Proventia Network Intrusion Prevention System 4.4.0.0-ISS-ProvG-AllModels-Hotfix-FP0004

Technote (FAQ)


Question

What fixes are included in 4.4.0.0-ISS-ProvG-AllModels-Hotfix-FP0004?

Answer

===============================================================
DESCRIPTION
===============================================================

Corrects problem of sensor statistic events not being generated on time according to the specified interval

===============================================================
PREVIOUS PROBLEMS FIXED
===============================================================

CSF:

This patch prevents multiple a signal 11 crash in the issCSF process. Correct problem of signal 6 (abort) in issCSF because of Xerces lib

Install script:

Removes an unused IPM license expired entry from crm.db. This applies to appliances that may have had an expired license at some point prior to updating to 4.4. The unused entry may appear as a red flag under Security from the main dashboard of the LMI despite having a valid non-expired license.

CRM:

Adds additional retry logic when posting events to the IPSAttacks.db on the appliance under certain error conditions. Also changes the db lock messages to debug instead of error (error results in sensor error alerts, if enabled, being sent).

Resolves a false positive with the "Snort is disabled but still running" health alert. At the exact moment that the CRM stat task is running on one thread to check the snort version, SPA is requesting agent info to send to SiteProtector from the CRM which checks whether the process is running.

Also resolves a second condition, at the exact moment SPA is requesting agent info to send to SiteProtector from the CRM which checks the snort process, the CRM stat task is running on another thread to check the snort version.

Adds the network-info (link state information) sections back to the agent status document (agent properties within SiteProtector) posted to SiteProtector.

Engine:

Resolves a Pam crash related to event filter matching. Additionally resolves audit_* or attack_* as the issue name being reported when a filter is matched. Both of these issues specifically relate to GX7, but the fix is implemented for
all models.

Resolves an issue with coalescer statistics events not functioning.

Packet logger:

Resolves an issue with the maximum number of files for the rolling packet captures.

PPD:

Prevents a signal 11 with the PPD process when the number of characets entered into a port list within an event filter is greater than 30 characters and extends the number of characters to 256.

A policy inconsistency where although a WAP category may be disabled in the policy, certain signatures (those that X-Force would block by default) are enabled regardless. To address the latter issue, the enabled/disabled status of a WAP category now controls whether or not *ALL* checks in a WAP category are disabled or enabled instead of allowing a subset of signatures to be enabled regardless of the WAP category setting.

Adds support for the below parameters.

ppd.wap.override.disable
Default: Override fix is on by default.
Valid value: true

Description: This parameter disables the previously mentioned WAP Override fix.
It is recommended to leave the WAP Override fix enabled, default.

ppd.wap.
Valid values:

"off"

Description: Disables the signature. There is no On value. In order to disable the signature, the WAP category that contains the signature must be enabled.

"block"

Description: Turns blocking on for that signature. This will be useful in cases where the WAP category that contains the signature is enabled, but not set to block and you want to enable blocking for the one signature.

"blockdisable"

Description: Turns blocking off for that signature. This will be useful in cases where the WAP category that contains the signature is enabled, is set to block and you want to disable blocking for the one signature.

ppd.wap.global.
Valid values: Same as ppd.wap.
Description: This parameter overrides cases when the signature has Enable In Global set to true from the feature category.xml file, and/or for the Client Side attacks category when the
Enable Client Side Protection check box is checked in the Client Side attacks tuning.

SecManager:

Stops tcpdump, if running prior to Driver Manager restart. Tcpdump interferes with driver restarts (stream already attached errors from the drivermgr).

Resolves an issue with driver needlessly restarting due to certain policy changes. In reference to policy changes, the driver should restart when the adapter policy is changed and when an adapter parameter is add, removed or changed in the tuning parameters policy.

Utilities:

FW 4.4 provinfo.txt no longer includes npm and pam statistics. This patch corrects that.

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Security Network Intrusion Prevention System

Software version:

4.4

Operating system(s):

Firmware

Software edition:

All Editions

Reference #:

1623263

Modified date:

2014-01-23

Translate my page

Machine Translation

Content navigation