IBM Support

Security Network IPS 4.4 All Models Hotfix-7

Fix readme


Known non-OS related, non-driver and non-hardware related fixes for All Models Hotfix


Fixes include:

IPS not sending "Active with Error" after IPS is disabled packets gathered with logWithRaw response missing src/dst ip address on GX7


erroneous error message with LOGEVIDENCE open signature response

Fixes an issue where LMI displays License information expiring a day early in different time zones.

Allows for support of JRE7 on GX when connecting LMI for 32-bit Windows systems and Internet Explorer 8, and 9, Firefox 13 browsers and older versions of this browsers. Other versions of Windows, JREs, and browsers may work, but were not tested and are not supported.

Corrects problem of sensor statistic events not being generated on time according to the specified interval


This patch prevents multiple a signal 11 crash in the issCSF process. Correct problem of signal 6 (abort) in issCSF because of Xerces lib

Install script:

Removes an unused IPM license expired entry from crm.db. This applies to appliances that may have had an expired license at some point prior to updating to 4.4. The unused entry may appear as a red flag under Security from the main dashboard of the LMI despite having a valid non-expired license.


Adds additional retry logic when posting events to the IPSAttacks.db on the appliance under certain error conditions. Also changes the db lock messages to debug instead of error (error results in sensor error alerts, if enabled, being sent).

Resolves a false positive with the "Snort is disabled but still running" health alert. At the exact moment that the CRM stat task is running on one thread to check the snort version, SPA is requesting agent info to send to SiteProtector from the CRM which checks whether the process is running.

Also resolves a second condition, at the exact moment SPA is requesting agent info to send to SiteProtector from the CRM which checks the snort process, the CRM stat task is running on another thread to check the snort version.

Adds the network-info (link state information) sections back to the agent status document (agent properties within SiteProtector) posted to SiteProtector.


Resolves a Pam crash related to event filter matching. Additionally resolves audit_* or attack_* as the issue name being reported when a filter is matched. Both of these issues specifically relate to GX7, but the fix is implemented for all models.

Resolves an issue with coalescer statistics events not functioning.

Packet logger:

Resolves an issue with the maximum number of files for the rolling packet captures.


Prevents a signal 11 with the PPD process when the number of characters entered into a port list within an event filter is greater than 30 characters and extends the number of characters to 256.

A policy inconsistency where although a WAP category may be disabled in the policy, certain signatures (those that X-Force would block by default) are enabled regardless. To address the latter issue, the enabled/disabled status of a WAP category now controls whether or not *ALL* checks in a WAP category are disabled or enabled instead of allowing a subset of signatures to be enabled regardless of the WAP category setting.

Adds support for the below parameters.

Default: Override fix is on by default.
Valid value: true

Description: This parameter disables the previously mentioned WAP Override fix. It is recommended to leave the WAP Override fix enabled, default.

Valid values:


Description: Disables the signature. There is no On value. In order to disable the signature, the WAP category that contains the signature must be enabled.


Description: Turns blocking on for that signature. This will be useful in cases where the WAP category that contains the signature is enabled, but not set to block and you want to enable blocking for the one signature.


Description: Turns blocking off for that signature. This will be useful in cases where the WAP category that contains the signature is enabled, is set to block and you want to disable blocking for the one signature.<issueID>
Valid values: Same as ppd.wap.<issueID>
Description: This parameter overrides cases when the signature has Enable In Global set to true from the feature category.xml file, and/or for the Client Side attacks category when the Enable Client Side Protection check box is checked in the Client Side attacks tuning.


Stops tcpdump, if running prior to Driver Manager restart. Tcpdump interferes with driver restarts (stream already attached errors from the drivermgr).

Resolves an issue with driver needlessly restarting due to certain policy changes. In reference to policy changes, the driver should restart when the adapter policy is changed and when an adapter parameter is add, removed or changed in the tuning parameters policy.


FW 4.4 provinfo.txt no longer includes npm and pam statistics. This patch corrects that

Document information

More support for: IBM Security Network Intrusion Prevention System
Interim Fixes

Software version: 4.4

Operating system(s): Firmware

Reference #: 1635698

Modified date: 22 April 2014

Translate this page: