04-21-2009 10:45 AM
Hi all:
Someone mentioned this in another thread about issues upgrading to 6.0.3, but since I am also having an issue, I thought it warranted its own thread.
I went from 6.0.2 to 6.0.3 using the upgrade package, and experienced no issues with the upgrade. However, I have been creating a number of new drop rules for false positive tuning, and they simply do not appear to be working. Older drop rules that were configured using 6.0.2 do appear to still be working fine as long as I don't touch them.
I am pretty confident it's not a logical problem with my criteria, because I can query using the exact same criteria and get results I expect. But the events are NOT being dropped, and incidents are still being generated based on them.
Has anyone else upgraded to 6.0.3 and experienced the same?
Thanks,
Dan
04-21-2009 01:02 PM
We have not upgraded yet, but we are about to. Since we are heavily dependent on drop rules, your experience gives me pause. Have you opened a TAC case yet?
04-21-2009 01:34 PM
Yeah, I wanted to do some more testing first but I am going to open a case. I tried setting some of our drop rule actions to "Drop" instead of "Log to DB only", but the events (and incidents) still get created.
I'll reply with any further info.
04-21-2009 06:53 PM
I have a TAC case open already and have experienced the same issues. Response so far has been that the developers are aware of the issue and are actively working on it. It seems that the problem is with multiple specific IP addresses for src or dest in the rule. The workaround I was given was to use multiple drop rules with one src each and it works. I have not tested yet, and with the number of drop rules we have I may just wait for the fix.
04-22-2009 05:52 AM
Well, at least I know I'm not going crazy. I just took the MARS training course and was all primed to start some serious tuning this week, but couldn't figure out why none of my drop rules seemed to be having any effect.
I am also having the issue with rules configured with network group(s) as a source. Even a drop rule with a single network group in the src (group contains multiple subnets or hosts) is exhibiting this problem.
Thanks for the reply...I entered my own TAC case as well. Hopefully they'll get this fixed soon.
05-07-2009 05:38 AM
BTW, it was posted to the other thread, but Cisco did fix this bug (CSCsz14701) with a patch for 6.0.3 released last week. I installed it on our box and it did correct the problem with drop rules.