Drop Rules in 6.0.3

Daniel Barr
Level 1

Hi all:

Someone mentioned this in another thread about issues with the 6.0.3 upgrade, but since I am also having an issue I thought it warranted its own thread.

I went from 6.0.2 to 6.0.3 using the upgrade package, and experienced no issues with the upgrade. However, I have been creating a number of new drop rules for false positive tuning, and they simply do not appear to be working. Older drop rules that were configured using 6.0.2 do appear to still be working fine as long as I don't touch them.

I am pretty confident it's not a logical problem with my criteria, because I can query using the exact same criteria and get results I expect. But the events are NOT being dropped, and incidents are still being generated based on them.

Has anyone else upgraded to 6.0.3 and experienced the same?

Thanks,

Dan

5 Replies

silvertrump
Level 1

We have not upgraded yet, but we are about to. Since we are heavily dependent on drop rules, your experience gives me pause. Have you opened a TAC case yet?

Yeah, I wanted to do some more testing first but I am going to open a case. I tried setting some of our drop rule actions to "Drop" instead of "Log to DB only", but the events (and incidents) still get created.

I'll reply with any further info.

I have a TAC case open already and have experienced the same issues. Response so far has been that the developers are aware of the issue and are actively working on it. It seems that the problem is with multiple specific IP addresses for src or dest in the rule. The workaround I was given was to use multiple drop rules with one src each and it works. I have not tested yet, and with the amount of drop rules we have I may just wait for the fix.

Well at least I know I'm not going crazy. I just took the MARS training course and was all primed to start some serious tuning this week, but couldn't figure out why none of my drop rules seemed to be having any effect.

I am also having the issue with rules configured with network group(s) as a source. Even a drop rule with a single network group in the src (group contains multiple subnets or hosts) is exhibiting this problem.

Thanks for the reply... I entered my own TAC case as well. Hopefully they'll get this fixed soon.

BTW, it was posted to the other thread, but Cisco did fix this bug (CSCsz14701) with a patch for 6.0.3 released last week. I installed it on our box and it did correct the problem with drop rules.
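The workaround given in the accepted reply (one drop rule per source instead of one rule listing several sources) and the follow-up about network groups in the src field both raise the same practical question: does a split set of single-source rules drop exactly the events the original rule was meant to drop, and how do you tell that a rule is not actually dropping? The script below is an added example written for this thread, not Cisco code and not a MARS configuration format; it assumes the usual "any of" semantics for a rule's src list, models network groups as a lookup table of members, and uses constructed sample events (RFC 5737 / private addresses). `split_rule` produces the workaround rules, `workaround_is_equivalent` checks they are equivalent to the original on a sample, and `ineffective_rules` reproduces the check Dan describes: a rule whose criteria still match events that reached the database after the rule went in is not dropping anything.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample network group (not a real MARS configuration).
NETWORK_GROUPS = {
    "DMZ_SCANNERS": ["10.10.1.5", "10.10.2.0/24"],
}


@dataclass(frozen=True)
class DropRule:
    name: str
    src: tuple          # hosts, CIDR subnets, or network-group names
    event_types: tuple  # event types the rule applies to


def resolve_src(entries):
    """Expand hosts, subnets and (nested) group names into ip_network objects."""
    nets = []
    for entry in entries:
        if entry in NETWORK_GROUPS:
            nets.extend(resolve_src(NETWORK_GROUPS[entry]))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def rule_matches(rule, event):
    """Assumed semantics: event type must be listed and src must fall in ANY src entry."""
    src = ipaddress.ip_address(event["src"])
    return event["type"] in rule.event_types and any(
        src in net for net in resolve_src(rule.src)
    )


def split_rule(rule):
    """The workaround from the thread: one rule per source entry.

    Groups are expanded to their members so every generated rule has exactly one
    host or subnet in its src field.
    """
    return [
        DropRule(f"{rule.name}-{i}", (str(net),), rule.event_types)
        for i, net in enumerate(resolve_src(rule.src), start=1)
    ]


def dropped_ids(rules, events):
    """IDs of events that at least one rule would drop."""
    return [ev["id"] for ev in events if any(rule_matches(r, ev) for r in rules)]


def workaround_is_equivalent(rule, events):
    """True when the split rules drop exactly the same events as the original."""
    return dropped_ids([rule], events) == dropped_ids(split_rule(rule), events)


def ineffective_rules(rules, events_seen_after_rules):
    """Names of rules whose criteria still match events that reached the DB.

    Mirrors the check in the thread: if a query on the rule's criteria returns
    events created after the rule was added, the rule is not actually dropping.
    """
    return [r.name for r in rules
            if any(rule_matches(r, ev) for ev in events_seen_after_rules)]


# Constructed sample data.
ORIGINAL_RULE = DropRule(
    "scanner-noise", ("192.0.2.10", "192.0.2.11", "DMZ_SCANNERS"), ("Port Sweep",)
)

SAMPLE_EVENTS = [
    {"id": 1, "src": "192.0.2.10", "type": "Port Sweep"},         # listed host
    {"id": 2, "src": "10.10.2.77", "type": "Port Sweep"},         # in group subnet
    {"id": 3, "src": "192.0.2.10", "type": "Brute Force Login"},  # wrong type
    {"id": 4, "src": "198.51.100.9", "type": "Port Sweep"},       # unlisted host
]

if __name__ == "__main__":
    for r in split_rule(ORIGINAL_RULE):
        print(r.name, r.src)
    print("equivalent:", workaround_is_equivalent(ORIGINAL_RULE, SAMPLE_EVENTS))
    # Events 1 and 2 still showing up after the rule went in => rule not working
    print("ineffective:", ineffective_rules([ORIGINAL_RULE], SAMPLE_EVENTS[:2]))
```

The equivalence check only holds under the assumed "any of" semantics for the src list; if a rule's source entries were combined differently, splitting would change what gets dropped, which is why it is worth checking on a sample of real events before converting a large rule set by hand.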
