STEALTHWATCH SYSTEM VERSION RELEASE NOTES


Cisco Systems, Inc. All Rights Reserved.

This document provides the following information:

- What's New
- What's Been Fixed summarizes fixes made for issues reported by customers:
  o Version
- Known Issues in this release.

For additional information about the Stealthwatch System, go to the Lancope Customer Community web site (

For a list of alarm types and their IDs, access the Alarm IDs file. You can also access this document via the Alarm List topic in the SMC Client Interface online help.

Important:

- For enhanced security, before you add a Flow Collector or Flow Sensor in the System Setup Tool, you must first create a management channel between the Flow Collector and/or Flow Sensor and the Stealthwatch Management Console (SMC). If you have not done this, you will receive an error message when you try to add either appliance in the System Setup Tool. The specific instructions are on page 43 in the Stealthwatch Management Console VE and Flow Collector VE Installation and Configuration Guide or page 15 in the Hardware Configuration Guide.
- If your Stealthwatch System is v6.9.0 or v6.9.1, install the latest/any required rollup patch files on Stealthwatch's Download and License Center,
- If your Stealthwatch System is v6.9.2, the rollup patch is not required to upgrade to v6.10.
- If FIPS mode was enabled in an earlier version of software (prior to v6.10), disable FIPS mode before you update the software to v6.10.
- The following non-admin access modifications have been made:
  o For any versions prior to v6.10, a non-admin user without an assigned function role can access the SMC Web App but cannot access the SMC client interface. Once an admin user assigns a non-admin user a function role, that user will also be able to access the SMC client interface.

  o Beginning with v6.10, a non-admin user cannot access the SMC client interface or the SMC Web App until assigned a function role.
- For increased security, we recommend updating the IDentity 1000/1100 appliance to v3.3.0.x to take advantage of the new OpenSSL version with TLS 1.2.

Notes:

- This document uses the term "appliance" for any Stealthwatch System product, including virtual editions (VEs) such as the Flow Collector VE.
- The Stealthwatch System requires Java version 8 (v1.8) or later.
- The Stealthwatch System requires TLS v1.1 or later.
- The Stealthwatch System supports Internet Explorer v11 and later.
- Previously, setting a security event to "disabled" disabled the event; now, disabling it disables the alarm.
- To view the supported hardware platforms for each system version, refer to the Hardware and Version Support Matrix on the Customer Community.

What's New

These are the new features and improvements for the Stealthwatch System v release:

- Cognitive Analytics cloud engine updates
- New Stealthwatch System APIs
- New Interfaces page in the Stealthwatch Web App Interface
- Top Host Groups by Traffic component on the Host Groups Report
- Security Events
- New Flow Search features
- Flow Search Results expansion panel
- Top Report Jobs and Flow Searches queues
- Expansion and universal performance of the context menu
- New filter rules for the Flow Search Results page
- Non-admin access privileges
- Updated FIPS Compliance
- New data storage recommendations

- New software update process
- KVM host for virtual appliances
- Enhanced licensing alerts and notifications

Cognitive Analytics cloud engine updates

Notes:

- You must have Cisco Cognitive Analytics configured on your Stealthwatch System to use these features.
- Cognitive Analytics quickly detects suspicious web traffic and/or Stealthwatch flow records and responds to attempts to establish a presence in your environment and to attacks that are already under way.
- For more information about Cognitive Analytics, go to their website, their documentation, or the configuration guide.
- Cognitive Analytics is only available for the default domain or site within Stealthwatch; multiple domains or sites are not supported.

Advanced Stealthwatch flow record classification capability and lateral services monitoring

Enhanced anomaly detection

Cognitive Analytics added a new set of anomaly detectors for Stealthwatch flow records based on global reputation and TLS features. This enhancement improves contextual information of individual incidents and increases the efficacy of the detection engine.

New types of incidents

Cognitive Analytics added a new set of classifiers for detecting:

- Stealthy Command and Control communication channels by analyzing long-term behavior of users and devices.
- Unexpected DNS usage caused by DGA-based malware or data tunneling.
- Malicious SMB service discovery typical for fast-spreading malware such as WannaCry.

Following is an example screen shot of a malicious SMB service discovery incident; note that the infected user is contacting unexpected server IP addresses and countries with SMB service protocol:

Following is an example screen shot of unexpected DNS usage, caused by DGA-based malware or data tunneling; note that the user has an abnormally high number of DNS requests, valid or invalid, and transfers a large amount of data in both directions:

Enhanced P2P analytics

The new detection mechanism is able to detect BitTorrent clients in the network. The detection is independent of used ports and transferred data, as well as any other network flow statistics. Therefore, the detector is able to detect active BitTorrent clients in the network that use nonstandard (randomized) ports and do not actively participate in file sharing activity.

Following is an example screen shot of a torrent incident; note that the user is contacting 972 server IP addresses:

Enhanced data filtering

The data sent to the Cognitive Analytics engine is filtered so that only flow records that cross the network perimeter are sent to the cloud. This filter is based on the Host Groups configuration: the flows that are going from the inside to outside host groups are sent for analysis (plus DNS request flows, which are sent even for internal DNS servers).

The enhancement in v6.10 adds the possibility for the user to modify the data that is sent by adding internal host groups to be monitored by the Cognitive Analytics engine. By configuring an internal host group to send Stealthwatch flow records, the user adds additional data to be sent to the cloud for analysis. Adding specific host groups to Cognitive Analytics monitoring is especially useful for company internal servers: adding traffic from the end users to those servers can improve visibility of the exposure of data that can be potentially misused by malware running on the affected devices.
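The filter described above, modelled as an added example (not Cisco's implementation): it labels each flow record as sent because it crosses the perimeter, is DNS, or touches a monitored internal host group, which helps when auditing what telemetry leaves the network. The host group names, CIDR ranges, sample flows, the `CloudExportFilter` class and the port-53 test for DNS are assumptions of this sketch.

```python
"""Added example: which flow records are sent to the cloud for analysis.

Host groups, addresses and flows below are constructed for illustration.
Assumptions: DNS is recognised by destination port 53, and a flow crosses
the perimeter when exactly one endpoint is in an Inside host group.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


class CloudExportFilter:
    def __init__(self, inside_groups, monitored_internal=()):
        # inside_groups: {"host group name": ["cidr", ...]}
        self.inside = {name: [ip_network(c) for c in cidrs]
                       for name, cidrs in inside_groups.items()}
        self.monitored = set(monitored_internal)
        unknown = self.monitored - set(self.inside)
        if unknown:
            raise ValueError(f"not an Inside host group: {sorted(unknown)}")

    def groups_of(self, ip):
        """Names of the Inside host groups that contain this address."""
        addr = ip_address(ip)
        return {name for name, nets in self.inside.items()
                if any(addr in net for net in nets)}

    def reason(self, flow):
        """Why a flow is sent to the cloud, or None if it stays local."""
        src, dst = self.groups_of(flow.src), self.groups_of(flow.dst)
        if not src and not dst:
            return None                    # neither endpoint is Inside
        if flow.dst_port == 53:
            return "dns"                   # sent even for internal DNS servers
        if bool(src) != bool(dst):
            return "perimeter"             # one endpoint Inside, one Outside
        if (src | dst) & self.monitored:
            return "monitored-internal"    # v6.10: opted-in internal group
        return None


def reasons(flows, flt):
    """One entry per flow: the export reason, or None when not exported."""
    return [flt.reason(f) for f in flows]


# Constructed sample data (RFC 1918 and documentation address ranges).
INSIDE_GROUPS = {
    "Users": ["10.10.0.0/16"],
    "Servers": ["10.20.0.0/24"],
    "DNS": ["10.30.0.53/32"],
}
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "203.0.113.10", 443),   # user to internet
    Flow("10.10.1.5", "10.30.0.53", 53),      # user to internal DNS server
    Flow("10.10.1.5", "10.20.0.8", 445),      # user to internal file server
    Flow("10.10.1.5", "10.10.2.9", 22),       # user to user
    Flow("198.51.100.7", "192.0.2.1", 80),    # no Inside endpoint
]

if __name__ == "__main__":
    for label, monitored in (("default", ()), ("Servers monitored", ("Servers",))):
        flt = CloudExportFilter(INSIDE_GROUPS, monitored)
        print(label, reasons(SAMPLE_FLOWS, flt))
```

Comparing the two runs shows the only change from opting in the Servers group: the user-to-server SMB flow is now exported, while user-to-user traffic still stays local.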

Following is a telemetry processing diagram for Lateral Services NetFlow from selected host groups:

New Stealthwatch System APIs

More APIs have been written for v6.10. For more information, see Stealthwatch System APIs.

The following three APIs are being deprecated and will be removed at some point in the future:

- GET /domains/{domainid}/exporters/{flowcollectordeviceid}/{exporterip}/{interface}/interfaceapplicationtraffic
- GET /domains/{domainid}/hostgroups/dashboard
- GET /domains/{domainid}/hostgroups/{hostgroupid}/applicationtraffic

New Interfaces page in the Stealthwatch Web App Interface

Use this page to view the inbound and outbound interface traffic for a domain since the last reset hour. You can analyze the data to assess the possibility of an attack or other threats against your network and devices. Some examples of the information you can see are as follows:

- Current Utilization
- Maximum utilization
- Average utilization
- Threshold percentage reached
- Speed of traffic

You can filter the results by choosing to include or exclude specific Flow Collectors and exporters. From this page, you can run a flow search or any of the interface top reports. To do this, click the context menu next to the applicable Interface or Exporter IP to access the relevant options.

If you expand a row, you can see more details about that particular entry as well as view the following graphs:

- Top Application Traffic (bps)
- Packets (pps)
- Utilization

In the Details section, you can view alarms that have been triggered since the last reset hour. The colored circle next to an alarm name represents the highest severity for that alarm since the last reset hour. The numeral denotes the number of times the alarm has been triggered since the last reset hour.

Icon Color    Alarm Severity
Red           Critical
Orange        Major
Yellow        Minor
Dark Blue     Trivial
Light Blue    Informational

From within these graphs, you can access a context menu and run flow search or any of the interface top reports. To do this, click a point in the graph and select the appropriate selection from the context menu.

To view historical graph data, click the drop-down list to the right of the Utilization check box and select the desired time frame. The time span (length of time between the FROM and TO fields) must be 24 hours or less.

Click the Utilization check box to display an overlay of the Utilization graph on either the Application or Packets graph (whichever is displayed). This gives you the ability to compare utilization data with either top application or packets data.

Top Host Groups by Traffic component on the Host Groups Report

This component displays the top 10 Inside and Outside host groups with which the current host group (displayed in the middle of the graph) has communicated within the last 12 hours. From this component, you can access the context menu from which you can run a flow search associated with particular host groups or run a top report to conduct a deeper analysis of specific areas of interest.

The title bar includes the last time this component was updated. When you access this page, the Stealthwatch System checks to see if this component has been loaded within the last hour. If this has not occurred, the Stealthwatch System queries the Flow Collector to populate the graph. If the component has been loaded within the last hour, the cached data is displayed. When you click Update, the Stealthwatch System queries the Flow Collector and populates the graph with the latest data.

At the bottom of this component you can see the number of additional host groups over 10 (outside of both the Inside and Outside host groups) with which the current host group has communicated as well as the percentage of total traffic they represent. This allows you to view the percentage of total traffic that the top 10 Inside and Outside host groups represent.

Security Events

Important: Please be aware of the following information when working with security events:

- Security Events shown in the SMC Web App and returned using the Security Event API are limited to a Max Records Returned of 2,000. These new queries pull from a larger data set than the existing default 2,000 records returned using the security event queries in the SMC client interface. This may result in a difference in the number of returned records between the SMC Web App and the SMC client interface. The SMC Web App may return events with higher index points. If you want to retrieve the same events in the SMC client interface, you may need to increase the number of requested records.
- When reviewing the Target tab of the Top Security Events Widget for a host, note that all security events triggered prior to a v6.10 install may show a TI point value of 0 (zero) until the first reset hour after deployment.
- When you click the arrow beside a security event entry in the Security Events Table, you can now see a description of the security event. Note that until your Stealthwatch System has run on v6.10 for approximately a week, this additional information will not yet be present in all scenarios (the Alarms by Type widget can typically retrieve information from the previous seven days).

Top Security Events table component now on the Host Report

This component displays the top ten security events (whether or not they have caused any alarms to fire) on two different tabs: one where the host is the source and one where the host is the target. The security events are sorted by volume of Concern Index (CI) points for the host when it is the source and by volume of Target Index (TI) points for the host when it is the target. These index points are those that have been active on your network since the last reset hour.

From this component, you can pivot to the Security Events table to view all security events for a host that have been active on your network since the last reset hour.

This component is more valuable than the Host Snapshot (provided in the SMC client interface) since it captures the highest concerning security events since the last reset hour (whereas the SMC client interface captures only the highest concerning active events).

Additional information available in the Security Events Table

When you click the arrow beside a security event entry in the Security Events Table, you can now see a description of the security event. Additionally, depending on the security event type, other details may be displayed in the expanded section (e.g., packet rate, protocol, port, tolerance). Detailed information is not provided for every security event type, since the details of many events are the event itself (e.g., Ping Scan).

New Flow Search features

The following now applies to the Flow Search page:

- The Flow Search page contains many of the same fields that are currently available in the Stealthwatch Management Console client interface.
- Excluded search criteria now appear in a black (it used to be red) text box at the top of the page.
- New option in the Connections section
  o Port/Protocol - This option has been moved from the Subject and Peer sections to the Connection section. Now you need only perform one search when you know that a particular IP address has been involved in a conversation over a given port, but you do not know if this host was the subject or peer. In prior releases, you had to perform one search for the Subject and then one for Peer.
- New options in the Advanced section are now available when building a flow search:
  o Flow Direction - Select the direction of traffic for which you want the search to return results: All, Bidirectional, or Unidirectional.
  o Include Interface Data - Select this option if you want to view interface data related to the search parameters returned for a flow search.
  o Filter By Flow Action - Select which flows you want flow results to include: Permitted, Denied, or Permitted and Denied.

  o Exporters & Interfaces - Select the exporters and/or interfaces by which you want to filter the flow search results.
- You can export filtered results for a flow search (as opposed to all of the results).
- If you included certain criteria (marked by an informational icon on the page) in your flow search or run a flow search with a Max Records Returned of 20,000 or more (whose results can only be viewed by downloading them to a .csv file), you cannot cancel a flow search before it is complete or see what percentage of the job has run thus far. In this case, the Flow Search Results page simply displays the status of 0% Complete until the search finishes, at which time the status of 100% Complete is displayed.
- For a flow search request with a Max Records Returned of 20,000 or more, both the search and the results are retained on the Job Management page for 7 days from the time the job completed.
- You can perform a flow search for up to 400,000 flows in one search.

Flow Search Results expansion panel

The Flow Search Results page now contains an expansion panel that includes the following information:

- The General tab contains general information (e.g., packets, bytes, and payload) about the associated flow result. To view detailed proxy records, click the View URL Data link located at the top of the Subject section within this tab.
- The Interface tab contains detailed information about the interfaces associated with the associated flow result. (You must select the Include Interface Data check box on the Flow Search page to enable the Interfaces tab to be displayed.)

Top Report Jobs and Flow Searches queues

- All top report jobs and flow searches with a Max Records Returned of 10,000 or less are run in a different queue from that of flow searches with a Max Records Returned of 20,000 or more.
- You can run a maximum of four jobs at the same time if the Max Records Returned for each of these jobs is 10,000 (it used to be 2,000) or less. It does not matter what the Records Returned value is for a top report job.
- You can run only one flow search at a time if the Max Records Returned is 20,000 or more.
- If you start additional top report jobs or flow searches during this time (for either of these two categories of flow searches), they will be placed in their respective queue with a Pending status.

Expansion and universal performance of the context menu

For your convenience, context menu placement has been increased throughout the SMC Web App. To access the context menu, do one of the following:

- Click the ellipsis beside the applicable IP address.
- Click the ellipsis in the Actions column of a data table or configuration table.
- Click a point in a graph. Exceptions are as follows:
  o For the Traffic by Peer Host Group graph on the Host Report page and the Top Host Groups by Traffic graph on the Host Group Report page, you must click a host group, a column, or the line between two host groups.

Use the information at the bottom of the context menu to identify the context for that menu's actions. Depending on relevant positioning, you can do a combination of the following using the context menu:

- Run or configure a flow query.
- Run or configure an associated flows query.
- Run or configure a top report query.
- Perform an external lookup.

- Perform a packet query.
- Modify a configuration.
- Navigate to related configuration pages.

New filter rules for the Flow Search Results page

The following filter rules now apply to the Flow Search Results page:

- When entering multiple criteria in one field, leave a space between each entry.
- To exclude an item, preface the entry with an exclamation point.
- Return results including a portion of an alphanumeric entry: Enter HTTP to return flows containing HTTP, HTTPS, HTTP (unclassified) and HTTPS (unclassified).
- Exact alphanumeric match: "HTTP" (You do not have to use quotation marks for numeric data to return an exact match.)
- Use K, M, G, and T for units of measurement: 10M
- You can use >, >=, <, <= with numeric entries: >=5min
- Use hr, min, and s for time entries. Examples: 3hr15min0s; 2hr; 29min59s
- Range of data: 50M-100M

Non-admin access privileges

For any versions prior to v6.10, a non-admin user without an assigned function role can access the SMC Web App but cannot access the SMC client interface. When an admin user assigns a non-admin user a function role, that non-admin user can then access the SMC client interface.

Beginning with v6.10, an admin user must assign a non-admin user a function role to enable that non-admin user to access the SMC client interface and the SMC Web App.

Updated FIPS Compliance

The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by United States federal government agencies, contractors, and other organizations that process information using a computer or telecommunications system on behalf of the federal government to accomplish a federal function.

For updated FIPS compliance, update all user passwords and enable FIPS mode on every appliance in the Stealthwatch System. FIPS mode is disabled by default.
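An added example, not Cisco's parser, of the Flow Search Results filter rules listed earlier on this page (under "New filter rules for the Flow Search Results page"), applied offline to rows such as an exported .csv would contain. It assumes decimal K/M/G/T multipliers, inclusive ranges, case-insensitive text matching, OR between the space-separated entries of one field and AND between fields; the sample rows and all function names are constructed.

```python
"""Added example: one reading of the Flow Search Results filter syntax."""
import re

# Assumption: K/M/G/T are decimal multipliers; durations resolve to seconds.
UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
_NUMBER = re.compile(r"(\d+(?:\.\d+)?)([KMGT]?)$")
_DURATION = re.compile(r"(?:(\d+)hr)?(?:(\d+)min)?(?:(\d+)s)?$")
_TOKEN = re.compile(r'!?"[^"]*"|\S+')   # keeps a quoted entry in one piece
_COMPARE = {">": lambda v, n: v > n, ">=": lambda v, n: v >= n,
            "<": lambda v, n: v < n, "<=": lambda v, n: v <= n}


def _is_num(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def to_number(text):
    """Value of '10M' or '3hr15min0s' as a number; None if not numeric."""
    m = _NUMBER.match(text)
    if m:
        return float(m.group(1)) * UNITS[m.group(2)]
    m = _DURATION.match(text)
    if m and any(g is not None for g in m.groups()):
        return float(sum(int(g) * k
                         for g, k in zip(m.groups(), (3600, 60, 1)) if g))
    return None


def parse_entry(token):
    """Turn one entry into (negated, predicate over a cell value)."""
    negated = token.startswith("!")
    body = token[1:] if negated else token
    if len(body) >= 2 and body[0] == body[-1] == '"':        # exact text
        want = body[1:-1].lower()
        return negated, lambda v: str(v).lower() == want
    m = re.match(r"(>=|<=|>|<)(.+)$", body)
    if m and to_number(m.group(2)) is not None:              # comparison
        op, n = _COMPARE[m.group(1)], to_number(m.group(2))
        return negated, lambda v: _is_num(v) and op(v, n)
    lo, sep, hi = body.partition("-")
    if sep and to_number(lo) is not None and to_number(hi) is not None:
        a, b = to_number(lo), to_number(hi)                  # range
        return negated, lambda v: _is_num(v) and a <= v <= b
    n = to_number(body)
    if n is not None:                                        # exact number
        return negated, lambda v: _is_num(v) and v == n
    return negated, lambda v: body.lower() in str(v).lower() # partial text


def matches(field_text, value):
    """Apply every entry typed into one filter field to one cell value."""
    terms = [parse_entry(t) for t in _TOKEN.findall(field_text)]
    include = [p for neg, p in terms if not neg]
    exclude = [p for neg, p in terms if neg]
    if any(p(value) for p in exclude):
        return False
    return not include or any(p(value) for p in include)


def filter_rows(rows, filters):
    """Keep rows whose every filtered column matches (AND between columns)."""
    return [r for r in rows
            if all(matches(text, r[col]) for col, text in filters.items())]


# Constructed rows: bytes as a plain count, duration in seconds.
SAMPLE_ROWS = [
    {"application": "HTTP", "bytes": 52_000_000, "duration": 120},
    {"application": "HTTPS", "bytes": 75_000_000, "duration": 4000},
    {"application": "HTTP (unclassified)", "bytes": 900, "duration": 30},
    {"application": "DNS", "bytes": 12_000_000, "duration": 11700},
]

if __name__ == "__main__":
    for flt in ({"application": "HTTP !HTTPS"},
                {"application": '"HTTP"'},
                {"application": "HTTP", "bytes": "50M-100M"},
                {"duration": ">=5min"}):
        print(flt, [r["application"] for r in filter_rows(SAMPLE_ROWS, flt)])
```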
The procedure includes updating user passwords, updating the appliance software to version 6.10, installing your own FIPS compliant certificate (optional), and restarting the appliance. It is important to enable FIPS mode at a time that will cause the least amount of disruption.

If FIPS mode was enabled in an earlier software version (prior to 6.10), disable FIPS mode before you update the software.

The following features are not available when FIPS mode is enabled: TACACS, Radius authentication.

For details, log in to the Admin Appliance. Select Configuration > Global Settings > Help.

New data storage recommendations

The data storage recommendations have been updated for the installation of Stealthwatch virtual appliances. Review the following table and see the Data Storage section of the Stealthwatch Management Console VE and Flow Collector VE Installation and Configuration Guide to expand the data storage manually.

Stealthwatch VE Model                      Minimum Data Storage
Stealthwatch Management Console VE         100 GB
Stealthwatch Management Console VE 2000    200 GB
Flow Collector NetFlow VE                  200 GB
Flow Collector NetFlow VE 2000             600 GB
Flow Collector NetFlow VE 4000             1.5 TB
Flow Collector sflow VE                    100 GB
Flow Collector sflow VE 2000               600 GB
Flow Collector sflow VE 4000               1.5 TB
Flow Sensor                                50 GB
UDP Director                               50 GB

New software update process

The System Management page and appliance software update process have improved. These improvements are available in software version

Note: The changes to the System Management page and software update process are available after you update the appliance software to version

For performance improvement and file handling, we've removed the ability to upload the System SWU, and we've added the ability to upload individual appliance SWUs for each appliance type.

If you have a Flow Collector 5000 series appliance installed, the engine and database can be updated from the System Management page. Use the Stealthwatch Software Update Guide for complete instructions. It is important to follow the appliance update order and install the latest rollup patch file.

KVM host for virtual appliances

Stealthwatch virtual appliances can be installed in a Kernel-based Virtual Machine (KVM) environment. There are several methods to install a VM on a KVM host using an ISO file. Use the Installation and Configuration Guide for your Stealthwatch appliance to install a virtual appliance through Virtual Machine Manager running on a compatible Linux distribution.

Enhanced licensing alerts and notifications

It is important to keep your product licenses current. For example, if the Flow Rate License expires, the Flow Collectors in the Stealthwatch System may stop collecting flow data. For more information, see the Downloading and Licensing Guide. To obtain a new license, update an existing license, or for help with a corrupt license, contact your local Cisco Partner or Cisco Stealthwatch Support.

Contacting support

If you need technical support, please do one of the following:

- Contact your local Cisco Partner
- Contact Cisco Stealthwatch Support
  o To open a case by web:
  o To open a case by email: tac@cisco.com
  o For phone support: (U.S.)
  o For worldwide support numbers: worldwide_contacts.html

What's Been Fixed

This section summarizes fixes made in this release for issues (bugs/defects) reported by customers in previous releases. The Stealthwatch Defect (SWD or LSQ) number is provided for reference.

Version

Defect   Description   LSQ

Defect: LSQ LVA-221 STE-84
Description:
- Vim did not properly validate values for tree length when handling a spell file, which may have resulted in an integer overflow at a memory allocation site and a resultant buffer overflow.
- Port number for the server and protocol information have been added to the Response.

Defect: STE-97
Description: Updated Support Contact information within Stealthwatch.
LSQ: NA

Defect: SWD-7143
Description: The lc_profiles process on the Flow Collector was very slow. Revamped the host group lookup functionality to fix a bottleneck.
LSQ: NA NA LSQ-2713

Defect: SWD-7540 SWD-7688 SWD-7549 SWD-7599 SWD-7615 SWD-7621
Description:
- The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway.
- The flow traffic on the Flow Sensor 4010 showed no utilization with non-zero inbound traffic. We fixed the SMC detection of the Flow Sensor fiber port interface speeds used in utilization calculations.
- There was a database backup return error on system configuration. Updated the backup routines to handle file copies to CIFS destinations differently.
- The Hardware Configuration Guide had an error in the Configure Primary UDP Director section. The guide was updated with the correct information.
- The Top Conversations Report was not returning all results when a host filter was used. The fix was to correct the miscalculation while computing the transaction report values in the Top Conversations Report.
LSQ: LSQ-2652 LSQ-2649 LSQ-2621 LSQ-2572 LSQ-2674 LSQ-2679 LSQ

Defect: SWD-7643
Description: The delete option for an SSL Client certificate did not work on a secondary SMC. The fix was to allow the add/delete function for SSL client certificates in a secondary SMC.
LSQ: LSQ-2626

Defect: SWD-7644
Description: The Top Conversations transaction report was showing incorrect values. A fix has been provided to avoid duplicate values and show the appropriate number of records for each Flow Collector in the transaction report.
LSQ: LSQ-2593

Defect: SWD-7653
Description: IDentity v3.3.0 does not support TLS 1.0 or 1.1. The SMC Java client was updated so that the customer could use TLS v1.2 for connections back to the SMC.
LSQ: LSQ-2712

Defect: SWD-7676 SWD-7689 SWD-7692 SWD-7700 SWD-7708 SWD-8137
Description:
- Users could not create a diagnostics pack for an appliance. The fix corrected an exception in the audit log when creating a diagnostics pack.
- The CPU average load calculation, on the SMC client interface dashboard, was incorrect. The CPU average load has been updated to reflect the updated appliances.
- The Top Conversations Report did not return all results when filtering hosts. In the Top Conversations report, the problem was in generating reports if more than one Flow Collector was configured. The fix corrects the query to collect all required data from the database for all required Flow Collectors.
- The Flow Collection Trend chart had gaps due to TextCopyHandler failing to read files at /lancope/var/smc/tmp folder. Resolved an issue where scheduled reports would terminate existing SMC data loading processes under certain conditions.
- Users could not import DAR and XML files to Document Builder. This patch fixes an issue with launching a new report from document builder that has several pages that are named alphabetically.
LSQ: LSQ-2692 LSQ-2677 LSQ-2593 LSQ-2727 LSQ

Defect: SWD-7765
Description: Flow data queries across multiple flow collectors do not return consistent ordering. The fix is to order the records returned for a flow query by flowid when a specific ordering is not requested. This prevents different invocations of this method from returning different results.
LSQ: LSQ-2652

Defect: SWD-7787
Description: The Flow Table Service Summary and Service Port columns had mismatched port addresses. Fixed an issue where the service summary port was not updated to match the server port for certain flows.
LSQ: LSQ-2710

Defect: SWD-7824
Description: Flow query was failing for IPv6 IP address range 0000-FFFF. The flow query filter has been corrected to recognize and search IPv6 input values.
LSQ: LSQ-2613

Defect: SWD-7862
Description: Associated flow table carried previous advanced filter values. The Flow Table retain filter option has been excluded from the associated flow table.
LSQ: LSQ-2709

Defect: SWD-7865
Description: Stealthwatch Management Console had high memory usage for uwsgi appliance update process. Implemented a mechanism designed to prevent memory usage exceeding 4 GB by the uwsgi UPServ application.
LSQ: LSQ-2722

Defect: SWD-7963
Description: The client interface help was not showing topics when using the search tab. Fixed encoding error caused by a tomcat update.
LSQ: NA

Defect: SWD-7971
Description: On the SMC Web app, Error retrieving host snapshot to build host entity view constantly received on Host Search. We updated the SMC Web app and the Vertica query to accommodate large numbers and overflow.
LSQ: LSQ-2773

Defect: SWD-8072
Description: Top Reports returns more records than the set limit when there are two or more Flow Collectors (LSQ-2822). The Top Reports queries have been updated to split the amount of records evenly between Flow Collectors.
LSQ: LSQ-2822

Defect: SWD-8089
Description: The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway.
LSQ: LSQ

SWD notifications for scheduled documents were not being logged properly. We fixed the log base path location from pointing to the incorrect directory.
LSQ: LSQ-2834

Defect: SWD-8136 SWD-8142 SWD-8153 SWD-8182 SWD-8200 SWD-8210 SWD-8239 SWD-8271
Description:
- The Flow Collector changed models after upgrade. Updated the model.xml file to not change a system's memory size during upgrade.
- The Database backup is generating errors at the final stage of the process. Improvements have been added to repeat the Vertica backup process in case of resync errors.
- Flows were not being associated with all Host Groups that contained the associated IP address. The flow table was updated to allow a larger character limit (65,000) in the client and server host group strings, and we now allow 256 host groups per IP address.
- UDP Director 2010 could not boot after upgrade. Fixed an issue with the kernel upgrading process.
- A Flow search with too many characters for an IP address range caused Vertica to crash. Changed the logic around constructing IP range searches.
- ISE "devicetype" field was empty. Provided value to "devicetype" from the "endpoint Policy" pxgrid field.
- Error when creating and configuring Custom Applications. A new java constructor has been added to avoid a bad request error when adding multiple custom application rules in the SMC.
- The Flow Sensor Management Channel Down alarm, triggered in the client interface, did not go inactive after one hour. Resolved an issue where certain alarms would fail to go inactive on the primary node of an SMC failover pair.
LSQ: LSQ-2845 LSQ-2838 LSQ-2846 LSQ-2866 LSQ-2869 LSQ-2880 LSQ-2765 LSQ-2829 LSQ-2865 LSQ-2893 LSQ

Defect: SWD-8314
Description: The Flow Collector was not processing a non-zero DSCP field. Added support for the DSCP field.
LSQ: LSQ-2911

Defect: SWD-8317
Description: External Lookup failed with a 500 internal server error. Fixed the null pointer error when loading the External Lookup configuration page.
LSQ: LSQ-2912

Defect: SWD-8323
Description: The SMC was utilizing a high amount of memory. We refactored the SMC client interface code to improve UI responsiveness.
LSQ: LSQ-2904

Defect: SWD-8438 SWD-8477 SWD-8540 SWD-8542 SWD-8559 SWD-8590 SWD-8591 SWD-8598
Description:
- The Flow Collector saved flow records from one source ID and discarded records with the other source ID. Added observation domain binding to the exporter stats in the cases where more than one exporting engine is exporting from a single exporter IP address using different source ID values.
- Vertica MergeOut process was very slow for the flow_stats table. Added several Vertica database tuning parameters to remedy the ROS container backup problems.
- Unable to create and save maps when logged in as a non-admin user. Updated the error message to be more meaningful when a non-admin user creates a map without the proper permissions.
- Security Event details were missing in web application interface. Fixed an issue where Security Event details were always empty.
- The Online Help referred to an incorrect alarm name. Updated the help to refer to "Ping Oversized Packet" instead of "Long Ping".
- Tor traffic with no packets from server were alarming as "Successful". The alarm was updated to "Attempted".
- The Flow Sensor eth4 log was showing an invalid pointer error. Fixed the code to output the log message correctly.
- The Flow Sensor 3000 was not processing packets with multilayer VLAN tags. The engine has been modified to handle up to 4096 layered tags.
LSQ: LSQ-2557 LSQ-2935 LSQ-2963 LSQ-2956 LSQ-2982 LSQ-2989 LSQ-2992 NA LSQ

SWD-8608: The SMC document builder was not saving filter criteria. Fixed the document builder to retain appropriate input values in the common filter criteria. (LSQ-2968)

SWD-8629: The SMC client interface was missing the "user management" menu. Users with "SMC manager" rights now have access to the "user management" menu. (LSQ-3013)

SWD-8635: Cisco Senderbase links were incorrect on the External Lookup configuration page. Fixed broken links. (LSQ-3002)

SWD-8636: The Traffic by Peer Host Group component was not displaying flow information. Updated the component to display flow data correctly. (LSQ-3005)

SWD-8661: Updated the flow-forwarder Docker container v2.2.2 to use less memory and turned on heap debugging options so that more information may be gathered when there is an issue with the Java (JVM) heap. (LSQ-3022)

SWD-8670: The support information updated for STE-97 was translated into Korean, Chinese, and Japanese. (NA)

SWD-8676: The flow rate dropped when the Flow Sensor cache was full. Fixed an issue that caused packets to be dropped during processing when under load. (LSQ-3023)

SWD-8689: "Client Port Filtering" was not working with Fast Query selected. A query fix has been provided to make Client Port Filtering work correctly, with or without enabling fast query. (LSQ-3031)

SWD-8701: OVF resource defaults did not match documented minimums. Updated the SMC and Flow Collector OVFs to 16 GB RAM. (NA)

SWD-8702: Unable to edit response management rules in the SMC client interface. Fix added to handle null pointer errors when editing the rules in response management. (LSQ-3038)

SWD-8705: A Database Restore failed on a Flow Collector. Fixed an issue where Vertica was not stopping correctly. (LSQ-3040)

SWD-8708: TextCopyHandler failed to read files at /lancope/var/smc/tmp. Scheduled reports temporary file handling process has been improved to avoid SQL errors. (LSQ-2987)

SWD-8727: Top Alarming Hosts widget was not loading due to an unknown host exception error. The svc-sw-reporting container was updated to better handle exceptional data within the database.

SWD-8758: Default Services were missing under Host Locking Configuration. Updated the conditions to populate the services list correctly.

SWD-8791: The MongoDB compact script failed to save SMC configuration. Fixed a typo that caused the script to fail.

SWD-8807: The client interface would redirect the user to the license manager page on a licensed SMC. Updated the code so that users are able to access the client interface on a properly licensed appliance.

SWD-8819: The Interface Service Traffic report was broken. Corrected an issue with the database query group used by the report.

SWD-9049: Limited the Vertica MaxMrgOutROSSizeMB parameter to 4096 in order to improve query response performance.

SWD-9051: The SMC client interface would not load due to an SSL certificate corruption after restoring default certificates. Added additional actions to correctly restore the default certificates.

SWD-9207: HTML code appeared in the name of some graphs in the SMC client interface. The <br> HTML tag was removed.

LSQ column for SWD-8727 through SWD-9207, in the order listed on the page: LSQ-3048 LSQ-2987 LSQ-3004 LSQ-3048 LSQ-3052 LSQ-3012 NA LSQ-3066 LSQ-3071 LSQ-3094 LSQ

Known Issues

This section summarizes issues (bugs) that are known to exist in this release. Where possible, workarounds are included. The defect number is provided for reference.

Defect Number: LVA-306, LVA-307

Description: If you have an untrusted virtual machine installed on the same physical cluster/system as a Stealthwatch appliance, the Stealthwatch appliance is vulnerable to a side-channel attack that can expose private keys. A vulnerability was disclosed for the gnupg software package suite. This vulnerability involves a side-channel attack against the gnupg implementation of the RSA cryptographic algorithm. When RSA keys are in use on the system, the implementation allows for the recovery of bit length private keys. Additionally, it experimentally appears that 13% of the 2048 keyspace is vulnerable as well. More details about the vulnerability can be found by reading the white paper located at

The risk from this side-channel attack applies where the private key is in use on the system. For Stealthwatch customers, this applies to SSH and HTTPS sessions. For customers running hardware appliances and in fully controlled Virtual Machine infrastructures, the risk of exposure is mitigated by access to the physical and virtual systems. For customers running in a co-located VM infrastructure, the risk of exposure is greater.

Workaround:

Important: Do not install an untrusted physical or virtual machine on the same physical cluster/system as your Stealthwatch System appliances.

Important: If you are upgrading the system to v6.10 from an earlier version, confirm all appliances have the latest patch files installed.

To review the Stealthwatch appliance vulnerability, complete the following steps:

1. Log in to the Stealthwatch Appliance Admin.
2. Click Configuration > Services. Review the SSH section. If the Enable SSH box is checked, you need to regenerate the RSA host key pair using the instructions shown below.
3. Click Configuration > SSL Certificate. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates.
4. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates.

If the SSH service is enabled on the appliance, regenerate the RSA host key using the following instructions. You will regenerate the RSA host key on every appliance in the system.

1. SSH onto the SW Appliance as root or using the root terminal option in the sysadmin menu.
2. To delete the public and private keys in the primary location, run the following command:
    rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
3. To delete the public and private keys in the backup location, run the following command:
    rm -f /lancope/var/admin/ssh/ssh_host_rsa_key /lancope/var/admin/ssh/ssh_host_rsa_key.pub
4. To regenerate a new RSA host key pair, run the following command:
    /lancope/admin/bin/generatesshkeys
5. Do one of the following to restart the SSHD service:
   o If the appliance software version is 6.9 and later, run the following command:
       systemctl restart ssh.service
   o If the appliance version is earlier than 6.9, run the following command:
       /etc/init.d/ssh restart
6. Repeat these steps on every appliance in the Stealthwatch System.

If you have installed custom certificates using RSA or RSA-2048 bit keys on your Stealthwatch appliances, you must regenerate new X509 certificates.

1. Log in to the Stealthwatch Appliance Admin.
2. Click Configuration > SSL Certificate.
3. Click the ? icon to open the Help page.
   o Use the SSL Certificate instructions to generate a new X509 certificate.
   o If the X509 certificate is RSA, create it with a size of 4096 bits.
4. Delete the old (vulnerable) X509 certificate from the appliance.
5. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, regenerate new certificates.
   o Click the ? icon to open the Help page.
   o Use the Certificate Authority Certificates instructions to add a new X509 certificate.
   o If the X509 certificate is RSA, create it with a size of 4096 bits.

Defect Number: SWD-7627

Description: If you reboot your Flow Collector, it deletes all alarm history; however, if you replace your Flow Collector, the new Flow Collector retains the alarm history from the old Flow Collector instead of deleting it. Since the alarming host widgets (which display the number of hosts receiving alarms since the last reset hour for a specific category) on the Security Insight Dashboard and Host Group page then do not update until the next reset hour, you may see a discrepancy between these values and the alarm values in the Hosts table on the Host List View.

Workaround: None currently available; the feature will be available in a future release.

Defect Number: SWD-7655

Description: The generation of a diagnostics pack may fail in large systems as a result of timing out.

Workaround: To overcome this, open the SSH console for the appliance and run this command: dodiagpack. This will allow the generation of the diagnostic pack without timing out. The diagnostic pack can be downloaded using Browse File in the /admin/diagnostics folder, and it can be copied off the box using SCP.

Defect Number: SWD-8197

Description: The Flow Sensor was not detecting enough applications.

Workaround: To provide more accurate application classification, we updated the third-party library for Application Identification. Due to this update, some traffic will no longer be classified as it was in prior versions and support has been removed for a variety of applications. Updates to the applications supported are dependent on future releases from the third-party library.

Defect Number: SWD-8673

Description: SystemConfig special character fonts look bad when using the SecureCRT client in ANSI mode.

Workaround: To overcome this, disable ANSI Color when connecting or use a different client to view the SystemConfig script.

Defect Number: SWD-9052

Description: Offline license activation failing or "Storage Binding Break" error.

Workaround: This error may occur if you moved a virtual machine, uploaded a license more than once, or if the license is corrupted. Please contact Stealthwatch Customer Community for assistance.

Defect Number: SWD-9300

Description: The Selected Cipher Suite does not appear in the Flow Search Results when using a non-standard port.

Workaround: None currently available; this will be fixed in a future release.

Defect Number: SWD-9563

Description: When you log in to the Stealthwatch Web App using Internet Explorer v11 and at any point you refresh the Home page, the Desktop Client dropdown arrow and the three navigation icons to the left of this list (top right corner of page) disappear. These three icons include the following: Search (magnifying glass icon), Help (person icon), and Global Settings (gear icon). Additionally, the fonts look different from how they appear when displayed using other browsers.

Workaround: Close the browser and log in again.

Defect Number: NA

Description: On the Flow Sensor VE, Export Application Identification is off by default.

Workaround: To enable application identification, this advanced setting will need to be manually selected.
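The LVA-306/LVA-307 workaround requires the RSA host key to be regenerated on every appliance, so a useful follow-up check is to compare an ssh-keyscan capture taken before the procedure with one taken after it and list any appliance whose RSA host key did not change. The script below is an added example, not part of the release notes or of Stealthwatch tooling; the host names and key values are constructed, and the input is assumed to be in the "host ssh-rsa base64" line format that ssh-keyscan prints.

```python
"""Confirm RSA SSH host key rotation across appliances from two ssh-keyscan captures."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (extra zero byte if top bit set)."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def make_rsa_line(host: str, modulus: int, exponent: int = 65537) -> str:
    """Build a constructed 'host ssh-rsa <base64>' line for the sample data."""
    blob = ssh_string(b"ssh-rsa") + mpint(exponent) + mpint(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


def parse_rsa_host_key(line: str):
    """Return (host, modulus_bits, fingerprint) for an ssh-rsa line, else None."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#") or fields[1] != "ssh-rsa":
        return None
    blob = base64.b64decode(fields[2], validate=True)
    parts, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field in key blob")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated field in key blob")
        parts.append(blob[offset:offset + length])
        offset += length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa public key")
    bits = int.from_bytes(parts[2], "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    # Same form that `ssh-keygen -l` prints: unpadded base64 of SHA-256(blob).
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return fields[0], bits, fingerprint


def inventory(scan_text: str) -> dict:
    """Map host -> (bits, fingerprint) for every ssh-rsa line in a capture."""
    found = {}
    for line in scan_text.splitlines():
        parsed = parse_rsa_host_key(line)
        if parsed:
            host, bits, fingerprint = parsed
            found[host] = (bits, fingerprint)
    return found


def rotation_report(before_text: str, after_text: str) -> dict:
    """Classify each host from the earlier capture as ROTATED, UNCHANGED or MISSING."""
    before, after = inventory(before_text), inventory(after_text)
    report = {}
    for host, (_, old_fingerprint) in sorted(before.items()):
        if host not in after:
            report[host] = "MISSING"    # no RSA key offered now (SSH off or host down)
        elif after[host][1] == old_fingerprint:
            report[host] = "UNCHANGED"  # regeneration steps still outstanding
        else:
            report[host] = "ROTATED"
    return report


# Constructed sample data: hypothetical host names, and integers that only have
# the bit length of a modulus (they are not real RSA keys).
OLD = {
    "smc.example.test": (1 << 2047) + 11,
    "fc-01.example.test": (1 << 2047) + 13,
    "fs-01.example.test": (1 << 2047) + 17,
}
BEFORE_SCAN = "\n".join(make_rsa_line(host, n) for host, n in OLD.items())
AFTER_SCAN = "\n".join([
    "# smc.example.test:22 SSH-2.0-OpenSSH",                         # banner comment
    make_rsa_line("smc.example.test", (1 << 2047) + 101),            # new key
    make_rsa_line("fc-01.example.test", OLD["fc-01.example.test"]),  # same key
    "fs-01.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5",           # no RSA line
])

if __name__ == "__main__":
    for host, status in rotation_report(BEFORE_SCAN, AFTER_SCAN).items():
        print(f"{host:22} {status}")
```

Any host reported as UNCHANGED still needs the regeneration steps; MISSING means the later capture held no RSA host key for that host and should be checked by hand.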

2017 Cisco Systems, Inc. All Rights Reserved. SW_6_10_0_Release_Notes_DV_1_0


More information

Application Detection

Application Detection The following topics describe Firepower System application detection : Overview:, on page 1 Custom Application Detectors, on page 6 Viewing or Downloading Detector Details, on page 14 Sorting the Detector

More information

What s New in Fireware v12.3 WatchGuard Training

What s New in Fireware v12.3 WatchGuard Training What s New in Fireware v12.3 2 What s New in Fireware v12.3 Updates to Networking functionality: SD-WAN actions SD-WAN reporting enhancements NetFlow support Link monitor enhancements Centralized FireCluster

More information

USM Anywhere AlienApps Guide

USM Anywhere AlienApps Guide USM Anywhere AlienApps Guide Updated April 23, 2018 Copyright 2018 AlienVault. All rights reserved. AlienVault, AlienApp, AlienApps, AlienVault OSSIM, Open Threat Exchange, OTX, Unified Security Management,

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.3 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 4 New features on page 5

More information

McAfee Network Security Platform 9.1

McAfee Network Security Platform 9.1 Revision A McAfee Network Security Platform 9.1 (9.1.7.73-9.1.3.11 Manager-M-series, Mxx30-series, and XC Cluster Release Notes) Contents About the release New features Enhancements Resolved Issues Installation

More information

Security Events and Alarm Categories (for Stealthwatch System v6.9.0)

Security Events and Alarm Categories (for Stealthwatch System v6.9.0) Security Events and Alarm Categories (for Stealthwatch System v6.9.0) Copyrights and Trademarks 2017 Cisco Systems, Inc. All rights reserved. NOTICE THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.4 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 5 New features on page 5

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The

More information

DB2 S-TAP, IMS S-TAP, VSAM S-TAP

DB2 S-TAP, IMS S-TAP, VSAM S-TAP IBM InfoSphere Guardium Version 8.2 IBM InfoSphere Guardium 8.2 offers the most complete database protection solution for reducing risk, simplifying compliance and lowering audit cost. Version 8.2 contains

More information

WatchGuard Dimension v2.1.1 Update 3 Release Notes

WatchGuard Dimension v2.1.1 Update 3 Release Notes WatchGuard Dimension v2.1.1 Update 3 Release Notes Build Number 567758 Release Date 8 August 2018 Release Notes Revision Date 8 August 2018 On 8 August 2018, WatchGuard released the Dimension v2.1.1 Update

More information

Privileged Identity App Launcher and Session Recording

Privileged Identity App Launcher and Session Recording Privileged Identity App Launcher and Session Recording 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

Managing System Administration Settings

Managing System Administration Settings This chapter contains the following sections: Setting up the Outgoing Mail Server, page 2 Working with Email Templates, page 2 Configuring System Parameters (Optional), page 5 Updating the License, page

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.82-8.1.3.100 Manager-M-series Release Notes Network Security Platform 8.1 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product

More information

ControlUp v7.1 Release Notes

ControlUp v7.1 Release Notes ControlUp v7.1 Release Notes New Features and Enhancements Citrix XenApp / XenDesktop Published Applications ControlUp can now be integrated with XenDesktop to offer unprecedented real-time visibility

More information

Security Management System Release Notes

Security Management System Release Notes Security Management System Release Notes Version 5.1 Important notes You can upgrade the SMS to v5.1 directly from SMS v4.4 or later. If you are upgrading from a release earlier than v4.4 you must first

More information

Working with Reports

Working with Reports The following topics describe how to work with reports in the Firepower System: Introduction to Reports, page 1 Risk Reports, page 1 Standard Reports, page 2 About Working with Generated Reports, page

More information

BIG-IP Access Policy Manager : Portal Access. Version 12.1

BIG-IP Access Policy Manager : Portal Access. Version 12.1 BIG-IP Access Policy Manager : Portal Access Version 12.1 Table of Contents Table of Contents Overview of Portal Access...7 Overview: What is portal access?...7 About portal access configuration elements...7

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.8 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 5 New features on page 5

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, on page 1 Service Subscriptions for Firepower Features, on page 2 Smart Licensing for the Firepower System,

More information

Version 2.38 April 18, 2019

Version 2.38 April 18, 2019 Version 2.38 April 18, 2019 in Qualys Cloud Suite 2.38! AssetView Azure Instance State search token and Dynamic Tag Support Security Assessment Questionnaire New Search Option for Template Selection Web

More information

: Administration of Symantec Endpoint Protection 14 Exam

: Administration of Symantec Endpoint Protection 14 Exam 250-428: of Symantec Endpoint Protection 14 Exam Study Guide v. 2.2 Copyright 2017 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and Altiris are trademarks or registered trademarks

More information

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SOURCEFIRE 3D SYSTEM RELEASE NOTES SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.2 Original Publication: April 21, 2014 Last Updated: April 25, 2016 These release notes are valid for Version 5.3.0.2 of the Sourcefire 3D System. Even

More information

IBM Security SiteProtector System User Guide for Security Analysts

IBM Security SiteProtector System User Guide for Security Analysts IBM Security IBM Security SiteProtector System User Guide for Security Analysts Version 2.9 Note Before using this information and the product it supports, read the information in Notices on page 83. This

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.13-8.1.5.57 NS-series Release Notes Network Security Platform 8.1 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation

More information

Configuring Access Rules

Configuring Access Rules Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule

More information

McAfee Network Security Platform 9.1

McAfee Network Security Platform 9.1 9.1.7.49-9.1.3.6 Manager-M-series, Mxx30-series, XC Cluster Release Notes McAfee Network Security Platform 9.1 Revision C Contents About the release New features Enhancements Resolved issues Installation

More information

Forescout. eyeextend for ServiceNow. Configuration Guide. Version 2.0

Forescout. eyeextend for ServiceNow. Configuration Guide. Version 2.0 Forescout Version 2.0 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

McAfee Network Security Platform 9.2

McAfee Network Security Platform 9.2 McAfee Network Security Platform 9.2 (9.2.7.22-9.2.7.20 Manager-Virtual IPS Release Notes) Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product

More information

Managing CX Devices in Multiple Device Mode

Managing CX Devices in Multiple Device Mode Tip Device inventory management applies to PRSM in Multiple Device mode only. If you are configuring a CX device through a direct connection to the device, you do not need to add the device to the inventory

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, page 1 Uses for Host, Application, and User Discovery and Identity

More information

Stonesoft Management Center. Release Notes for Version 5.6.1

Stonesoft Management Center. Release Notes for Version 5.6.1 Stonesoft Management Center Release Notes for Version 5.6.1 Updated: January 9, 2014 Table of Contents What s New... 3 Fixes... 3 System Requirements... 6 Basic Management System Hardware Requirements...

More information