I have had this exact issue! Server Sensors which say "STOPPED" or "  ".
Sometimes the last contact date/time is current and sometimes not. In
all cases they are no longer sending in event info to the server. I
stumbled upon the same thing which Mr. Alraie outlined. If I delete
current.policy it USUALLY fixes it. In the cases where that fixes it I
always notice the current.policy file is fairly old...older than the
last policy push. So for whatever reason policies are not updating. 

Then I have had some Server Sensors which just "tank". All the symptoms
are the same but I cannot fix them. Out of about 40 Server Sensors I
have had to reinstall about 7-8 of them and a couple of those more than
once. 

I really wish I knew why those installs would stop working; it's
disconcerting to have a product that just decides to break like this.
There are not many mainline apps I have to totally reinstall on a
regular basis because they stop functioning. 

HEY ISS! IF YOU ARE READING!!! A huge feature which would be great to
build into Server Sensor would be some sort of (easier to understand)
log that would tell you what was wrong. (A log on the Server Sensor and
the same diag. info in the Console.) A central place that would say:
policy did not update, issCSF.exe ran with high processor util. for 30
min., events are queuing at Sensor because they are not making it to
RSSP Server, etc. 

Another HUGE update would be some sort of packet analyzer (i.e. IRIS,
Ethereal) built in so you could truly examine the data collected. The
current info Server Sensor logs for different signatures is sometimes
great and sometimes vague. So more complete signature/event info and a
packet analyzer are my requests.

As for how to fix the ailing Server Sensor installs without
reinstalling... if the current.policy trick doesn't fix it then I have
no clue.


David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Andrew Plato
Sent: Monday, October 10, 2005 10:16 AM
To: Abdulkareem M. Alraie; [email protected]
Subject: Re: [ISSForum] Server Sensors that just die

Hey, that seemed to work. I tried it on a few dead server sensors at a
client site this weekend and they came back to life. Thanks for the
tip!!  


-----------------------------------------------
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security

-----------------------------------------------


 

-----Original Message-----
From: Abdulkareem M. Alraie [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 08, 2005 3:57 AM
To: Andrew Plato; [email protected]
Subject: Re: [ISSForum] Server Sensors that just die

Hello Mr. Andrew,

 

Please try the following where I have experienced the same problem 

On the Server Sensor machine:
1. Stop the issDaemon service.
2. Rename the current.policy file to current.old in the \Program
Files\ISS\issSensors\ directory.
3. Start the issDaemon service.

In SiteProtector Console:
1. Wait for the Sensor to become ACTIVE.
2. Apply the policy you desire.

Regards,

 Abdulkareem M. Al-Raie SSCP,ISS-CE

Information Security Consultant

Elite Computer Solutions

P.O. Box: 58915 

Riyadh, 11515

Kingdom of Saudi Arabia

http://www.elite.com.sa <http://www.elite.com.sa/> 

 

Tel.: + (966 1) 4086504

Mobile: +966 (50) 4496521
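
The stale-policy check and rename procedure discussed in this thread, as an added PowerShell example that is not part of the original messages and is not ISS tooling. The drive letter, the use of `issDaemon` as the Windows service name, and the operator-supplied `-LastPolicyPush` time are assumptions.

```powershell
# Added example: report whether current.policy predates the last policy push,
# and optionally apply the stop / rename / start steps from the thread.
# Run on the Server Sensor host from an elevated prompt.
param(
    # When the last policy push was made (assumption: the operator supplies this)
    [Parameter(Mandatory = $true)][datetime]$LastPolicyPush,
    # Directory named in the thread; the C: drive letter is an assumption
    [string]$SensorDir = 'C:\Program Files\ISS\issSensors',
    # Service named in the thread; the registered service name may differ
    [string]$ServiceName = 'issDaemon',
    # Without -Fix the script only reports
    [switch]$Fix
)

$policy = Join-Path $SensorDir 'current.policy'
if (-not (Test-Path -LiteralPath $policy)) {
    Write-Warning "No current.policy found in $SensorDir; nothing to check."
    return
}

$file  = Get-Item -LiteralPath $policy
$svc   = Get-Service -Name $ServiceName -ErrorAction Stop
$stale = $file.LastWriteTime -lt $LastPolicyPush

# Report first, so the state before any change is on record
[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    PolicyWritten  = $file.LastWriteTime
    LastPolicyPush = $LastPolicyPush
    PolicyIsStale  = $stale
    ServiceStatus  = $svc.Status
}

if ($stale -and $Fix) {
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop

    # The thread renames to current.old; fall back to a timestamped name
    # if an earlier run already left a current.old behind.
    $backup = 'current.old'
    if (Test-Path -LiteralPath (Join-Path $SensorDir $backup)) {
        $backup = 'current.old.{0:yyyyMMddHHmmss}' -f (Get-Date)
    }
    Rename-Item -LiteralPath $policy -NewName $backup -ErrorAction Stop

    Start-Service -Name $ServiceName -ErrorAction Stop
    Write-Output "Renamed current.policy to $backup and restarted $ServiceName."
}
```

The SiteProtector Console steps (wait for the sensor to become ACTIVE, then apply the policy) still have to be done by hand afterwards.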

 
 

________________________________

From: [EMAIL PROTECTED] on behalf of Andrew Plato
Sent: Thu 10/6/2005 12:09 PM
To: [email protected]
Subject: [ISSForum] Server Sensors that just die



This is a daunting little problem I have had lately. Server sensors that
just croak. They stop working. When you try to restart them, you get an
error that the OS cannot find the file specified. Nothing will restart
them - rebooting, nothing.  The issDaemon is running. Just not the
Buffer Overflow / IPS engine.

The only fix I have been able to discover is to reinstall SS and start
over.

Anybody have any info on this? I checked the Knowledge Base on this, but
nothing.

Also, when is ISS going to put out a new Server Sensor build? I am tired
of installing it and then having to go through the whole service pack
update. Can't we get a repackage? 

Oh, and while I am complaining - where the heck is "Proventia
Server??!?!?"



_____________________________________
Andrew Plato, CISSP
President / Principal Consultant
ANITIAN ENTERPRISE SECURITY

Your Expert Partner for Security & Networking

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

PGP/GPG public key available at: http://www.anitian.com/corp/keys.htm


_______________________________________________
ISSForum mailing list
[email protected]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

