is v6.9.0 or v6.9.1, install the latest/any required rollup patch files on Stealthwatch's Download and License Center, https://lancope.flexnetoperations.com before upgrading. If your Stealthwatch System is v6.9.2 or later, the rollup patch is not required to upgrade to v6.10.

• Due to an error with the system upgrade file, upmanrepo.swu, you will have to use the individual appliance swu files to update your system. See Known Issues for more information.

RELEASE NOTES | Stealthwatch System v6.10.3

© 2019 Cisco Systems, Inc. All Rights Reserved. 1

• If FIPS mode was enabled in an earlier version of software (prior to v6.10), disable FIPS mode before you update the software to v6.10.

• The following non-admin access modifications have been made:

  ◦ For any versions prior to v6.10, a non-admin user without an assigned function role can access the SMC Web App but cannot access the SMC client interface. Once an admin user assigns a non-admin user a function role, that user will also be able to access the SMC client interface.

  ◦ Beginning with v6.10, a non-admin user cannot access the SMC client interface or the SMC Web App until assigned a function role.

• For increased security, we recommend updating the IDentity 1000/1100 appliance to v3.3.0.x to take advantage of the new openSSL version with TLS 1.2.

WARNING!

It is important to enable an alternative method to access your Stealthwatch appliances for any future service needs, using one of the following:

Hardware*

• Console (serial connection to console port): Refer to the latest Stealthwatch Hardware Installation Guide to connect to the appliance using a laptop or a keyboard and monitor. https://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.html

• iDRAC Enterprise (Dell appliances): Refer to the latest documentation for your platform at www.dell.com. iDRAC Enterprise requires a license, and iDRAC Express does not allow console access. If you do not have iDRAC Enterprise, direct console or SSH can be used.

• CIMC (UCS appliances): Refer to the latest Cisco UCS guide for your platform at https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/cli/config/guide/b_Cisco_CIMC_CLI_Configuration_Guide/Cisco_CIMC_CLI_Configuration_Guide_chapter1.html

Virtual Machines*

• Console (serial connection to console port): Refer to the latest KVM or VMware documentation for your appliance installation.

  ◦ For example, for KVM, see the Virtual Manager documentation at https://virt-manager.org/

  ◦ For VMware, see the vCenter Server Appliance Management Interface documentation for vSphere at https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.vcsa.doc/GUID-223C2821-BD98-4C7A-936B-7DBE96291BA4.html

*If you cannot log in to the appliance using these methods, you can enable SSH on the appliance network interface temporarily.

WARNING! When SSH is enabled, the system’s risk of compromise increases. It is important to enable SSH only when you need it. When you are finished using SSH, disable it.

1. Log in to the Appliance Admin interface. SMC: Log in to the SMC. Click the Settings icon > Administer Appliance.

2. Click Configuration > Services.

3. Check the Enable SSH check box to enable SSH. To allow the root user SSH access, check the Enable Root SSH Access check box.

4. Click Apply.

Notes:

• This document uses the term "appliance" for any Stealthwatch product, including virtual editions (VEs) such as the Flow Collector VE.
• Stealthwatch does not support installing 3rd party applications on appliances.
• Stealthwatch requires Java Version 8 Update 161 (v1.8.0_161) or later.
• Stealthwatch requires TLS v1.1 or later.
• Stealthwatch supports the latest version of Chrome, Firefox, and Edge, and Internet Explorer v11.
• Where once the setting "disabled" for a security event disabled the event, now disabling will disable the alarm.
• To view the supported hardware platforms for each system version, refer to the Hardware and Version Support Matrix on the Customer Community.


What's New

These are the new features and improvements for the Stealthwatch System v6.10.3 release:

• Cognitive Analytics Enhancements

Cognitive Analytics Enhancements

Note: To see the full list of enhancements for the Cognitive engine, refer to the Cognitive Analytics Release Notes.

Superforest

CTA can now leverage detections from the analysis of WebFlow telemetry to improve the efficacy of analyzing NetFlow telemetry from Stealthwatch. This is accomplished by the system through correlation of both telemetry types. According to measurements by Cisco, the number of both confirmed and detected threats should increase by approximately 10%.

Service Modeling

Service modeling is now available for internal servers (on-demand for Stealthwatch customers). The internal servers are specified using the host group definitions. By configuring an internal host group to send Stealthwatch flow records, the user adds additional data to be sent to the Cognitive cloud for analysis. Service Modeling focuses on company internal servers (e.g. mail servers, file servers, web servers, authentication servers etc). Analyzing additional traffic from the end users to those servers can improve the visibility of the exposure of data that may have been misused by malware running on the affected end user devices. Please do not check all the host groups for sending the data. Only check those host groups that represent internal servers.

Stealthwatch Botnet Classifier

CTA can now detect botnets on Stealthwatch flows characterized by a uniform anomalous/unknown communication to many external nodes. In combination with other features, the SVM (Support Vector Machine) classifier is trained specifically to provide high generalization.

Migration to Amazon Web Services (AWS) Cloud

Cognitive Analytics will migrate to the AWS Cloud in August 2018. Due to this, the Cognitive URLs and IP addresses will change. For more information, refer to the Field Notice.


What's Been Fixed

This section summarizes fixes made in this release for issues (bugs/defects) reported by customers in previous releases. The Stealthwatch Defect (SWD or LSQ) number is provided for reference.

Version 6.10.3

Defect Description LSQ

SWD-8115 Multiple instances of the process "acpi_pad" were causing the system to become non-responsive.

We blacklisted the "acpi_pad" process to fix this issue.

LSQ-2836

SWD-8142 The Database backup is generating errors at the final stage of the process.

Improvements have been added to repeat the Vertica backup process in case of resync errors.

LSQ-2838

SWD-9128 Temporary files for flow stats were deleted when disk space was less than 75%.

This code was removed in order to let the code that checks disk usage handle any necessary file removals.

LSQ-3123

SWD-9702 Modified the Flow Collector engine to handle ICMP type and code sent in the NetFlow source port field instead of destination port.

LSQ-3175

SWD-9763 The SMC failed to request user information from Active Directory.

Updated the SMC to take the user information when the format is "domain\username" or "domain username".

LSQ-3262

SWD-9822 Fixed an issue where the database backup failed.

LSQ-3447

SWD-9913 Updated the Cognitive Analytics integration to work with trial licenses.

LSQ-3675

SWD-9934 Queries for security events failed with a Vertica error.

Updated the code to finish installing Vertica default packages.

LSQ-3578

SWD-10129 Associated flows information was incorrect.

Updated SETI and the SMC Web App interface online help to have the correct associated flows information.

LSQ-3415

SWD-10155 Incorrect error message for quarantine and unquarantine failure on the SMC.

Updated the error message.

LSQ-3319


SWD-10202 Flow information was not showing up when using a Cisco 3504 Wireless LAN Controller.

Previously, the engine automatically assigned Interface #1 to flows missing Input and Output SNMP Interface IDs. Because of potential conflicts with an actual Interface #1, we decided to use INT_MAX for this assignment.

LSQ-3432

SWD-10239 DBNodeRetentionManager was not waiting long enough between partition drops which caused all partitions to be dropped.

A back-off algorithm was implemented in the retention code to allow enough time for the disk space to be freed between partition drops.

LSQ-3444

SWD-10284 The Flow Collector 5000 engine had a SIGSEGV error in various functions.

Added more data input validation on Information Elements so the engine emits decode errors instead of crashing.

LSQ-3454

SWD-10391 Added a script to set the ethX rx buffers to the maximum allowed value (typically 4096) on physical UDP Directors to improve performance.

LSQ-3463

SWD-10403 Updated the code to handle a "NullPointerException" error when receiving ISE-PIC sessions without username information.

LSQ-3472

SWD-10423 The Admin Interface UI hangs after clicking "Test" on the Remote File System page.

Added better error handling for the Admin UI.

LSQ-3483

SWD-10436 The Flow Collector diagnostic pack stored too many log files.

Updated the diagnostic pack to only contain the vertica.log.

NA

SWD-10444

SWD-10519

Updated the database queries to use AVG function to avoid the sum overflow problems.

LSQ-3487

SWD-10546 Added a check to make sure the Flow Collector engine is up before the SMC sends configuration changes.

LSQ-3466

SWD-10561 The engine had a SIGSEGV error in update_app_definitions.

Ensured that all resource memory pool deletions are followed by setting the variable using the memory to NULL.

LSQ-3529


SWD-10570 The Flow Collector engine had an overflow when calculating BPS values.

Bytes and packets value handling was modified to perform data validation and ensure the average packet size is 65535 bytes or less.

LSQ-3424

LSQ-3433

LSQ-3397

SWD-10593 The unlicensed feature message was being displayed for the Flow Sensor.

Changed the default setting for the message to show the appropriate status.

LSQ-3486

SWD-10647 Top Peers flipped the client and server when selecting "Flows".

Modified the code to now swap hosts when creating a flow filter from Top Peers.

LSQ-3554

SWD-10658 Removed "Inbound" from the legend for two charts on the Interface Traffic Dashboard.

LSQ-3335

SWD-10779 User authentication failed due to login file descriptors not being closed.

Updated the code to close the file descriptors after a user logs out.

LSQ-3579

SWD-10806 Updated the SMC UI to not show the FPS exceeded warning on properly licensed appliances.

LSQ-3537

SWD-10893 The engine crashed with the error "Thread interrupted" while processing flows.

Updated the engine to handle situations where the flow classification threads get backed up temporarily.

LSQ-3600

SWD-10971 Filtering the Flow Table by payload and username fails with 500 internal server error.

Fixed the Flow Table filter xml sequence issue.

LSQ-3630

SWD-10982 Resync from SMC caused the Flow Collector engine to stop.

Fixed the code to restart the engine properly.

LSQ-3624

SWD-10995 Updated the Flow Collector to correct permissions on configuration files when needed.

LSQ-3624

SWD-11013 Deleting a domain on a primary SMC did not remove it from a secondary SMC in a failover pair.

The entire configured call list of the selected domain is sent to the secondary SMC on deletion.

LSQ-3479


SWD-11084 The Flow Search wasn't loading the Host Group Selector panel and the Exporter and Interface panel.

Updated the UI components to handle larger amounts of host groups and exporters.

LSQ-3637

SWD-11123 DBNodeRetentionManager was not dropping the large partitions causing new flow data to not be inserted.

Modified retention code to drop any invalid partitions (those with dates before 1980) at each retention check. Any drops of these partitions will be logged with a warning "Dropped invalid partition for <table name>". The code also drops up to 5 partitions each retention period when over the disk usage threshold. Disk space is checked after each drop and when usage drops back below threshold, no more partitions are dropped for that period.

LSQ-3623

SWD-11124 Vertica was inserting data when the database disk space was full, causing the system to crash.

Modified the Flow Collector 5000 engine code to query Vertica for disk usage over the database channel. This allows the engine to stop database inserts when disk usage reaches the critical level on the database node even if the communication channel is down.

LSQ-3623

SWD-11138 Cleaned up the svc-ise-client.log to help with troubleshooting issues.

LSQ-3639

SWD-11197 The Flow Collector 5200 engine was running out of memory.

The fix is to limit the number of processing threads based on the available memory. The calculated process_instance_count will be limited to 13 on a Flow Collector 5200 series appliance. This value can still be manually set in lc_thresholds.txt.

LSQ-3600

SWD-11198 Multiple errors causing the Flow Collector engine to crash.

Fixed an out of bounds array reference that could corrupt memory and lead to a crash.

LSQ-3600

SWD-11210 Updated SETI version.

NA

SWD-11275 Improved performance by updating the code to select the newest Vertica partition to search for the last flow identifier used instead of searching all Vertica partitions.

LSQ-3656

LSQ-3670

SWD-11310 Updated the fileshare password field to accept the special character |.

LSQ-3665

SWD-11311 Updated the User Details field for Subject and Peer on the Flow Search page to allow usernames with special characters and wildcard characters.

LSQ-3667


SWD-11379 Added support for the underscore character in ST_Value pattern of /lancope/admin/lib/system.xsd.

LSQ-3678

SWD-11480 Removed the code to swap Security Group Tag IDs when client and server were swapped in the engine.

LSQ-3650

SWD-11552 Removed "Inbound" from the Host Group Traffic Chart legend.

LSQ-3704

SWD-11650 The Flow Sensor was missing flowsensor.xml after install.

Updated the start_fs process so that it will write out a default flowsensor.xml when the service is started.

LSQ-3725

LSQ-3729

SWD-11671 Updated the high total traffic associated flow table to include the sum of client and server bytes whether the traffic is from the client or server.

LSQ-3632
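The retention behaviour described above for SWD-10239 (a back-off between partition drops so freed space can be observed) and SWD-11123 (drop invalid pre-1980 partitions with a warning, drop at most 5 partitions per retention period, re-check disk usage after each drop) can be modelled in a few dozen lines. The following Python is an added illustration, not Stealthwatch or Vertica code: the Partition and FakeDiskNode types, the 1000-unit disk at 95%, the 90% threshold and the 1s/2s/4s back-off schedule are all assumptions constructed for the example; the real DBNodeRetentionManager's internals and thresholds are not given on this page.

```python
"""Retention-period partition dropping, modelled on the fixes described for
SWD-10239 (back-off between drops) and SWD-11123 (invalid-partition drops,
max 5 drops per period, usage re-checked after each drop).

Added illustration only; types, sizes, threshold and delays are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List, Tuple

MAX_DROPS_PER_PERIOD = 5           # stated in the SWD-11123 description
INVALID_BEFORE = date(1980, 1, 1)  # "dates before 1980" are invalid partitions
WARN_TEMPLATE = "Dropped invalid partition for {table}"


@dataclass
class Partition:
    table: str
    day: date
    size_bytes: int


@dataclass
class FakeDiskNode:
    """Stand-in for a database node (assumed model). Dropping a partition only
    schedules its space for reclamation; usage does not change until settle()
    runs. That lag is what the back-off in SWD-10239 exists to absorb."""
    capacity: int
    used: int
    pending_free: int = 0

    def usage_pct(self) -> float:
        return 100.0 * self.used / self.capacity

    def drop(self, p: Partition) -> None:
        self.pending_free += p.size_bytes

    def settle(self) -> None:
        self.used -= self.pending_free
        self.pending_free = 0


@dataclass
class RetentionResult:
    dropped: List[Partition] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    waits: List[float] = field(default_factory=list)


def _drop_invalid(partitions: List[Partition], node: FakeDiskNode,
                  result: RetentionResult) -> List[Partition]:
    """SWD-11123: every check drops pre-1980 partitions and logs one warning
    per drop; the valid partitions are returned oldest-first."""
    remaining: List[Partition] = []
    for p in partitions:
        if p.day < INVALID_BEFORE:
            node.drop(p)
            result.dropped.append(p)
            result.warnings.append(WARN_TEMPLATE.format(table=p.table))
        else:
            remaining.append(p)
    remaining.sort(key=lambda p: p.day)
    return remaining


def retention_check(partitions: List[Partition], node: FakeDiskNode,
                    threshold_pct: float, wait: Callable[[float], None],
                    base_delay: float = 1.0, max_delay: float = 8.0
                    ) -> Tuple[RetentionResult, List[Partition]]:
    """Fixed behaviour. `wait` would be time.sleep in a real service; it is
    injected here so the example can settle the fake node instead of sleeping."""
    result = RetentionResult()
    remaining = _drop_invalid(partitions, node, result)
    delay, drops = base_delay, 0
    while (drops < MAX_DROPS_PER_PERIOD and remaining
           and node.usage_pct() > threshold_pct):
        victim = remaining.pop(0)            # oldest valid partition
        node.drop(victim)
        result.dropped.append(victim)
        drops += 1
        wait(delay)                          # back-off before re-reading usage
        result.waits.append(delay)
        delay = min(delay * 2, max_delay)    # exponential schedule (assumed)
    return result, remaining


def naive_retention_check(partitions: List[Partition], node: FakeDiskNode,
                          threshold_pct: float
                          ) -> Tuple[RetentionResult, List[Partition]]:
    """Pre-fix behaviour: no back-off, so usage_pct() keeps returning the same
    stale over-threshold value and the loop drops until it hits the cap."""
    result = RetentionResult()
    remaining = _drop_invalid(partitions, node, result)
    drops = 0
    while (drops < MAX_DROPS_PER_PERIOD and remaining
           and node.usage_pct() > threshold_pct):
        victim = remaining.pop(0)
        node.drop(victim)
        result.dropped.append(victim)
        drops += 1
    node.settle()   # space is reclaimed only now, too late to inform the loop
    return result, remaining


def build_scenario() -> Tuple[List[Partition], FakeDiskNode]:
    """Constructed sample data: a 1000-unit disk at 95%, one invalid partition
    of 10 units and six daily flow_stats partitions of 30 units each."""
    parts = [Partition("flow_stats", date(1970, 1, 1), 10)]
    parts += [Partition("flow_stats", date(2018, 6, d), 30) for d in range(1, 7)]
    return parts, FakeDiskNode(capacity=1000, used=950)


def compare() -> dict:
    """Run both variants on identical scenarios with a 90% threshold."""
    parts, node = build_scenario()
    fixed, left = retention_check(parts, node, 90.0, wait=lambda _d: node.settle())
    parts2, node2 = build_scenario()
    naive, left2 = naive_retention_check(parts2, node2, 90.0)
    return {
        "fixed_drops": len(fixed.dropped), "fixed_usage": node.usage_pct(),
        "fixed_remaining": len(left), "fixed_waits": fixed.waits,
        "naive_drops": len(naive.dropped), "naive_usage": node2.usage_pct(),
        "naive_remaining": len(left2), "warnings": fixed.warnings,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running the two variants side by side is the point: with the node's reclamation lag, the pre-fix loop keeps reading the same stale 95% and drops five valid partitions (plus the invalid one) before the cap stops it, leaving the disk at 79%; the fixed loop backs off, re-reads usage after each drop and stops after two, ending at 88%. In production the injected `wait` would be `time.sleep`, and what happens during that wait (the database reclaiming space) is the only thing the fake node simulates.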

Version 6.10.2

Defect Description LSQ

SWD-8225 Updated SETI version.

NA

SWD-9122 The SMC was not getting ISE sessions.

Removed the Kafka service.

NA

SWD-9559 The Flow Collector engine had a SIGSEGV error at search_threat_host.

Reworked threat feed code to minimize the locking time of the processing threads.

LSQ-3208

SWD-9873 The alarm count was mismatched from the Alarming Hosts component on the Security Insight Dashboard and the alarms on the host list view.

Updated the help text pop-up to explain that the number in the Alarming Host component displays the number of hosts receiving alarms since the last reset hour. Clicking on the alarm number will navigate to a host list view with an alarm category filter applied. These two numbers can be different.

LSQ-3330

SWD-9875 The Flow Sensor 3000 system memory was running low.

The packet buffer size for the flowsensor process was decreased to free up approximately 1G on 16G platforms.

LSQ-3344

SWD-9902 SMC triggered "Cisco ISE Management Channel Down" false alarm.

Updated the alarm to use the svc-ise-client microservice to ascertain status of configured ISE clusters.

LSQ-3319


SWD-9983 The database storage "Worst Case" value for "capacity in days" and "remaining days" was incorrect.

Fixed the code so that the values are no longer negative.

LSQ-3367

SWD-9996 The “Not Matched” field in the output.log did not increment when the source/destination IP address mismatched the forwarding rules configuration on the UDP Director.

A fix has been provided to increase the “Not Matched” count.

LSQ-3370

SWD-10101 The SMC and Flow Collector did not have enough memory allocated for Tomcat.

Separated the JVM settings for each appliance so that Tomcat memory allocation varies depending on the appliance.

LSQ-3305

LSQ-3453

SWD-10147 Improved packet query logging.

LSQ-3418

SWD-10204 The Update Progress window showed a negative number.

Changed the logic that's used for determining the total expected file size so that it can support values greater than 2GB.

LSQ-3424

SWD-10329 Updated Security Group Tags (SGT) information in the SMC Web App interface online help.

LSQ-3461

SWD-10387 Increased the default buffer length for the UDP Director to reduce "Last Dropped" counts.

LSQ-3463

Version 6.10.1

Defect Description LSQ

LVA-221 Vim did not properly validate values for tree length when handling a spell file, which may have resulted in an integer overflow at a memory allocation site and a resultant buffer overflow.

NA

STE-84 Port number for the server and protocol information have been added to the Email Response.

NA

STE-97 Updated Support Contact information within Stealthwatch.

NA

SWD-7143 The lc_profiles process on the Flow Collector was very slow.

Revamped the host group lookup functionality to fix a bottleneck.

LSQ-2713


SWD-7540

SWD-7688

The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway.

LSQ-2652

SWD-7549 The flow traffic on the Flow Sensor 4010 showed no utilization with non-zero inbound traffic.

We fixed the SMC detection of the Flow Sensor fiber port interface speeds used in utilization calculations.

LSQ-2649

SWD-7599 There was a database backup return error on system configuration.

Updated the backup routines to handle file copies to CIFS destinations differently.

LSQ-2621

LSQ-2572

LSQ-2674

SWD-7615 The Hardware Configuration Guide had an error in the Configure Primary UDP Director section.

The guide was updated with the correct information.

LSQ-2679

SWD-7621 The Top Conversations Report was not returning all results when a host filter was used.

The fix was to correct the miscalculation while computing the transaction report values in the Top Conversations Report.

LSQ-2593

SWD-7643 The delete option for an SSL Client certificate did not work on a secondary SMC.

The fix was to allow the add/delete function for SSL client certificates in a secondary SMC.

LSQ-2626

SWD-7644 The Top Conversations transaction report was showing incorrect values.

A fix has been provided to avoid duplicate values and show the appropriate number of records for each Flow Collector in the transaction report.

LSQ-2593

SWD-7653 IDentity v3.3.0 does not support TLS 1.0 or 1.1.

The SMC Java client was updated so that the customer could use TLS v1.2 for connections back to the SMC.

LSQ-2712

SWD-7676 Users could not create a diagnostics pack for an appliance.

The fix corrected an exception in the audit log when creating a diagnostics pack.

LSQ-2692


SWD-7689 The CPU average load calculation, on the SMC client interface dashboard, was incorrect.

The CPU average load has been updated to reflect the updated appliances.

LSQ-2677

SWD-7692 The Top Conversations Report did not return all results when filtering hosts.

In the Top Conversations report, the problem was in generating reports if more than one Flow Collector was configured. The fix corrects the query to collect all required data from the database for all required Flow Collectors.

LSQ-2593

SWD-7700 The Flow Collection Trend chart had gaps due to TextCopyHandler failing to read files in the /lancope/var/smc/tmp folder.

Resolved an issue where scheduled reports would terminate existing SMC data loading processes under certain conditions.

LSQ-2727

SWD-7708

SWD-8137

Users could not import DAR and XML files into Document Builder.

This patch fixes an issue with launching a new report from Document Builder that has several pages that are named alphabetically.

LSQ-2738

SWD-7765 Flow data queries across multiple flow collectors do not return consistent ordering.

The fix is to order the records returned for a flow query by flowid when a specific ordering is not requested. This prevents different invocations of this method from returning different results.

LSQ-2652

SWD-7787 The Flow Table Service Summary and Service Port columns had mismatched port addresses.

Fixed an issue where the service summary port was not updated to match the server port for certain flows.

LSQ-2710

SWD-7824 Flow query was failing for IPv6 IP address range 0000-FFFF.

The flow query filter has been corrected to recognize and search IPv6 input values.

LSQ-2613

SWD-7862 Associated flow table carried previous advanced filter values.

The Flow Table retain filter option has been excluded from the associated flow table.

LSQ-2709


SWD-7865 Stealthwatch Management Console had high memory usage for uWSGI appliance update process.

Implemented a mechanism designed to prevent memory usage exceeding 4 GB by the uWSGI UPServ application.

LSQ-2722

SWD-7963 The client interface help was not showing topics when using the search tab.

Fixed encoding error caused by a tomcat update.

NA

SWD-7971 On the SMC Web App, the error "Error retrieving host snapshot to build host entity view" was constantly received on Host Search.

We updated the SMC Web app and the Vertica query to accommodate large numbers and overflow.

LSQ-2773

SWD-8072 Top Reports returns more records than the set limit when there are two or more Flow Collectors (LSQ-2822).

The Top Reports queries have been updated to split the amount of records evenly between Flow Collectors.

LSQ-2822

SWD-8089 The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway.

LSQ-2652

SWD-8107 Email notifications for scheduled documents were not being logged properly.

We fixed the log base path location from pointing to the incorrect directory.

LSQ-2834

SWD-8136 The Flow Collector changed models after upgrade.

Updated the model.xml file to not change a system's memory size during upgrade.

LSQ-2845

SWD-8142 The Database backup was generating errors at the final stage of the process.

Improvements have been added to repeat the Vertica backup process in case of resync errors.

LSQ-2838

SWD-8153 Flows were not being associated with all Host Groups that contained the associated IP address.

The flow table was updated to allow a larger character limit (65,000) in the client and server host group strings, and we now allow 256 host groups per IP address.

LSQ-2846


SWD-8182 UDP Director 2010 could not boot after upgrade.

Fixed an issue with the kernel upgrading process.

LSQ-2866

SWD-8200 A Flow search with too many characters for an IP address range caused Vertica to crash.

Changed the logic around constructing IP range searches.

LSQ-2869

SWD-8210 ISE "deviceType" field was empty.

Provided value to "deviceType" from the "endPoint Policy" pxGrid field.

LSQ-2880

SWD-8239 Error when creating and configuring Custom Applications.

A new java constructor has been added to avoid a bad request error when adding multiple custom application rules in the SMC.

LSQ-2765

LSQ-2829

LSQ-2865

LSQ-2893

SWD-8271 The Flow Sensor Management Channel Down alarm, triggered in the client interface, did not go inactive after one hour.

Resolved an issue where certain alarms would fail to go inactive on the primary node of an SMC failover pair.

LSQ-2859

SWD-8314 The Flow Collector was not processing a non-zero DSCP field.

Added support for the DSCP field.

LSQ-2911

SWD-8317 External Lookup failed with a 500 internal server error.

Fixed the null pointer error when loading the External Lookup configuration page.

LSQ-2912

SWD-8323 The SMC was utilizing a high amount of memory.

We refactored the SMC client interface code to improve UI responsiveness.

LSQ-2904

SWD-8438 The Flow Collector saved flow records from one source ID and discarded records with the other source ID.

Added observation domain binding to the exporter stats in the cases where more than one exporting engine is exporting from a single exporter IP address using different source ID values.

LSQ-2557


SWD-8477 Vertica MergeOut process was very slow for the flow_stats table.

Added several Vertica database tuning parameters to remedy the ROS container backup problems.

LSQ-2935

LSQ-2963

SWD-8540 Unable to create and save maps when logged in as a non-admin user.

Updated the error message to be more meaningful when a non-admin user creates a map without the proper permissions.

LSQ-2956

SWD-8542 Security Event details were missing in web application interface.

Fixed an issue where Security Event details were always empty.

LSQ-2982

SWD-8559 The Online Help referred to an incorrect alarm name.

Updated the help to refer to "Ping Oversized Packet" instead of "Long Ping".

LSQ-2989

SWD-8590 Tor traffic with no packets from the server was alarming as "Successful".

The alarm was updated to "Attempted".

LSQ-2992

SWD-8591 The Flow Sensor eth4 log was showing an invalid pointer error.

Fixed the code to output the log message correctly.

NA

SWD-8598 The Flow Sensor 3000 was not processing packets with multilayer VLAN tags.

The engine has been modified to handle up to 4096 layered tags.

LSQ-2995

SWD-8608 The SMC document builder was not saving filter criteria.

Fixed the document builder to retain appropriate input values in the common filter criteria.

LSQ-2968

SWD-8629 The SMC client interface was missing the "user management" menu.

Users with "SMC manager" rights now have access to the "user management" menu.

LSQ-3013

SWD-8635 Cisco Senderbase links were incorrect on the External Lookup configuration page.

Fixed broken links.

LSQ-3002

SWD-8636 The Traffic by Peer Host Group component was not displaying flow information.

Updated the component to display flow data correctly.

LSQ-3005


SWD-8661 Updated the flow-forwarder Docker container v2.2.2 to use less memory and turned on heap debugging options so that more information may be gathered when there is an issue with the Java (JVM) heap.

LSQ-3022

SWD-8670 The support information updated for STE-97 was translated into Korean, Chinese, and Japanese.

NA

SWD-8676 The flow rate dropped when the Flow Sensor cache was full.

Fixed an issue that caused packets to be dropped during processing when under load.

LSQ-3023

SWD-8689 "Client Port Filtering" was not working with Fast Query selected.

A query fix has been provided to make "Client Port Filtering" work correctly, with or without enabling Fast Query.

LSQ-3031

SWD-8701 OVF resource defaults did not match documented minimums.

Updated the SMC and Flow Collector OVFs to 16 GB RAM.

NA

SWD-8702 Unable to edit response management rules in the SMC client interface.

Fix added to handle null pointer errors when editing the rules in response management.

LSQ-3038

SWD-8705 A Database Restore failed on a Flow Collector 5000.

Fixed an issue where Vertica was not stopping correctly.

LSQ-3040

SWD-8708 TextCopyHandler failed to read files at /lancope/var/smc/tmp.

Scheduled reports temporary file handling process has been improved to avoid SQL errors.

LSQ-2987

LSQ-3048

SWD-8727 Top Alarming Hosts widget was not loading due to unknown host exception error.

The svc-sw-reporting container was updated to better handle dealing with exceptional data within the database.

LSQ-2987

LSQ-3004

LSQ-3048

SWD-8758 Default Services were missing under Host Locking Configuration.

Updated the conditions to populate the services list correctly.

LSQ-3052

SWD-8791 The MongoDB compact script failed to save SMC configuration.

Fixed a typo that caused the script to fail.

LSQ-3012


SWD-8807 The client interface would redirect the user to the license manager page on a licensed SMC.

Updated the code so that users are able to access the client interface on a properly licensed appliance.

NA

SWD-8819 The Interface Service Traffic report was broken.

Corrected an issue with the database query group used by the report.

LSQ-3066

SWD-9049 Limited the Vertica MaxMrgOutROSSizeMB parameter to 4096 in order to improve query response performance.

LSQ-3071

SWD-9051 The SMC client interface would not load due to a SSL Certificate corruption after restoring default certificates.

Added additional actions to correctly restore the default certificates.

LSQ-3094

SWD-9207 HTML code appeared in the name of some graphs in the SMC client interface.

The <br> HTML tag was removed.

LSQ-9207


Known Issues

This section summarizes issues (bugs) that are known to exist in this release. Where possible, workarounds are included. The defect number is provided for reference.

Defect Number Description Workaround

LVA-306, LVA-307

If you have an untrusted virtual machine installed on the same physical cluster/system as a Stealthwatch appliance, the Stealthwatch appliance is vulnerable to a side-channel attack that can expose private keys.

A vulnerability was disclosed for the gnupg software package suite. This vulnerability involves a side-channel attack against the gnupg implementation of the RSA cryptographic algorithm. When RSA keys are in use on the system, the implementation allows for the recovery of 1024-bit length private keys. Additionally, it experimentally appears that 13% of the 2048 keyspace is vulnerable as well. More details about the vulnerability can be found by reading the white paper located at https://eprint.iacr.org/2017/627.

The risk from this side-channel attack applies where the private key is in use on the system. For Stealthwatch customers, this applies to SSH and HTTPS sessions. For customers running hardware appliances and in fully controlled Virtual Machine infrastructures, the risk of exposure is mitigated by access to the physical and virtual systems. For customers running in a co-located VM infrastructure, the risk of exposure is greater.

Important: Do not install an untrusted physical or virtual machine on the same physical cluster/system as your Stealthwatch System appliances.

Important: If you are upgrading the system to v6.10 from an earlier version, confirm all appliances have the latest patch files installed.

To review the Stealthwatch appliance vulnerability, complete the following steps:

1. Log in to the Stealthwatch Appliance Admin.

2. Click Configuration > Services. Review the SSH section. If the Enable SSH box is checked, you need to regenerate the RSA host key pair using the instructions shown below.

3. Click Configuration > SSL Certificate. Review the installed certificates. If there are custom certificates installed using the RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates.

4. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates.

If the SSH service is enabled on the appliance, regenerate the RSA host key using the following instructions. You will regenerate the RSA host key on every appliance in the system.

1. SSH onto the SW Appliance as root or using the root terminal option in the sysadmin menu.

2. To delete the public and private keys in the primary location, run the following command: rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub

3. To delete the public and private keys in the backup location, run the following command: rm -f /lancope/var/admin/ssh/ssh_host_rsa_key /lancope/var/admin/ssh/ssh_host_rsa_key.pub

4. To regenerate a new RSA host key pair, run the following command: /lancope/admin/bin/GenerateSSHKeys

5. Do one of the following to restart the SSHD service:

o If the appliance software version is 6.9 and later, run the following command: systemctl restart ssh.service

o If the appliance version is earlier than 6.9, run the following command: /etc/init.d/ssh restart

6. Repeat these steps on every appliance in the Stealthwatch System.

If you have installed custom certificates using RSA-1024 or RSA-2048 bit keys on your Stealthwatch appliances, you must regenerate new X509 certificates.

1. Log in to the Stealthwatch Appliance Admin.

2. Click Configuration > SSL Certificate.

3. Click the ? icon to open the Help page.

o Use the SSL Certificate instructions to generate a new X509 certificate.

o If the X509 certificate is RSA, create it with a size of 4096 bits.

4. Delete the old (vulnerable) X509 certificate from the appliance.

5. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, regenerate new certificates.

o Click the ? icon to open the Help page.

o Use the Certificate Authority Certificates instructions to add a new X509 certificate.

o If the X509 certificate is RSA, create it with a size of 4096 bits.
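Steps 2 through 4 of the review above are manual checks of the RSA key sizes in use on each appliance. As an added illustration that is not part of Cisco's release notes or of the appliance software, the following Python script reads an OpenSSH public-key line (the format of /etc/ssh/ssh_host_rsa_key.pub), decodes the wire-format blob and reports the RSA modulus size, flagging any key smaller than the 4096 bits the workaround calls for. The sample keys it builds are constructed test data (a modulus of the form 2^(bits-1)+1, not a product of two primes) so the parser can run offline; the function names, the file path argument and the 4096-bit default threshold are assumptions of this example, not something the notes or the appliance define.

```python
import base64
import struct


def _read_ssh_string(buf, pos):
    """Read one length-prefixed field of the OpenSSH wire format."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    return buf[pos:pos + length], pos + length


def rsa_modulus_bits(pubkey_line):
    """Return the RSA modulus size in bits of an OpenSSH 'ssh-rsa ...' public-key line.

    Raises ValueError if the line is not an ssh-rsa key.
    """
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    key_type, pos = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match the line header")
    _exponent, pos = _read_ssh_string(blob, pos)   # mpint e: not needed for the size check
    modulus, _ = _read_ssh_string(blob, pos)       # mpint n: big-endian, leading 0x00 if high bit set
    return int.from_bytes(modulus, "big").bit_length()


def needs_regeneration(pubkey_line, minimum_bits=4096):
    """True if the key is smaller than the 4096-bit size the release notes call for (assumed default)."""
    return rsa_modulus_bits(pubkey_line) < minimum_bits


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw   # keep the two's-complement value positive
    return _ssh_string(raw)


def make_sample_key_line(modulus_bits):
    """Build a constructed, non-functional ssh-rsa line whose modulus has exactly modulus_bits bits.

    The modulus is 2^(bits-1) + 1, not a product of two primes: this is parser test data,
    not a usable key.
    """
    n = (1 << (modulus_bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " sample@appliance"


def audit_host_key_file(path, minimum_bits=4096):
    """Report (bits, needs_regeneration) for every ssh-rsa key in a public-key file.

    Intended for a file such as /etc/ssh/ssh_host_rsa_key.pub (path is an assumption of this example).
    """
    findings = []
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line.startswith("ssh-rsa "):
                continue
            bits = rsa_modulus_bits(line)
            findings.append((bits, bits < minimum_bits))
    return findings


if __name__ == "__main__":
    # Classify three constructed keys: 1024 and 2048 are the sizes the notes call vulnerable.
    for bits in (1024, 2048, 4096):
        line = make_sample_key_line(bits)
        verdict = "regenerate" if needs_regeneration(line) else "ok"
        print(bits, rsa_modulus_bits(line), verdict)
```

Run with no arguments, the script classifies the three constructed sizes; `audit_host_key_file` can be pointed at a real ssh_host_rsa_key.pub on a host where you have read access. It checks only the modulus length, which is the criterion the notes use for the SSH host key; X509 certificates are reviewed on the SSL Certificate and Certificate Authority Certificates pages as the steps describe.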

SWD-7627 If you reboot your Flow Collector, it deletes all alarm history; however, if you replace your Flow Collector, the new Flow Collector retains the alarm history from the old Flow Collector instead of deleting it. Since the alarming host widgets (which display the number of hosts receiving alarms since the last reset hour for a specific category) on the Security Insight Dashboard and Host Group page then do not update until the next reset hour, you may see a discrepancy between these values and the alarm values in the Hosts table on the Host List View.

None currently available; the feature will be available in a future release.

SWD-7655 The generation of a diagnostics pack may fail in large systems as a result of timing out.

To overcome this, open the SSH console for the appliance and run this command: doDiagPack. This will allow the generation of the diagnostic pack without timing out. The diagnostic pack can be downloaded using Browse File in the /admin/diagnostics folder, and it can be copied off the box using SCP.

SWD-8197 The Flow Sensor was not detecting enough applications.

To provide more accurate application classification, we updated the third-party library for Application Identification. Due to this update, some traffic will no longer be classified as it was in prior versions and support has been removed for a variety of applications. Updates to the applications supported are dependent on future releases from the third-party library.

SWD-8673 SystemConfig special character fonts look bad when using the SecureCRT client in ANSI mode.

To overcome this, disable ANSI Color when connecting or use a different client to view the SystemConfig script.

SWD-9052 Offline license activation failing or "Storage Binding Break" error.

This error may occur if you moved a virtual machine, uploaded a license more than once, or if the license is corrupted. Please contact Stealthwatch Customer Community for assistance.

SWD-9300 The Selected Cipher Suite does not appear in the Flow Search Results when using a non-standard port.

None currently available; this will be fixed in a future release.

SWD-9542 After configuring Active Directory in the SMC, User Info is empty. The user details are included in the flows but User Info does not show the information due to inconsistencies when querying ISE certificate attributes.

The User Info is available if ISE returns Active Directory UPN (User Principal Name) as "username" in the session. To configure ISE to return UPN, go to ISE Administration > External Identity Sources > Certificate Authentication Profile settings.

SWD-9563 When you log in to the Stealthwatch Web App using Internet Explorer v11 and at any point you refresh the Home page, the Desktop Client drop-down arrow and the three navigation icons to the left of this list (top right corner of page) disappear. These three icons include the following:

• Search (magnifying glass icon)

• Help (person icon)

• Global Settings (gear icon)

Additionally, the fonts look different from how they appear when displayed using other browsers.

Close the browser and log in again.

SWD-10264 After a license is activated in the Desktop Client License Manager, the Status column does not update from "Trial" to "Installed" until after the appliance is rebooted.

Reboot the appliance and log in to the Desktop Client License Manager again. The Status will update after the system is rebooted.

SWD-10428 The Security Event Queries API is providing results from a larger time span than set in the timeRange filter.

None currently available; this will be fixed in a future release.

SWD-12102 Users are unable to upgrade their system using the upmanrepo.swu file.

Use the individual appliance swu files to update your system. This will be fixed in a future release.

SWD-12420 Users unable to install an appliance on a KVM host if they change the CPU Type.

Use the default CPU Type when you deploy an appliance on a KVM host.

NA On the Flow Sensor VE, “Export Application Identification” is off by default.

To enable application identification, this advanced setting will need to be manually selected.

Contacting Support

If you need technical support, please do one of the following:

l Contact your local Cisco Partner

l Contact Cisco Stealthwatch Support

o To open a case by web: http://www.cisco.com/c/en/us/support/index.html

o To open a case by email: [email protected]

o For phone support: 1-800-553-2447 (U.S.)

o For worldwide support numbers: www.cisco.com/en/US/partner/support/tsd_cisco_worldwide_contacts.html


© 2019 Cisco Systems, Inc. All Rights Reserved. SW_6_10_3_Release_Notes_DV_1_3
