[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [ISSForum] The policy file is newer than issues.csv



This means that the policy contains rules/settings for an event that the sensor has no support for. Usually, this simply translates to the policy being of a higher (newer) XPU than the sensor. 

As a first step, apply the latest XPU's to the sensor and see if it solved the problem. Otherwise, I'd recommend a clean install, which is so simple that I've never bothered to restore a sensor backup anyway. Just install the IPSO NS7 package (get it from ISS download site), don't borrow anything from another box except for TRONS rules and user-defined files - this should take ~10 minutes. 

Manage the sensor and temporarily apply a blank policy to keep the noise down. Apply XPU's until you're current (usually three: one each of 20.x, 21.x and 22.x). Finally, edit your properties/settings and apply your production policy and response. Note: I find that doing many PAM settings through the GUI is slow and it's usually a lot easier to cut & paste PAM settings from another sensor or a template configuration file. Just make sure to stop/start the sensor when you're editing.

Cheers,
Robert

-----Original Message-----
From: issforum-bounces@xxxxxxx [mailto:issforum-bounces@xxxxxxx] 
Sent: 14 October 2004 21:13
To: issforum@xxxxxxx
Subject: [ISSForum] The policy file is newer than issues.csv


Hi everyone,

I´m having trouble with a 7.0 network sensor that runs in a IPSO Box. I had to change the box due to a hardware problem. When I restored the old files (from another sensor couse my back-up was corrupted) It stoped sending the responses (e-mail, log DB).

The only error it shows is in /var/log/messages, like this:

Oct 12 18:24:37 ids4 [LOG_WARNING] ISS[23346]: (network_sensor_1) - Policy event name (NAME_OF_EVENT) could not be found in issues.csv. The policy file is newer than issues.csv

I checked that issues.csv has the same size in the other sensors.

Anyone has any idea?
Thank´s a lot!





_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.