When creating a Signature Event Action Filter and using an "Event Variable" ($INTERNAL or $OUT) in the attacker address or victim address, the MC throws an error.
"Error - Attacker Start address is invalid"
Is this a known bug?
Thanks in advance
What version of MC are you using? What type/version sensor are you using?
Can you describe step by step how you're trying to create this variable?
I'm using version 2.1 with the latest service packs and all. The sensors are 5.0.4. From the IPSMC I go to the sensor I would like to manage, then choose event action filters, then choose add, and in the source field type in the $variablename (i.e. IN or OUT). These are all defined in the event variables section.
If I make the variable changes using the CLI it works fine. If I reimport the sensor to the MC the variables show up fine. But you cannot add a variable to the event action filters section from the MC.
It's pretty annoying to have to use the IDM or CLI to make changes and then reimport each sensor. I have 20 sensors and it is a royal pain to do this to each sensor. I have a TAC case open on this as well, and no one has any idea. I need some help, anyone!!
I'm in the same setup of using IPS V5 on the sensors managed by CiscoWorks VMS with IPS MC 2.1. I can confirm the same kind of trouble with the interaction between both pieces of software. Here is what I have experienced so far:
- there is a difference in syntax for adding addresses into the default $in and $out variables. If I set more than one address range into those variables, I can generate the config, but can't deploy onto the sensor. Error = "The ip address range format is invalid at line: 1, at character: 381"
Even when I do the configuration via IDM, import the new config into IPS MC and without changing anything try to deploy the same config onto the sensor again, I get the same error.
- there is also some syntax problem in the naming of filters. By default filters are named filter[x], but again when deploying this config with that kind of names onto the sensor, IPS MC is generating errors:
"** ECD result for eventActionRules: Error validateError: / -- /_root_/filters/filter1-filter- - -0-D/ -- invalid name
/_root_/filters/filter10-filter- - -9-D/ -- invalid name
So I'm not surprised by the above problem description.
I have the exact same issue on 3 different VMS servers running the latest IPSMC software. What is the purpose of being able to define a variable if you can't use it?
This is an oversight in the IPS MC 2.1 that is being rectified in version 2.2 (due out next month). CSCsb66685
All dev and test resources are fully committed to the 2.2 release (3 weeks to FCS). This particular issue is currently being worked on. IMO, a patch would take at least 2 weeks if the resources were available. So I would recommend waiting for 2.2.
Well, I've been patient so far, but I'm still waiting for a patch for this issue. It's 21 days out, no patch, no v2.2 that I can find. I know they are getting rid of VMS soon, so are they really working on this?
I can only take your word on it, but we can't afford to wait on this stuff, time for a competitive upgrade, I'm afraid.
Sorry -- The defect you have requested CSCsb66685 cannot be displayed.
This may be due to one or more of the following:
The defect number does not exist.
The defect does not have a customer-visible description available yet.
The defect has been marked Cisco Confidential.