Malicious SSL traffic does not generate alerts after you have edited the httpd.conf file.
If the system administrator changes the User and/or Group name of the Apache owner to a non-default value in the httpd.conf file, the agent will not be able to scan the SSL traffic.
The agent uses the /tmp/.issx_key object which is owned by the previous Apache user/group. Because the owner user/group has changed, the SSL monitoring component will lose access control rights over this object and monitoring for this traffic will fail.
Resolving the problem
The system administrator needs to ensure that the ownership of /tmp/.issx_key and the Apache processes are the same. This can be done using the following steps:
- Access the command line on the server on which the agent is installed.
- Enter the following to stop the agent service:
- Change the owner and/or group for the file with the following command:
Replace the user name and GroupName placeholders with the user and group that you set for the Apache owner.
- Enter the following to start the agent service:
- Restart the Apache service. The command for this will vary depending on what version of Apache you are using.
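The following shell script is an added example, not part of the original support note and not a tool shipped with the agent: it reads the User and Group directives from an httpd.conf file, compares them with the owner and group of the /tmp/.issx_key object named above, and prints the chown command that would bring them back in line. It assumes plain "User name" / "Group name" lines in httpd.conf (no Include or ${ENV} forms), and the httpd.conf path in the usage comment is a common default, not a path taken from the page. The agent stop and start commands are not shown on the page and are deliberately not guessed here.

```shell
#!/bin/sh
# Added check script: confirm that the agent's SSL key object is owned by the
# same user and group that Apache runs as. Not from the original page.

# Read the User and Group directives from an httpd.conf file.
# Assumption: plain "User name" / "Group name" lines, no Include or ${ENV} forms.
apache_owner() {
    awk '$1 == "User"  { u = $2 }
         $1 == "Group" { g = $2 }
         END { print u ":" g }' "$1"
}

# Current owner:group of a file, parsed from ls output (portable across Linux/BSD).
file_owner() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Returns 0 when the key object is owned by the Apache user/group, 1 otherwise.
# On a mismatch it prints the chown command to run (as root, with the agent stopped).
check_key_owner() {
    conf="$1"; key="$2"
    want=$(apache_owner "$conf")
    have=$(file_owner "$key")
    if [ "$want" = "$have" ]; then
        echo "OK: $key is owned by $have, matching httpd.conf"
        return 0
    fi
    echo "MISMATCH: $key is owned by $have but httpd.conf sets $want" >&2
    echo "fix: chown $want $key   (run as root after stopping the agent)" >&2
    return 1
}

# Usage on the agent host (httpd.conf path is an assumed default, adjust as needed):
# check_key_owner /etc/httpd/conf/httpd.conf /tmp/.issx_key
```

Run the check after every edit to the User or Group directives; a non-zero exit from check_key_owner is the condition under which SSL monitoring stops producing alerts.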