Upgrade CS MARS

A customer was running CS MARS with version 4.3.6. Lately the Cisco IPS sensor was upgraded to version 7.x. This version wasn’t supported anymore by CS MARS version 4.3.6. That is why the CS MARS needed to be upgraded to 6.x. I don’t have a lot of experience with CS MARS and I couldn’t find a way to upgrade from 4.3.6 to 6.x.

The only way to upgrade from 4.3.6 to 6.x is by re-imaging the server. I started by securing the current configuration. The current configuration can be saved to an NFS server. I secured the current configuration and event data with the following commands:

[pnadmin]$ pnexp
pnexp > export config 10.1.1.1:/home/NFS
pnexp > export data 10.1.1.1:/home/NFS

The next question I had was: which CS MARS version to download? Searching the documentation I only found an upgrade procedure for upgrading from 4.3.6 to 6.0.1. The latest version is version 6.0.5, but I couldn’t find any documentation about upgrading directly from 4.3.6 to version 6.0.5. I decided to upgrade from 4.3.6 to 6.0.1 and then directly to 6.0.5.

Re-imaging the server took about an hour. The installation process itself didn’t take a lot of time; most of the time was spent on creating an Oracle database. After re-imaging I had to import the configuration from the NFS server.

Hmmm… the server has a fresh installation, so no IP address whatsoever. First I had to find the default username and password to log in to CS MARS. The default username and password is pnadmin. I configured an IP address using the following command:

[pnadmin]$ ifconfig eth0 10.1.1.2 255.255.255.0

Next I was able to access CS MARS through SSH. I imported the configuration and the event data using the following commands:

[pnadmin]$ pnimp
pnimp > import config 10.1.1.1:/home/NFS
pnimp > import data 10.1.1.1:/home/NFS

The complete configuration, including hostname, DNS servers and license, and the event data were nicely restored. Next I wanted to upgrade from version 6.0.1 directly to version 6.0.5. I was stunned at that moment when I discovered that the different upgrades need to be installed sequentially. The different upgrades have multiple dependencies amongst each other. It is possible to install the upgrade packages through the web interface, but I got some dependency failures during this process.

The only way for me, and I think the best way, was installing the upgrade packages through an SSH session. I let the CS MARS download the required packages directly from the Cisco website by using valid CCO credentials. The first step involved checking which upgrade packages were available using the following command:

[pnadmin]$ pnupgrade
CSMARS Upgrade………..[25541]
——————————————————————————–
Package Name Type Version URL
——————————————————————————–
csmars-6.0.5.3358.zip BD 6.0.5.3358.34 http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/csmars-6.0.5.3358.zip
csmars-6.0.4.3229.zip BD 6.0.4.3229.33 http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/csmars-6.0.4.3229.zip
csmars-6.0.3.3190-customer-patch.zip B 6.0.3.3190 http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/csmars-6.0.3.3190-customer-patch.zip
csmars-6.0.3.3188.zip BD 6.0.3.3188.32 http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/csmars-6.0.3.3188.zip
csmars-6.0.2.3102.zip BD 6.0.2.3102.31 http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/csmars-6.0.2.3102.zip

The above upgrade packages are available. The packages need to be installed sequentially, so I started with version 6.0.2.3102.31 using the following command:

[pnadmin]$ pnupgrade -d -u <CCO username>:<CCO password> <upgrade package URL>

CS MARS starts downloading the specific upgrade package. The -d parameter tells CS MARS to ask first before installing the upgrade package, because a reboot is required after the installation. I repeated this step for all subsequent upgrade packages.
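The sequential order described above can be worked out from the pnupgrade listing before starting. The following is an added example, not part of the original post and not a Cisco tool: it is meant to run on an admin workstation, the function names are hypothetical, and it assumes that ascending version order is the install order and that the current version is given in the same dotted form the listing uses.

```python
import re

# Package rows copied from the pnupgrade output shown in this post.
BASE = "http://software-sj.cisco.com/cisco/crypto/3DES/ciscosecure/cs-mars/"
LISTING = f"""\
Package Name Type Version URL
csmars-6.0.5.3358.zip BD 6.0.5.3358.34 {BASE}csmars-6.0.5.3358.zip
csmars-6.0.4.3229.zip BD 6.0.4.3229.33 {BASE}csmars-6.0.4.3229.zip
csmars-6.0.3.3190-customer-patch.zip B 6.0.3.3190 {BASE}csmars-6.0.3.3190-customer-patch.zip
csmars-6.0.3.3188.zip BD 6.0.3.3188.32 {BASE}csmars-6.0.3.3188.zip
csmars-6.0.2.3102.zip BD 6.0.2.3102.31 {BASE}csmars-6.0.2.3102.zip
"""

# One row: package name, type, dotted version, download URL.
ROW = re.compile(r"^(?P<name>\S+\.zip)\s+(?P<type>[A-Z]+)\s+"
                 r"(?P<version>\d+(?:\.\d+)+)\s+(?P<url>\S+)$")

def version_key(version):
    """Turn '6.0.3.3188.32' into (6, 0, 3, 3188, 32) for numeric comparison."""
    return tuple(int(part) for part in version.split("."))

def parse_listing(text):
    """Return one dict per package row; header and separator lines are skipped."""
    packages = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        pkg = match.groupdict()
        # Sanity check: the URL must point at the package named in the same row.
        if not pkg["url"].endswith("/" + pkg["name"]):
            raise ValueError(f"URL does not match package name: {line!r}")
        packages.append(pkg)
    return packages

def upgrade_path(text, current_version):
    """Packages newer than current_version, lowest version first."""
    current = version_key(current_version)
    pending = [p for p in parse_listing(text)
               if version_key(p["version"]) > current]
    return sorted(pending, key=lambda p: version_key(p["version"]))

if __name__ == "__main__":
    for step, pkg in enumerate(upgrade_path(LISTING, "6.0.1"), 1):
        print(f"{step}. {pkg['name']} ({pkg['version']})")
        print(f"   pnupgrade -d -u <CCO username>:<CCO password> {pkg['url']}")
```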

Now CS MARS is running version 6.0.5 (3358) 34 and the IPS can be added to CS MARS. It took some time, but I am still curious if I could re-image the server directly to version 6.0.5.