Analysis engines going down like crazy

Feb 5th, 2009

I have about 30 IPS/IDS/IPSM/IDSM's that have been stable for a long time, but for some reason the last few months I've seen a lot of analysis engines stopping. This sometimes happens around the time I am updating signature pushes, but it also appears to be random. Is anyone else seeing a rash of analysis engines going down, sometimes to the point that the device needs a reboot?

paultribe Mon, 02/09/2009 - 12:06

I believe this may be a known bug (or couple of bugs); I have a customer who has suffered the same issue. See: CSCsv66660 and CSCsw14574. I am informed a fix is due very soon in a new image.

RicheeJJJ_2 Mon, 02/09/2009 - 16:50

Thanks paul. We had already found that bug and thought it may be the culprit. It's a shame there is no workaround in place for this. Daily I have to go around checking engines and restarting at least 2 of them.

paultribe Mon, 02/09/2009 - 17:13

I am informed by TAC that an image should be available this week. You can restart the analysis engine via the service account by stopping and then starting the cids app; this avoids having to reboot the sensors.

gdix Mon, 02/16/2009 - 10:01

TAC indicated that the workaround is to disable all signatures for the "MSRPC" and "SMB Advanced" engines. I haven't tried this yet.

k.abillama Thu, 03/05/2009 - 02:59

I'm having similar problems, especially when I do auto update of sigs. I faced the problem 4 times and solved it by restarting the sensor.

If we restart the main app, does the traffic go unaffected? Do you have a tentative date for the new image?

