
Re: [ISSForum] RE: 785425 NetworkSensor 7.0.2002.269 on Linux 2.4.20-8



But when I wrote a new policy (derived from "Attacks and audits") and changed
it for our needs (added filters and switched off uninteresting signatures, as
in the corrupted policy), everything started working well!
An interesting fact is that on the Windows sensor the corrupted policy works
right, without any alerts or mistakes; the problem is only with Linux.

---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP.


                                                                                                                    
From: "Marko Ivanusa" <Marko.Ivanusa@xxxxxxxx>
Sent: 06.01.2004 23:43
To: "ISS Technical Support" <Support@xxxxxxx>, "Sergey V Soldatov" <SVSoldatov@xxxxxx>
cc:
Subject: Re: [ISSForum] RE: 785425 NetworkSensor 7.0.2002.269 on Linux 2.4.20-8
                                                                                                                    






Hi Sergey,

The problem here is not a problem of the policy but of the kernel. You have
installed kernel 2.4.20-8, but the SP for Network Sensor was compiled for
version 2.4.18-10.
I have had the same problem, but in spite of the errors the sensor has been
working for 1. days.

regards
Marko Ivanusa


From: "ISS Technical Support" <Support@xxxxxxx>
Sent by: issforum-admin@iss.net
Sent: 30.12.2003 14:40
To: "Sergey V Soldatov" <SVSoldatov@xxxxxx>, "issforum@xxxxxxxxxxxxxxxx" <issforum@xxxxxxx>, "ISS Technical Support" <Support@xxxxxxx>
cc:
Subject: [ISSForum] RE: 785425 NetworkSensor 7.0.2002.269 on Linux 2.4.20-8





Hello Sergey,

It appears as though the policy is corrupt. Have you tried deriving another
policy and applying it to the sensor? I would also like to know what console
you are using? (i.e. SiteProtector or WGM). Try the following. Stop the sensor
and rename the current.policy. Now derive a new policy from the attack and
audits and without modifying apply it to the sensor. Does the same error occur?

=================================================

Wendel Crenshaw
Senior Technical Support Engineer

Internet Security Systems: http://www.iss.net
Phone:  (404) 236-2700 or (888) 447-4861
Technical Support email: support@xxxxxxx

PGP Public Keys
http://www.iss.net/support/howto_encrypted_email.php

Training
http://www.iss.net/education/

Internet Security Systems Product Knowledgebase
http://www.iss.net/support/knowledgebase/

***PLEASE NOTE:  With the recent availability of the True Blue Customer Support
Center, this is now the preferred method of electronic communication for all
North American customers.  Submitting incidents, viewing and updating status of
incidents should be done via the True Blue Customer Support Center located at
https://www.iss.net/issEn/MYISS/login_help.jhtml

=================================================



-----Original Message-----
From: Sergey V Soldatov [mailto:SVSoldatov@xxxxxx]
Sent: Tuesday, December 30, 2003 5:17 AM
To: issforum@xxxxxxxxxxxxxxxx; ISS Technical Support
Subject: 785425 NetworkSensor 7.0.2002.269 on Linux 2.4.20-8


I have NS (SP 4.2:XPU 22.6) installed on Linux.
When I use standard ISS's policies, such as "Attacks and Audits", etc., all
is working properly. But when I try to use a custom policy (see
DMZ_Default.zip), the sensor stops with the following errors in syslog
(/var/log/messages):
....
Dec 30 12:24:34 RNE1 kernel: application bug: issDaemon(1558) has SIGCHLD set to SIG_IGN but calls wait().
Dec 30 12:24:34 RNE1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Dec 30 12:26:45 RNE1 kernel: application bug: issDaemon(1558) has SIGCHLD set to SIG_IGN but calls wait().
Dec 30 12:26:45 RNE1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Dec 30 12:28:57 RNE1 kernel: application bug: issDaemon(1558) has SIGCHLD set to SIG_IGN but calls wait().
Dec 30 12:28:57 RNE1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Dec 30 12:31:08 RNE1 kernel: application bug: issDaemon(1558) has SIGCHLD set to SIG_IGN but calls wait().
Dec 30 12:31:08 RNE1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Dec 30 12:33:20 RNE1 kernel: application bug: issDaemon(1558) has SIGCHLD set to SIG_IGN but calls wait().
Dec 30 12:33:20 RNE1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
....
As a programmer in the past, I know that it isn't correct to perform the wait()
system call when SIGCHLD is set to SIG_IGN (ignored), but why does the standard
ISS policy "Attacks and Audits" work normally without any "application bug"?
Maybe the problem is in something else?
Also, here is the dmesg output; maybe it will be interesting...
(See attached file: dmesg.txt.gz)
Thanks a lot.

(See attached file: DMZ_Default.zip)

---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP.


_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo









