CSA detecting process name incorrectly

Unanswered Question
Dec 16th, 2008

I have a RHEL3 WS host running Cisco Security Agent Version 5.2.0.225. From time to time I am seeing alerts that don't make sense.

For example, see these alerts:

TESTMODE: The process '/bin/echo' (as user root(0) group root(0)) attempted to accept a connection as a server on TCP port 10000 from 12.34.56.78. The operation would have been denied.

Obviously, /bin/echo didn't accept the connection. This is webmin, so /bin/perl is likely accepting the connection.

TESTMODE: The process '/bin/bash' (as user root(0) group root(0)) attempted to accept a connection as a server on TCP port 6389 from 12.34.56.78. The operation would have been denied.

In this instance I know that /opt/Navisphere/bin/naviagent is the executable that is listening on port 6389.

Why is CSA having difficulty grabbing the right process name? I dug through TAC online but didn't see anything relevant.

-MS
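One way to cross-check an alert like the ones above is to list every process that holds the listening socket for the port, straight from `/proc`. This is an added example, not part of the original post and not a CSA feature; the function names and the optional proc-root argument are hypothetical, and it covers IPv4 (`net/tcp`) only.

```shell
#!/bin/sh
# Added example: list every process holding the LISTEN socket for a TCP port.
# The second argument (proc root) is a hypothetical override so the function
# can run against a captured or constructed /proc tree; default is /proc.

# Print the socket inode(s) in LISTEN state for port $1 under proc root $2.
listen_inodes() {
    port_hex=$(printf '%04X' "$1")
    # /proc/net/tcp fields: sl local_address rem_address st ... inode (10th).
    # local_address is HEXIP:HEXPORT; st 0A means LISTEN.
    awk -v p="$port_hex" 'NR > 1 && $4 == "0A" {
        n = split($2, a, ":")
        if (toupper(a[n]) == p) print $10
    }' "$2/net/tcp"
}

# Print "PID EXE" for every process with an fd on that listening socket.
# More than one line means the socket is shared between processes.
socket_holders() {
    root=${2:-/proc}
    for inode in $(listen_inodes "$1" "$root"); do
        for fd in "$root"/[0-9]*/fd/*; do
            # Each fd is a symlink; sockets read as "socket:[INODE]".
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid_dir=${fd%/fd/*}
            echo "${pid_dir##*/} $(readlink "$pid_dir/exe" 2>/dev/null)"
        done
    done | sort -u
}

# Usage on a live host (as root, to read other users' fd tables):
#   socket_holders 10000
#   socket_holders 6389
```

Comparing the executables printed here with the process name in the alert shows whether the named binary holds the socket at all.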
