
RSA enVision

Release Notes
enVision 3.5.2

Copyright 1996 - 2008 RSA Security Inc.


enVision, Enterprise Dashboard, and Internet Protocol Database (IPDB) are trademarks of RSA Security Inc.
LogSmart is a registered trademark of RSA Security Inc.
All other trademarks, service marks, registered trademarks, and registered service marks mentioned in this
document are the property of their respective owners.
Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. No part of this publication may be reproduced,
stored in a retrieval system, or transmitted in any form or by any means, electronic or mechanical, including
photocopying and recording, for any purpose other than the purchaser's personal use without the written
permission of RSA Security Inc.
RSA Security Inc.
200 Lowder Brook Drive, Suite 2000
Westwood, MA 02090
U.S.A.
781.375.9000

Contents

Chapter 1. What's New in This Release  1-1
    Migration Path  1-1
    Changes to Correlation Rules  1-1
    Renamed Correlation Rules  1-2
    New Correlation Rules  1-2
    New ISO 27002 Compliance Reports  1-3
    Certification of New Versions of Currently Supported Devices  1-4

Chapter 2. Known Unresolved Issues  2-1
    enVision  2-1
        User Interface  2-1
        Device, Report, and Rule Content  2-3
        Enhanced Availability  2-3
        Task Triage  2-4
        Installation  2-4
        Services  2-5
    Event Explorer  2-7

Chapter 3. Resolved Issues  3-1
        User Interface  3-1
        Device, Report, and Rule Content  3-1
        Installation  3-1
        Services  3-2
        Utilities  3-2
        Documentation  3-2
    Version 3.5.1 Patches (EBFs) Included in this Release  3-3
        enVision  3-3
            User Interface  3-3
            Device, Report, and Rule Content  3-4
            Installation  3-6
            Services  3-7

Chapter 4. Technical Notes  4-1
    VAM Users Must Run Most-Recent Content Update  4-1
    enVision and Event Explorer Client Software  4-1

RSA enVision 3.5.2 Release Notes

iii


Chapter 5. Documentation Errata  5-1
    enVision Online Help Revised Topics  5-1
        Added Compliance ISO 27002 Reports  5-1
        Correction to topic: Supported Devices  5-4
        Correction to topic: Support for Syslog Relays  5-4
        New topic: Location of \nic\csd\ Directory on Your enVision Installation  5-5
        Correction to topic: NIC SFTP Agent  5-5
        Correction to topic: Manage Storage Locations Window  5-5
        Correction to 4 topics: Event Storage Locations, Drive Rotation, Add Storage Locations and Modify Storage Locations  5-5
        Correction to 3 topics: Send Report Results via Email, Schedule Reports Window and Email Delivery Options Popup Window  5-5
        Correction to topic: Delete Storage Locations  5-6
        Correction to topic: Schedule Report Window  5-6
        Correction to Link to Customer Support Website  5-6
        Revised the Three Replication Topics after 3.5.2  5-7
            Replicate the Configuration Database  5-7
            NIC DB Replication Client Service  5-9
            NIC DB Replication Server Service  5-9
    Event Explorer Online Help Revised Topics  5-10
        Correction to topic: Installation  5-10


Preface
This document contains information on the 3.5.2 release of enVision and Event Explorer.

Audience
The Release Notes document is for anyone who wants to know what has changed in enVision and Event
Explorer since the prior release.

Documentation Set
The enVision documentation set consists of the following:

Getting Started Guide (60 Series Only): Instructions on setting up your RSA enVision appliances and on
configuring your RSA enVision site. Intended audience is the system administrator.

Hardware Guide (50 Series Only): Instructions on setting up your RSA enVision appliances. Intended
audience is the system administrator.

Configuration Guide (50 Series Only): Instructions on configuring your RSA enVision site. Intended
audience is the system administrator.

Migration Guide: Instructions on migrating your data from a previous version of RSA enVision to the
current version. Intended audience is the system administrator.

Online Help: Comprehensive guide to planning, setting up and using RSA enVision. Intended audience is
all enVision users (end-users and system administrators).

Go to https://knowledge.rsasecurity.com and log into RSA SecurCare Online to download all product
documentation.


This guide uses the following conventions:

Literals (exact values that the user must type): Bold font. Example: Type New Report.
Variables (adjustable values that the user must type): Bold, italicized font. Example: Type user-name.
Fields, buttons, menu items, and so forth: Bold font. (Note: Screen names are not bold.) Example: Type
New Report in the Description field on the Report Setup window.
Keys (on the keyboard): Bold font. Example: Press Enter.

Contact RSA
Contact RSA at:
200 Lowder Brook Drive
Suite 2000
Westwood, MA 02090
U.S.A.
Telephone: 781.375.9000
Fax: 781.375.9100
World Wide Web: http://www.rsa.com/node.aspx?id=3170

Sales
You can purchase enVision directly from our dedicated team of sales professionals or through our North
American and international resellers. Call us at 781.375.9000 or send us an email at nic-sales@rsa.com.

Technical Support
Technical support is available during business hours via telephone at 800.995.5095 (Option #4 from the
menu).
You can also send email to the support team at nic-support@rsa.com.
Go to https://knowledge.rsasecurity.com and log into RSA SecurCare Online to:

review the Support Knowledge Base for troubleshooting, tips, FAQs, and so forth.

download all product documentation.


Chapter 1. What's New in This Release


The major features and significant changes in the enVision 3.5.2 release include:

Migration Path

Changes to Correlation Rules

Migration Path
To migrate to enVision version 3.5.2, you must be running enVision version 3.3.6, 3.3.7, 3.5.0 or 3.5.1.
With enVision version 3.5.2, you can safely continue to run older versions (3.3.6, 3.3.7, 3.5.0, or 3.5.1)
within your multiple-site deployment, as long as:

you migrate the master site first, and

the same version of enVision runs on all appliances within each site.

This frees you to migrate sites on a timeline that suits your schedule. Slave sites can stay in production,
running the older version, until you have time to migrate them.

Changes to Correlation Rules

The following table shows the changes and corrections made in enVision 3.5.2 to existing correlation rules.
Important! If these rules are in use in your installation, test the rules to make sure they are still effective in
your environment.

Changed Correlation Rules: NIC001, NIC002, NIC003, NIC008, NIC012, NIC015, NIC016, NIC017, NIC018,
NIC019, NIC020, NIC021, NIC022, NIC034, NIC039_PIXFW, NIC040_PIXFW, NIC043,
NIC_WEB_SITE_PROBE_IIS, NIC_WINDOWS_LOCKOUTS_1HR, NIC_WINDOWS_LOCKOUTS24HR,
NIC_MSSQL_WORM, NIC_BLASTER_WORM
Description of Changes: Updated these correlation rules to correct issues related to multithreading. The
multithreading variable did not exist in all message IDs referred to in the correlation rule. Removed message
IDs that didn't contain the multithreading variable.

Changed Correlation Rules: NIC017, NIC018
Description of Changes: Updated these correlation rules to improve their detection capability. Corrected IDS
signature/message ID selections and port filter criteria in NIC017. Corrected IDS signature/message ID
selections, Cisco IOS message ID selections and port filter criteria in NIC018.

Renamed Correlation Rules


enVision renamed the following correlation rules to make them consistent with the current naming
conventions.
Note: The original, numbered rule will be deprecated in a future release of enVision.
RSA preserved all functionality from the previously numbered rules in the renamed rules.

NIC017 is now NIC_BLASTER_WORM

NIC018 is now NIC_MSSQL_WORM

NIC028 is now NIC_WINDOWS_LOGIN_FAILURES

NIC034 is now NIC_WINDOWS_LOCKOUTS_1HR

NIC043 is now NIC_WINDOWS_LOCKOUTS_24HR

New Correlation Rules

The new correlation rules help you identify threats to resources in the context of the SANS Top-20 list of
vulnerabilities:
1. NIC_ROOT_LOGIN_FAILURES triggers an alert on three failed attempts in two minutes to login as root
   or to escalate privilege using su.
2. NIC_WEB_SITE_PROBE_IIS triggers an alert when an IIS web server returns twenty 400-series error
   messages to the same client IP address in a two-minute period as this could indicate an attempt to scan
   for vulnerable pages or CGI scripts.
3. NIC_WEB_SITE_PROBE_APACHE triggers an alert when an Apache web server returns twenty 400-series
   error messages to the same client IP address in a two-minute period as this could indicate an attempt to
   scan for vulnerable pages or CGI scripts.
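As an added example (not RSA's code or the enVision rule format), the following Python models the three rules above as sliding-window threshold counters run over constructed web-server and Unix auth log lines; the log formats, the field names, the 2008 year assumed for syslog lines and the sample lines are all assumptions made for the example.

```python
"""Sliding-window threshold detection modelled on the three rules above (added
example, not RSA's rule engine or rule format). The log line formats, the 2008
year assumed for syslog lines, and all sample lines are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Any, Callable, Deque, Dict, List, Optional

Event = Dict[str, Any]  # normalised event; always carries "ts" (datetime)

# Apache/IIS-style access log line (constructed, common-log-like format)
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
# Unix auth syslog line (constructed); syslog omits the year, assumed 2008 below
AUTH_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: (?P<msg>.*)$')
ROOT_FAIL_RE = re.compile(r"FAILED su for root\b|Failed password for root\b")


def parse(line: str) -> Optional[Event]:
    """Normalise one log line into an event dict, or None if unrecognised."""
    m = WEB_RE.match(line)
    if m:
        return {"kind": "web", "ip": m["ip"], "status": int(m["status"]),
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}
    m = AUTH_RE.match(line)
    if m:
        return {"kind": "auth", "host": m["host"], "msg": m["msg"],
                "ts": datetime.strptime("2008 " + m["ts"], "%Y %b %d %H:%M:%S")}
    return None


@dataclass
class ThresholdRule:
    """Fire when `threshold` matching events share one key inside `window`.
    Events must arrive in time order per key; the window is reset on firing so
    one burst raises one alert instead of one per further event."""
    name: str
    matches: Callable[[Event], bool]  # does the event count toward the rule?
    key_of: Callable[[Event], str]    # entity counted per (client IP or host)
    threshold: int
    window: timedelta
    _seen: Dict[str, Deque[datetime]] = field(default_factory=lambda: defaultdict(deque))

    def feed(self, ev: Event) -> Optional[str]:
        if not self.matches(ev):
            return None
        key = self.key_of(ev)
        q = self._seen[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > self.window:  # expire events older than the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            return f"{self.name}: {key} ({self.threshold} events in {int(self.window.total_seconds())}s)"
        return None


def build_rules() -> List[ThresholdRule]:
    """Thresholds quoted for the 3.5.2 rules: 20 x 4xx per client IP, or three
    failed root logins / su-to-root attempts per host, each within two minutes."""
    two_min = timedelta(minutes=2)
    return [
        ThresholdRule("NIC_WEB_SITE_PROBE", lambda e: e["kind"] == "web" and 400 <= e["status"] < 500,
                      lambda e: e["ip"], 20, two_min),
        ThresholdRule("NIC_ROOT_LOGIN_FAILURES", lambda e: e["kind"] == "auth" and bool(ROOT_FAIL_RE.search(e["msg"])),
                      lambda e: e["host"], 3, two_min),
    ]


def run(lines: List[str]) -> List[str]:
    """Feed every parsable line through every rule; return the alerts raised."""
    rules = build_rules()
    alerts: List[str] = []
    for line in lines:
        ev = parse(line)
        if ev is not None:
            alerts += [a for a in (r.feed(ev) for r in rules) if a]
    return alerts


def sample_lines() -> List[str]:
    """Constructed input: one client scanning for CGI scripts (22 x 404 in 105 s),
    a second client with five 404s, three root failures on host1 within 65 s and
    two on host2 that are more than two minutes apart (so no alert)."""
    base, fmt = datetime(2008, 3, 12, 10, 0, 0), "%d/%b/%Y:%H:%M:%S +0000"
    lines = [f'10.1.2.3 - - [{(base + timedelta(seconds=5 * i)).strftime(fmt)}] '
             f'"GET /cgi-bin/probe{i}.cgi HTTP/1.0" 404 209' for i in range(22)]
    lines += [f'10.1.2.4 - - [{(base + timedelta(seconds=7 * i)).strftime(fmt)}] '
              f'"GET /missing{i}.html HTTP/1.0" 404 209' for i in range(5)]
    lines += [
        "Mar 12 10:00:05 host1 su[1234]: FAILED su for root by alice",
        "Mar 12 10:00:40 host1 sshd[222]: Failed password for root from 10.9.8.7 port 4100 ssh2",
        "Mar 12 10:01:10 host1 su[1240]: FAILED su for root by bob",
        "Mar 12 10:00:05 host2 su[99]: FAILED su for root by carol",
        "Mar 12 10:00:30 host2 sshd[12]: Failed password for alice from 10.9.8.8 port 4101 ssh2",
        "Mar 12 10:04:30 host2 su[101]: FAILED su for root by carol",
    ]
    return lines
```

Running `run(sample_lines())` raises exactly one alert for the scanning client and one for host1; the five 404s from the second client and the two root failures on host2 (spread over more than two minutes) stay under their thresholds.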


New ISO 27002 Compliance Reports


In 3.5.2, RSA added the ISO 27002 Compliance reports to enVision.
ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining and
improving information security management in an organization. ISO 27002 is used as the foundation and
technical guideline for many international and industry compliance standards, and its controls are generally
good practice for all organizations.
You access these reports in enVision, as follows:
Click Reports > Ad Hoc Reports > Compliance > ISO 27002.
ISO-27002 Computer Account Logon Activity
ISO-27002 Computer Account Logon Activity - Windows Detail
ISO-27002 Computer Account Status by Account Windows
ISO-27002 Control of Collected Evidence
ISO-27002 Control of Collected Evidence - Windows Detail
ISO-27002 Control of Human Resources Data
ISO-27002 Control of Human Resources Data - Windows Detail
ISO-27002 Control of Operational Software
ISO-27002 Control of Operational Software - Windows Detail
ISO-27002 Control of System Audit Data
ISO-27000 Control of System Audit Data - Windows Detail
ISO-27002 Control of System Test Data
ISO-27002 Control of System Test Data - Windows Detail
ISO-27002 External Contractors Report
ISO-27002 External Contractors Report - Windows Detail
ISO-27002 Malicious Software Activity
ISO-27002 Operation Change Control Report
ISO-27002 Operation Change Control Report - Windows Detail
ISO-27002 Password Changes and Expirations
ISO-27002 Source Code Access
ISO-27002 Source Code Access - Windows Detail
ISO-27002 User Activity from External Domains Windows


Certification of New Versions of Currently Supported Devices

The following table lists the new versions of currently supported devices tested and certified in enVision
3.5.2.

Device: Lancope StealthWatch
New Version(s) Certified: 5.5 and 5.6

Device: Extreme Networks ExtremeWare Switch
New Version(s) Certified: 7.2 and 7.7

Device: EMC Celerra
New Version(s) Certified: 5.5.20.1

Device: Cisco Router IOS
New Version(s) Certified: 12.4

Device: Secure Computing Sidewinder G2 Security Appliance


Chapter 2. Known Unresolved Issues


This section describes known issues that were not resolved as of enVision 3.5.2 and Event Explorer 3.5.2.

enVision

User Interface

Issue: If you run a bind of reports with the Reuse check box ON, the results returned in the reports may not
be correct. This problem has been observed in the following compliance reports: FISMA-Configuration
Change Control, FISMA-Network Disconnects, FISMA-Session Termination, NISPOM-Configuration
Management.
Workaround: Do not use the Reuse checkbox with these reports.

Issue: The Event Viewer graphing capability does not display data across a hard failure.
Workaround: The Packager refreshes the IPDB appropriately at the top of the hour and the data will again be
displayed. Before that time, you can view the data as discrete events in the Event Viewer (non-graphing)
GUI.

Issue: The number of devices enVision displays in the System Performance window viewed from a
version 3.5.2 A-SRV does not include any version 3.3.x and 3.5.x nodes.
Workaround: The system functions as designed. For example, if you have a version 3.5.2 Multiple Appliance
site with a 3.3.6 RC (Remote Collector) attached, enVision does not include that 3.3.6 RC in the number of
devices it displays in the System Performance window.

Issue: enVision does not maintain Correlated Rule settings when you drill down to modify circuit/statement
information.
Workaround: Re-specify the parameter settings before clicking the final Apply for the rule.

Issue: The user interface may disconnect after a few minutes when trying to get a dashboard report from a
user-created UDS device.
Workaround: When you create a UDS device, you must copy the devices folder with the device .ini and .xml
to all nodes; otherwise the NIC Web Server service may crash, causing the user interface to disconnect.

Issue: Extreme failure cases, such as power failures, may cause the EPS statistics to display incorrectly.
When there is a power failure, the EPS gauge displays the last known value. The system may require manual
intervention or recovery to bring up all roles. Until all roles are up, EPS statistics may not be current.
Workaround: None

Issue: In an LS configuration, when you create a syslog output action, the IP Interface field is prepopulated
with the IP address of the D-SRV, which is incorrect.
Workaround: You must replace the IP address of the D-SRV with the IP address of the LAN to which you
want to forward the syslog.

Issue: When you create a view and attempt to start it, you may receive a message simply stating there was
an error starting the view.
Workaround: The Alerter sends error messages to the NIC events. Use the Event Viewer or Event Explorer
to troubleshoot the error.
To find alerter messages in the Event Viewer:
1. Select the Display advanced filter options checkbox.
2. Type alerter in the String matching field.
3. Deselect the Match Case checkbox.
4. Click Update Now.
To find messages for a specific view:
1. Complete steps 1 - 3 above.
2. Type the view name in a second String matching field.
3. Deselect the Match Case checkbox.
4. Click Update Now.

Issue: When you modify the size of the System Performance window, the gauge boxes may occasionally
overlay text.
Workaround: Refresh the screen.

Issue: If you create a view and, before it has completely started, edit it, the Manage View window shows
the status as View restarting. Under real-time details the view is up and running but the status never
changes to View running.
Workaround: Complete the following steps:
1. Disable the view.
2. Enable the view.
3. Start the view.

Issue: As the result of a license key issue, certain features may not display in the enVision UI after you
upgrade from 3.3.x to 3.5.2.
Workaround: Request a new key from key@networkintelligence.com.

Device, Report, and Rule Content

Issue: IDS XML stopped collecting after 3-5 days.
Workaround: None

Issue: enVision did not support Qualys QualysGuard by way of a proxy connection.
Workaround: None

Issue: A few messages for firewall devices were missing DIRCHK.
Workaround: None

Enhanced Availability

Issue: After a power failure (or failover) the Packager occasionally stops processing nuggets (they
accumulate in the D:\tmp\nuggets directory on the active CAs). A possible symptom is the observed EPS is
low or at zero and device data is not seen.
Workaround: Recover the unprocessed data by stopping and restarting the NIC Packager service from the
Microsoft Services GUI. Allow the Packager a chance to process the data.

Issue: If a power or network failure occurs during installation of an Enhanced Availability cluster, the
enVision configuration wizard may stop (at step 8 of the configuration wizard process) before the cluster is
fully installed.
Workaround: To keep the configuration wizard from stopping:
1. Start the Microsoft Cluster Administrator.
2. Log in to the cluster.
3. Take all the roles (DS1, LC1, LC2, LC3) offline. DO NOT stop the Cluster Group!
4. To run the LS Cluster Fix utility, double-click the lsclusterfix.exe file in the c:\windows\installations
   directory. The D-SRV restarts. The enVision Configuration Wizard (lsconfigurationwizard.exe)
   automatically starts and continues to run at the point at which it was interrupted.

Issue: An EA (Enhanced Availability) site maintains the cluster state on an iSCSI partition on the NAS.
Unreliable network connectivity to the NAS, and by extension to the iSCSI partitions on the NAS, will cause
the cluster state to be unreliable. As a result, the behavior of an EA site with an unreliable network
connection to the NAS is unpredictable.
Workaround: None

Issue: If you are installing a slave site, and the site it is connected to is an Enhanced Availability site, the
IP address for the master site must be the Virtual IP of the D-SRV role.
Workaround: The value of the Virtual IP of the D-SRV can be acquired from the Cluster Administrator by
connecting to the cluster (NICCLSTR) and examining the D-SRV role. Select the D-SRV role from the
Groups folder in the left-hand panel, then right-click and select the Properties of the DS1-EXT-VIP
resource. Select the Parameters tab and note the address field, which is an IP address. Use this value in the
configuration of the slave site.

Task Triage

Issue: If you move the NIC App Server service from one A-SRV to another and the A-SRVs are in different
time zones, enVision fails to update the timestamps in the Task Triage database to reflect the new time zone.
Workaround: None

Installation

Issue: Occasionally, during installation of a multiple-appliance site (or LS) deployment, the configuration
wizard may report a failure adding the A-SRV to the domain, even though the A-SRV did join the domain.
Workaround: To confirm the A-SRV joined the group:
1. Right-click My Computer and open Properties to confirm that the A-SRV is part of the domain.
2. Select Start > Run and type the following command string:
   netdom.exe remove sitename -AS1 /domain:sitename.nic /userd:master /passwordd:themaster01
   /usero:master /passwordo:themaster01 /Reboot:5
3. Right-click My Computer and open Properties to confirm that the A-SRV is no longer part of the domain.
4. Run the configuration wizard again.

Services

Issue: On 60 Series, you may encounter an anonymous FTP failure.
Workaround: IMPORTANT! For Multiple Appliance Sites, you must perform steps 1 - 16 on the D-SRV then
perform steps 8 - 16 on the LC (local collector).
1. In Windows, select Start > Control Panel > Administrative Tools > Domain Controller Security Policy.
2. Select Local Policies > User Rights Management.
3. Double-click the Allow log on locally policy.
4. Make sure that the user domain/IUSR_computername exists for this policy. If it does not exist, add it as
   follows:
   a. Click Add User or Group.
   b. Click Browse.
   c. Type IUSR in response to Enter the object names to select.
   d. Click Check Names and click OK twice.
   e. Click OK to close the policy window.
5. Double-click the Deny access to this computer from the network Properties policy. If the Anonymous
   User account and the Guest account exist in this policy, remove them as follows:
   a. Click the user.
   b. Click Remove.
6. Click OK to close the policy window.
7. Close the Default Domain Controller Security Settings window.
8. Select Start > Run and enter the gpedit.msc command.
9. Select Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights
   Assignment.
10. Double-click Allow log on locally and make sure that the user IUSR_computername exists for this
    policy. If it does not exist, add it as follows:
    a. Click Add User or Group and click Browse.
    b. Type IUSR in response to Enter the object names to select.
    c. Click Check Names and click OK twice.
    d. Click OK to close the policy window.
11. Double-click the Deny access to this computer from the network Properties policy. If the Anonymous
    User account and the Guest account exist in this policy, remove them as follows:
    NOTE: If the Remove option is not available or the Remove radio button is highlighted, this indicates
    that your installation is at Windows 2003-SP1 or lower. You can safely ignore this step and go to
    step 14.
    a. Click the user.
    b. Click Remove.
12. Click OK to close the policy window.
13. Close the Default Group Policy Object Editor window.
14. Open a command prompt window and enter gpupdate /force.
15. Manually start the FTP Service to test the anonymous FTP process, as follows:
    a. Right-click My Computer.
    b. Click Manage.
    c. Go to IIS FTP Sites and right-click Default FTP Site.
    d. Click Start.
16. Test the anonymous FTP process (as described in step 15) and if this fails, please contact technical
    support.

Issue: The enVision Alerting Service incorrectly considers an IP Address for the top IP destination and
source values when you filter by IP Address with a NOT condition.
Workaround: None

Issue: enVision allows you to add an authentication server by entering the IP address or hostname. Adding
an authentication server by the IP address may result in duplicates.
Workaround: Only use the hostname when adding an authentication server.

Issue: Users received an out-of-memory error after running the purge command to purge files generated by
the NIC App Server.
Workaround: Contact Customer Support.

Issue: enVision did not capture logouts when collecting for Oracle from ODBC.
Workaround: None

Issue: The NIC Forwarder service copies data from the RCs to the D-SRVs. Currently, the NIC Forwarder
does not stop until the win_SSHD session on the D-SRV times out. If the WinSSHD Session timeout(s)
parameter is set to a longer time period than the NIC Forwarder service's recurrence, the NIC Forwarder
will not run for some of its scheduled recurrences.
Workaround: The default value for the Session timeout(s) parameter in WinSSHD Settings is 500 seconds (a
little over eight minutes). If you have modified this parameter and use the NIC Forwarder to copy data,
make sure the time between NIC Forwarder recurrences is greater than the WinSSHD Session timeout(s)
value. enVision will copy the data at the next recurrence of the NIC Forwarder after the WinSSHD Session
times out.

Event Explorer

Issue: Event Explorer does not always recognize the NIC Domain's App Server after you create a new
connection and select devices associated with the NIC Domain.
Workaround: Click a radio button associated with another connection and re-select the radio button for the
newly created connection to recognize the App Server. See the Task Triage Panel topic in the Event Explorer
online help for more information.

Issue: When you create a new enVision user, the Allow Escalation and Allow Deletion checkboxes are
enabled.
Workaround: Complete the following steps:
1. Create the user.
2. Re-edit the user.
3. Check the Event Explorer override checkbox.
4. Check the Allow Escalation and Allow Deletion checkboxes.

Chapter 3. Resolved Issues


This chapter includes issues that existed in prior releases of enVision and are resolved in enVision 3.5.2.
Issue

Resolution

Users thought enVision was not processing Solaris


BSM messages correctly because enVision does
not completely parse these messages to the Unix
system table.

In this case, enVision stores all variables in


question in the Global table, not in the Unix tables
that messages are being parsed to. If you query the
Global table for solarisbsm data (using the device
IP address) you will find the data there. If you
want additional fields filled on a specific message,
you must request the message specifically.
Corrected this problem in enVision 3.5.2.

User Interface

The Event Viewer displayed incorrect timestamps


on events because it was rounding time zones
incorrectly.
Device, Report, and Rule Content
enVision did not capture login failures for Cisco
switches.
Fields for the Security_567_Security:01
Windows message were missing from the
Windows Accounting table.
enVision failed to recognize some messages from
the IBM AIX device.
enVision failed to recognize some messages from
the Microsoft Exchange device.
enVision failed to recognize some messages from
NIC device.
enVision failed to recognize some messages from
Cisco Router device.
enVision put six UNIX AIX messages for failed
logins under the wrong event category.
enVision detected messages that it did not
recognize for devices that enVision supports.
For Solaris, a reported failed none event was
not actually a failure.
Missing dll required for IBM iSeries device.
enVision failed to recognize some messages from
the Blue Coat Systems SGOS device.
enVision failed to recognize some messages from
the Check Point Provider-1 device.
enVision failed to recognize some messages from
the Oracle device.

Corrected this problem in enVision 3.5.2.


Added the missing fields.
Corrected this problem in enVision 3.5.2.
Corrected this problem in enVision 3.5.2.
Corrected this problem in enVision 3.5.2.
Corrected this problem in enVision 3.5.2.
Corrected this problem in enVision 3.5.2.
Added previously-unknown messages to make
enVision current with updates for all supported
devices.
The failed none event is not a real failure; it is
now in a different event category.
Corrected this problem in enVision 3.5.2.
Corrected this problem in enVision 3.5.2.
Corrected this problem in enVision 3.5.2.
Corrected this problem in enVision 3.5.2.

Installation
The SFTP Agent did not install on Windows 2003
servers.

RSA enVision 3.5.2 Release Notes

Corrected this problem in enVision 3.5.2

3-1

3. Resolved Issues

Issue

Resolution

Services
Users encountered a recurring ASA -214: Table in
use Sybase error.
There was a security issue when HTTP was
enabled with redirection.
The alerter crashed because of a buffer overflow
caused by a large event.
The NIC Server service crashed shortly after
starting.
Collection from Oracle was failing.

Corrected this problem in enVision 3.5.2.


Corrected this problem in enVision 3.5.2.
Corrected this problem in enVision 3.5.2.
Corrected this problem in enVision 3.5.2.
Corrected this problem in enVision 3.5.2.

Utilities

Issue: A large number of items in the content of a message description caused a uds.exe memory limit error.
Resolution: Corrected this problem in enVision 3.5.2.

Documentation

Issue: Help text incorrectly described alert categories.
Resolution: Updated the help to state that you can determine which alert category a correlated rule is related to by the event category you choose.

Version 3.5.1 Patches (EBFs) Included in this Release

enVision

User Interface

Issue: Status information that enVision and Event Explorer displayed to indicate rejected vulnerabilities was not clear.
Resolution: Modified the fingerprint assessment text in enVision and Event Explorer. There are four possible status settings for an asset vulnerability scan: CONFIRMED, INFERED, REJECTED, UNKNOWN.
Old display. Here is how the application displayed these statuses prior to 3.5.2:
VULNERABILITY ASSESSMENT
Vulnerability: CONFIRMED, CVE-2000-0883, 4000
Vulnerability: INFERED, CVE-2000-0883, 4000
Vulnerability: REJECTED, CVE-2000-0883, 4000
Vulnerability: UNKNOWN, CVE-2000-0883, 4000
New display. RSA made two changes to the status output text:
1. Replaced the scan status with descriptions.
2. Made only the VID number (not the entire line) a hyperlink.
Here is how the application displays these statuses in 3.5.2 forward:
VULNERABILITY ASSESSMENT
Vulnerability: Confirmed vulnerability to CVE-2000-0883, VID 4000
Vulnerability: Likely vulnerable to CVE-1999-0289, VID 289
Vulnerability: Not vulnerable to CVE-1999-0289, VID 289
Vulnerability: Could not verify if vulnerable to CVE-2000-0883, VID 4000

Issue: All services under Manage Services from any D-SRV showed in blue because the configuration wizard was adding a site to the host file.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The enVision GUI contained cross-site scripting vulnerabilities.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The Manage Services window did not display the current site when it first opened.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Enterprise Dashboard was disconnected from the A-SRV.
Resolution: Corrected this problem in enVision 3.5.2.

Device, Report, and Rule Content

Issue: enVision did not parse Solaris messages correctly.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision failed to recognize a message in an updated version of the CyberGuard device.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision did not support timestamps with a year in them for Cisco Router.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision log files used the Netscreen Manager's IP address instead of the IP address of the actual device that the message was coming from, making it appear that all the messages were coming from the Netscreen Manager.
Resolution: Corrected this problem in enVision 3.5.2. Note: You must configure NSM as MULTIDEVICE so that enVision can discover the IDP device as IDP and not NSM.

Issue: The NIC018 correlation rule was not firing on Cisco Router ACL (access control list) hits.
Resolution: Corrected this problem in enVision 3.5.2. Note: This rule now has a new name: NIC_MSSQL_Worm.

Issue: enVision did not parse some fields from the IBM Mainframe RACF device.
Resolution: In the Mainframe Accounting, Mainframe System and Mainframe Security tables, enVision now stores the entire event in the Message field.

Issue: enVision did not recognize the new message structure of the TopLayer Attack Mitigator IPS device, causing all of the device's messages to be unknown.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision erroneously discovered Check Point devices as having an IP address of 0.0.0.0.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision did not support McAfee VirusScan Enterprise 8.5i.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision did not populate the error messages variable correctly in NIC_View.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision failed to populate the Action field for some Sun Solaris BSM (Basic Security Monitoring) messages.
Resolution: enVision now populates the messages' Action fields with text strings.

Issue: After users installed the patch in ASA_902_3480.zip, enVision generated excessive broadcast messages.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Some enVision reports that included Check Point audit messages stopped working at enVision 3.5.0.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The NIC043 correlation rule said "Windows account locked out multiple times in a 24 hour period" when the account was locked out once.
Resolution: Corrected this problem in enVision 3.5.2. Note: This rule now has a new name: NIC_Windows_Lockouts_24HR.

Issue: enVision erroneously parsed Cisco ACS Username data to a Hostname field.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The source and destination IP addresses were correct in reports, but reversed in alerts. The Cisco PIX and ASA message IDs that needed correction were: 315011, 315011:01, 710003, and 710005.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Trend reports for Windows hosts based on the Category Count table displayed no data.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: A correlated rule failed to fire an alert because enVision was not correctly evaluating conditions inside the timer loop.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The scheme, group, and username columns were not populated in some reports for the Nortel Contivity VPN Switch device.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Could not save a query to any folder other than the default folder because the Save As option was not available in the enVision GUI.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Some field types in enVision were inconsistent, making it difficult for users to swap between tables for UDS querying/reporting.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The NIC017 (MS-Blaster) correlation rule had incorrect message IDs, causing enVision to miss events and detect false positives.
Resolution: Corrected this problem in enVision 3.5.2. Note: This rule now has a new name: NIC_Blaster_Worm.

Issue: Anti-virus events from the Symantec Antivirus Firewall device did not trigger an output action.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The AccountID column was not available in the Firewall Accounting table.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision was not populating the username in some Windows messages.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision was incorrectly parsing the IBM Mainframe DB2 event called DB2-102-143:01 in messages.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision erroneously assigned a denied event category to Cisco PIX message 106100 when it should have assigned permitted, because the permitted case was not recognized.
Resolution: Added the category of permitted for the message.

Issue: enVision did not parse some fields correctly for some Juniper Networks Steel-Belted Radius messages.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Parameters were misspelled in three IBM Mainframe DB2 events.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision stopped collecting Check Point events.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Some messages had threading variable problems.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision misclassified three messages as system configuration changes rather than network configuration changes. This caused the messages to appear incorrectly in the PCI Firewall Configuration Changes report.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision did not store the session ID for the Nortel VPN Switch in the VPN Security Table.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Cisco IPS messages were not in the Cisco Router message set.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Some HP-UX authentication messages were populating the wrong table.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Categorization and parsing of some AIX messages was incorrect.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The NIC013 rule erroneously selected a nonexistent Netscreen message.
Resolution: Removed the Netscreen message from the rule.

Issue: For the Security_534_security message ID, the process_id Windows parameter was missing from the NIC database.
Resolution: Added the parameter to the NIC database.

Issue: Two default correlation rules contained errors for multi-threading.
Resolution: Corrected the PIXFW version of NIC039 and NIC040 so that it now picks up the correct threading variables.

Issue: For the SQL Server 2005 device, collection using a non-administrative user did not work.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision parsed fields incorrectly for the Novell eDirectory device.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: In UNIX AIX events, enVision did not parse user names to the correct fields.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: On AIX, enVision parsed the queue ID incorrectly.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision misclassified SNORT messages as Linux messages.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision needed a few corrections to the scripts for SQL Server 2005 and 2000.
Resolution: Corrected this problem in enVision 3.5.2; you can download the scripts from RSA SecurCare Online.

Issue: enVision did not capture the LOGOFF$TIME in Oracle 9i and 10g.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision did not have messages for the User.Activity.Privileged Use.Successful event category for Linux.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: A threshold issue caused a rule to fire when it shouldn't have.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision generated RC forwarding checksum errors when no problem existed.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision parsed the Snare 529 message incorrectly.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision did not correctly parse any message from Blue Coat ELFF that had a space in it.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision did not summarize bytes correctly for Cisco Router.
Resolution: Corrected this problem in enVision 3.5.2.

Installation

Issue: The initial installation of enVision did not generate a valid HTTPS certificate.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision was missing an updated .dll for IBM Mainframe for iSeries.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: For the initial_multinode_install command, the systemip argument was missing from the command line help.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: In a crossover configuration involving an LC3 or an A-SRV3, the configuration wizard was unable to verify the hardware configuration.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: When certain enVision executables ran, users could not rename folders in the \nic\ folder.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: File lookup in the configuration wizard was case-sensitive, which was causing problems.
Resolution: Corrected this problem in enVision 3.5.2.

Services

Issue: Solaris BSM logs caused the File Reader service to stop.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The VA Collector crashed when the D-SRV was not available.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: After an upgrade to 3.5.1, none of the NIC services started.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: When discovering Windows devices marked as multidevice, enVision erroneously discovered other clients such as SQL Server.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Text in log files caused the File Reader service to hang, causing files to accumulate in the \ftp_files\ directory and preventing the files from being processed.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Collection from SQL 2005 did not always work because enVision did not support Microsoft's maximum path length in the collection.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The Packager crashed when it encountered a message.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: After users installed v3.5.1-24587.zip, enVision discovered Windows devices twice.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The NIC File Reader service stopped if it had to read more than 50 messages.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The remote collector was not forwarding data to the D-SRV.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: enVision stopped sending alerts after a few hours or days.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: After an upgrade to 3.5.1, the alerter crashed every few hours.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: Large cookies caused errors in IIS collection.
Resolution: Corrected this problem in enVision 3.5.2.

Issue: The Locator would not generate a .dir file if a storage location was unavailable.
Resolution: The Locator now produces a .dir file one hour after a location becomes unavailable.

Issue: Performance of syslog over TCP was less than 250 EPS (events per second).
Resolution: This issue was addressed successfully.

Issue: The collector crashed and lost events.
Resolution: Corrected this problem in enVision 3.5.2.

Chapter 4. Technical Notes


This chapter lists the significant changes from enVision version 3.5.1 to 3.5.2 in areas such as the operating
environment, supporting software, supporting hardware, and so forth. It also describes important technical
information you must know when using this release.

VAM Users Must Run Most-Recent Content Update


If you use the VAM (Vulnerabilities Asset Management) feature, download the most recent Content Update (from https://knowledge.rsasecurity.com: Downloads > All Downloads > RSA enVision > Content Updates) and install it.

enVision and Event Explorer Client Software


As of 3.5.2, if you use Mozilla Firefox for your Internet browser, enVision and Event Explorer only
support Mozilla Firefox version 2.0 or later.
Supported browsers:
Windows: Microsoft Internet Explorer v6.x; Mozilla Firefox 2.0 or later
Macintosh: Mozilla Firefox 2.0 or later

Chapter 5. Documentation Errata


This chapter contains the topics corrected in the enVision and Event Explorer Online Help.

enVision Online Help Revised Topics


The following corrections will be made in the online help in a future release of enVision.

Added Compliance ISO 27002 Reports


The 3.5.2 online help is missing the following descriptions of ISO 27002 compliance reports.
ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. ISO 27002 is used as the foundation and technical guideline for many international and industry compliance standards, and it is generally regarded as good practice for all organizations.
ISO-27002 Computer Account Logon Activity
ISO 27002 Section 11.5.B
Lists all local and remote logon activity for all monitored Windows, HP-UX, AIX Unix, Sun Solaris,
Red Hat Linux and Apple Mac OS X systems.
ISO-27002 Computer Account Logon Activity - Windows Detail
ISO 27002 Section 11.5.B
Lists all logon activity for all monitored Windows domains and systems. This report is specific to
monitored Windows systems, but provides a greater level of detail than the Computer Account
Logon Activity report.
ISO-27002 Computer Account Status by Account Windows
ISO 27002 Section 11.5.1
Lists all logon activity for specific user accounts. The user accounts in question should be listed as
run time parameters.
ISO-27002 Control of Collected Evidence
ISO 27002 Section 13.2
Lists all changes and object level access events to all collected evidence. This report requires that all
evidence be contained within directories included in a device group called Rules for Evidence, and
that object level auditing be enabled on these directories.
ISO-27002 Control of Collected Evidence - Windows Detail
ISO 27002 Section 13.2
Lists all changes and object level access events to all collected evidence. This report requires that all
evidence be contained within directories included in a device group called Rules for Evidence, and
that object level auditing be enabled on these directories. This report is specific to monitored
Windows systems, but provides a greater level of detail than the standard Control of Collected
Evidence report.


ISO-27002 Control of Human Resources Data
ISO 27002 Section 8.3
Lists all changes and object level access Events to the HR device group. This report requires that all
software and Human Relations data be contained within a device group, and object level auditing be
enabled on the directories containing the Human Relations data.
ISO-27002 Control of Human Resources Data - Windows Detail
ISO 27002 Section 8.3
Lists all changes and object level access Events to the HR device group. This report requires that all
software and Human Relations data be contained within a device group, and object level auditing be
enabled on the directories containing the Human Relations data. This report is specific to monitored
Windows systems, but provides a greater level of detail than the standard Control of Human
Resources Data report.
ISO-27002 Control of Operational Software
ISO 27002 Section 12.4.1
Lists all changes and object level access Events to the Operational Software device group. This
report requires that all operational software be contained within a device group, and object level
auditing be enabled on the directories containing the operational software and data.
ISO-27002 Control of Operational Software - Windows Detail
ISO 27002 Section 12.4.1
Lists all changes and object level access events to the Operational Software device group. This
report requires that all operational software be contained within a device group, and object level
auditing be enabled on the directories containing the operational software and data. This report is
specific to Windows devices but provides more detail than the standard Control of Operational
Software report.
ISO-27002 Control of System Audit Data
ISO 27002 Section 15.3.2
Lists all changes and object level access events to the software and data used to perform system
audits. This report requires that the software, source data and result data be contained within a
device group, and object level auditing be enabled on the containing directories.
ISO-27002 Control of System Audit Data - Windows Detail
ISO 27002 Section 15.3.2
Lists all changes and object level access events to the software and data used to perform system
audits. This report requires that the software, source data and result data be contained within a
device group, and object level auditing be enabled on the containing directories. This report is specific
to Windows devices but provides more detail than the standard Control of System Audit Data report.
ISO-27002 Control of System Test Data
ISO 27002 Section 12.4.2
Lists all changes and object level access Events to the systems and data used in the testing of
Operational Software security. This report requires that all system test data be contained within a
device group, and object level auditing be enabled on the directories containing the system test
software, source data and test results.
ISO-27002 Control of System Test Data - Windows Detail
ISO 27002 Section 12.4.2
Lists all changes and object level access Events to the systems and data used in the testing of
Operational Software security. This report requires that all system test data be contained within a
device group, and object level auditing be enabled on the directories containing the system test
software, source data and test results.


ISO-27002 External Contractors Report
ISO 27002 Section 8.1.3, 10.7.3
Lists all changes and object level access events to the External Contractor Access device group.
This report requires that all computers, software, source data and result findings be contained within
a device group, and object level auditing be enabled on the directories containing this data.
ISO-27002 External Contractors Report - Windows Detail
ISO 27002 Section 8.1.3, 10.7.3
Lists all changes and object level access events to the External Contractor Access device group.
This report requires that all computers, software, source data and result findings be contained within
a device group, and object level auditing be enabled on the directories containing this data.
ISO-27002 Malicious Software Activity
ISO 27002 Section 10.4.1
Lists all malicious software activity for all monitored devices.
ISO-27002 Operation Change Control Report
ISO 27002 Section 11.6
Lists all configuration and policy changes for the Application System infrastructure.
ISO-27002 Operation Change Control Report - Windows Detail
ISO 27002 Section 11.6
Lists all configuration and policy changes for the Application System infrastructure. This report is
restricted to only Windows devices, but delivers a greater level of detail than the standard Operation
Change Control Report.
ISO-27002 Password Changes and Expirations
ISO 27002 Section 11.3.1
Lists all manual and automatic password change and expiration events. This includes Windows, Sun
Solaris, Red Hat Linux, HP-UX, AIX and Apple Mac OS X operating systems.
ISO-27002 Source Code Access
ISO 27002 sec. 12.4.3
Lists all changes and object level access events to the Source Code device group.
This report requires that the source code for all custom software and commercial software
customization be contained within a device group, and object level auditing be enabled on the
directories containing the source code.
ISO-27002 Source Code Access - Windows Detail
ISO 27002 sec. 12.4.3
Lists all changes and object level access Events to the device group "Source Code".
This report requires that the source code for all custom software and commercial software
customization be contained within a device group, and object level auditing be enabled on the
directories containing the source code.
ISO-27002 User Activity from External Domains Windows
ISO 27002 Section 11.4.2
Provides the details of all activities of non-domain-authenticated users. All authenticated domains are identified in run time parameters.


Correction to topic: Supported Devices


Version 12.4 of the Cisco Router is now supported.
Trend Micro Control Manager 3.5 is now supported. Configuration instructions for this device are available
at RSA SecurCare Online.
Important: The list of supported devices changes frequently. For a list of devices that are currently supported for use with enVision, go to RSA SecurCare Online (https://knowledge.rsasecurity.com), log in, then select Documentation > Guides & Manuals > RSA enVision > Device Configuration. From this page, you can download any supported device's configuration instructions, which include supported version numbers and other information.

Correction to topic: Support for Syslog Relays


The following table entry is incorrect in the 3.5.2 online documentation:

If the syslog message is... well-formed but its header contains a hostname rather than an IP address
Then, enVision... attempts to resolve the hostname to an IP address via the \etc\hostnames.ini file, and if successful, uses this IP address to identify the sender. Note: Configuration is required for hostname resolution.

It should read as follows:

If the syslog message is... well-formed but its header contains a hostname rather than an IP address
Then, enVision... attempts to resolve the hostname to an IP address via the nic\csd\config\collectors\hostnames.ini on the A-SRV or the NAS, and if successful, uses this IP address to identify the sender. Note: Configuration is required for hostname resolution.
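As an added example (not RSA's code and not part of the original release notes), here is how a collector can apply the corrected rule above: an IP literal in a well-formed header identifies the device directly, otherwise the header hostname is resolved through a hostnames.ini lookup and the sender is identified by that IP; this is the same class of problem as the Netscreen Manager IP issue in Chapter 3, where every relayed message appeared to come from the relay. The hostnames.ini layout (one hostname=IPv4 line per entry), case-insensitive matching, and the fallback to the relay's own address for an unknown hostname are assumptions of this example, not documented enVision behaviour.

```python
"""Identify the real device behind a relayed syslog message.

Added example, not RSA enVision code. Assumptions not stated in the
release notes: hostnames.ini holds one "hostname=IPv4" entry per line,
lookups are case-insensitive, and a hostname that is not in the file
falls back to the relay's transport address and is flagged "unresolved".
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss HOST MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def load_hostnames_ini(text: str) -> Dict[str, str]:
    """Parse the assumed hostname=IP layout into a lookup table.

    Blank lines and ';' or '#' comments are skipped; an entry whose value
    is not a valid IP address is ignored rather than trusted.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")) or "=" not in line:
            continue
        name, _, addr = line.partition("=")
        name, addr = name.strip().lower(), addr.strip()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        table[name] = addr
    return table


def parse_header(message: str) -> Optional[Dict[str, str]]:
    """Return the header fields of a well-formed message, else None."""
    match = _HEADER.match(message)
    return match.groupdict() if match else None


def identify_sender(message: str, relay_ip: str,
                    hostnames: Dict[str, str]) -> Tuple[str, str]:
    """Return (device_ip, how) for one message received from relay_ip.

    how is "header-ip" (header already carried an IP literal),
    "hostnames.ini" (hostname resolved via the file), "unresolved"
    (hostname unknown, relay address used; an assumption of this example)
    or "malformed" (header not well-formed, so the documented rule does
    not apply).
    """
    header = parse_header(message)
    if header is None:
        return relay_ip, "malformed"
    host = header["host"]
    try:
        ipaddress.ip_address(host)
        return host, "header-ip"
    except ValueError:
        pass
    resolved = hostnames.get(host.lower())
    if resolved is not None:
        return resolved, "hostnames.ini"
    return relay_ip, "unresolved"


# Constructed sample data (TEST-NET addresses, not real devices).
RELAY_IP = "192.0.2.10"
SAMPLE_INI = """\
; constructed hostnames.ini contents for this example
fw-edge01=192.0.2.21
core-rtr=192.0.2.22
"""
SAMPLE_MESSAGES = [
    "<134>Oct 11 22:14:15 fw-edge01 %PIX-6-302013: Built outbound TCP connection",
    "<189>Oct  5 03:04:22 192.0.2.30 %SEC-6-IPACCESSLOGP: list 101 denied tcp",
    "<38>Oct 11 22:14:16 FW-EDGE01 sshd[4711]: Accepted publickey for admin",
    "<38>Oct 11 22:14:17 unknown-host sshd[4712]: Failed password for root",
    "garbage without a syslog header",
]


def classify_samples() -> List[Tuple[str, str]]:
    """Run every constructed message through the lookup."""
    table = load_hostnames_ini(SAMPLE_INI)
    return [identify_sender(m, RELAY_IP, table) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, (ip, how) in zip(SAMPLE_MESSAGES, classify_samples()):
        print(f"{ip:<12} {how:<13} {msg[:50]}")
```

Messages tagged "unresolved" are the ones that would still be attributed to the relay, so counting them is a quick check that hostnames.ini covers every device behind it.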


New topic: Location of \nic\csd\ Directory on Your enVision Installation

This new topic tells you how to locate your \nic\csd\ directory.
All enVision installations (single appliance site, multiple appliance site and multiple site domain)
on 50 or 60 Series hardware have a \nic\csd\ directory. csd stands for common shared directory.
Here is how you determine the location of the \nic\csd\ directory for your enVision installation:
If you have NAS (Network Attached Storage), the \nic\csd\ directory is on vol0 of the
NAS (that is the \vol0\nic\csd\ directory).
If your site has a D-SRV node, the \nic\csd\ directory is on the D-SRV node in the E:\
drive (that is the E:\nic\csd\ directory). enVision shares this D-SRV directory to other
nodes in the site.
If you do not have NAS or a D-SRV node, the \nic\csd\ directory is on the local nodes in
the E:\nic\csd\ directory.

Correction to topic: NIC SFTP Agent


Added the following to the Set Up NIC SFTP Agent section, step 6, in the NIC SFTP Agent:
Note: Configure either the file or the directory specifications, but do not configure both.

Correction to topic: Manage Storage Locations Window


The Active State field description for the pending state now reads as follows:
(pending - the system will rotate to use this drive when the next drive rotation occurs, and at
least at the beginning of the next GMT day [not at the beginning of the next day, as was previously
stated])

Correction to 4 topics: Event Storage Locations, Drive Rotation, Add Storage Locations and Modify Storage Locations
Changed the tip at the end of these four topics so it now reads as follows:
Tip: To make a location the active drive, uncheck the Allow Write Access check box on each of
the other locations. This forces that location to become the active drive at the top of the next GMT
day [not at the top of the hour, as was previously stated].

Correction to 3 topics: Send Report Results via Email, Schedule Reports Window and Email Delivery Options Popup Window
Added the following warning to these three topics:
Warning: The Email link only works if the location of the report is under the webapps directory
(that is, if the report does not show up in the calendar, the link to it will not work).


Correction to topic: Delete Storage Locations


Step three erroneously states:
3. Click Delete.
The correct step is:
3. Click Apply.

Correction to topic: Schedule Report Window


Clarified the field description for the Schedule Immediate button:

Schedule Immediate: Click to schedule the task for immediate processing. enVision runs the report once with no recurrence. Here are the advantages of scheduling a report to run immediately as opposed to running it as an ad-hoc report:
enVision sends the report's results to a calendar. If you run this report as an ad-hoc report, enVision deletes it as soon as you log out.
You can schedule the report to run as part of a bind. You can only run ad-hoc reports individually.

Correction to Link to Customer Support Website


The enVision 3.5.2 online documentation incorrectly tells you to go to
http://www.rsa.com/node.aspx?id=3170 to access the RSA enVision Customer Support
Website.
The correct referral is:

Go to https://knowledge.rsasecurity.com and log on to RSA SecurCare Online.

This is the site from which you gain access to RSA enVision Customer Support information
including documentation.


Revised the Three Replication Topics after 3.5.2


The following three topics were revised in the online documentation after 3.5.2 to better describe how
replication works in enVision.

Replicate the Configuration Database

NIC DB Replication Client Service

NIC DB Replication Server Service

Replicate the Configuration Database


For multiple appliance sites only!
To provide global access of information throughout the NIC Domain, enVision replicates the Configuration
database (nic.db) for each site and sends the replicated database to each of the other sites. Replication
occurs once every minute.
Two services perform the replication:

NIC DB Replication Client service

NIC DB Replication Server service

The NIC DB Replication Client service replicates the configuration information (user information,
permissions, views, and so forth) in the Configuration database and passes it to the site's NIC DB
Replication Server service. The NIC DB Replication Client service then passes this information to the NIC
DB Replication Server Service on the D-SRV (Data Server) appliance in the NIC Domain's master site.
Replicated information from the other sites in the NIC Domain is passed to each site's NIC DB Replication Server service from the NIC DB Replication Server service on the D-SRV appliance in the NIC Domain's master site.


Troubleshooting - If you are experiencing issues with your multiple appliance site, verify the following
before calling technical support:

The NIC DB Replication Client Service is running on each A-SRV, LC, and D-SRV appliance with
the exception of the D-SRV at the NIC Domain's master site.

The NIC DB Replication Server Service is running on each D-SRV appliance. It uses port 2439.
This port must be open between the D-SRV and D-SRV connections between sites.

The timestamp of the enVision\logs\dbmlsync_succeeded file is within one minute of the current time on each node. (Skip this step on the master site's D-SRV node.)


NIC DB Replication Client Service


For multiple appliance sites only!
Note: No configuration is needed for the NIC DB Replication Client Service.
This service runs on each A-SRV, LC and D-SRV appliance with the exception of the D-SRV at the NIC
Domain's master site.
The NIC DB Replication Client service replicates the configuration information (user information,
permissions, views, and so forth) in the Configuration database and passes it to the site's NIC DB
Replication Server service. The NIC DB Replication Client service then passes this information to the NIC
DB Replication Server Service on the D-SRV (Data Server) appliance in the NIC Domain's master site.
The NIC DB Replication Server service on the D-SRV appliance in the NIC Domain's master site passes
replicated information from the other sites in the NIC Domain to each site's NIC DB Replication Server
service.
NIC DB Replication Server Service
For multiple appliance sites only!
The NIC DB Replication Server service runs on each D-SRV appliance. It uses port 2439. This port must
be open between the D-SRV and D-SRV connections between sites.
Here is how the NIC DB Replication Server service and the NIC DB Replication Client service replicate data on all D-SRVs in your NIC Domain:
1. The NIC DB Replication Client service replicates the configuration information (user information, permissions, views, and so forth) in the Configuration database and passes it to the site's NIC DB Replication Server service.
2. The NIC DB Replication Client service passes the replicated data to the NIC DB Replication Server service on the D-SRV appliance in the NIC Domain's master site.
3. The NIC DB Replication Server service on the D-SRV appliance in the NIC Domain's master site passes replicated information from the other sites in the NIC Domain to each site's NIC DB Replication Server service.

Note: No configuration is needed for the NIC DB Replication Client Service.


Event Explorer Online Help Revised Topics


The following corrections will be made to the online help in a future release of Event Explorer.

Correction to topic: Installation


The Event Explorer 3.7.0 online documentation erroneously states that Event Explorer 3.7.0 is only
compatible with enVision appliance sites running enVision 3.5.1 or later.
The correct statement is as follows:
Event Explorer 3.7.0 is compatible only with enVision appliance sites running enVision 3.5.0 or
later.
