CSA detecting process name incorrectly

I have a RHEL3 WS host running Cisco Security Agent Version 5.2.0.225. From time to time I am seeing alerts that don't make sense.

For example, see these alerts:

TESTMODE: The process '/bin/echo' (as user root(0) group root(0)) attempted to accept a connection as a server on TCP port 10000 from 12.34.56.78. The operation would have been denied.

Obviously, /bin/echo didn't accept the connection. This is webmin, so /bin/perl is likely accepting the connection.

TESTMODE: The process '/bin/bash' (as user root(0) group root(0)) attempted to accept a connection as a server on TCP port 6389 from 12.34.56.78. The operation would have been denied.

In this instance I know that /opt/Navisphere/bin/naviagent is the executable that is listening on port 6389.

Why is CSA having difficulty grabbing the right process name? I dug through TAC online but didn't see anything relevant.

-MS

1 Reply

It may be related to this bug; the fix seems to be upgrading to version 6.0(0.77). If anybody else has experienced this and can confirm this is what they had to do to resolve the issue, I'd appreciate hearing about it.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk07426&from=summary
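
One way to check on the host which processes actually hold the listening socket named in an alert, as an added example that is not part of the original thread or of Cisco's tooling: the function reads `/proc/net/tcp` and the per-process `fd` links, and lists every holder, since a listening descriptor can be inherited across fork and exec. The function names and the sample `/proc` tree are constructed for illustration and are not data from the poster's host.

```shell
#!/bin/sh
# Added example. Usage: listeners_for_port PORT [PROC_ROOT]
# Prints "PORT INODE PID EXE" for every process holding the LISTEN socket.
listeners_for_port() {
    port=$1
    proc=${2:-/proc}
    hexport=$(printf '%04X' "$port")

    # /proc/net/tcp fields: $2 = local addr:port (hex), $4 = state
    # (0A = LISTEN), $10 = socket inode.
    inodes=$(awk -v p=":$hexport" \
        'NR > 1 && $4 == "0A" && substr($2, length($2) - 4) == p { print $10 }' \
        "$proc/net/tcp")

    for inode in $inodes; do
        # Each open socket shows up as a symlink "socket:[INODE]" under fd/.
        for fd in "$proc"/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            piddir=${fd%/fd/*}
            pid=${piddir##*/}
            exe=$(readlink "$piddir/exe" 2>/dev/null) || exe=unknown
            echo "$port $inode $pid $exe"
        done
    done | sort -u
}

# Constructed sample /proc tree (hypothetical PIDs and inodes): two processes
# share the listening socket for port 6389; port 10000 has no holder.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/net" "$root/101/fd" "$root/202/fd"
    cat > "$root/net/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:18F5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4242 1
   1: 0100007F:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5151 1
EOF
    ln -s 'socket:[4242]' "$root/101/fd/3"
    ln -s /opt/Navisphere/bin/naviagent "$root/101/exe"
    ln -s 'socket:[4242]' "$root/202/fd/0"
    ln -s /bin/bash "$root/202/exe"
    echo "$root"
}
```

Run as root against the real `/proc` (for example `listeners_for_port 6389`) so that other users' `fd` links are readable.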
