ManHunt 2.2 Release Notes 1/7/2003

For periodic updates to release notes, please go to:
http://www.symantec.com/techsupp/enterprise/.

Upgrading
You can upgrade ManHunt 1.2 or later to 2.2.

Upgrade from ManHunt 1.1 or Earlier
If you plan to upgrade from an existing ManHunt 1.0 or 1.1 to ManHunt 2.2, you must uninstall the existing installation and perform a completely new installation of 2.2. See Installation section of the ManHunt 2.2 Installation Guide.

Upgrade from ManHunt 1.2 or Later
If you plan to upgrade from an existing ManHunt 1.2 or later to ManHunt 2.2, perform the upgrade steps described under the Upgrade section of the ManHunt 2.2 Installation Guide.

Upgrade from ManHunt 2.0 to 2.2
An upgrade from 2.0 to 2.2 does not require a new certificate and iButton, nor does it require an update to the topology and policy databases.
Due to changes in the topology and policy databases, some editing tasks must be performed after the upgrade is complete. Carefully follow the upgrade instructions provided in the Upgrade section of the ManHunt 2.2 Installation Guide to ensure that the upgrade is performed properly.


Limitations
Consider the following issues if you are using any of the following switches:

Lucent Switch:
The Lucent switch allows ManHunt to configure more than one copy port on the switch, but the switch will not allow any traffic to be copied via any but the first copy port configured.

Avaya Cajun Switch:
Some Avaya Cajun switches (formerly a subsidiary of Lucent) do not support the Copy Transmitted traffic setting. Use either the Copy Received or Copy Both Directions setting when adding network interfaces to your ManHunt topology for a Lucent/Avaya switch.

Cisco Switch:
For Cisco switches using Cisco IOS, full-duplex traffic (Copy Both Directions) will be seen regardless of the copy direction type selected in the administration console because this is the only option that Cisco supports. The copy ports from Cisco IOS switches are limited to half-duplex fast Ethernet speeds going out to the ManHunt node. Therefore, if the port you are monitoring on the switch has full-duplex aggregate traffic exceeding half-duplex speeds, traffic will be dropped by the switch.

Foundry Big Iron Switch:
If you are using a Foundry Big Iron multi-layer switch, you must manually remove all interface configurations each time you create or edit the copy port information in your ManHunt topology. For example, if you want to remove copy port e 1/5 from your ManHunt topology, enter the following:

BigIron(config)# interface e 1/5
BigIron(config-if-1/5)# no monitor


Product Compatibility and Integration
ManHunt 2.2 supports MSAs, Cisco IDS integration, and other deception device integration on the platforms listed in this section.

Supported MSAs
ManHunt 2.2 supports the following MSAs:

• Dragon MSA 2.0 for integration with Enterasys Networks Dragon IDS 4.2.1
• FireWall-1 MSA 2.0 for integration with Check Point FireWall-1 NG with Feature Pack 1
• NetScreen MSA 2.0 for integration with NetScreen appliances running ScreenOS 3.0.2 or later
• RealSecure MSA 2.0 for integration with Internet Security Systems RealSecure 6.0
• Snort MSA 2.11 for integration with Snort 1.8.6
• Tripwire MSA 2.11 for integration with Tripwire Manager 2.4

---

Note: You may experience difficulties when using MSAs other than the Snort MSA 2.11 or the Tripwire MSA 2.11 with the Solaris 8 2/01 patch set.

---

Cisco IDS Integration
ManHunt Cisco IDS integration has been tested on the following platforms:

• Cisco 4210 Secure IDS Sensor plus Cisco Internet & Security CSPM 2.2
• Cisco Secure IDS 2.5 and 3.0

Device Integration
Deception device integration has been tested on the following platforms:

• ManTrap 2.1 or later

ManHunt can also export event and incident data to Oracle8i? and later over the Oracle JDBC (Java Database Connectivity) driver

Supported Platforms
ManHunt supports TACACS+ server technology (Terminal Access Controller Access Control System Plus). ManHunt also supports the network devices, NICs, switches, routers, and protocols listed in this section. See the Symantec website at http://www.symantec.com/techsupp/enterprise/ for the most up-to-date information.

ManHunt Node System Requirements
ManHunt node system requirements are:

• Dedicated SPARC? or Intel® hardware (see the Symantec website at http://www.symantec.com/techsupp/enterprise/ for the most up-to-date list of supported platforms)
• SPARC-64-bit Solaris? 8 (2/02 with 8/29 patch set, kernel patch level 108528-15) with full distribution and OEM support
• Intel-Solaris 8 Intel Edition (2/02 with 8/29 patch set, kernel patch level 108529-15) with full distribution and OEM support
• 1 NIC for each monitored device-up to 12 Fast Ethernet or 4 Gigabit Ethernet
• 1 NIC for host-to-host and host-to-administration console communication
• 1 GB RAM for Fast Ethernet configurations, 2 GB RAM for single Gigabit configurations, 4 GB RAM for multi-Gigabit configurations
• Java? 2 Runtime Environment (JRE?), standard edition 1.2.2

See the Symantec website at http://www.symantec.com/techsupp/enterprise/ for the most up-to-date information about supported platforms.

Supported Network Devices
ManHunt supports the following network devices:

• Cisco®, Avaya, and Foundry® Networks switches

---

Note: If you are using Cisco Catalyst® switches, make sure that the switch operating system is version 5.5 or greater. Earlier versions do not support SMON.

---

• Cisco and Juniper® Networks routers
• Any non-steerable switch or hub

Supported NICs
ManHunt supports the following NICs (see the Symantec website at http://www.symantec.com/techsupp/enterprise/ for the most up-to-date list of supported NICs):

• 3Com 3C905B
• Intel Pro/100+
• Intel Pro/100 Dual FE
• Intel Pro/100 TX (single or dual)
• Intel Pro/1000F Fiber (w 82543GC chipset)
• Intel Pro/1000XF Fiber (w 82544EI chipset)
• Intel Pro/1000XT Copper (w 82544EI chipset)
• Intel Pro/1000MF Dual Port Fiber (w 82546EB chipset)
• Compaq Quad 10/100 Fast Ethernet NC3134 (base)/NC3135 (daughter card)
• SPARC 1032A Fastethernet with SCSI PCI
• SPARC 1033A Fastethernet with MII PCI
• SPARC 1034A Quad Fastethernet PCI
• SPARC X1141A Gigabit Fiber Ethernet PCI
• SPARC X1151A Gigabit Fiber Ethernet PCI

Supported Switches
ManHunt switch steering has been tested with the following switches:

• Foundry BigIron Non-SMON
• Foundry ServerIron Non-SMON
• Foundry ServerIron TCL Switch O/S rev 07.1.00T12 Non-SMON
• Cisco 5505 O/S rev 5.5(3) SMON and Non-SMON
• Cisco 2948G O/S rev 6.1(1) SMON and Non-SMON
• Cisco 2924XL O/S rev 12.0(5) Non-SMON
• Cisco 3524XL O/S rev 12.0(5.2) Non-SMON
• Avaya (formerly Lucent) P333R Switch O/S rev 2.4.4

---

Note: SMON is only supported by Avaya with SNMP license purchase.

---

Supported Routers
This section lists certified routers, and tested routers.

Certified Routers
ManHunt 2.2 has been certified to work with the following routers:
• Cisco 1720 O/S rev 12.1(5)
• Cisco 2611 O/S rev 12.1(5)
• Cisco 2621 O/S rev 12.1(5)
• Cisco 2948G-L3 O/S rev 12.0(10)

Supported Routers
In addition, ManHunt 2.2 has had limited testing with the following:
• Cisco 7204_VXR O/S rev. 12.0(4)XE
• Cisco 5505_RSM O/S rev. 12.0(9)W5 (17)
• Cisco 6006_MSFC O/S rev. 12.0(7)XE1
• Cisco 2501 O/S rev. 12.0 (13)
• Cisco 3620 O/S rev. 12.0 (13)
• Juniper J-M20 O/S rev. JUNOS 4.0R3.1

Supported Protocols
ManHunt 2.2 supports the following protocols:

• HTTP
• SMTP
• SNMP
• IMAP
• POP3
• Finger
• Telnet
• FTP
• NNTP
• Rlogin
• RSH
• RPC
• IRC
• DNS
• HSRP
• BGP
• Ident
• SMB
• SOCKS

Known Issues

Responses During Failover
Response actions which augment the incident, such as TrackBack, may not be visible during a fail over scenario. This is a result of storing the response events in the local event database of a given node.

ManTrap Events
To send ManTrap 2.11 events to ManHunt 2.2, you must set the vendor tag to "RCRS" in the ManTrap administration console. ManTrap 3.0 automatically sets the "RCRS" vendor tag.

Flow Data on Single Processor Machines
On single processor machines, such as a Netra, the administration console may be slow in displaying flow data even for 100-500 flows. The flow data collection system performs best on multi-processor systems.

Recommended ManHunt Swap Space
We recommend that the ManHunt server have 1.5 to 2 times the physical RAM size in swap space.

Transient Warning for Multiple alertd Processes
It is possible that a user may get a transient warning of duplicate alertd processes running from "checkstatus". As long as this is a transient condition it does not indicate any problem with the server; alertd will fork a process when sending an email alert under normal operation.

Administration Console on RedHat Linux
If you are using RedHat Linux versions other than 6.1, the following warning messages appear when you bring up the ManHunt administration console:
Font specified in font.properties not found
[--symbol-medium-r-normal--*-%d-*-*-p-*-adobe-fontspecific]
To get rid of this warning, go to http://java.sun.com/j2se/1.3/font.properties, download the font.properties file, and place it in the /jre/lib directory.

