Patch Release Notes. Release Juniper Secure Analytics. Juniper Networks, Inc.

Transcription

1 Juniper Secure Analytics Patch Release Notes Release Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Published:

2 Copyright Notice Copyright 2014 Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. The following terms are trademarks or registered trademarks of other companies: Java TM and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. FCC Statement The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/tv technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected. Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device. Disclaimer THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICTAIONS SET FORTH BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY. JSA Patch Release Notes Release Copyright 2014, Juniper Networks, Inc. All rights reserved. Printed in USA. Revision History August 2014 JSA Patch Release Notes The information in this document is current as of the date listed in the revision history. END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions of such EULA as regards such software: As regards software accompanying the JSA products (the Program ), such software contains software licensed by Q1 Labs and is further accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks. 2

3 For the convenience of Licensee, the Program may be accompanied by a third party operating system. The operating system is not part of the Program, and is licensed directly by the operating system provider (e.g., Red Hat Inc., Novell Inc., etc.) to Licensee. Neither Juniper Networks nor Q1 Labs is a party to the license between Licensee and the third party operating system provider, and the Program includes the third party operating system AS IS, without representation or warranty, express or implied, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement. For an installed Red Hat operating system, see the license file: /usr/share/doc/redhat-release-server-6server/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA as so modified. 3

4 4

5 CONTENTS 1 JSA RELEASE NOTES Installing r2 Patch Clearing the Cache Resolved Issues Issues resolved in JSA r2 Patch Issues resolved in JSA r1 Patch Issues resolved in JSA Patch

6

7 1 JSA RELEASE NOTES r patch resolves several known issues in Juniper Secure Analytics (JSA). Installing r2 Patch Clearing the Cache Resolved Issues Installing r2 Patch If your deployment is installed with version of r or later, you can install r patch. Before you begin Ensure that you take the following precautions: Back up your data before you begin any software upgrade. For more information about backup and recovery, see the Juniper Secure Analytics Administration Guide. To avoid access errors in your log file, close all open JSA webui sessions. The patch for JSA cannot install on a managed host that is at a different software version from the console. All appliances in the deployment must be at the same software revision to patch the entire deployment. Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed. About this task Patches are cumulative software updates to fix known software issues in your JSA deployment. JSA patches are installed by using an SFS file. The patch can update any appliance attached to the JSA console that is at the same software version as the console.

8 8 JSA RELEASE NOTES Step 1 Step 2 Step 3 Procedure Download the r patch from the Juniper Customer Support website. Using SSH, log into your system as the root user. Copy the patch to the /tmp directory on the JSA console. NOTE Note: If space in the /tmp directory is limited, copy the patch to another location that has sufficient space. Step 4 Step 5 Step 6 Step 7 Step 8 Unzip the file in the /tmp directory using the bunzip utility: bunzip r sfs.bz2 To create the /media/updates directory, type the following command: mkdir -p /media/updates Change to the directory where you copied the patch file. For example, cd /tmp To mount the patch file to the /media/updates directory, type the following command: mount -o loop -t squashfs r sfs /media/updates/ To run the patch installer, type the following command: /media/updates/installer NOTE Note: If you have logged in through serial-based console, run the following command to install the patch automatically: /media/updates/installer --no-screen NOTE Note: The first time that you run the patch, there might be a delay before the patch install menu is displayed. Step 9 Using the patch installer, select all. The all option updates the software on all systems in your deployment. In HA deployments, primary HA appliances are patched and replicate the patch update to the secondary HA appliance.

9 Clearing the Cache 9 If you do not select the all option, you copy the fix to each appliance in your deployment and install the patch. If you manually install patch in your deployment, you must update your appliances in the following order: 1 Console 2 Event Processors 3 Event Collectors 4 Flow Processors 5 Flow Collectors If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes. Results A summary of the patch installation advises you of any managed host that were not updated. If the patch fails to update a managed host, you can copy the patch to the host and run the installation locally. What to do next You are now ready to clear the Java cache and the browser cache. Clearing the Cache After you install the patch, you must clear your Java cache and your web browser cache before you log into JSA. Before you begin Ensure that you have only one instance of your browser open. If you have multiple versions of your browser open, the cache might fail to clear. Ensure that the Java Runtime Environment is installed on the desktop system that you use to view the user interface. You can download Java version 1.7 from the Java website: About this task If you use the Microsoft Windows 7 operating system, the Java icon is typically located under the Programs pane. Step 1 Procedure Clear your Java cache: a On your desktop, select Start > Control Panel. b Double-click the Java icon. c In the Temporary Internet Files pane, click View. d On the Java Cache Viewer window, select all Deployment Editor entries. e Click the Delete icon.

