I use SiteProtector.
I tried to do as you described (derive a new policy from the attack and
audits and, without modifying it, apply it to the sensor) - no errors! OK, thank
you, I will derive a new policy from "Attacks and audits" and change it as I
want; I think all will be good.
---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP.
tel/fax +7 095 745 89 50 (2663)
"ISS Technical Support" <[EMAIL PROTECTED]>
30.12.2003 16:40
To: "Sergey V Soldatov" <[EMAIL PROTECTED]>, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, "ISS Technical Support" <[EMAIL PROTECTED]>
cc:
Subject: RE: 785425 NetworkSensor 7.0.2002.269 on Linux 2.4.20-8
Hello Sergey,
It appears as though the policy is corrupt. Have you tried deriving another
policy and applying it to the sensor? I would also like to know what
console you are using? (i.e. SiteProtector or WGM). Try the following. Stop
the sensor and rename the current.policy. Now derive a new policy from the
attack and audits and without modifying apply it to the sensor. Does the
same error occur?
=================================================
Wendel Crenshaw
Senior Technical Support Engineer
Internet Security Systems: http://www.iss.net
Phone: (404) 236-2700 or (888) 447-4861
Technical Support email: [EMAIL PROTECTED]
=================================================
-----Original Message-----
From: Sergey V Soldatov [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 30, 2003 5:17 AM
To: [EMAIL PROTECTED]; ISS Technical Support
Subject: 785425 NetworkSensor 7.0.2002.269 on Linux 2.4.20-8
I have NS (SP 4.2:XPU 22.6) installed on Linux.
When I use standard ISS policies, such as "Attacks and Audits", etc., all
is working properly. But when I try to use a custom policy (see
DMZ_Default.zip), the sensor stops with the following errors in syslog
(/var/log/messages):
....
Dec 30 12:24:34 RNE1 kernel: application bug: issDaemon(1558) has SIGCHLD set to SIG_IGN but calls wait().
Dec 30 12:24:34 RNE1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Dec 30 12:26:45 RNE1 kernel: application bug: issDaemon(1558) has SIGCHLD set to SIG_IGN but calls wait().
Dec 30 12:26:45 RNE1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Dec 30 12:28:57 RNE1 kernel: application bug: issDaemon(1558) has SIGCHLD set to SIG_IGN but calls wait().
Dec 30 12:28:57 RNE1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Dec 30 12:31:08 RNE1 kernel: application bug: issDaemon(1558) has SIGCHLD set to SIG_IGN but calls wait().
Dec 30 12:31:08 RNE1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Dec 30 12:33:20 RNE1 kernel: application bug: issDaemon(1558) has SIGCHLD set to SIG_IGN but calls wait().
Dec 30 12:33:20 RNE1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
....
As a programmer in the past, I know that it isn't correct to perform the wait()
system call when SIGCHLD is set to SIG_IGN (ignored), but why does the standard ISS
policy "Attacks and Audits" work normally without any "application bug"?
Maybe the problem is in something else?
Also, here is the dmesg output; maybe it will be interesting...
(See attached file: dmesg.txt.gz)
Thanks a lot.
(See attached file: DMZ_Default.zip)
---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP.