4.5.0.0-ISS-ProvG-AllModels-Hotfix-FP0006

Technote (FAQ)


Question

What fixes are included in 4.5.0.0-ISS-ProvG-AllModels-Hotfix-FP0006?

Answer

===============================================================
DESCRIPTION
===============================================================

Fixes an issue with snort CPU usage of 100% and interface buffer low messages.

NOTE: On a GX5 appliance, a reboot is necessary for some of the fixes to take effect.
Before installing the patch, plan for a system reboot after the patch has been
applied.

CRM:

Resolves a false positive with the "Snort is disabled but still running" health
alert. The false positive occurs when, at the exact moment the CRM stat task is
running on one thread to check the snort version, SPA requests agent info from
the CRM to send to SiteProtector, and the CRM checks whether the process is running.

Also resolves a second condition, in which, at the exact moment SPA is requesting
agent info from the CRM to send to SiteProtector (which checks the snort process),
the CRM stat task is running on another thread to check the snort version.

Adds the network-info (link state information) sections back to the agent status
document (agent properties within SiteProtector) posted to SiteProtector.

Engine:

Resolves an issue with coalescer statistics events not functioning.

Corrects a crash related to quarantine rules.

Corrects a blocking issue on MORE_UPDATE events that were only intended to update
information about an event within the coalescer.

Corrects an issue with sensor statistics timing.

Packet logger:

Resolves an issue with the maximum number of files for the rolling packet captures.

PPD:

Prevents a signal 11 with the PPD process when the number of characters entered
into a port list within an event filter is greater than 30 characters and extends
the number of characters to 256.

Resolves a policy inconsistency where, although a WAP category may be disabled
in the policy, certain signatures (those that X-Force would block by
default) are enabled regardless. To address this issue, the
enabled/disabled status of a WAP category now controls whether
*ALL* checks in that WAP category are disabled or enabled, instead of
allowing a subset of signatures to be enabled regardless of the WAP
category setting.

Adds support for the below parameters.

ppd.wap.override.disable
Default: Override fix is on by default.
Valid value: true

Description: This parameter disables the previously mentioned WAP Override fix.
It is recommended to leave the WAP Override fix enabled (the default).

ppd.wap.<issueID>
Valid values:

"off"

Description: Disables the signature. There is no On value. In order to disable the signature,
the WAP category that contains the signature must be enabled.

"block"

Description: Turns blocking on for that signature. This is useful in cases where
the WAP category that contains the signature is enabled but not set to block, and you
want to enable blocking for that one signature.

"blockdisable"

Description: Turns blocking off for that signature. This is useful in cases where
the WAP category that contains the signature is enabled and set to block, and you want to
disable blocking for that one signature.

ppd.wap.global.<issueID>
Valid values: Same as ppd.wap.<issueID>
Description: This parameter overrides cases when the signature has Enable In Global set to
true from the feature category.xml file, and/or for the Client Side attacks category when the
Enable Client Side Protection check box is checked in the Client Side attacks tuning.

SecMgr:

Bypasses the NPU on analysis inspection crashes. The 4.5.0.0-ISS-ProvG-GX7-Hotfix-FP0003 patch
or later is required with this patch for this feature to work.

Adds support for the below parameter, which might be useful in cases where an unused segment or
interface is causing the IPS to report an unhealthy status in the SiteProtector Console agent
view:

Name: adapter.inuse.#

Where # is the inspection interface number starting with 0, for port 1A.

Valid value: false
Default value: true
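
A review check for a planned set of the ppd.wap.* and adapter.inuse.# parameters described above, using only the valid values and conditions this technote lists. This is an added example, not part of the technote or IBM code; the name/value dictionary input, the ISSUE_A-style IDs and the category_enabled map are constructed assumptions.

```python
import re

WAP_VALUES = {"off", "block", "blockdisable"}  # values listed in the technote

def check_params(params, category_enabled=None):
    """Return (parameter, message) findings for a dict of name -> value.

    category_enabled is an optional, caller-supplied map of issueID -> bool
    (assumption: the caller knows whether the containing WAP category is on).
    """
    category_enabled = category_enabled or {}
    findings = []
    for name, value in sorted(params.items()):
        if name == "ppd.wap.override.disable":
            msg = ("turns off the WAP Override fix; leaving the fix enabled "
                   "is recommended" if value == "true"
                   else "only listed valid value is true")
            findings.append((name, msg))
        elif m := re.fullmatch(r"ppd\.wap\.(global\.)?([^.\s]+)", name):
            is_global, issue_id = m.group(1) is not None, m.group(2)
            if value not in WAP_VALUES:
                findings.append((name, "value must be off, block or blockdisable"))
            elif (value == "off" and not is_global
                  and category_enabled.get(issue_id) is False):
                # "off" only works when the containing category is enabled
                findings.append((name, "off requires the WAP category that "
                                       "contains the signature to be enabled"))
        elif re.fullmatch(r"adapter\.inuse\.\d+", name):
            if value != "false":
                findings.append((name, "only listed valid value is false "
                                       "(true is the default)"))
        else:
            findings.append((name, "not a parameter described in this technote"))
    return findings

# Constructed sample; the issue IDs are placeholders, not real signature IDs.
SAMPLE = {
    "ppd.wap.override.disable": "true",
    "ppd.wap.ISSUE_A": "off",
    "ppd.wap.ISSUE_B": "on",
    "ppd.wap.global.ISSUE_C": "blockdisable",
    "adapter.inuse.3": "true",
}

if __name__ == "__main__":
    for name, msg in check_params(SAMPLE, {"ISSUE_A": False}):
        print(f"{name}: {msg}")
```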

Snep:

Resolves a SIGSEGV crash when snort generates a large-size event.

Xerces:

Corrects a signal 6 (abort) problem in issCSF caused by the Xerces library.

Lum:

Fixes an issue with the LMI showing License information expiring a day
earlier in different time zones.


Document information

More support for: IBM Security Network Intrusion Prevention System
Software version: 4.5
Operating system(s): Firmware
Software edition: All Editions
Reference #: 1636259
Modified date: 2015-04-16