10 Resolved Issues 10 Step 2 Step 3 Step 4 f g Click Close. Click OK. Open your web browser. Clear the cache of your web browser. If you use the Mozilla Firefox web browser, you must clear the cache in the Microsoft Internet Explorer and Mozilla Firefox web browsers. Log in to JSA. Resolved Issues Issues resolved in JSA r2 Patch Since JSA r2 Patch is a cumulative release, the release notes listed below include issues resolved in Patch 1, r1 Patch, and r2 Patch. The following issues are resolved in the patch for r2 Patch: When the customer attempts to edit a search or report an exception is thrown and the edit page does not load properly When editing a report, the customer is able to go through the Wizard, make the changes, but when clicking Finish, an Application Error is received. This error is also observed when editing a search. When the Application Error occurs, the following is written to the JSA logs: console/do/reportwizard] java.lang.classcastexception: com.q1labs.core.types.event.normalizedeventproperties$ DestinationAssetName incompatible with com.q1labs.frameworks.nio.compositekeyserializer Workaround: Contact Juniper Customer Support. Workarounds, if possible, will be customer configuration-specific. On the Admin tab, the reference set management tool might not display reference sets created by users After an upgrade to JSA r1 Patch, an issue exists where the Reference Set Management tool does not display any reference sets in the user interface. Administrators can review any reference sets they have created in the user interface to determine if any values are missing. Saved searches, reports, rules, or offenses that use reference sets to tune false positives might not work as expected when the reference set does not display in the user interface. To verify this issue: Step 1 Step 2 Log in to the console as a user or administrator. Click the Admin tab.

11 Resolved Issues 11 Step 3 Step 4 Click the Reference Set Management icon. Review the user interface. If reference sets created on the system are missing, administrators can contact Juniper Customer Support for assistance. This issue can also be verified by reviewing the log files for a specific error message. When this issue occurs, the following error can be displayed in /var/log/qradar.error: [ReferenceDataMerge] [main]com.q1labs.ariel.ui.referencedatamerge:[error] [NOT: ][IP Address/- -] [-/--]ReferenceDataMerge caught an error : java.lang.nullpointerexception [ReferenceDataMerge] [main] java.lang.nullpointerexception[referencedatamerge] [main] at com.q1labs.ariel.ui.referencedatamerge.updatesavedsearches (ReferenceDataMerge.java:675)[ReferenceDataMerge] [main] com.q1labs.ariel.ui.referencedatamerge.runprogram (ReferenceDataMerge.java:163)[ReferenceDataMerge] [main] com.q1labs.ariel.ui.referencedatamerge.main at at (ReferenceDataMerge.java:100) Workaround: For assistance with this issue, contact Juniper Customer Support. After an upgrade to JSA r1 Patch, new log sources do not automatically discover on managed hosts After an upgrade to JSA r1 Patch, new log sources assigned to managed hosts do not automatically discover. The events are collected by JSA, however, the log sources identify as SIM Generic due to the automatic discovery issue. This issue only affects appliances that contain Event Processor components, such as 15xx, 16xx, 17xx, or 18xx appliances that are installed with JSA r1 Patch. Administrators can review system notifications to determine if they have several notices for "Unable to determine associated log source for IP address. Administrators can verify the issue by reviewing /var/log/qradar.log files on the managed host to determine of the following warning message is displayed:

12 12 JSA RELEASE NOTES NOTE Note: Administrators must first SSH to the console, then SSH to the managed host that is attempting to discover the new log source. [ECS Runtime Thread] com.q1labs.semsources.filters.trafficanalysis.dsminfo:[warn] [NOT: ][/- -] [-/- -]Failed to load a DSM that was specified in the config file: [Your DSM Name] [ECS Runtime Thread] com.q1labs.semsources.filters.trafficanalysis.dsminfo:[warn] [NOT: ][/- -] [-/- -]Failed to load a DSM that was specified in the config file: [Your DSM Name] [ECSRuntimeThread] com.q1labs.semsources.filters.trafficanalysis.dsminfo: [WARN] [NOT: ][/- -] [-/- -]Failed to load a DSM that was specified in the config file: SonicWall NOTE Note: SonicWall in the last error message was entered as an example of a DSM name that could appear in the warning log. Workaround: None. Administrators who experience this issue can contact Juniper Customer Support for assistance. Dell appliances with the OMSA utility installed might display an error when attempting a software upgrade Administrators who attempt to upgrade a Dell appliance to a software version above JSA might experience an upgrade error. If the Dell OMSA tools are installed on the appliance, the following on-screen error message is displayed during the upgrade process: Error Summary [PATCH_UPDATER] [ERROR] Failed to install new packages [PATCH_UPDATER] [ERROR] An error occurred applying patch [PATCH_UPDATER] [ERROR] Patch failed on console. This error message is due to the Dell Open Manage Server Administration (OMSA) utilities conflicting with a new hardware monitoring tool (MegaCLI) that is available in JSA software versions at or above.

13 Resolved Issues 13 Step 1 Step 2 Workaround: Administrators who have Dell appliances with OMSA utility installed must uninstall the OMSA software before they begin the upgrade process. To remove, use the uninstall script included with the tools: Using SSH, log in to any Dell appliance. To uninstall the Dell OMSA tools, type the following command: /opt/dell/srvadmin/sbin/srvadmin-uninstall.sh Step 3 After the uninstall process is complete, administrators can restart the upgrade process. If upgrade issues persist, contact Juniper Customer Support for assistance. After an upgrade to JSA or JSA Patch 1, a flow outage can occur due to a flow input buffer issue After an upgrade to JSA or JSA Patch 1, an issue can occur where flows stop sending. This issue is due to an exception generated for Unable to create input buffer. NOTE Note: To review the error log on a managed host, administrators must first SSH to the console, then SSH to the managed host. When the problem occurs, administrators might notice an outage from a flow source. Administrators can review /var/log/qradar.error on the managed host. [ecs-ec] [ReceiverServer:ecs-ec/EC/FlowSource] com.q1labs.frameworks.nio.network.receiverserver$protocolimpl: [WARN] [NOT: ][IP Address/- -] [-/- -]Unable to create input buffer. size: java.nio.directbytebuffer[pos=65531 lim=65536 cap=65536] [ecs-ec] [ReceiverServer:ecs-ec/EC/FlowSource] com.q1labs.frameworks.nio.network.receiverserver :32010: [WARN] [NOT: ][IP Address/- -] [-/- -]Error: /IP Address:46283 : IOException : Unable to create input buffer. size: java.nio.directbytebuffer[pos=65531 lim=65536 cap=65536] [ecs-ec] [ReceiverServer:ecs-ec/EC/FlowSource] java.io.ioexception: Unable to create input buffer.

14 14 JSA RELEASE NOTES size: java.nio.directbytebuffer[pos=65531 lim=65536 cap=65536] [ecs-ec] [ReceiverServer:ecs-ec/EC/FlowSource] at com.q1labs.frameworks.nio.network.protocol. Protocol.borrowBuffer (Protocol.java:1133) [ecs-ec] [ReceiverServer:ecs-ec/EC/FlowSource] at com.q1labs.frameworks.nio.network.protocol.protocol. pollmessage(protocol.java:1254) [ecs-ec] [ReceiverServer:ecs-ec/EC/FlowSource] at com.q1labs.frameworks.nio.network.protocol.protocol$2. readfromchannel(protocol.java:125) [ecs-ec] [ReceiverServer:ecs-ec/EC/FlowSource] at com.q1labs.frameworks.nio.network.protocol.protocol.read (Protocol.java:399) Workaround: None. If you experience a flow outage on a managed host with a JSA or JSA r1 Patch system, contact Juniper Customer Support for assistance. Issues resolved in JSA r1 Patch The following issues are resolved in the patch for r1 Patch: Default searches do not show up in quick searches or dashboards for new non-admin users After you upgrade your system to , default quick searches may not be listed in the Quick Searches list box for administrative users that you create after the upgrade. The same issue exists for searches available in the dashboard for these new admin users. Workaround: Load the search in the Edit Search screen and check: Include in my Quick Searches Include in my Dashboard Then click Filter.

15 Resolved Issues 15 Disk replication falling behind notifications are generated repeatedly due to asset updates. On the Dashboard, the system notification: Disk replication is falling behind warning is being generated multiple times for administrators. Multiple notifications for disk replication can occur on systems that are attempting to process large numbers of changes to the asset profile. The volume of changes to the Asset Profile causes the size of the replication to grow and the managed host falls behind on replication. When a managed host falls behind on replication, then the system notification is generated to inform the administrator of the condition. This condition might also generate transaction system notifications. For example, Transaction Sentry: Found an unmanaged process causing unusually long transaction that negatively effects system stability. Workaround: None. If a system notification is becoming a nuisance, the administrators can contact Juniper Customer Support for assistance on this issue. Dropped events due to assetprofiler and tunnel config using different configuration to get port information Events and flows are being dropped on the event pipeline causing a loss of visibility into JSA system notification events. Error found in qradar.log: [WARN] [NOT: ][ /- -] [-/- -]Unable toconnect to server java.net.protocolexception: Wrong protocol from java.nio.channels.socketchannel[connected local=/ :38999 remote=localhost/ :32002] Workaround: In an emergency situation, the database may be internally modified and a service may be restarted through the lead of a Juniper Customer Support.

16 16 JSA RELEASE NOTES Deleted reference sets that are defined as part of a building block might drop or store events Administrators might receive frequent notifications when a reference set, map, map of sets, or reference table is removed from the system that is included in a building block. When the reference set is removed, the system might start routing rules directly to storage. If a reference set that a rule or a building block refers to is deleted, then reference set rule test still tries to read from the reference set(s) when the rule or building block tests an event. When this occurs, the following notification is displayed: com.q1labs.semsources.cre.cre: [WARN] [NOT: ][IP Address/- -] [-/- -]Custom Rule Engine has sent a total of event(s) directly to storage event(s) were sent in the last 60 seconds. Queue is at 99 percent capacity. This issue can correspond with warning messages in /var/log/qradar.log related to expensive custom rules: com.q1labs.semsources.cre.cre: [WARN] [NOT: ][IP Address/- -] [-/- -]Expensive Custom Rules Based On Average Throughput in the last 60 seconds - BB:Application Access Control=10.94eps, BB:Data Access=11.39eps Workaround: If a reference set is deleted that affects a building block, it must be readded to correct the issue. The administrator must edit the affected rule, delete the rule test that contains the reference set, and readd the rule test with the new or updated reference set. Rule responses that send an offense summary notification might include an unresolvable address in the URL In the Rules Wizard, any rule response configured to send an offense summary to notify and address might send the notification with an improperly formatted URL. The improperly formatted URL contains an extra forward slash (/) after the IP address or host name of the console. For example, the URL from the system contains an extra forward slash: Address//console/qradar/jsp/QRadar.jsp?appName=Sem& pageid=offensesummary&summaryid=xxxxxx The URL should be formatted with a single forward slash (/) after the IP address of the console. Workaround: Users who receive an offense summary notification can edit the URL to remove the redundant forward slash.

17 Resolved Issues 17 Nullpointerexception error may cause all offenses to be closed when you deploy configuration changes When configuration changes are deployed, an issue might occur during process shutdown that will leave the offenses in an unrecoverable state. When this occurs a Soft SIM Reset is automatically triggered when the processes start again which will automatically close all open offenses. Workaround: None. Dispatched events do not contain mac address but the rule wizard allows to index offenses based on MAC When a rule response includes "Dispatch New Event", the created event inherits some information from the triggering event, but not all. Specifically, the Source MAC address is not populated though the Source IP/Port and Destination IP/Port are populated. Customer wishes to index the created Offense on the Source MAC, but the CRE event does not appear in the Offense (as it has 00:00:00:00:00:00 as the Source MAC). Two observations: 1 The options to "Index offense based on" (in the Ensure the dispatched event is part of an offense section) includes Source MAC Address. As this value is not propagated - it will always be NULL (and so, will not be part of an offense). 2 On the Log Activity, the CRE event in the list does have the Offense icon next to it - but this always pops up the The offense associated with this event has not yet been created, has been purged from the database, or you have reached your maximum number of offenses. message. We should copy source and destination MAC to the dispatched event. Instead of dispatching a new event to create the offense, just create an offense from the original event and index by MAC. Workaround: Instead of dispatching a new event to create the offense, just create an offense from the original event and index by MAC. Unable to open the deployment editor with Java update 51 or later If you have updated your desktop Java to update 51 or later you will be unable to open the deployment editor with default security settings. You will see the following error message in the java console: Missing required Permissions manifest attribute in main jar: Workaround: Where possible you can add the console url to the Exception Site list in Java settings.

18 18 JSA RELEASE NOTES Database transactions are timing out after 20 minutes when running reports Database transactions are timing out after 20 minutes when running reports. To recreate, schedule a report run and the PDF report completes but the output has columns with incorrect data and/or NA in the fields. The report should return the correct data in all fields. Workaround: If the report is not using accumulated data and is an aggregate report then correct that issue but if it is a table then unfortunately no known workarounds exist at this time. QFlow segfaults on IPv6 flows Flow processing is intermittently disrupted. When processing IPv6 flows, the QFlow executable can crash. It will be automatically restarted, but flow collection will be disrupted for a short period of time. Secondary symptoms may include core file accumulation and eventually disk space issues. Steps to recreate: Step 1 Copy the pcap file (/root/prosodie-pcpap5) into your local VM directory. Step 2 Create sflow type flow source through admin/flowsource screen. Step 3 Send sflow from another VM, through command:./tcpreplay -i eth0 -p 100 -l 0 -F -I (destination Mac -00:50:56:B4:63:DB) -e <IP address>:(destination ip) <IP address> /root/prosodie-pcpap5 Step 4 In another window, open another session, run the command: tail -f /var/log/qradar.log grep -i qflow The QFlow will have crashed and restarted. Workaround:Disable flow sources which handle ipv6 traffic, or If occasional gaps in flow processing are acceptable, it is possible to set up a job which removes core files. This will prevent the root filesystem from filling up. Please contact Juniper Contact Support for assistance.

19 Resolved Issues 19 Array index out of range error is displayed in place of a report chart After patching to some report charts will no longer be displayed in the generated report content. It will be replaced with "Array index out of range: #". The following error can also be seen in qradar.error: [report_runner] [main] com.q1labs.reporting.reportservices: [ERROR] [NOT: ][IP/- -] [-/- -]Unexpected error [report_runner] [main] java.lang.arrayindexoutofboundsexception: Array index out of range: 2[report_runner] [main] at com.q1labs.frameworks.nio.compositekey.getfor(compositekey.java :109)[report_runner] [main] at com.q1labs.cve.aggregation.props.aggregatedrecordkeyproperty.cr eatekey(aggregatedrecordkeyproperty.java:42) [report_runner] [main] at com.q1labs.cve.aggregation.props.aggregatedrecordkeyproperty.cr eatekey(aggregatedrecordkeyproperty.java:12) [report_runner] [main] at com.q1labs.cve.resultset.cveresultset.getobject (CVEResultSet.java:440)[report_runner] [main] at com.q1labs.cve.resultset.cveresultset.getstring (CVEResultSet.java:479)[report_runner] [main] at com.q1labs.cve.resultset.cveresultset.getstring (CVEResultSet.java:484)[report_runner] [main] at com.q1labs.dal.charts.sqlchart.getchartdatafortimeseries (SQLChart.java:204)[report_runner] [main] at com.q1labs.dal.charts.sqlchart.getchartdata (SQLChart.java:292)[report_runner] [main] at com.q1labs.dal.charts.abstractchart.createchart (AbstractChart.java:527)[report_runner] [main] at com.q1labs.dal.charts.sqlchart.<init>(sqlchart.java:118) [report_runner] [main] at com.q1labs.dal.charts.sqlchart.<init>(sqlchart.java:126) [report_runner] [main] at com.q1labs.reporting.charts.arielchart.processresultset (ArielChart.java:756)[report_runner] [main] at

20 20 JSA RELEASE NOTES com.q1labs.reporting.charts.arielchart.getdata(arielchart.java: 1452)[report_runner] [main] at com.q1labs.reporting.chart.getxml(chart.java:217) [report_runner] [main] at com.q1labs.reporting.report.createdata(report.java:251) [report_runner] [main] at com.q1labs.reporting.report.process(report.java:295) [report_runner] [main] at com.q1labs.reporting.reportrunner.main(reportrunner.java:235) To Recreate: 1 Create a search with 3 aggregate keys. 2 Make a report using the search using a bar chart (put time on xaxis), line (time is only x axis) stacked line (time is default), stacked bar (put time on x axis). Workaround: Switch the chart to a table. QFlow crashing on corrupt netflowv9 template If QFlow receives a netflow v9 template whose fieldcount is greater than the number of actual defined fields a segfault occurs causing qflow to abort and flow collection to stop. Workaround:Ensure proper netflowv9 templates are being sent by devices. The UI may become unavailable during periods of high system load and frequent user permission checks The UI may become unavailable if the console is under high load and multiple users are accessing components of the UI which require user permissions validation. The following can be found in qradar.log: Found a process on host <ip address>: tomcat, pid=1843,14732,14751,14727, TX age=646 secs TX on host <ip address>: pid=14751 age=645 IP= port=59944 locks=6 query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=ariel_query_handle age=645 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1'

21 Resolved Issues 21 Lock acquired on host <ip address>: rel=ariel_query_handle_uname_idx age=645 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=userrole age=645 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=users_username_key age=645 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=users age=645 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=ariel_query_handle_pkey age=645 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1' TX on host <ip address>: pid=14732 age=646 IP= port=59936 locks=6 query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=users_username_key age=646 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=userrole age=646 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=ariel_query_handle age=646 granted=t mode=accesssharelock

22 22 JSA RELEASE NOTES query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=ariel_query_handle_pkey age=646 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=users age=646 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1' Lock acquired on host <ip address>: rel=ariel_query_handle_uname_idx age=646 granted=t mode=accesssharelock query='select * FROM public.userrole WHERE id = $1' TX on host <ip address>: pid=14727 age=646 IP= port=59933 locks=6 query='select * FROM public.userrole WHERE id = $1' TX on host <ip address>: pid=1843 age=646 IP= port=40124 locks=4 query='select * FROM public.userrole WHERE id= $1' Workaround:None. Search based on reference set - with ignore case not working correctly If you create an AlphaNumeric Case Insensitive reference set and attempt to use it in a search filter, the search filter will not work as expected. For example, if the reference set is set to store usernames as case insensitive it will set them all to lower case before storing them. When the search filter is applied, it is not correctly setting the username in the event to lowercase before testing against the reference set. For this reason only events with lowercase values will match the reference set. Workaround:None.

23 Resolved Issues 23 JSA Vulnerability Manager upgrade excessive data migration time When performing a JSA Vulnerability Manager migration the patch remained on Applying mainpatch script (7/10) for a very long time. Patch completed successfully after 2.5 hours and in the patches.log file it appears it was migrating asset.model data that took 2.5 hours to do. The following is the query found in patches.log that took excessive time. At 17:14:45 the query started and the next entry in the log is at 19:45:56 Patch applied successfully! Wed Apr 2 17:14:45 CDT 2014: Added db changes from /opt/qvm/db/sql-qradar/q1_sync_qvmui_asset_data.sql Wed Apr 2 17:14:45 CDT 2014: psql -U qradar -p d qradar -v ON_ERROR_STOP=1 -c SELECT * FROM qvmui.sync_with_asset_model() NOTICE: Inserted assets and IPs, updated display names NOTICE: Inserted 0 networks in qvmui.vuln_mgt_netowrk NOTICE: Inserted 0 openservices in qvmui.vuln_mgt_openservices NOTICE: Inserted 0 vulns in qvmui.vuln_mgt_vulnerability NOTICE: Inserted 0 rows into qvmui.vuln_mgt_vuln_network_xref NOTICE: Inserted 0 rows into qvmui.vuln_mgt_vuln_open_services_xref NOTICE: Inserted 0 rows into qvmui.vuln_mgt_open_services_asset_xref sync_with_asset_model Wed Apr 2 19:45:56 CDT 2014: Patch applied successfully! The migration did complete successfully and the error logs also indicate no errors occurred.

24 24 JSA RELEASE NOTES Issues resolved in JSA Patch 1 The following issues are resolved in JSA Patch 1: Error message might be displayed when you sort the annotation pane by the time parameter An error message might be displayed when you sort the Annotation pane by the Time parameter. The following error message is displayed: An error has occurred. Refresh your browser (press F5) and attempt the action again. If the problem persists, please contact customer support for assistance. Workaround:None. Non-administrator user roles that do not include the maintain custom rules privilege display a rule disabled message Non-administrator users who have user roles for Offenses, Log Activity, and Network Activity without the Maintain Custom Rules check boxes selected might see an error when they attempt to view a rule. This user role configuration displays a popup error that states the following message: This rule will be disabled The message that is displayed to the user does not seem to provide the correct text as the user role contains the View Custom Rule permission. Workaround: None.

25 Resolved Issues 25 Hostcontext & Tomcat may not function properly due to special characters in the global configuration password After upgrade to , or restoring a config backup, hostcontext & Tomcat may not function properly. You may see the following error in /var/log/qradar.log: Caused by: java.lang.runtimeexception: There were errors initializing your configuration: <openjpa snapshot-runknown fatal user error> org.apache.openjpa.util.userexception: A connection could not be obtained for driver class "com.mchange.v2.c3p0.combopooleddatasource" and URL "null". You may have specified an invalid URL. at org.apache.openjpa.jdbc.schema.datasourcefactory. newconnectexception(datasourcefactory.java:255) Workaround: Go to the System Configuration (webmin) section on port and change the Global Configuration Password to a simple string that does not contain special characters. This needs to be done for all hosts in the deployment. Tomcat service threshold for maximum number of clients might be reached when adding managed hosts If the number of managed hosts in your deployment exceeds a certain threshold, the Tomcat service may indicate that you have reached the maximum number of clients. Workaround: None. For more information, contact Juniper Customer Support. Error occurs when investigating events on the offenses tab when using the Microsoft Internet 8 web browser If you use the Microsoft Internet 8 web browser, an error occurs when you investigate events from the Offenses tab. When you click the Events icon on an offense summary page, the list of corresponding events do not display. A javascript error is displayed. Workaround:None.

26 26 JSA RELEASE NOTES Errors may occur when performing a search grouped or sorted on a custom property Exceptions or possible Out Of Memory errors may occur when you perform a search that is grouped by or sorted on a custom property whose value may be greater than 1024 characters. A typical example would be grouping the a URL custom property that contains the entire request. An example exception from qradar.log: [ariel.ariel_proxy_server] [idle_ariel_client:query:] java.lang.runtimeexception: java.lang.classnotfoundexception: ad.doubleclick.net/adi/ebay.ebayus.vip/mpu... com.q1labs.core.shared.ariel.nullableobject.fromstring(nullable Object.java:67) com.q1labs.core.shared.ariel.nullableobjectkeyserializer.put( NullableObjectKeySerializer.java:67) com.q1labs.core.shared.ariel.nullableobjectkeyserializer.put (NullableObjectKeySerializer.java:14) com.q1labs.cve.aggregation.aggregatedrecordpropertyaccessor. put(aggregatedrecordpropertyaccessor.java:60) com.q1labs.cve.aggregation.aggregatedrecordcursormapping.put (AggregatedRecordCursorMapping.java:55) com.q1labs.cve.aggregation.aggregatedrecordcursormapping.put (AggregatedRecordCursorMapping.java:12) com.q1labs.frameworks.nio.recordmanager.write(recordmanager. java:235) com.q1labs.ariel.cursoruniquekey.writerecord (CursorUniqueKey.java:322)

