CSA Rule ID 46 module '<[email protected]>'

Unanswered Question
Dec 6th, 2007

Hello,

I have been seeing this module kick off rule 46 at multiple clients (the 0x860d3008 memory address varies). Has anyone successfully figured out a way to investigate what this is, and how to tune it? I know I could create a blanket rule, but I want to see what it is first. The problem is the logs get flooded with the 596 alert, even though it does not block anything. I know that most customers who look at this will stop paying attention. That whole cry wolf thing.

Thanks

tsteger1 Thu, 12/06/2007 - 11:37

Hi Shawn

What version of CSA and what specific rule type and module is this? I'm guessing either Trojan Detection (older) or Kernel Protection rule (newer).

Remember that your Rule 46 may not match someone else's because of different versions, multiple upgrades, etc.

As I recall, it was almost impossible to make an exception for this without knowing the application that triggered it.

Tom
