Proventia Network Intrusion Prevention System 4.4 All Models Hotfix-7

Fix readme


Abstract

Known non-OS related, non-driver and non-hardware related fixes for All Models Hotfix

Content


Fixes include:

CRM:

IPS not sending "Active with Error" after IPS is disabled
packets gathered with logWithRaw response missing src/dst ip address on GX7

Engine:

erroneous error message with LOGEVIDENCE open signature response

Fixes an issue where LMI displays License information expiring a day early
in different time zones.

Allows for support of JRE7 on GX when connecting LMI for
32-bit Windows systems and Internet Explorer 8, and 9, Firefox 13 browsers
and older versions of this browsers. Other versions of Windows, JREs,
and browsers may work, but were not tested and are not supported.

Corrects problem of sensor statistic events not being generated on time
according to the specified interval

CSF:

This patch prevents multiple a signal 11 crash in the issCSF process.
Correct problem of signal 6 (abort) in issCSF because of Xerces lib

Install script:

Removes an unused IPM license expired entry from crm.db. This applies to
appliances that may have had an expired license at some point prior to
updating to 4.4. The unused entry may appear as a red flag under Security
from the main dashboard of the LMI despite having a valid non-expired license.

CRM:

Adds additional retry logic when posting events to the IPSAttacks.db on
the appliance under certain error conditions. Also changes the db lock
messages to debug instead of error (error results in sensor error alerts,
if enabled, being sent).

Resolves a false positive with the "Snort is disabled but still running" health
alert. At the exact moment that the CRM stat task is running on one thread to
check the snort version, SPA is requesting agent info to send to SiteProtector
from the CRM which checks whether the process is running.

Also resolves a second condition, at the exact moment SPA is requesting agent
info to send to SiteProtector from the CRM which checks the snort process, the CRM
stat task is running on another thread to check the snort version.

Adds the network-info (link state information) sections back to the agent status
document (agent properties within SiteProtector) posted to SiteProtector.

Engine:

Resolves a Pam crash related to event filter matching. Additionally resolves
audit_* or attack_* as the issue name being reported when a filter is matched.
Both of these issues specifically relate to GX7, but the fix is implemented for
all models.

Resolves an issue with coalescer statistics events not functioning.

Packet logger:

Resolves an issue with the maximum number of files for the rolling packet captures.

PPD:

Prevents a signal 11 with the PPD process when the number of characters entered
into a port list within an event filter is greater than 30 characters and extends
the number of characters to 256.

A policy inconsistency where although a WAP category may be disabled
in the policy, certain signatures (those that X-Force would block by
default) are enabled regardless. To address the latter issue, the
enabled/disabled status of a WAP category now controls whether or not
*ALL* checks in a WAP category are disabled or enabled instead of
allowing a subset of signatures to be enabled regardless of the WAP
category setting.

Adds support for the below parameters.

ppd.wap.override.disable
Default: Override fix is on by default.
Valid value: true

Description: This parameter disables the previously mentioned WAP Override fix.
It is recommended to leave the WAP Override fix enabled, default.

ppd.wap.<issueID>
Valid values:

"off"

Description: Disables the signature. There is no On value. In order to disable the signature,
the WAP category that contains the signature must be enabled.

"block"

Description: Turns blocking on for that signature. This will be useful in cases where
the WAP category that contains the signature is enabled, but not set to block and you
want to enable blocking for the one signature.

"blockdisable"

Description: Turns blocking off for that signature. This will be useful in cases where
the WAP category that contains the signature is enabled, is set to block and you want to
disable blocking for the one signature.

ppd.wap.global.<issueID>
Valid values: Same as ppd.wap.<issueID>
Description: This parameter overrides cases when the signature has Enable In Global set to
true from the feature category.xml file, and/or for the Client Side attacks category when the
Enable Client Side Protection check box is checked in the Client Side attacks tuning.

SecManager:

Stops tcpdump, if running prior to Driver Manager restart. Tcpdump interferes
with driver restarts (stream already attached errors from the drivermgr).

Resolves an issue with driver needlessly restarting due to certain policy
changes. In reference to policy changes, the driver should restart when
the adapter policy is changed and when an adapter parameter is add, removed
or changed in the tuning parameters policy.

Utilities:

FW 4.4 provinfo.txt no longer includes npm and pam statistics. This patch
corrects that

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Security Network Intrusion Prevention System

Software version:

4.4

Operating system(s):

Firmware

Software edition:

All Editions

Reference #:

1635698

Modified date:

2014-04-22

Translate my page

Machine Translation

Content navigation