27 Resolved Issues 27 com.q1labs.ariel.cursoruniquekey.add_(cursoruniquekey.java:142) com.q1labs.ariel.cursoruniquekey.finishadding (CursorUniqueKey.java:131) com.q1labs.ariel.cursoruniquekey.close (CursorUniqueKey.java:181) com.q1labs.ariel.query.query.afterexecute(query.java:119) com.q1labs.ariel.query.query.execute(query.java:221) com.q1labs.ariel.query.query.call(query.java:251) com.q1labs.ariel.query.query.call(query.java:29) java.util.concurrent.futuretask$sync.innerrun (FutureTask.java:303) java.util.concurrent.futuretask.run(futuretask.java:138) java.util.concurrent.threadpoolexecutor$worker.runtask( ThreadPoolExecutor.java:886) java.util.concurrent.threadpoolexecutor$worker.run (ThreadPoolExecutor.java:908) java.lang.thread.run(thread.java:662) [ariel.ariel_proxy_server] [idle_ariel_client:query:] Caused by:java.lang.classnotfoundexception: ad.doubleclick.net/adi/ebay.ebayus.vip/mpu... java.lang.class.forname0(native Method)

28 28 JSA RELEASE NOTES java.lang.class.forname(class.java:169) com.q1labs.core.shared.ariel.nullableobject.fromstring (NullableObject.java:57) [ariel.ariel_proxy_server] [idle_ariel_client:query:] more Workaround: None. Exception occurs when you add a rule for a custom property that contains an ampersand When you add a rule test for a custom property that contains an ampersand (&), an exception is logged in qradar.log and the custom property does not get added to the rule. Workaround: None. Wincollect agents, schedules, or destinations might display incorrect counts and sort incorrectly in the user interface On the WinCollect page of the Admin tab, the user interface might display an incorrect agent count and column headings might not sort properly in the user interface. This issue can occur for lists of WinCollect agents, schedules, or destinations. When the agent count issue occurs, the user interface might display the text, "Displaying 0 to 0 of 0 items" when the actual agent count should be displayed for the page. This issue can make sorting the agent list difficult for administrators. Workaround: None. Log sources might display duplicate events when a single log source forward events to multiple event processors In the Log Activity tab, duplicate events can be recorded when a network security appliance forwards events to multiple managed hosts that are capable of processing events. This issue can also lead to each indivdual managed host automatically discovering the log source and causing the system to generate duplicate log sources.

29 Resolved Issues 29 This issue might occur when a load balancing system is placed between network security appliances forwarding events and managed hosts in the deployment that are responsible for processing events. The load balancer attempts to manage the event load, which causes duplicate events or unexpected log sources in the system. Workaround: None. Event rules that match events to a function counter rule test might not dispatch multiple offense as expected In the Rule Wizard, event rules that use function - counters to dispatch an offenses with the event might not generate multiple offenses as expected. The system generates the first offense when the rule is triggered. However, additional offense are not dispatched when enough events occur to trigger the rule test multiple times. Function - counter rules are used to track events that occur over a time span. For example, you can specify a rule to dispatch an offense when rule (A) matches (X) times in (Y) minutes. To ensure that the a function - counter rule dispatches offenses, you can update your rule to match against an additional event property. Workaround: To ensure that the a function - counter rule dispatches offenses, you can edit your rule to match against an event property. Procedure: Step 1 In the Rules Wizard, edit your rule to include a rule test with an event property. For example, use the rule: When rule (A) matches (X) times with the same event property (B) in (Y) minutes. Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Configure an event property in the new rule, such as Source IP. Click Next. Select the Dispatch New Event check box. Select the Ensure the dispatched event is part of an offense check box. In the Index offense based on list, select Source IP or the property you selected in Step 2. Click Finish. The event when triggered dispatches offenses as expected. If you continue to have issues with event rules, contact Juniper Customer Support. Workaround: None.

30 30 JSA RELEASE NOTES Cisco ASA devices that send netflow v9 information might report the first packet time correctly On the Network Activity tab, flow sources that use Netflow v9 might display the wrong time for a flow. This issue is due to the configuration of the Internet Protocol Flow Information Export (IPFIX) template where Cisco ASA is not sending the FIRST_SWITCHED fields correctly. When the first packet time is not provided correctly, this can cause issues in when calculating flow start and end times. Since the templates on Cisco ASA cannot be modified, QFlow needs to be able to adapt to the time values specified. Workaround: None. Quick search fails first time after a filter and time range were applied On Log Activity tab, pause the streaming events add a log source filter. Then, select a time range from View list box. Type a search string in Quick Search field and press Enter. The search completes, but no events are removed from the display. If you add another quick search, both the original and current Quick Search filters are applied. This issue only occurs when a time range is selected from the View list box. Workaround: None. Unable to print offense details On the Offenses tab, the Print icon on the offense details page does not function. Workaround: None. There is no audit entry when 'flow log hashing' is modified in the admin tab If a user modifies the value of 'Flow Log Hashing' in System Settings of the Admin Tab there is no audit entry to indicate they have done so. Workaround: None. The deployment editor window fails to open when you use Java 7 (1.7) and the microsoft internet explorer 8 or 9 web browser If you use the Microsoft Internet Explorer 8 or 9 web browser, the Deployment Editor window fails to open. The version of Java is incompatible; however, the error message that is displayed does not advise you that the Java version is incompatible. Workaround: Contact Juniper Customer Support.

