
STEALTHWATCH® SYSTEM VERSION 6.10.1 RELEASE NOTES

This document provides the following information:

• What's New
• What's Been Fixed summarizes fixes made for issues reported by customers:
  ◦ Version 6.10.1
• Known Issues in this release.

For additional information about the Stealthwatch System, go to the Lancope Customer Community web site (https://lancope.force.com/Customer/CustomerCommLogin).

For a list of alarm types and their IDs, access the Alarm IDs file. You can also access this document via the Alarm List topic in the SMC Client Interface online help.

Important:

• For enhanced security, before you add a Flow Collector or Flow Sensor in the System Setup Tool, you must have first created a management channel between the Flow Collector and/or Flow Sensor and the Stealthwatch Management Console (SMC). If you have not done this, you will receive an error message when you try to add either appliance in the System Setup Tool. The specific instructions are on page 43 in the Stealthwatch Management Console VE and Flow Collector VE Installation and Configuration Guide or page 15 in the Hardware Configuration Guide.
• If your Stealthwatch System is v6.9.0 or v6.9.1, install the latest/any required rollup patch files on Stealthwatch's Download and License Center, https://lancope.flexnetoperations.com. If your Stealthwatch System is v6.9.2, the rollup patch is not required to upgrade to v6.10.
• If FIPS mode was enabled in an earlier version of software (prior to v6.10), disable FIPS mode before you update the software to v6.10.
• The following non-admin access modifications have been made:
  ◦ For any versions prior to v6.10, a non-admin user without an assigned function role can access the SMC Web App but cannot access the SMC client interface. Once an admin user assigns a non-admin user a function role, that user will also be able to access the SMC client interface.

RELEASE NOTES | Stealthwatch System v6.10.1

© 2018 Cisco Systems, Inc. All Rights Reserved.


  ◦ Beginning with v6.10, a non-admin user cannot access the SMC client interface or the SMC Web App until assigned a function role.

• For increased security, we recommend updating the IDentity 1000/1100 appliance to v3.3.0.x to take advantage of the new OpenSSL version with TLS 1.2.

WARNING!

It is important to enable an alternative method to access your Stealthwatch appliances for any future service needs, using one of the following:

Hardware*

• Console (serial connection to console port): Refer to the latest Stealthwatch Hardware Installation Guide to connect to the appliance using a laptop or a keyboard and monitor. https://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.html
• iDRAC Enterprise (Dell appliances): Refer to the latest documentation for your platform at www.dell.com. iDRAC Enterprise requires a license, and iDRAC Express does not allow console access. If you do not have iDRAC Enterprise, direct console or SSH can be used.
• CIMC (UCS appliances): Refer to the latest Cisco UCS guide for your platform at https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/cli/config/guide/b_Cisco_CIMC_CLI_Configuration_Guide/Cisco_CIMC_CLI_Configuration_Guide_chapter1.html

Virtual Machines*

• Console (serial connection to console port): Refer to the latest KVM or VMware documentation for your appliance installation.
  ◦ For example, for KVM, see the Virtual Manager documentation at https://virt-manager.org/
  ◦ For VMware, see the vCenter Server Appliance Management Interface documentation for vSphere at https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.vcsa.doc/GUID-223C2821-BD98-4C7A-936B-7DBE96291BA4.html

*If you cannot log in to the appliance using these methods, you can enable SSH on the appliance network interface temporarily.


WARNING! When SSH is enabled, the system’s risk of compromise increases. It is important to enable SSH only when you need it. When you are finished using SSH, disable it.

1. Log in to the Appliance Admin interface.
   SMC: Log in to the SMC. Click the Settings icon > Administer Appliance.
2. Click Configuration > Services.
3. Check the Enable SSH check box to enable SSH.
   To allow the root user SSH access, check the Enable Root SSH Access check box.
4. Click Apply.

Notes:

• This document uses the term "appliance" for any Stealthwatch System product, including virtual editions (VEs) such as the Flow Collector VE.
• The Stealthwatch System requires Java version 8 (v1.8) or later.
• The Stealthwatch System requires TLS v1.1 or later.
• The Stealthwatch System supports Internet Explorer v11 and later.
• Where once the setting "disabled" for a security event disabled the event, now disabling will disable the alarm.
• To view the supported hardware platforms for each system version, refer to the Hardware and Version Support Matrix on the Customer Community.


What's New

These are the new features and improvements for the Stealthwatch System v6.10.1 release:

• Encrypted Traffic Analytics
• Cognitive Analytics cloud engine update
• New Stealthwatch System APIs
• New Interfaces page in the Stealthwatch Web App Interface
• Top Host Groups by Traffic component on the Host Groups Report
• Security Events
• New Flow Search features
• Flow Search Results expansion panel
• Top Report Jobs and Flow Searches queues
• Expansion and universal performance of the context menu
• New filter rules for the Flow Search Results page
• Non-admin access privileges
• Updated FIPS Compliance
• New data storage recommendations
• New software update process
• KVM host for virtual appliances
• Enhanced licensing alerts and notifications

Encrypted Traffic Analytics

Stealthwatch is now integrated with Encrypted Traffic Analytics (ETA), which is an extension to NetFlow that allows for passive monitoring of encrypted traffic. If you have the new ETA-enabled switches and routers, Stealthwatch can identify the encrypted NetFlow fields in the Flow Search Results. Stealthwatch also sends the encrypted traffic to Cognitive Analytics for analysis. For more information about the ETA integration, refer to the Encrypted Traffic Analytics white paper and the Encrypted Traffic Analytics deployment guides.

Cognitive Analytics cloud engine update

Notes:

• You must have Cisco Cognitive Analytics configured on your Stealthwatch System to use these features. Cognitive Analytics quickly detects suspicious web traffic and/or Stealthwatch flow records and responds to attempts to establish a presence in your environment and to attacks that are already under way. For more information about Cognitive Analytics, go to their website, their documentation, or the configuration guide.
• Cognitive Analytics is only available for the default domain or site within Stealthwatch; multiple domains or sites are not supported.

Advanced Stealthwatch flow record classification capability and lateral services monitoring

Enhanced anomaly detection

Cognitive Analytics added a new set of anomaly detectors for Stealthwatch flow records based on global reputation and TLS features. This enhancement improves contextual information of individual incidents and increases the efficacy of the detection engine.

New types of incidents

Cognitive Analytics added a new set of classifiers for detecting:

• Stealthy Command and Control communication channels by analyzing long-term behavior of users and devices.
• Unexpected DNS usage caused by DGA-based malware or data tunneling.
• Malicious SMB service discovery typical for fast-spreading malware such as WannaCry.

Following is an example screen shot of a malicious SMB service discovery incident; note that the infected user is contacting unexpected server IP addresses and countries with SMB service protocol:


Following is an example screen shot of unexpected DNS usage, caused by DGA-based malware or data tunneling; note that the user has an abnormally high number of DNS requests, valid or invalid, and transfers a large amount of data in both directions:

Enhanced P2P analytics

The new detection mechanism is able to detect BitTorrent clients in the network. The detection is independent of used ports and transferred data, as well as any other network flow statistics. Therefore, the detector is able to detect active BitTorrent clients in the network that use non-standard (randomized) ports and do not actively participate in file sharing activity.

Following is an example screen shot of a torrent incident; note that the user is contacting 972 server IP addresses:


Enhanced data filtering

The data sent to the Cognitive Analytics engine is filtered so that only flow records that cross the network perimeter are sent to the cloud. This filter is based on the Host Groups configuration: the flows that are going from the inside to outside host groups are sent for analysis (plus DNS request flows, which are sent even for internal DNS servers).

The enhancement in v6.10 adds the possibility for the user to modify the data that is sent by adding internal host groups to be monitored by the Cognitive Analytics engine. By configuring an internal host group to send Stealthwatch flow records, the user adds additional data to be sent to the cloud for analysis. Adding specific host groups to Cognitive Analytics monitoring is especially useful for company internal servers: adding traffic from the end users to those servers can improve visibility of the exposure of data that can be potentially misused by malware running on the affected devices.

Following is a telemetry processing diagram for Lateral Services NetFlow from selected host groups:


New Stealthwatch System APIs

More APIs have been written for v6.10. For more information, see Stealthwatch System APIs. The following three APIs are being deprecated and will be removed at some point in the future:

• GET /domains/{domainId}/exporters/{flowCollectorDeviceId}/{exporterIp}/{interface}/interfaceApplicationTraffic
• GET /domains/{domainId}/hostgroups/dashboard
• GET /domains/{domainId}/hostgroups/{hostGroupId}/applicationTraffic

New Interfaces page in the Stealthwatch Web App Interface

Use this page to view the inbound and outbound interface traffic for a domain since the last reset hour. You can analyze the data to assess the possibility of an attack or other threats against your network and devices. Some examples of the information you can see are as follows:

• Current Utilization
• Maximum utilization
• Average utilization
• Threshold percentage reached
• Speed of traffic

You can filter the results by choosing to include or exclude specific Flow Collectors and exporters. From this page, you can run a flow search or any of the interface top reports. To do this, click the context menu next to the applicable Interface or Exporter IP to access the relevant options.

If you expand a row, you can see more details about that particular entry as well as view the following graphs:

• Top Application Traffic (bps)
• Packets (pps)
• Utilization

In the Details section, you can view alarms that have been triggered since the last reset hour. The colored circle next to an alarm name represents the highest severity for that alarm since the last reset hour. The numeral denotes the number of times the alarm has been triggered since the last reset hour.

Icon Color    Alarm Severity
Red           Critical
Orange        Major
Yellow        Minor
Dark Blue     Trivial
Light Blue    Informational

From within these graphs, you can access a context menu and run a flow search or any of the interface top reports. To do this, click a point in the graph and choose the appropriate option from the context menu.

To view historical graph data, click the drop-down list to the right of the Utilization check box and select the desired time frame. The time span (length of time between the FROM and TO fields) must be 24 hours or less.

Click the Utilization check box to display an overlay of the Utilization graph on either the Application or Packets graph (whichever is displayed). This gives you the ability to compare utilization data with either top application or packets data.

Top Host Groups by Traffic component on the Host Groups Report

This component displays the top 10 Inside and Outside host groups with which the current host group (displayed in the middle of the graph) has communicated within the last 12 hours. From this component, you can access the context menu from which you can run a flow search associated with particular host groups or run a top report to conduct a deeper analysis of specific areas of interest. The title bar includes the last time this component was updated. When you access this page, the Stealthwatch System checks to see if this component has been loaded within the last hour. If this has not occurred, the Stealthwatch System queries the Flow Collector to populate the graph. If the component has been loaded within the last hour, the cached data is displayed. When you click Update, the Stealthwatch System queries the Flow Collector and populates the graph with the latest data.

At the bottom of this component you can see the number of additional host groups over 10 (outside of both the Inside and Outside host groups) with which the current host group has communicated as well as the percentage of total traffic they represent. This allows you to view the percentage of total traffic that the top 10 Inside and Outside host groups represent.

Security Events

Important: Please be aware of the following information when working with security events:

Security Events shown in the SMC Web App and returned using the Security Event API are limited to a Max Records Returned of 2,000. These new queries pull from a larger data set than the existing default 2,000 records returned using the security event queries in the SMC client interface. This may result in a difference in the number of returned records between the SMC Web App and the SMC client interface. The SMC Web App may return events with higher index points. If you want to retrieve the same events in the SMC client interface, you may need to increase the number of requested records.

When reviewing the Target tab of the Top Security Events Widget for a host, note that all security events triggered prior to a v6.10 install may show a TI point value of 0 (zero) until the first reset hour after deployment.

When you click the arrow beside a security event entry in the Security Events Table, you can now see a description of the security event. Note that until your Stealthwatch System has run on v6.10 for approximately a week, this additional information will not yet be present in all scenarios (the Alarms by Type widget can typically retrieve information from the previous seven days).

Top Security Events table component now on the Host Report

This component displays the top ten security events (whether or not they have caused any alarms to fire) on two different tabs: one where the host is the source and one where the host is the target. The security events are sorted by volume of Concern Index (CI) points for the host when it is the source and by volume Target Index (TI) points for the host when it is the target. These index points are those that have been active on your network since the last reset hour. From this component, you can pivot to the Security Events table to view all security events for a host that have been active on your network since the last reset hour.

This component is more valuable than the Host Snapshot (provided in the SMC client interface) since it captures the highest concerning security events since the last reset hour (whereas the SMC client interface captures only the highest concerning active events).

Additional information available in the Security Events Table

When you click the arrow beside a security event entry in the Security Events Table, you can now see a description of the security event. Additionally, depending on the security event type, other details may be displayed in the expanded section (e.g., packet rate, protocol, port, tolerance). Detailed information is not provided for every security event type, since the details of many events are the event itself (e.g., Ping Scan).


New Flow Search features

The following now applies to the Flow Search page:

• The Flow Search page contains many of the same fields that are currently available in the Stealthwatch Management Console client interface.
• Excluded search criteria now appear in a black (it used to be red) text box at the top of the page.
• New option in the Connections section
  ◦ Port/Protocol - This option has been moved from the Subject and Peer sections to the Connection section. Now you need only perform one search when you know that a particular IP address has been involved in a conversation over a given port, but you do not know if this host was the subject or peer. In prior releases, you had to perform one search for the Subject and then one for Peer.
• New options in the Advanced section are now available when building a flow search:
  ◦ Flow Direction - Select the direction of traffic for which you want the search to return results: All, Bidirectional, or Unidirectional.
  ◦ Include Interface Data - Select this option if you want to view interface data related to the search parameters returned for a flow search.
  ◦ Filter By Flow Action - Select which flows you want flow results to include: Permitted, Denied, or Permitted and Denied.
  ◦ Exporters & Interfaces - Select the exporters and/or interfaces by which you want to filter the flow search results.
  ◦ Encryption - Select the encryption fields by which you want to filter the flow search results. As you select encryption fields, the available options in each drop-down box are filtered down to possible values to get accurate results from your search. For example, if you select Diffie-Hellman (DH) in the Encryption Key Exchange field, the Encryption Authentication Algorithm field limits your options to RSA, Anon, or DSS.

    Note: These fields will have "--" on the Flow Search Results page if you do not have an ETA-enabled switch and router. Certain encryption fields may also have "--" if the flow record does not have information for that particular field.

• You can export filtered results for a flow search (as opposed to all of the results).
• If you include certain criteria (marked by an informational icon on the page) in your flow search or run a flow search with a Max Records Returned of 20,000 or more (whose results can only be viewed by downloading them to a .CSV file), you cannot cancel a flow search before it is complete or see what percentage of the job has run thus far. In this case, the Flow Search Results page simply displays the status of 0% Complete until the search finishes, at which time the status of 100% Complete is displayed.
• For a flow search request with a Max Records Returned of 20,000 or more, both the search and the results are retained on the Job Management page for 7 days from the time the job completed.
• You can perform a flow search for up to 400,000 flows in one search.

Flow Search Results expansion panel

The Flow Search Results page now contains an expansion panel that includes the following information:

• The General tab contains general information (e.g., packets, bytes, and payload) about the associated flow result. To view detailed proxy records, click the View URL Data link located at the top of the Subject section within this tab.
• The Interface tab contains detailed information about the interfaces associated with the associated flow result. (You must select the Include Interface Data check box on the Flow Search page to enable the Interfaces tab to be displayed.)


Top Report Jobs and Flow Searches queues

All top report jobs and flow searches with a Max Records Returned of 10,000 or less are run in a different queue from that of flow searches with a Max Records Returned of 20,000 or more.

• You can run a maximum of four jobs at the same time if the Max Records Returned for each of these jobs is 10,000 (it used to be 2,000) or less. It does not matter what the Records Returned value is for a top report job.
• You can run only one flow search at a time if the Max Records Returned is 20,000 or more.
• If you start additional top report jobs or flow searches during this time (for either of these two categories of flow searches), they will be placed in their respective queue with a Pending status.


Expansion and universal performance of the context menu

For your convenience, context menu placement has been increased throughout the SMC Web App. To access the context menu, do one of the following:

• Click the ellipsis beside the applicable IP address.
• Click the ellipsis in the Actions column of a data table or configuration table.
• Click a point in a graph. Exceptions are as follows:
  ◦ For the Traffic by Peer Host Group graph on the Host Report page and the Top Host Groups by Traffic graph on the Host Group Report page, you must click a host group, a column, or the line between two host groups.

Use the information at the bottom of the context menu to identify the context for that menu’s actions. Depending on relevant positioning, you can do a combination of the following using the context menu:

• Run or configure a flow query.
• Run or configure an associated flows query.
• Run or configure a top report query.
• Perform an external lookup.
• Perform a packet query.
• Modify a configuration.
• Navigate to related configuration pages.

New filter rules for the Flow Search Results page

The following filter rules now apply to the Flow Search Results page:

• When entering multiple criteria in one field, leave a space between each entry
• To exclude an item, preface the entry with an exclamation point
• Return results including a portion of an alphanumeric entry: Enter HTTP to return flows containing HTTP, HTTPS, HTTP (unclassified) and HTTPS (unclassified)
• Exact alphanumeric match: “HTTP” (You do not have to use quotation marks for numeric data to return an exact match.)
• Use K, M, G, and T for units of measurement: 10M
• You can use >, >=, <, <= with numeric entries: >=5min
• Use hr, min, and s for time entries. Examples: 3hr15min0s; 2hr; 29min59s
• Range of data: 50M-100M
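The filter rules above can be modelled as a small matcher, useful for checking what a filter string will and will not select before relying on a filtered export. This is an added example, not Stealthwatch code: the decimal unit multipliers, case-insensitive text matching, the way multiple entries combine, and the sample rows and column names are assumptions.

```python
import operator
import re

# Assumption: K/M/G/T are decimal multipliers; the page does not say 1000 vs 1024.
UNITS = {"K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}
_SIZE = re.compile(r"(\d+(?:\.\d+)?)([KMGT])?")
_TIME = re.compile(r"(?:(\d+)hr)?(?:(\d+)min)?(?:(\d+)s)?")
_TOKEN = re.compile(r'!?(?:"[^"]*"|\S+)')
# Two-character operators come first so ">=" is not read as ">" followed by "=5min".
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}


def to_number(text):
    """Parse '42', '10M' or '3hr15min0s' (as seconds); return None if not numeric."""
    m = _SIZE.fullmatch(text)
    if m:
        return float(m.group(1)) * UNITS.get(m.group(2), 1)
    m = _TIME.fullmatch(text)
    if m and any(m.groups()):
        hours, minutes, seconds = (int(g or 0) for g in m.groups())
        return float(hours * 3600 + minutes * 60 + seconds)
    return None


def _num(value):
    """Numeric view of a cell: numbers pass through, strings go through to_number."""
    if isinstance(value, (int, float)):
        return float(value)
    return to_number(str(value))


def parse_criterion(token):
    """Turn one filter entry into (is_exclusion, predicate)."""
    negate = token.startswith("!")
    body = token[1:] if negate else token
    if len(body) >= 2 and body[0] == body[-1] == '"':      # "HTTP": exact text match
        want = body[1:-1].lower()
        return negate, lambda v: str(v).lower() == want
    for symbol, op in _OPS.items():                          # >=5min, <10M
        if body.startswith(symbol):
            bound = to_number(body[len(symbol):])
            if bound is None:
                raise ValueError(f"comparison needs a numeric entry: {token!r}")
            return negate, lambda v: _num(v) is not None and op(_num(v), bound)
    low, dash, high = body.partition("-")                    # 50M-100M
    lo, hi = to_number(low), to_number(high)
    if dash and lo is not None and hi is not None:
        return negate, lambda v: _num(v) is not None and lo <= _num(v) <= hi
    exact = to_number(body)                                  # bare number: exact match
    if exact is not None:
        return negate, lambda v: _num(v) == exact
    return negate, lambda v: body.lower() in str(v).lower()  # bare text: partial match


def matches(filter_text, value):
    """Apply a whole filter field (space-separated entries) to one cell value.

    Assumption: a cell passes when no '!' entry matches it and, if there are
    plain entries, at least one of them matches.
    """
    text = filter_text.replace("\u201c", '"').replace("\u201d", '"')
    includes, excludes = [], []
    for token in _TOKEN.findall(text):
        negate, predicate = parse_criterion(token)
        (excludes if negate else includes).append(predicate)
    if any(p(value) for p in excludes):
        return False
    return not includes or any(p(value) for p in includes)


def filter_rows(rows, column_filters):
    """Keep rows whose cells pass every per-column filter."""
    return [row for row in rows
            if all(matches(text, row[col]) for col, text in column_filters.items())]


# Constructed sample rows; the column names are hypothetical.
SAMPLE_ROWS = [
    {"application": "HTTP", "bytes": 2_500_000, "duration": "2hr"},
    {"application": "HTTPS", "bytes": 75_000_000, "duration": "29min59s"},
    {"application": "HTTP (unclassified)", "bytes": 900, "duration": "4s"},
    {"application": "DNS", "bytes": 120, "duration": "0s"},
]

if __name__ == "__main__":
    for row in filter_rows(SAMPLE_ROWS, {"application": "HTTP !unclassified",
                                         "bytes": ">=1M"}):
        print(row)
```

Note the difference between the unquoted entry HTTP, which also selects HTTPS and the unclassified variants, and the quoted entry, which selects only the exact value.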

Non-admin access privileges

• For any versions prior to v6.10, a non-admin user without an assigned function role can access the SMC Web App but cannot access the SMC client interface. When an admin user assigns a non-admin user a function role, that non-admin user can then access the SMC client interface.
• Beginning with v6.10, an admin user must assign a non-admin user a function role to enable that non-admin user to access the SMC client interface and the SMC Web App.

Updated FIPS Compliance

The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by United States federal government agencies, contractors, and other organizations that process information using a computer or telecommunications system on behalf of the federal government to accomplish a federal function.

For updated FIPS compliance, update all user passwords and enable FIPS mode on every appliance in the Stealthwatch System.

• FIPS mode is disabled by default.
• The procedure includes updating user passwords, updating the appliance software to version 6.10, installing your own FIPS compliant certificate (optional), and restarting the appliance. It is important to enable FIPS mode at a time that will cause the least amount of disruption.
• If FIPS mode was enabled in an earlier software version (prior to 6.10), disable FIPS mode before you update the software.
• The following features are not available when FIPS mode is enabled: TACACS, RADIUS authentication.
• For details, log in to the Admin Appliance. Select Configuration > Global Settings > Help.

New data storage recommendations

The data storage recommendations have been updated for the installation of Stealthwatch virtual appliances. Review the following table and see the Data Storage section of the Stealthwatch Management Console VE and Flow Collector VE Installation and Configuration Guide to expand the data storage manually.

Stealthwatch VE Model                     Minimum Data Storage
Stealthwatch Management Console VE        100 GB
Stealthwatch Management Console VE 2000   200 GB
Flow Collector NetFlow VE                 200 GB
Flow Collector NetFlow VE 2000            600 GB
Flow Collector NetFlow VE 4000            1.5 TB
Flow Collector sFlow VE                   100 GB
Flow Collector sFlow VE 2000              600 GB
Flow Collector sFlow VE 4000              1.5 TB
Flow Sensor                               50 GB
UDP Director                              50 GB

New software update process

The System Management page and appliance software update process have improved. These improvements are available in software version 6.10.

Note: The changes to the System Management page and software update process are available after you update all appliances to software v6.10. This new function cannot be used to upgrade an appliance from v6.9.x.

• For performance improvement and file handling, we've removed the ability to upload the System SWU, and we've added the ability to upload individual appliance SWUs for each appliance type.

• If you have a Flow Collector 5000 series appliance installed, the engine and database can be updated from the System Management page.

• Use the Stealthwatch Software Update Guide for complete instructions. It is important to follow the appliance update order and install the latest rollup patch file.

KVM host for virtual appliances

Stealthwatch virtual appliances can be installed in a Kernel-based Virtual Machine (KVM) environment. There are several methods to install a VM on a KVM host using an ISO file. Use the Installation and Configuration Guide for your Stealthwatch appliance to install a virtual appliance through Virtual Machine Manager running on a compatible Linux distribution.

Enhanced licensing alerts and notifications

It is important to keep your product licenses current. For example, if the Flow Rate License expires, the Flow Collectors in the Stealthwatch System may stop collecting flow data. For more information, see the Downloading and Licensing Guide. To obtain a new license, update an existing license, or for help with a corrupt license, contact your local Cisco Partner or Cisco Stealthwatch Support.


Contacting support

If you need technical support, please do one of the following:

• Contact your local Cisco Partner

• Contact Cisco Stealthwatch Support

  o To open a case by web: http://www.cisco.com/c/en/us/support/index.html

  o To open a case by email: [email protected]

  o For phone support: 1-800-553-2447 (U.S.)

  o For worldwide support numbers: www.cisco.com/en/US/partner/support/tsd_cisco_worldwide_contacts.html


What's Been Fixed

This section summarizes fixes made in this release for issues (bugs/defects) reported by customers in previous releases. The Stealthwatch Defect (SWD or LSQ) number is provided for reference.

Version 6.10.1

| Defect | Description | LSQ |
| --- | --- | --- |
| LVA-221 | Vim did not properly validate values for tree length when handling a spell file, which may have resulted in an integer overflow at a memory allocation site and a resultant buffer overflow. | NA |
| LVA-356 | Security update for Wheezy: CVE-2017-10672 | NA |
| LVA-358 | Security update for Jessie: CVE-2017-14746, CVE-2017-15275 | NA |
| STE-84 | Port number for the server and protocol information have been added to the Email Response. | NA |
| STE-97 | Updated Support Contact information within Stealthwatch. | NA |
| SWD-7143 | The lc_profiles process on the Flow Collector was very slow. Revamped the host group lookup functionality to fix a bottleneck. | LSQ-2713 |
| SWD-7540, SWD-7688 | The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway. | LSQ-2652 |
| SWD-7549 | The flow traffic on the Flow Sensor 4010 showed no utilization with non-zero inbound traffic. We fixed the SMC detection of the Flow Sensor fiber port interface speeds used in utilization calculations. | LSQ-2649 |
| SWD-7599 | There was a database backup return error on system configuration. Updated the backup routines to handle file copies to CIFS destinations differently. | LSQ-2621, LSQ-2572, LSQ-2674 |
| SWD-7615 | The Hardware Configuration Guide had an error in the Configure Primary UDP Director section. The guide was updated with the correct information. | LSQ-2679 |


| Defect | Description | LSQ |
| --- | --- | --- |
| SWD-7621 | The Top Conversations Report was not returning all results when a host filter was used. The fix was to correct the miscalculation while computing the transaction report values in the Top Conversations Report. | LSQ-2593 |
| SWD-7643 | The delete option for an SSL Client certificate did not work on a secondary SMC. The fix was to allow the add/delete function for SSL client certificates in a secondary SMC. | LSQ-2626 |
| SWD-7644 | The Top Conversations transaction report was showing incorrect values. A fix has been provided to avoid duplicate values and show the appropriate number of records for each Flow Collector in the transaction report. | LSQ-2593 |
| SWD-7653 | IDentity v3.3.0 does not support TLS 1.0 or 1.1. The SMC Java client was updated so that the customer could use TLS v1.2 for connections back to the SMC. | LSQ-2712 |
| SWD-7676 | Users could not create a diagnostics pack for an appliance. The fix corrected an exception in the audit log when creating a diagnostics pack. | LSQ-2692 |
| SWD-7689 | The CPU average load calculation, on the SMC client interface dashboard, was incorrect. The CPU average load has been updated to reflect the updated appliances. | LSQ-2677 |
| SWD-7692 | The Top Conversations Report did not return all results when filtering hosts. In the Top Conversations report, the problem was in generating reports if more than one Flow Collector was configured. The fix corrects the query to collect all required data from the database for all required Flow Collectors. | LSQ-2593 |
| SWD-7700 | The Flow Collection Trend chart had gaps due to TextCopyHandler failing to read files at /lancope/var/smc/tmp folder. Resolved an issue where scheduled reports would terminate existing SMC data loading processes under certain conditions. | LSQ-2727 |
| SWD-7708, SWD-8137 | Users could not import DAR and XML files to Document Builder. This patch fixes an issue with launching a new report from document builder that has several pages that are named alphabetically. | LSQ-2738 |


| Defect | Description | LSQ |
| --- | --- | --- |
| SWD-7765 | Flow data queries across multiple flow collectors do not return consistent ordering. The fix is to order the records returned for a flow query by flowid when a specific ordering is not requested. This prevents different invocations of this method from returning different results. | LSQ-2652 |
| SWD-7787 | The Flow Table Service Summary and Service Port columns had mismatched port addresses. Fixed an issue where the service summary port was not updated to match the server port for certain flows. | LSQ-2710 |
| SWD-7824 | Flow query was failing for IPv6 IP address range 0000-FFFF. The flow query filter has been corrected to recognize and search IPv6 input values. | LSQ-2613 |
| SWD-7862 | Associated flow table carried previous advanced filter values. The Flow Table retain filter option has been excluded from the associated flow table. | LSQ-2709 |
| SWD-7865 | Stealthwatch Management Console had high memory usage for uWSGI appliance update process. Implemented a mechanism designed to prevent memory usage exceeding 4 GB by the uWSGI UPServ application. | LSQ-2722 |
| SWD-7963 | The client interface help was not showing topics when using the search tab. Fixed encoding error caused by a Tomcat update. | NA |
| SWD-7971 | On the SMC Web app, the error "Error retrieving host snapshot to build host entity view" was constantly received on Host Search. We updated the SMC Web app and the Vertica query to accommodate large numbers and overflow. | LSQ-2773 |
| SWD-8072 | Top Reports returns more records than the set limit when there are two or more Flow Collectors (LSQ-2822). The Top Reports queries have been updated to split the amount of records evenly between Flow Collectors. | LSQ-2822 |
| SWD-8089 | The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway. | LSQ-2652 |


| Defect | Description | LSQ |
| --- | --- | --- |
| SWD-8107 | Email notifications for scheduled documents were not being logged properly. We fixed the log base path location from pointing to the incorrect directory. | LSQ-2834 |
| SWD-8136 | The Flow Collector changed models after upgrade. Updated the model.xml file to not change a system's memory size during upgrade. | LSQ-2845 |
| SWD-8142 | The Database backup is generating errors at the final stage of the process. Improvements have been added to repeat the Vertica backup process in case of resync errors. | LSQ-2838 |
| SWD-8153 | Flows were not being associated with all Host Groups that contained the associated IP address. The flow table was updated to allow a larger character limit (65,000) in the client and server host group strings, and we now allow 256 host groups per IP address. | LSQ-2846 |
| SWD-8182 | UDP Director 2010 could not boot after upgrade. Fixed an issue with the kernel upgrading process. | LSQ-2866 |
| SWD-8200 | A Flow search with too many characters for an IP address range caused Vertica to crash. Changed the logic around constructing IP range searches. | LSQ-2869 |
| SWD-8210 | ISE "deviceType" field was empty. Provided value to "deviceType" from the "endPoint Policy" pxGrid field. | LSQ-2880 |
| SWD-8239 | Error when creating and configuring Custom Applications. A new Java constructor has been added to avoid a bad request error when adding multiple custom application rules in the SMC. | LSQ-2765, LSQ-2829, LSQ-2865, LSQ-2893 |
| SWD-8271 | The Flow Sensor Management Channel Down alarm, triggered in the client interface, did not go inactive after one hour. Resolved an issue where certain alarms would fail to go inactive on the primary node of an SMC failover pair. | LSQ-2859 |


| Defect | Description | LSQ |
| --- | --- | --- |
| SWD-8314 | The Flow Collector was not processing a non-zero DSCP field. Added support for the DSCP field. | LSQ-2911 |
| SWD-8317 | External Lookup failed with a 500 internal server error. Fixed the null pointer error when loading the External Lookup configuration page. | LSQ-2912 |
| SWD-8323 | The SMC was utilizing a high amount of memory. We refactored the SMC client interface code to improve UI responsiveness. | LSQ-2904 |
| SWD-8438 | The Flow Collector saved flow records from one source ID and discarded records with the other source ID. Added observation domain binding to the exporter stats in the cases where more than one exporting engine is exporting from a single exporter IP address using different source ID values. | LSQ-2557 |
| SWD-8477 | Vertica MergeOut process was very slow for the flow_stats table. Added several Vertica database tuning parameters to remedy the ROS container backup problems. | LSQ-2935, LSQ-2963 |
| SWD-8540 | Unable to create and save maps when logged in as a non-admin user. Updated the error message to be more meaningful when a non-admin user creates a map without the proper permissions. | LSQ-2956 |
| SWD-8542 | Security Event details were missing in web application interface. Fixed an issue where Security Event details were always empty. | LSQ-2982 |
| SWD-8559 | The Online Help referred to an incorrect alarm name. Updated the help to refer to "Ping Oversized Packet" instead of "Long Ping". | LSQ-2989 |
| SWD-8590 | Tor traffic with no packets from the server was alarming as "Successful". The alarm was updated to "Attempted". | LSQ-2992 |
| SWD-8591 | The Flow Sensor eth4 log was showing an invalid pointer error. Fixed the code to output the log message correctly. | NA |
| SWD-8598 | The Flow Sensor 3000 was not processing packets with multilayer VLAN tags. The engine has been modified to handle up to 4096 layered tags. | LSQ-2995 |


| Defect | Description | LSQ |
| --- | --- | --- |
| SWD-8608 | The SMC document builder was not saving filter criteria. Fixed the document builder to retain appropriate input values in the common filter criteria. | LSQ-2968 |
| SWD-8629 | The SMC client interface was missing the "user management" menu. Users with "SMC manager" rights now have access to the "user management" menu. | LSQ-3013 |
| SWD-8635 | Cisco Senderbase links were incorrect on the External Lookup configuration page. Fixed broken links. | LSQ-3002 |
| SWD-8636 | The Traffic by Peer Host Group component was not displaying flow information. Updated the component to display flow data correctly. | LSQ-3005 |
| SWD-8661 | Updated the flow-forwarder Docker container v2.2.2 to use less memory and turned on heap debugging options so that more information may be gathered when there is an issue with the Java (JVM) heap. | LSQ-3022 |
| SWD-8670 | The support information updated for STE-97 was translated into Korean, Chinese, and Japanese. | NA |
| SWD-8676 | The flow rate dropped when the Flow Sensor cache was full. Fixed an issue that caused packets to be dropped during processing when under load. | LSQ-3023 |
| SWD-8689 | "Client Port Filtering" was not working with Fast Query selected. A query fix has been provided to make "Client Port Filtering" work correctly, with or without enabling fast query. | LSQ-3031 |
| SWD-8701 | OVF resource defaults did not match documented minimums. Updated the SMC and Flow Collector OVFs to 16 GB RAM. | NA |
| SWD-8702 | Unable to edit response management rules in the SMC client interface. Fix added to handle null pointer errors when editing the rules in response management. | LSQ-3038 |
| SWD-8705 | A Database Restore failed on a Flow Collector 5000. Fixed an issue where Vertica was not stopping correctly. | LSQ-3040 |


| Defect | Description | LSQ |
| --- | --- | --- |
| SWD-8708 | TextCopyHandler failed to read files at /lancope/var/smc/tmp. Scheduled reports temporary file handling process has been improved to avoid SQL errors. | LSQ-2987, LSQ-3048 |
| SWD-8727 | Top Alarming Hosts widget was not loading due to unknown host exception error. The svc-sw-reporting container was updated to better handle exceptional data within the database. | LSQ-2987, LSQ-3004, LSQ-3048 |
| SWD-8758 | Default Services were missing under Host Locking Configuration. Updated the conditions to populate the services list correctly. | LSQ-3052 |
| SWD-8791 | The MongoDB compact script failed to save SMC configuration. Fixed a typo that caused the script to fail. | LSQ-3012 |
| SWD-8807 | The client interface would redirect the user to the license manager page on a licensed SMC. Updated the code so that users are able to access the client interface on a properly licensed appliance. | NA |
| SWD-8819 | The Interface Service Traffic report was broken. Corrected an issue with the database query group used by the report. | LSQ-3066 |
| SWD-9049 | Limited the Vertica MaxMrgOutROSSizeMB parameter to 4096 in order to improve query response performance. | LSQ-3071 |
| SWD-9051 | The SMC client interface would not load due to an SSL Certificate corruption after restoring default certificates. Added additional actions to correctly restore the default certificates. | LSQ-3094 |
| SWD-9207 | HTML code appeared in the name of some graphs in the SMC client interface. The <br> HTML tag was removed. | LSQ-9207 |
| SWD-9494 | The hostname field was missing from the HostAlarm structure in the MIB. Added the missing field. | LSQ-3209 |


| Defect | Description | LSQ |
| --- | --- | --- |
| SWD-9511 | Newer ISR firewalls export firewall events with different formats than earlier versions. Made changes to the NetFlow engine to honor the updated ISR template definitions so that the firewall "Denies" will now be processed correctly. | LSQ-3204 |
| SWD-9515 | The Flow Collector 5020 (NIC card: 0x800008a4) failed to load the 10G driver. Modified the grub configuration files to allow the Intel 10G network card to work with the Jessie kernel. | LSQ-3235 |
| SWD-9564 | The Proxy Log Configuration Guide had a graphic error in the Configure the Upload Client section. The port number was corrected in the graphic. | LSQ-3237 |


Known Issues

This section summarizes issues (bugs) that are known to exist in this release. Where possible, workarounds are included. The defect number is provided for reference.

Defect Number Description Workaround

LVA-306, LVA-307

Description: If you have an untrusted virtual machine installed on the same physical cluster/system as a Stealthwatch appliance, the Stealthwatch appliance is vulnerable to a side-channel attack that can expose private keys.

A vulnerability was disclosed for the gnupg software package suite. This vulnerability involves a side-channel attack against the gnupg implementation of the RSA cryptographic algorithm. When RSA keys are in use on the system, the implementation allows for the recovery of 1024-bit length private keys. Additionally, it experimentally appears that 13% of the 2048 keyspace is vulnerable as well. More details about the vulnerability can be found by reading the white paper located at https://eprint.iacr.org/2017/627.

The risk from this side-channel attack applies where the private key is in use on the system. For Stealthwatch customers, this applies to SSH and HTTPS sessions. For customers running hardware appliances and in fully controlled Virtual Machine infrastructures, the risk of exposure is mitigated by access to the physical and virtual systems. For customers running in a co-located VM infrastructure, the risk of exposure is greater.

Workaround:

Important: Do not install an untrusted physical or virtual machine on the same physical cluster/system as your Stealthwatch System appliances.

Important: If you are upgrading the system to v6.10 from an earlier version, confirm all appliances have the latest patch files installed.

To review the Stealthwatch appliance vulnerability, complete the following steps:

1. Log in to the Stealthwatch Appliance Admin.

2. Click Configuration > Services. Review the SSH section. If the Enable SSH box is checked, you need to regenerate the RSA host key pair using the instructions shown below.

3. Click Configuration > SSL Certificate. Review the installed certificates. If there are custom certificates installed using the RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates.

4. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates.

If the SSH service is enabled on the appliance, regenerate the RSA host key using the following instructions. You will regenerate the RSA host key on every appliance in the system.

1. SSH onto the SW Appliance as root or using the root terminal option in the sysadmin menu.

2. To delete the public and private keys in the primary location, run the following command: rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub

3. To delete the public and private keys in the backup location, run the following command: rm -f /lancope/var/admin/ssh/ssh_host_rsa_key /lancope/var/admin/ssh/ssh_host_rsa_key.pub

4. To regenerate a new RSA host key pair, run the following command: /lancope/admin/bin/GenerateSSHKeys

5. Do one of the following to restart the SSHD service:

   o If the appliance software version is 6.9 and later, run the following command: systemctl restart ssh.service

   o If the appliance version is earlier than 6.9, run the following command: /etc/init.d/ssh restart

6. Repeat these steps on every appliance in the Stealthwatch System.

If you have installed custom certificates using RSA-1024 or RSA-2048 bit keys on your Stealthwatch appliances, you must regenerate new X509 certificates.

1. Log in to the Stealthwatch Appliance Admin.

2. Click Configuration > SSL Certificate.

3. Click the ? icon to open the Help page.

   o Use the SSL Certificate instructions to generate a new X509 certificate.

   o If the X509 certificate is RSA, create it with a size of 4096 bits.

4. Delete the old (vulnerable) X509 certificate from the appliance.

5. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, regenerate new certificates.

   o Click the ? icon to open the Help page.

   o Use the Certificate Authority Certificates instructions to add a new X509 certificate.

   o If the X509 certificate is RSA, create it with a size of 4096 bits.

SWD-7627

Description: If you reboot your Flow Collector, it deletes all alarm history; however, if you replace your Flow Collector, the new Flow Collector retains the alarm history from the old Flow Collector instead of deleting it. Since the alarming host widgets (which display the number of hosts receiving alarms since the last reset hour for a specific category) on the Security Insight Dashboard and Host Group page then do not update until the next reset hour, you may see a discrepancy between these values and the alarm values in the Hosts table on the Host List View.

Workaround: None currently available; the feature will be available in a future release.

SWD-7655

Description: The generation of a diagnostics pack may fail in large systems as a result of timing out.

Workaround: To overcome this, open the SSH console for the appliance and run this command: doDiagPack. This will allow the generation of the diagnostic pack without timing out. The diagnostic pack can be downloaded using Browse File in the /admin/diagnostics folder, and it can be copied off the box using SCP.

SWD-8197

Description: The Flow Sensor was not detecting enough applications.

Workaround: To provide more accurate application classification, we updated the third-party library for Application Identification. Due to this update, some traffic will no longer be classified as it was in prior versions and support has been removed for a variety of applications. Updates to the applications supported are dependent on future releases from the third-party library.

SWD-8673

Description: SystemConfig special character fonts look bad when using the SecureCRT client in ANSI mode.

Workaround: To overcome this, disable ANSI Color when connecting or use a different client to view the SystemConfig script.

SWD-9052

Description: Offline license activation failing or "Storage Binding Break" error

Workaround: This error may occur if you moved a virtual machine, uploaded a license more than once, or if the license is corrupted. Please contact Stealthwatch Customer Community for assistance.

SWD-9300

Description: The Selected Cipher Suite does not appear in the Flow Search Results when using a non-standard port.

Workaround: None currently available; this will be fixed in a future release.

SWD-9563

Description: When you log in to the Stealthwatch Web App using Internet Explorer v11 and at any point you refresh the Home page, the Desktop Client drop-down arrow and the three navigation icons to the left of this list (top right corner of page) disappear. These three icons include the following:

• Search (magnifying glass icon)

• Help (person icon)

• Global Settings (gear icon)

Additionally, the fonts look different from how they appear when displayed using other browsers.

Workaround: Close the browser and log in again.

NA

Description: On the Flow Sensor VE, “Export Application Identification” is off by default.

Workaround: To enable application identification, this advanced setting will need to be manually selected.
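A check that the SSH host key regeneration in the LVA-306/LVA-307 workaround above took effect on every appliance, added here as an example and not part of the release notes or of Stealthwatch: it parses the OpenSSH ssh-rsa public key line, reports the RSA modulus size, and compares SHA256 fingerprints taken before and after the procedure. It assumes you copied /etc/ssh/ssh_host_rsa_key.pub from each appliance before and after the change; the appliance names and sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct


def _read_string(blob, pos):
    """Read one RFC 4251 string: 4-byte big-endian length, then that many bytes."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def parse_rsa_pubkey(line):
    """Return (modulus_bits, sha256_fingerprint) for an 'ssh-rsa AAAA...' line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    _exponent, pos = _read_string(blob, pos)
    modulus, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    # Same form ssh-keygen -l prints: unpadded base64 of SHA-256 over the blob.
    return bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(before, after):
    """Map appliance -> (status, bits) from {appliance: pubkey line} snapshots."""
    report = {}
    for name in sorted(before):
        if name not in after:
            report[name] = ("MISSING", None)  # no post-change key collected
            continue
        _, old_fp = parse_rsa_pubkey(before[name])
        bits, new_fp = parse_rsa_pubkey(after[name])
        status = "UNCHANGED" if new_fp == old_fp else "REGENERATED"
        report[name] = (status, bits)
    return report


def _mpint(n):
    """Encode a positive integer as an RFC 4251 mpint."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def make_sample_line(modulus, comment):
    """Build a structurally valid ssh-rsa line from a made-up modulus (not a real key)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def demo():
    # Constructed sample data; appliance names are hypothetical.
    old_smc = make_sample_line((1 << 2047) | 0xA1, "root@smc")
    old_fc = make_sample_line((1 << 2047) | 0xC5, "root@fc")
    new_smc = make_sample_line((1 << 2047) | 0xB3, "root@smc")
    before = {"smc": old_smc, "fc": old_fc, "fs": old_fc}
    after = {"smc": new_smc, "fc": old_fc}  # fc skipped, fs never collected
    return audit(before, after)


if __name__ == "__main__":
    for appliance, (status, bits) in demo().items():
        print(appliance, status, bits)
```

An UNCHANGED or MISSING result marks an appliance where step 6 of the host key procedure still has to be carried out or verified.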


© 2018 Cisco Systems, Inc. All Rights Reserved. SW_6_10_1_Release_Notes_DV_2_0
