These release notes are for use with Cisco Threat Response running on a Windows 2000 platform.
Cisco Threat Response (Threat Response) is part of the Cisco Intrusion Protection System. Threat Response provides an automated, just-in-time analysis of each targeted host to determine whether a compromise has actually occurred. As a result, false alarms are eliminated and real intrusions are quickly identified and addressed, saving you time, resources, and the high costs associated with recovering from a successful attack.
Threat Response consists of two components: the Threat Response server and the Threat Response GUI (the client).
Note Users may run the GUI on the same system as the Threat Response server, but because of performance and speed considerations, we recommend that you run the GUI on a separate system.
The requirements for the Threat Response server and client are described in Table 1 and Table 2.
Table 1 Threat Response System Requirements: Server
1. Threat Response has been tested with IE 5.5 SP2 up to 6.0.2800.1106 128-bit high encryption SP1.
Note Threat Response consumes approximately 120 MB.
Table 2 Threat Response System Requirements: Client
1. Threat Response has been tested with IE 5.5 SP2 up to 6.0.2800.1106 128-bit high encryption SP1.
Note To work with the Threat Response interface, we recommend that you set the client resolution to 1024 x 768 or higher.
Note Threat Response does not support any version of Netscape. Threat Response supports only the English version of Windows.
Because Threat Response works in conjunction with intrusion detection systems, your network should have an installation of either or both of the following: Cisco Secure IDS sensors (version 3.x) or ISS RealSecure event collectors.
Table 3 lists ports that must be opened if Threat Response is separated from your IDS sensors or RealSecure event collectors by a firewall. Depending on your network configuration, you may need to open additional ports to ensure that port traffic is permitted to flow between the Threat Response server and the IDS sensors or RealSecure event collectors. See "Limitations and Restrictions" for additional ports that must be opened to allow for Level 1 and Level 2 investigation.
Table 3 Ports to Open Between Threat Response and Your IDS
For... | Ports...
---|---
Cisco Secure IDS version 3.x sensor and Threat Response server separated by a firewall | UDP 45000
Review the following notes before installing Threat Response:
To uninstall Threat Response, use the Windows Add/Remove Programs feature.
If you experience problems when you attempt to provide an administrator name and password during installation, follow this workaround to configure the Apache service manually:
Step 2 Select NO, do not reboot the system.
Step 3 To manually install the Apache service, follow these steps:
a. From the Windows Start menu, select Run and browse to the c:\ProgramFiles\CiscoSystems\ThreatResponse\apache\bin directory.
Step 4 To edit the registry value, follow these steps:
a. From the Windows Start menu, select Run and type regedt32.
b. Click OK to run the program.
c. Select the HKEY_LOCAL_MACHINE window.
d. To locate the DependOnService value (a REG_MULTI_SZ) for the Apache service, expand the following folders: System > CurrentControlSet > Services > Apache.
e. Double-click the DependOnService value.
f. In the Multi-String Editor popup, add MySQL on a new line at the end of the existing list. The service controller then starts MySQL before it starts Apache.
Caution Do not replace the Tcpip or Afd data strings; append MySQL after them.
Step 5 From the Control Panel, open Administrative Tools and launch the Services utility.
Step 6 Right-click Apache and select Properties.
Step 7 In the Log On tab, select This account, and click Browse to display the Select User dialog box.
Step 8 In the Select User dialog box, select the desired administrative user from the list, and click OK.
Step 9 In the Log On tab, type and confirm a password for the administrator (ignoring the series of asterisks that are already displayed), and click OK.
Step 10 Reboot the system to complete the workaround for the Apache service.
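The registry and Log On changes of Steps 4 through 9, scripted. This is an added example, not a procedure from the Cisco release notes: it uses PowerShell and sc.exe, neither of which shipped with Windows 2000, so it applies to the same service configuration on a later Windows host. The service names Apache and MySQL are the ones the notes use; the logon account is whatever you enter at the prompt.

```powershell
# Added example (not from the Cisco release notes): scripted equivalent of Steps 4-9.
# Assumes the services are registered as "Apache" and "MySQL", as the notes state.
param(
    [string]$ServiceName = 'Apache',
    [string]$Dependency  = 'MySQL'
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# Refuse to add a dependency on a service that does not exist: the service
# controller would then be unable to start Apache at all (error 1075).
if (-not (Get-Service -Name $Dependency -ErrorAction SilentlyContinue)) {
    throw "Service '$Dependency' is not installed; install it before making $ServiceName depend on it."
}

# DependOnService is a REG_MULTI_SZ. Read it, append, write back: Tcpip and Afd
# must stay in the list (the Caution above), so never assign a fresh array.
$current = @((Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)
$current = @($current | Where-Object { $_ })   # drop the null left by a missing value
if ($current -notcontains $Dependency) {
    $updated = $current + $Dependency
    Set-ItemProperty -Path $key -Name DependOnService -Value ([string[]]$updated) -Type MultiString
}

# Log On tab equivalent. Prompting keeps the password out of the command history;
# sc.exe still stores it in the service configuration, as the Services dialog does.
# Enter a local account as .\name or a domain account as DOMAIN\name.
$cred  = Get-Credential -Message "Account that the $ServiceName service will log on as"
$plain = $cred.GetNetworkCredential().Password
& sc.exe config $ServiceName obj= $cred.UserName password= $plain | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Verify: DEPENDENCIES should list Tcpip, Afd and MySQL; SERVICE_START_NAME the account.
& sc.exe qc $ServiceName
```

Two caveats when scripting this instead of using the Services dialog: the Services snap-in grants the chosen account the "Log on as a service" right automatically, while sc.exe does not, so grant it in Local Security Policy if the service then fails to log on; and Step 10 still applies, so reboot (or at least restart the Apache service) for the new dependency and logon account to take effect.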
The Cisco Threat Response User Guide provides a complete discussion of the policy and software update process, including instructions on how to configure Threat Response to automatically check for and download updates. At a minimum, you should perform the following tasks:
You can use the Active Update Notification service on Cisco.com to receive information on product updates.
Use this procedure to receive e-mail notifications about product information and updates.
http://www.cisco.com/warp/public/779/largeent/it/ids_news/subscribe.html
Step 2 Enter your e-mail address in the E-mail Address box.
Step 3 Enter your password in the Password box.
Step 4 Click Submit.
When information on updates is released, you receive an e-mail with download instructions.
To download policy or software updates for Threat Response, you must have a Cisco.com (CCO) account with cryptographic access.
Use this procedure to apply for cryptographic access.
If you do not have a Cisco.com account, register for one by going to the following URL:
http://tools.cisco.com/RPF/register/register.do .
Step 2 Go to the following URL:
http://www.cisco.com/cgi-bin/Software/Crypto/crypto_main.pl
The Enter Network Password dialog box appears.
Step 3 Log in with your Cisco.com account.
The Encryption Software Export Distribution Authorization Form product selection page appears.
Step 4 Select Cisco Threat Response from the drop-down box and click Submit.
The Encryption Software Export Distribution Authorization Form appears.
Step 5 Review and complete the Encryption Software Export Distribution Authorization form and click Submit.
The Cisco Encryption Software: Crypto Access Granted message appears.
Note It takes approximately 4 hours to process your application. You will not be able to download the software until the entitlement process is complete. You will not receive notification.
You must open certain ports, depending on the level of investigation you want Threat Response to perform.
Threat Response performs Level 2 investigation on Windows systems. Level 2 investigation uses advanced investigation agents that require password access to a system (configured under the Protected Systems tab of the Basic Configuration procedures). Level 2 agents can confirm whether an attack was successful. We recommend the use of Level 2 agents to best determine which attacks are false and which are real. Because the credentials for these agents are entered into the Threat Response configuration, use a dedicated account that has only the rights the agents need on the protected systems rather than a shared domain administrator account.
Note Although every effort has been made to validate the accuracy of the information in the printed and electronic documentation, you should also review the documentation on Cisco.com for any updates. To access the Threat Response documentation on Cisco.com, click Products and Services and select Security and VPN Software > Threat Response.
Use these publications to learn how to install and use Cisco Threat Response:
Table 4 describes problems known to exist in this release.
Note To obtain more information about known problems, access the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl . (You will be prompted to log into Cisco.com.) For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description.
Table 4 Known Problems in Cisco Threat Response Version 2.0
Browser show blank java applet window certificate window upon logon
Symptom: The Threat Response Client browser shows a blank certificate applet window upon logon.

Symptom: The text "Java Applet Window" appears below Java applet windows.
Conditions: This message cannot be disabled by the software. It is a security precaution used by the Java plugin to warn the user that the window above it is rendered by the Java applet.

Symptom: Alarm status reports "Unrecognized vendor alarm id".
Conditions: An event with this Sig Id exists, but its Sub Id is not 0.
Workaround:
2. Select the Advanced Configuration tab.
4. Select the appropriate Product tab.
6. Fill in the information for the alarm that reported "Unrecognized vendor alarm id". Refer to the event with the same Sig Id where the Sub Id is set to 0.

Alarm feed inactive events (EXCEPTION: Unable to load MSSQL JDBC...
Symptom: Continuously receiving "Alarm feed inactive" events in the Alarm display window. Alarm context indicates the following:
Conditions: An ISS sensor is configured and the Microsoft JDBC drivers have not been installed on the Threat Response server.
Workaround: Install the Microsoft JDBC drivers:
1. Download the Microsoft JDBC drivers from http://www.microsoft.com/sql/default.asp
2. Run the setup.exe installation program. By default it installs into C:\Program Files\Microsoft SQL Server 2000 Driver for JDBC and provides these JAR files:
C:\Program Files\Microsoft SQL Server 2000 Driver for JDBC\lib\msbase.jar
C:\Program Files\Microsoft SQL Server 2000 Driver for JDBC\lib\mssqlserver.jar
C:\Program Files\Microsoft SQL Server 2000 Driver for JDBC\lib\msutil.jar

Symptom: While loading the applet for the Alarm GUI or Config GUI, Internet Explorer puts a blank dialog on the screen. You cannot tell what Internet Explorer is asking or telling you.
Conditions: You are connecting to an HTTPS site that does not have a valid SSL certificate.
Workaround: Pressing Enter selects the default action, which lets you reach the site even though the SSL certificate is invalid. Because the dialog cannot be read, this accepts the certificate without checking it; before pressing Enter, confirm out of band (for example by comparing the certificate fingerprint with the server administrator) that the certificate presented is the Threat Response server's own, or install a certificate the client trusts so that the dialog does not appear at all.
Background: This is a bug in the Java plugin or Microsoft Internet Explorer. The dialog is shown when the browser detects that you are connecting to an HTTPS site that does not have a valid certificate, but the dialog Internet Explorer displays is blank, so you cannot read what it is asking. This occurs while Internet Explorer is loading the applet, so the applet has no control over the display of this window. The problem is most likely a bug in IE or an incompatibility in the Java plugin for IE 6 SP1 128 bit.
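A way to answer the blank dialog knowingly: fetch the certificate the Threat Response server presents and print its subject, issuer, validity and SHA-1 thumbprint so they can be compared with what the server administrator sees on the server itself. This is an added example and not part of the Cisco release notes; the host name and port are placeholders, and the TLS handshake is done with .NET's SslStream, which a browser of that era did not use.

```powershell
# Added example (not from the Cisco release notes): capture the certificate that the
# Threat Response server presents so the blank IE dialog can be answered knowingly.
# Assumes the server answers HTTPS on $Port; host name and port are placeholders.
function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake: the goal is to capture it,
        # not to trust it. Trust is decided below, by hand.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            SHA1Thumbprint = $cert.Thumbprint
            ChainValid     = $cert.Verify()   # $false is the condition that produces the blank dialog
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: compare SHA1Thumbprint with the value read from the certificate on the
# server itself before pressing Enter in the browser. Placeholder host name.
Get-ServerCertificate -HostName 'threatresponse.example.com' -Port 443 | Format-List
```

ChainValid reproduces the check the browser fails: a self-signed or name-mismatched certificate returns $false even when the thumbprint is the right one, which is exactly the case where out-of-band comparison, not the Enter key, should decide. A current .NET runtime may refuse the SSL 3.0 or TLS 1.0 handshake that a server of this vintage offers; if AuthenticateAsClient throws, that is the reason, and the fingerprint has to be read on the server instead.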

Symptom: The following error message appears: "Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly."
Conditions: An access violation occurred when the ActiveX cab installation mechanism tried to access the Sun Microsystems Java plugin web site. The Java plugin auto-download and installation process uses the Microsoft cab file mechanism. If the Internet Explorer security level is set to the highest level, the cab files are unavailable to perform the Java plugin installation. Loss of Internet connectivity, firewalls, and virus download/Internet filters may also prevent automatic installation.
Workaround: Download and install the Java plugin manually from the Threat Response server home page.

Cisco OEM Version of IE has double spaced fonts with 1.4.1 plugin
Symptom: The Java GUI displays fonts with double line spacing, which makes it unreadable.
Conditions: The Java 1.4.1 plugin is incompatible with the special Cisco OEM version of Internet Explorer. This condition might occur with other specialized versions of Internet Explorer.
Workaround: The Alarms and Configuration pages were changed to detect whether this version of IE is in use and, if so, to install the Java 1.4.0 plugin instead. Java 1.4.0 can also be downloaded and installed from the Threat Response home page.

Symptom: Unable to change the encryption mode of a sensor configuration.
Conditions: The sensor keeps its original encryption mode.
Workaround:
1. Remove the sensor from the configuration.
2. Select Apply Configuration.
3. Re-add the sensor configuration with the desired encryption mode.
Server backing store has issues due to MySQL 4 Gig table size limit
Symptom: The server may become unresponsive and may not process new or old events.
Conditions: Because of a 4 GB limit per database table, the server may reach maximum capacity and be unable to continue event processing.
Workaround: Archive frequently so that the alarm tables stay well below the limit.
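"Archive frequently" is easier to schedule with a number attached. The check below sizes each table of the MySQL backing store from SHOW TABLE STATUS and flags any that is approaching the 4 GB ceiling the caveat describes. It is an added example, not Cisco code: the database and table names in the sample are placeholders rather than Threat Response's real schema, and the sample output is constructed to look like what the mysql command-line client prints in batch mode.

```powershell
# Added example (not from the Cisco release notes): size backing-store tables from
# SHOW TABLE STATUS and flag any approaching the 4 GB per-table limit, so archiving
# can be scheduled before the server stops processing events.
# Assumptions: the mysql command-line client is on PATH; database and table names
# below are placeholders, not Threat Response's real schema.
$LimitBytes     = 4GB      # PowerShell numeric literal: 4294967296
$WarnAtFraction = 0.8      # recommend archiving once a table passes 80 % of the limit

function Get-TableHeadroom {
    param([Parameter(ValueFromPipeline = $true)][string]$TableStatusText)
    # "mysql -B" prints one header line, then tab-separated rows.
    $rows = ($TableStatusText -split "`r?`n") | Where-Object { $_.Trim() -ne '' } |
            ConvertFrom-Csv -Delimiter "`t"
    foreach ($r in $rows) {
        $used   = [int64]$r.Data_length + [int64]$r.Index_length
        $pct    = [math]::Round(100.0 * $used / $LimitBytes, 1)
        $action = if ($used -ge $WarnAtFraction * $LimitBytes) { 'ARCHIVE NOW' } else { 'ok' }
        [pscustomobject]@{
            Table       = $r.Name
            UsedBytes   = $used
            UsedPercent = $pct
            Action      = $action
        }
    }
}

# Constructed sample in the shape "mysql -B -e 'SHOW TABLE STATUS' <database>" emits
# (not real Threat Response data): one table at about 85 % of the limit, one tiny.
$sample = @"
Name`tType`tRows`tData_length`tMax_data_length`tIndex_length
alarms`tMyISAM`t9100000`t3530000000`t4294967295`t120000000
archive`tMyISAM`t10`t4096`t4294967295`t2048
"@
Get-TableHeadroom -TableStatusText $sample | Format-Table -AutoSize

# Live use, on the Threat Response server (placeholder database name):
#   & mysql.exe -B -e "SHOW TABLE STATUS" threatresponse | Out-String | Get-TableHeadroom
```

Data_length plus Index_length is what the table actually occupies; Max_data_length is the engine's own ceiling for that table and, where it is lower than 4 GB, is the better number to compare against. Run the check from a scheduled task and trigger the archive procedure from the Alarm GUI when a table reports ARCHIVE NOW, rather than waiting for the "server unresponsive" symptom.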

ap_sendwithtimeout(): WSAENOTSOCK Socket Operation on nonsocket
Symptom: Error log entries similar to the following appear in the error.log file.
Conditions: Occurs when either the Alarm GUI or the Config GUI is attached to the Threat Response server.
Workaround: No action is required.
Background: This is an innocuous issue caused by an Apache failure while handling a communications session between the browser and the JServ servlet. The failure causes no known problems and is handled transparently by Apache, apart from the error log entries.

Alarms in the process of being archived show in the verify window
Symptom: Alarms that have been cleared show up in the Verifying window of the Alarm GUI while they are being archived.
Conditions: After an archive process has been initiated, the Alarm GUI refreshes its display and, if you are also viewing cleared alarms, may include in the Verifying window alarms that it is in the process of archiving.
Workaround: Not required. Ignore these alarms in the Verifying window.

Archiving causes Alarm Display and Java Console to stop responding
Symptom: After starting an Archive operation, unlocking the Alarm Display causes the Alarm Display to stop responding.
Conditions: Whenever an Archive operation is in progress.
Workaround: Wait until the Archive operation is complete. This is caused by the database table LOCK held on the alarm table while the Archive operation is in progress.
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
International Cisco web sites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
http://www.cisco.com/en/US/partner/ordering/index.shtml
http://www.cisco.com/go/subscription
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can email your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
To obtain customized information and service, you can self-register on Cisco.com at this URL:
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:
You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html
This document is to be used in conjunction with the documents listed in the "Cisco Threat Response Documentation" section.
Copyright © 2003, Cisco Systems, Inc.
All rights reserved.
Posted: Fri May 2 10:09:55 PDT 2003