31 Resolved Issues 31 Data backups occur for the console even when event data and flow data are unchecked If you have chosen Configuration and Data Backups for your deployment in the Backup and Recovery screen you may notice that data backups are generated for the console even if you have unchecked Event Data and Flow Data. This occurs because the console contains other Data items that are currently not optional. These items include generated report data, indices, reference set elements, and audit log. Workaround: None. Custom rule tests that are based on geographic region not working as expected Geography-based rule tests do not function properly. The tests should detect two remote-sourced connections with the same user name but from different continents. Offense generated from this rule test includes events that have two remote-sourced connections from the continent but are from different countries. Workaround: None. Source if index and destination if index column values from a flow might display an incorrect interface value On the Network Activity tab, the columns Source IF Index and Destination IF Index might display incorrect or unexpected values for the unique number assigned to an interface. This issue can be determined by viewing the values displayed on the Network Activity tab to the flow details of an individual flow to determine if the source or destination index value differs. Administrators with root access can also use tcpdump to compare against the user interface. Workaround:None. Offense rule test might not function correctly Offense rules that use the when the offense matches any of the following offense rules test might not function correctly and the following exception message might be displayed in the error log: Failed to initialize" com.q1labs.sem.magi.cre.tests.offensetestloggingdecorator"

32 32 JSA RELEASE NOTES "Accumulated Data is not available" error in generated report only when using table view Some reports based using table charts may display Accumulated Data is not available when it is actually available. Here is the associated error in qradar.log: [report_runner] [main] com.q1labs.reporting.reportservices: [WARN] [NOT: ][ /- -] [-/- -]Error occurred creating Accumulated Result Set. Trying to fall back to raw query if possible. [report_runner] [main] java.lang.illegalargumentexception: keycreator should not be null [report_runner] [main] at com.q1labs.frameworks.nio.sortorder.<init>(sortorder.java:31) [report_runner] [main] at com.q1labs.frameworks.nio.sortorder.<init>(sortorder.java:26) [report_runner] [main] at com.q1labs.ariel.queryparams.setsortorder(queryparams.java:316) [report_runner] [main] at com.q1labs.reporting.charts.arielchart.getdata (ArielChart.java:1347) [report_runner] [main] at com.q1labs.reporting.chart.getxml(chart.java:212) [report_runner] [main] at com.q1labs.reporting.report.createdata(report.java:238) [report_runner] [main] at com.q1labs.reporting.report.process(report.java:281) [report_runner] [main] at com.q1labs.reporting.reportrunner.main(reportrunner.java:176) Workaround: None.

33 Resolved Issues 33 Log Analytics contains two unnecessary system settings On System Settings window for Log Analytics , the following system settings are not required: Attacker Retention Period Target Retention Period Workaround: Ignore these settings. They have no impact on your system. The deployment editor window fails to open when you use Java 7 (1.7) and the google chrome web browser On the Admin tab, the Deployment Editor interface might not open as expected due to an issue with Google Chrome. When this issue occurs, the Deployment Editor should display an error, "Unable to Detect Java", but the error message is not displayed in Chrome and the user interface appears to take no action. This issue has been reported by users on Google Chrome v Workaround: Until the issue is resolved, administrators who experience this problem can make any changes in the Deployment Editor using Mozilla Firefox. Server discovery displays an error message when the building block for the host definition contains a CIDR address On the Assets tab, Server Discovery is used to locate network assets that are likely servers by examining the default ports that are open on the asset. The port examination returns a list of assets that matches the defined ports. When the building block in the Server Type Definition field is edited to contain a CIDR address, an application error might be displayed. The following error message is present in /var/log/qradar.error when the application error occurs: com.q1labs.uiframeworks.action.exceptionhandler: [ERROR] [NOT: ][IP address/- -] [-/- -]Root cause: java.lang.numberformatexception: Value out of range. Value:" " Radix:10 java.lang.short.parseshort(short.java:119) java.lang.short.parseshort(short.java:143) com.q1labs.core.dao.util.host.parseunsignedbyte (Host.java:18 6 ) com.q1labs.core.dao.util.host.parseipaddress(host.java:167) com.q1labs.core.dao.util.host.parseipaddress(host.java:118) com.q1labs.core.dao.util.host.<init>(host.java:96) com.q1labs.core.dao.util.cidrnetwork.contains