LogLogic Release Notes for Security Event Viewer and Security Event Manager, v3.5.0

Transcription

1 LogLogic Release Notes for Security Event Viewer and Security Event Manager, v3.5.0 LogLogic Security Event Viewer and Security Event Manager offer scalable and comprehensive data security assistance monitoring for organizations challenged by the complexity of modern IT infrastructures. Security Event Viewer and Security Event Manager are designed to continuously protect the most valuable business assets: core systems and the intellectual property they hold. This document lists functionality changes and bug fixes in Security Event Viewer version and Security Event Manager version Note: For changes to the Release Notes after the initial release, see New Features... 2 Bug Fixes and Enhancements... 3 Standard Content... 5 Bug Fixes and Enhancements... 5 Supported Products by SEV/SEM... 6 New Supported Products... 6 Bug Fixes and Enhancements... 6 Supported Product List... 8 SEV/SEM Appliances...10 Appliances Description...10 Software Requirements...11 Log Collector Requirements...11 Web Console Requirements...11 Upgrading to SEV/SEM v Known Limitations...11 Documentation...12 SEV/SEM Documentation...12 Devices Specific Documentations...13 Technical Support...14 LL E January

2 New Features New Web Console style In order to provide users with uniformity and visual continuity for both LMI and SEM GUIs, the SEM Web Console style has been improved: new Color palette, improved Web Console layout, new log in and loading pages, improved forms layout, new Online Help design. LL E January

3 Bug Fixes and Enhancements Log Collection ID # Summary Support # #8629 The option "add log source host as target" now works as expected with a Solaris Log Source file #8685 Collection policy on WELF log source works now as expected #9061 All log collectors configured with the communication mode "Server Log Collector" now work as expected after a restoration Engines ID # Summary Support # #8430 Correlation rules on distinct field values are correctly saved in database #8626 Correlation rules using else/or conditions now works as expected #8649 The correlation alert triggered threshold now works as expected #8974 The Incident Send communication process has been corrected according to the specified WSDL file #9134 The SOAP communication environment has been updated (use of uniform resource name and not static URL) #9304 Grouping on undefined values in scenarios now works as expected Web Console ID # Summary Support # #6446 The creation and deletion of configuration profiles now works as expected #8054 In the event list, modifying the column type does not reset filters any longer #8344 #8409 The Alerts / Events / Incidents tab refresh now works as expected #8645 The edition of a rule in the scenario creation does not change the general order of the rules anymore #8648 The filter on "creation date: last 24h" is not reset any more to "creation date: last hour" when sorted by "last updated" #8682 The online documentation for the "External Server" section is now available #8693 During the host creation/edition, the host name can begin by a numeric character #8758 The copy of a live reporting table does not generate a blank table, whose name is not supported by the database #8774 Upload license on Internet Explorer 8 now works as expected LL E January

4 #8800 Auto refresh (server time) is now correctly effective for Internet Explorer 7 and 8 #9157 A confirmation message is displayed before deleting archives file in the Web Console #9176 Incidents now include aggregated events attributes #9321 Incidents tab now refreshes as expected Security Dashboards ID # Summary Support # #9109 Reports can now be correctly ordered by detect time LL E January

5 Standard Content Bug Fixes and Enhancements Correlation Rules ID # Summary Support # #8575 Corrected ontology in the "Threshold Control User" rule #9327 The "Segregation of duties violation" scenario now works as expected Reporting Policy ID # Summary Support # #8576 Corrected taxonomy for the live reporting rule "Asset Availability" Other ID # Summary Support # #8846 GeoIP database has been updated #9147 For new installed SEM 3.5 version, default password has been changed: root shell account: pwd="logapp" Admin shell account: pwd="logapp" Web Console superadmin account: pwd="admin" In case of a SEM 3.5 upgrade, no password will be changed. LL E January

6 Supported Products by SEV/SEM New Supported Products ID # Vendor Product Support # #9100 CheckPoint All Products through LMI #9017 ASA 8.2 & 8.3 #9181 #9120 IPS (SDEE) #8999 Fortinet Fortigate v3 & v4 #8880 Juniper IDP through LMI #9112 LogLogic Database Security Manager 9111 McAfee epo through LMI #9153 Exchange 2007 #8878 Nortel Nortel Contivity through LMI #9151 Oracle Oracle DB through LMI (9, 10, 11) #8696 Palo Alto Networks Firewall #8681 Solaris BSM #9015 Trend Micro TMCM through LMI Bug Fixes and Enhancements ID # Vendor Product Support # #6367 BlueCoat BlueCoat SG #7013 CheckPoint CheckPoint OPSec #6917 #8973 CheckPoint FW1 SFDC #7963 ACS #9202 ASA #8830 #9220 FWSM #9247 IronPort #8832 VPN #8627 ClamAV ClamAV LL E January