Switch Interface Names
If a switch interface name is not entered correctly in the topology, the copy port can not steer to the interface, and no error message is displayed to indicate that the interface does not exist or that the copy port can not steer to the interface.

Gigabit NICs
For some gigabit NICs and drivers on the SPARC platform running under saturated conditions, the driver may get into an unstable state. This is characterized by the Solaris O/S showing very low CPU utilization even though the gigabit switch port (that the ManHunt gigabit NIC is connected to) will continue to be able to send saturation amounts of data. In order to restore nominal operation, please check your NIC manufacturer's directions for handling driver issues. It may require modularly unloading/loading the driver or rebooting the server.

Topology Single Connection Limitation
If you attach an interface to one which already has an attachment, the first attachment will be overwritten because ManHunt limits the number of connections to a one-to-one correlation. This means port channeled switch connections, for example any bundled ethernet ports used as a single trunk, between switches and routers will not track back correctly. In ManHunt, the percentage chance for TrackBack will be 100/(# of ports in the channel bundle).

iButton Signatures Under High Load
It is possible, especially under high load, that iButton signatures will fail or be incorrect (fail verify check). These bad signatures will not be logged and ManHunt will simply try again at the next signing interval. ManHunt keeps a running hash of data records and only re-initializes this hash if a signature is properly generated and written to the logs.

Tunneling Events
Usage of SOCKS servers without authentication will cause ManHunt to generate an event/incident because the protocol has been violated. Although this is not application-specific, events are generally created if you tunnel Yahoo IM, ICQ or AIM through a SOCKS4 proxy server. The event is generated once at authentication, so unless there is a very high volume of this type of traffic, ManHunt will not flag this as a flood attack. If there is a high volume, a filter can be set up on the ManHunt node, however, this would also filter out all other alerts for unauthorized SOCKS.

Handoff During Failover
If failover occurs on a node configured for handoff, handoff in either direction will fail until the original ManHunt node is back up. Foreign peer ManHunt nodes will continue to send handoffs to the original ManHunt IP and with the original serial number, so the handoffs will never reach the failover ManHunt node. The fail over ManHunt node may be configured to send handoffs to the appropriate peer ManHunt nodes, but because it has a different IP and serial number than the original node, it will fail to be authenticated by the remote peer ManHunt nodes.

ManHunt Versions in Clusters
Do not attempt to run ManHunt 2.11 or 2.2 in the same cluster with previous ManHunt versions. Versions of ManHunt prior to 2.11 use 3DES (FIPS 140) encryption and will not communicate with the stronger AES (FIPS 197) encryption systems of ManHunt 2.11 or 2.2. In addition, ManHunt versions prior to 2.0 use a database format that is not compatible with newer releases. Mixing ManHunt versions within a cluster may damage the ManHunt databases. Update all ManHunt nodes in the cluster to ManHunt 2.2 by performing the following steps:

1. Shut down all ManHunt nodes in the cluster.
2. Upgrade all nodes to ManHunt 2.2.
3. Re-start all nodes in the cluster.

At no time should there be different ManHunt versions running concurrently in the cluster.

Sensor TCP Flow Check Threshold
The default value for Sensor TCP Flow Check Threshold enables ManHunt to detect some portscans. However, when the Sensor Flow Check Threshold is changed to 30, ManHunt can detect significantly higher number of portscans. See "Sensor TCP Flow Check Threshold and Sensor TCP Flood Modifier" on page 5-3 of the ManHunt 2.2 Administration Guide.
Incidents from Backup Nodes in Incident Filter Options
If you select `Include Backup Nodes' and cancel out of Incident Filter options, the incident table will show incidents from backup nodes. You must deselect `Include Backup Nodes' in the Incident Filter Dialog and click Apply.

Enabling ManTrap via ManHunt
If you create a ManTrap external sensor node in the topology tree, you can launch the ManTrap administration console from within the ManHunt administration console.
To enable this feature, you must copy the entire contents of the ManTrap directory to the ManHunt directory. This is because ManHunt searches for the mtadmin.jar file in the same directory where the mhadmin.jar file is located.

Solaris Kernel Module pcplusmp for SMP Systems
If you use more than three heavily loaded sensor NICs configured on a Dell Poweredge 1650, 2550, 2650 with dual-processors, you may experience interrupt handling errors IO-APIC on stdout. This can cause the sensor NICs to stop sending traffic to the operating system. If you get IO-APIC errors while running more than three interfaces, disable pcplusmp.
To disable pcplusmp:

1. In /etc/system, add the following line in the exclude section:
   exclude: mach/pcplusmp
2. Reboot for this to take effect.

Restarting ManHunt from a Mounted CD Volume
When you restart ManHunt from a mounted CD-ROM volume, you may experience difficulty unmounting the volume to eject the CD-ROM. To resolve this issue, add a line to the start script.
To add a line to the start script:

1. Add the following at line 57 of the ManHunt 2.2 start script:
   cd ${MHPATH}
2. Save the file.

Contact recoursesupport@symantec.com if you have further problems.