
Upgrade CS MARS

René Jorissen on October 28, 2009

A customer was running CS MARS with version 4.3.6. Lately the Cisco IPS sensor was upgraded to version 7.x. This version wasn’t supported anymore by CS MARS version 4.3.6. That is why the CS MARS needed to be upgraded to 6.x. I don’t have a lot of experience with CS MARS and I couldn’t find a way to upgrade from 4.3.6 to 6.x.

The only way to upgrade from 4.3.6 to 6.x is by re-imaging the server. I started by securing the current configuration. The current configuration can be saved to an NFS server. I secured the current configuration and event data with the following commands:

[pnadmin]$ pnexp
pnexp > export config 10.1.1.1:/home/NFS
pnexp > export data 10.1.1.1:/home/NFS

The next question I had was: which CS MARS version to download? Searching the documentation, I only found an upgrade procedure for upgrading from 4.3.6 to 6.0.1. The latest version is version 6.0.5, but I couldn’t find any documentation about upgrading directly from 4.3.6 to version 6.0.5. I decided to upgrade from 4.3.6 to 6.0.1 and then directly to 6.0.5.

Re-imaging the server took about an hour. The installation process itself didn’t take a lot of time; most of the time was spent creating an Oracle database. After re-imaging I had to import the configuration from the NFS server.

Hmmm…. the server has a fresh installation, so no IP address whatsoever. First I had to find the default username and password to log in to CS MARS. The default username and password is pnadmin. I configured an IP address using the following command:

[pnadmin]$ ifconfig eth0 10.1.1.2 255.255.255.0

Next I was able to access CS MARS through SSH. I imported the configuration and the event data using the following commands:

[pnadmin]$ pnimp
pnimp > import config 10.1.1.1:/home/NFS
pnimp > import data 10.1.1.1:/home/NFS

The complete configuration, including hostname, DNS servers and license, and the event data were nicely restored. Next I wanted to upgrade from version 6.0.1 directly to version 6.0.5. I was stunned at that moment: I discovered that the different upgrades need to be installed sequentially. The different upgrades have multiple dependencies amongst each other. It is possible to install the upgrade packages through the web interface, but I got some dependency failures during this process.

The only way for me, and I think the best way, was installing the upgrade packages through an SSH session. I let the CS MARS download the required packages directly from the Cisco website by using valid CCO credentials. The first step involved checking which upgrade packages were available using the following command:

[pnadmin]$ pnupgrade
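CSMARS Upgrade...........[25541]
--------------------------------------------------------------------------------
Package Name Type Version URL
--------------------------------------------------------------------------------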
csmars-6.0.5.3358.zip BD 6.0.5.3358.34 http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/csmars-6.0.5.3358.zip
csmars-6.0.4.3229.zip BD 6.0.4.3229.33 http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/csmars-6.0.4.3229.zip
csmars-6.0.3.3190-customer-patch.zip B 6.0.3.3190 http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/csmars-6.0.3.3190-customer-patch.zip
csmars-6.0.3.3188.zip BD 6.0.3.3188.32 http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/csmars-6.0.3.3188.zip
csmars-6.0.2.3102.zip BD 6.0.2.3102.31 http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/csmars-6.0.2.3102.zip

The above upgrade packages are available. The packages need to be installed sequentially, so I started with version 6.0.2.3102.31 using the following command:

[pnadmin]$ pnupgrade -d -u <CCO username>:<CCO password> <upgrade package URL>

CS MARS starts downloading the specific upgrade package. The -d parameter tells CS MARS to ask first before installing the upgrade package, because a reboot is required after the installation. I repeated this step for all subsequent upgrade packages.
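The sequential install order can be derived from the pnupgrade listing itself. The following is an added example, not part of the original post or of CS MARS: it parses the package rows shown above, checks that every URL points at a cisco.com host, and emits the pnupgrade commands oldest-first. The function names and the assumption that packages are applied in ascending version and build order (customer patch included) are mine.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the package rows from the pnupgrade listing in the post.
BASE = "http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/"
LISTING = f"""\
Package Name Type Version URL
csmars-6.0.5.3358.zip BD 6.0.5.3358.34 {BASE}csmars-6.0.5.3358.zip
csmars-6.0.4.3229.zip BD 6.0.4.3229.33 {BASE}csmars-6.0.4.3229.zip
csmars-6.0.3.3190-customer-patch.zip B 6.0.3.3190 {BASE}csmars-6.0.3.3190-customer-patch.zip
csmars-6.0.3.3188.zip BD 6.0.3.3188.32 {BASE}csmars-6.0.3.3188.zip
csmars-6.0.2.3102.zip BD 6.0.2.3102.31 {BASE}csmars-6.0.2.3102.zip
"""

# name, type, dotted version, URL; header and separator lines do not match.
ROW = re.compile(r"^(csmars-\S+\.zip)\s+(\S+)\s+(\d+(?:\.\d+)+)\s+(\S+)$")

def version_key(version):
    """Numeric key on major.minor.patch.build, so 6.0.10 sorts after 6.0.9."""
    return tuple(int(part) for part in version.split(".")[:4])

def parse_listing(text):
    """Return (name, type, version, url) tuples for every package row."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]

def upgrade_plan(text, running, trusted_suffix=".cisco.com"):
    """Packages newer than the running version, oldest first (assumed order)."""
    plan = []
    for name, _type, version, url in parse_listing(text):
        host = urlparse(url).hostname or ""
        if not host.endswith(trusted_suffix):
            # Refuse to build a command for a package hosted anywhere else.
            raise ValueError(f"unexpected download host for {name}: {host}")
        if version_key(version) > version_key(running):
            plan.append((version_key(version), name, url))
    return [(name, url) for _key, name, url in sorted(plan)]

def commands(plan):
    """One pnupgrade call per package, in the form used in the post."""
    return [f"pnupgrade -d -u <CCO username>:<CCO password> {url}"
            for _name, url in plan]

if __name__ == "__main__":
    for cmd in commands(upgrade_plan(LISTING, "6.0.1")):
        print(cmd)
```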

Now CS MARS is running version 6.0.5 (3358) 34 and the IPS can be added to CS MARS. It took some time, but I am still curious if I could re-image the server directly to version 6.0.5.


  1. randy says:

    whoever posted this article – thank you. going thru the upgrade here now from 4.3.6 to 6.06 and (as usual) the MARS documentation is pretty much useless, and in this experience, incorrect. The 6.06 install guide says the “only” way to import an upgrade package direct from Cisco CCO is via the GUI. After a day of screwing around (and googling) it seems that the exact opposite was true (here anyway). The GUI option repeatedly fails, hangs – the CLI method (using the URL info in your post) succeeded first crack.

    Managing MARS is a perpetual exercise in frustration. Your post was helpful – just wanted to say thanks….