7 #9222 #8686 #8675 #9232 Intersect alliance Windows Snare #8534 Juniper Juniper Secure Access #8580 #8643 Juniper NetScreen OS v6 #9171 LogLogic LMI #8584 LogLogic SEM (SMP Monitoring) #6209 #6582 #6607 #7009 #7054 #8659 #8695 Windows (All workstation versions) Windows 2003 Server #8504 #6734 #8638 #7236 #9262 Windows 2008 Server #8691 Oracle DB Oracle convertor #8642 Oracle Oracle audit trail 9, 10, 11 #8687 Solaris Solaris 8910 LL E January

8 Supported Product List Vendor Product Vendor Product Anti virus/spyware/spam Apache Spamassassin Blue Coat Blue Coat ProxyAV Ironport Mail Security ClamAV ClamAV Clearswift Mimesweeper For SMTP DB Clearswift Mimesweeper For SMTP Log Clearswift Mimesweeper For WEB FSecure Policy Manager Sophos Puremessage Norton Antivirus Antivirus TrendMicro Interscan Viruswall TrendMicro Trend Micro SPS sytem Authentication server ActivIdentity Activpack v4 ActivIdentity Activpack v6.3 ActivIdentity Activpack v6.5 ACS Csv ACS Syslog Cistron Radius EMC Rsa Ace server EMC Rsa Ace WMI EMC Rsa Securid linux Internet Authentication Service Novell Novell edirectory Utimaco Safeguard Business application Centralized management Ntsyslog Arkoon Arkoon DB Arkoon Arkoon DB v3 Arkoon Arkoon DB v4 Arkoon Arkoon Syslog Intrusion.com Securenet Provider ISS SiteProtector SP4 ISS SiteProtector SP5 ISS SiteProtector SP6 ISS SiteProtector SP7 Juniper Netscreen Security Manager v2004 LogLogic Security Change Manager McAfee Epolicy Orchestrator Operation Management Nagios Nagios TrendMicro Trend Micro Control Manager Webmin Webmin Database services Ms sql Ms sql Operational Loglogic Database Security Manager (DSM) Oracle Oracle DB Sourcefire Sourcefire3D isc.org Domain Name System (DNS) File server Bind Vsftpd NetApp Netapp ProFTPD ProFTPD Wuftpd Wuftpd honeyd.org 3Com Enterasys Enterasys Enterasys ForeScout Intrusion.com ISS Juniper McAfee McAfee Niksun Samhain Sentry Tools Snort Snort Snort Tripwire Tripwire LogLogic LogLogic LogLogic Honeypot Honeyd Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) Log management TippingPoint CSA v45 CSA v52 CSA v60 IPS (SDEE) Dragon IDS v7_0 Dragon IDS v7_1 Dragon IDS v7_2 Activescout Securenet Sensor Realsecure wgm Netscreen IDP Entercept Intrushield Netdetector Samhain Portsentry Snort Snort DB Winsnort Client Security Endpoint Protection Network Security Tripwire Tripwire Entreprise LMI SMP SMP Relay Messaging services Imapd Ciphertrust IronMail couriermta.org Courier MTA Eudora Qpopper GNU Exim Inter7 Vpopmail Lotus Lotus Domino Exchange Postfix Postfix sendmail.org Sendmail TrendMicro Interscan Messaging Security Suite Directory services LL E January

