02-05-2009 03:46 PM - edited 03-10-2019 04:29 AM
I have about 30 IPS/IDS/IPSM/IDSM's that have been stable for a long time but for some reason the last few months I've seen a lot of analysys engines stopping. This sometimes happens around the time I am updating signature pushes, but it also appears to be random. Is anyone else seeing a rash of analysys engine's going down, sometimes to the point that the device needs a reboot?
02-09-2009 12:06 PM
I believe this may be a known bug (or couple of bugs), I have a customer who have suffered the same issue. See: CSCsv66660 and CSCsw14574. I am informed a fix is due very soon in a new image.
02-09-2009 04:50 PM
Thanks paul. We had already found that bug and thought it may be the culprit. It's a shame there is no workaround in place for this. Daily I have to go around checking engines and restarting at least 2 of them.
02-09-2009 05:13 PM
I am informed by TAC that an image should be available this week. You can restart the analysis engine via the service account by stopping and then starting the cids app, this avoids having to reboot the sensors.
02-16-2009 10:01 AM
TAC indicated that the workaround is to disable all signatures for the "MSRPC" and "SMB Advanced" engines. I haven't tried this yet.
03-05-2009 02:59 AM
I'm having similar problems, especially when I do auto update of sigs, I faced the problem 4 times and solved it by restarting the sensor.
If we restart the main app, does the traffic go unaffected, do u have a tentative date for the new image?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide