Someone mentioned this in another thread about issues with the 6.0.3 upgrade, but since I am also having an issue I thought it warranted its own thread.
I went from 6.0.2 to 6.0.3 using the upgrade package, and experienced no issues with the upgrade. However, I have been creating a number of new drop rules for false positive tuning, and they simply do not appear to be working. Older drop rules that were configured using 6.0.2 do appear to still be working fine as long as I don't touch them.
I am pretty confident it's not a logical problem with my criteria, because I can query using the exact same criteria and get results I expect. But the events are NOT being dropped, and incidents are still being generated based on them.
Has anyone else upgraded to 6.0.3 and experienced the same?
I have a TAC case open already and have experienced the same issues. Response so far has been that the developers are aware of the issue and are actively working on it. It seems that the problem is with multiple specific IP addresses for src or dest in the rule. The workaround I was given was to use multiple drop rules with one src each and it works. I have not tested yet, and with the amount of drop rules we have I may just wait for the fix.