9 Vendor Product Vendor Product Network device Aruba Aruba Wireless Access Point Check Point Check Point Internal Log CSS FWSM Router Switch VPN VPN IOS compat Cyberguard Cyberguard Draytek Vigor F5 Bigip Juniper Juniper Secure Access Juniper Netscreen Juniper Netscreen v6 Linksys Wap11 Lucent Brick Nortel Alteon Web Switch Nortel Contivity Nortel Nortel Alteon Nortel Nortel switch Nortel Nortel VPN gateway StoneSoft Stonegate Zyxel Zywall Zyxel Zyxel Operating System Ipchains Breach Security Modsecurity FreeBSD FreeBSD Grsecurity Grsecurity HP HP UX HP Tru64 IBM Aix IBM Tivoli Directory Server Intersect alliance Windows 2000 server snare Intersect alliance Windows 2000 workstation snare Intersect alliance Windows 2003 server snare Intersect alliance Windows 2008 server snare Intersect alliance Windows all snare Intersect alliance Windows Vista workstation snare Intersect alliance Windows XP workstation snare Linux Linux Internet Connection Firewall Windows 2000 server Windows 2000 workstation Windows 2003 server English Windows 2003 server French Windows 2008 server English Windows 2008 server French Windows Vista English Windows Vista French Windows XP English Windows XP French Netfilter Netfilter Nokia IPSO Sun Solaris Sun Solaris BSM Squid Squid Sun TrendMicro TrendMicro WebSense WebSense Astaro Astaro Barracuda Check Point Check Point Fortinet PaloAlto Networks NetASQ NetASQ NetASQ NetASQ Sonicwall Remote desktop Internet Security Acceleration v2004 Squid Squidguard Iplanet Interscan Web Security Suite Linux v2 Interscan Web Security Suite Windows v2 Websense v5 Websense v6 PCanywhere Unified Threat Management (UTM) Virtualization Criston ISS ISS McAfee Qualys Tenable Security Apache APC APC Astaro v4 Astaro v5 Barracuda Check Point Pointsec Protector ASA PIX Fortigate Firewall Netasq Alarm v6 Netasq Connection v6 Netasq Filter v6 Netasq v5 Sonicwall Gateway Security v2 Gateway Security v3 Vulnerability scanner Web server Other Criston VM Internet Security Scanner v6 Internet Security Scanner v7 Foundstone QualysGuard Nessus Apache Internet Information Services NCSA Internet Information Services W3C Internet Information Services W3C v3 APC EMU APC UPS Products also supported through LogLogic LMI are underlined in green Proxy / Reverse proxy Beeware Blue Coat Deny ALL F5 Ingrian McAfee I Sentry Blue Coat ProxySG Rweb Appshield Ingrian WebShield Internet Security Acceleration v2000 FW LL E January

10 SEV/SEM Appliances Appliances Description 3 rd Gen Appliances SEM 1060 SEM 3060 SEM 4060 Rack Format 1U 2U 2U Processor(s) Type E5520 E5520 X5570 Total Core # RAM (GB) Max. EPS (remote Log Collector) Max. Instances Archive Storage (GB) Online Storage (GB) LL E January

11 Software Requirements Log Collector Requirements The Log Collector can be installed on the following platforms, with at least 100 MB of disk space available: Windows 2000 (SP4, Windows installer 3.1 or later) x86 (32bit). Windows 2003/2008/XP/Vista x86 (32bit) or x86_64 (64bit). Linux with kernel 2.4 or later (e.g. Red Hat EL 3 or later) x86 (32bit) or x86_64 (64bit). Solaris 8 or later. Aix 5.2 or later. Web Console Requirements The Web Console can be used with the following web browsers: Internet Explorer 7.0 or higher. Mozilla Firefox or higher. Hosts running the Web Console must have at least: 1 GB of RAM. 1024x768 resolutions. 1 GHz 32bit (x86) or 64bit (x64) processor. Upgrading to SEV/SEM v3.5.0 To upgrade to LogLogic Security Event Viewer and Security Event Manager 3.5.0, please refer to the User Guide section 9, Updating the SMP Server. SEV/SEM User Guide and all other documentations are available on our Support Center web site: Known Limitations After an upgrade to SEV/SEM v3.5.0, please clear your web browser cache to avoid a display issue. LL E January

12 Documentation You can find the complete set of user documentation gathering all product guides on: LogLogic SEM installation DVD SEV/SEM Documentation File Name Status AdministrationGuide SEMen.pdf Updated ConceptsGuide SEMen.pdf Updated LogCollectorInstallationGuideSEMen.pdf ReferenceGuide SEMen.pdf SMPInstallationGuideSEMen.pdf Updated UserGuide SEMen.pdf Updated Online Help Updated LL E January

13 Devices Specific Documentations File Name Status workingwithactivpack.pdf workingwithbluecoatsg.pdf workingwithcheckpoint.pdf workingwithciscoids.pdf Updated workingwithciscoioscatos.pdf workingwithciscopixasa.pdf workingwithenterasysdragon.pdf workingwithexchange.pdf New workingwithfortinetfortigate.pdf workingwithinternetinfoservices.pdf workingwithironport.pdf New workingwithissrealsecure.pdf workingwithisssecurityscanner.pdf workingwithisssiteprotector.pdf workingwithlotusnotes.pdf workingwithmcafeeentercept.pdf workingwithmcafeeepo.pdf workingwithmcafeeintrushield.pdf workingwithmicrosoftisa.pdf workingwithmicrosoftom.pdf workingwithmimesweeper.pdf workingwithnokia.pdf workingwithoracle.pdf New workingwithrsa.pdf workingwithsnarewindows.pdf workingwithsnort.pdf workingwithtrendiwsswindows.pdf workingwithtrendmcm.pdf workingwithwebsense.pdf workingwithwindows.pdf LL E January

14 Technical Support Customers may reach the LogLogic support team by: Telephone: Toll Free: LOGS US Local: EMEA or APAC: + 44 (0) or +44 (0) support@loglogic.com Support Website: LL E January