revision 10.0
COPYRIGHT
Copyright 2001 - 2009 McAfee, Inc. All Rights Reserved.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
License Attributions
This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
* Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
* Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
* Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
* Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier.
* Software written by Douglas W. Sauder.
* Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
* International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others.
* Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
* FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
* Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
* Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
* Software copyrighted by Expat maintainers.
* Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000.
* Software copyrighted by Gunnar Ritter.
* Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003.
* Software copyrighted by Gisle Aas, (C) 1995-2003.
* Software copyrighted by Michael A. Chase, (C) 1999-2000.
* Software copyrighted by Neil Winton, (C) 1995-1996.
* Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
* Software copyrighted by Sean M. Burke, (C) 1999, 2000.
* Software copyrighted by Martijn Koster, (C) 1995.
* Software copyrighted by Brad Appleton, (C) 1996-1999.
* Software copyrighted by Michael G. Schwern, (C) 2001.
* Software copyrighted by Graham Barr, (C) 1998.
* Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
* Software copyrighted by Frodo Looijaard, (C) 1997.
* Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
* Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
* Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame.
* Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002.
* Software copyrighted by Stephen Purcell, (C) 2001.
* Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
* Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003.
* Software developed by the University of California, Berkeley and its contributors.
* Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).
* Software copyrighted by Kevlin Henney, (C) 2000-2002.
* Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
* Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
* Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000.
* Software copyrighted by Boost.org, (C) 1999-2002.
* Software copyrighted by Nicolai M. Josuttis, (C) 1999.
* Software copyrighted by Jeremy Siek, (C) 1999-2001.
* Software copyrighted by Daryle Walker, (C) 2001.
* Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002.
* Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history.
* Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002.
* Software copyrighted by Cadenza New Zealand Ltd., (C) 2000.
* Software copyrighted by Jens Maurer, (C) 2000, 2001.
* Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000.
* Software copyrighted by Ronald Garcia, (C) 2002.
* Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001.
* Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000.
* Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001.
* Software copyrighted by Paul Moore, (C) 1999.
* Software copyrighted by Dr. John Maddock, (C) 1998-2002.
* Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999.
* Software copyrighted by Peter Dimov, (C) 2001, 2002.
* Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001.
* Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002.
* Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992.
* Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003.
* Software copyrighted by Sparta, Inc., (C) 2003-2004.
* Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004.
* Software copyrighted by Simon Josefsson, (C) 2003.
* Software copyrighted by Thomas Jacob, (C) 2003-2004.
* Software copyrighted by Advanced Software Engineering Limited, (C) 2004.
* Software copyrighted by Todd C. Miller, (C) 1998.
* Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.
Contents
Preface .... v
    Introducing McAfee IntruShield IPS .... v
    About this Guide .... v
    Audience .... v
    Conventions used in this guide .... vi
    Related Documentation .... vii
    Contacting Technical Support .... vii
    Information requested for Troubleshooting .... viii
Checking whether a signature or software update was successful .... 22
Checking status of a download or upload .... 22
Conditions requiring a sensor reboot .... 22
    Rebooting a sensor via the ISM .... 23
    Rebooting a sensor using the reboot command .... 23
Sensor doesn't boot .... 23
Loss of connectivity between the sensor and ISM .... 23
    How sensor handles new alerts during connectivity loss .... 24
ISM connectivity to the database .... 24
    ISM database is full .... 25
Error on accessing the Configuration page .... 25
Sensor response if its bandwidth is exceeded .... 25
MySQL issues .... 26
How sensors handle various types of traffic .... 26
    Jumbo Ethernet frames .... 26
    ISL frames .... 26
Sensor capacity by model number .... 71
Utilizing the McAfee Knowledge Base .... 74
Index .... 76
Preface
This preface provides a brief introduction to McAfee IntruShield, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.
Audience
This guide is intended for use by network technicians responsible for maintaining the IntruShield Security Management System (ISM) and analyzing and disseminating the resulting data. It is assumed that you are familiar with IPS-related tasks, the relationship between tasks, and the commands necessary to perform particular tasks.
Conventions used in this guide

Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.

Convention: Procedures are presented as a series of numbered steps.
Example: 1. On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set sensor ip <A.B.C.D>

Convention: Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions such as loss of data, is denoted using this notation.
Example: Caution:

Convention: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.
Example: Warning:

Convention: Notes that provide related, but non-critical, information are denoted using this notation.
Example: Note:
vi
Related Documentation
The following documents and on-line help are companions to this guide. Refer to the IntruShield System Quick Reference Card for more information on these guides.
* Manager Installation Guide
* 3.1 to 4.1 Upgrade Guide
* Getting Started Guide
* IntruShield Quick Tour
* Planning & Deployment Guide
* IntruShield Sensor 1200 Product Guide
* IntruShield Sensor 1400 Product Guide
* IntruShield Sensor 2600 Product Guide
* IntruShield Sensor 2700 Product Guide
* IntruShield Sensor 3000 Product Guide
* IntruShield Sensor 4000 Product Guide
* IntruShield Sensor 4010 Product Guide
* IntruShield Configuration Basics Guide
* Administrative Domain Configuration Guide
* Manager Server Configuration Guide
* Policies Configuration Guide
* Sensor Configuration Guide (using CLI)
* Sensor Configuration Guide (using ISM)
* Sensor Configuration Guide (using ISM Wizard)
* Alerts & System Health Monitoring Guide
* Reports Guide
* User-Defined Signatures Developer's Guide
* Attack Description Guide
* Special Topics Guide
* Database Tuning Best Practices
* Denial-of-Service
* Sensor High Availability
* Custom Roles Creation
* In-line Sensor Deployment
* Virtualization
* Gigabit Optical Fail-Open Bypass Kit Guide
* Gigabit Copper Fail-Open Bypass Kit Guide
Online
Contact McAfee Technical Support http://mysupport.mcafee.com.
vii
Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Contact Information page (http://www.mcafee.com/us/about/contact/index.html). Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.
General information
* your GRANT ID. This was provided to you when you purchased the product.
* the version number of the ISM software you are using
* the version number of the sensor software you are using
* Is this a new or existing issue?
* any physical changes made to the environment recently
* Did you make any changes in your environment/setup/configuration that may have introduced the issue?
ISM-specific information
We may ask you to use our troubleshooting tool, which is called InfoCollector. This tool collects all ISM-related log files (for example, ems.log, emsout, output.bin, the config backup, and the sensor trace file, if you have uploaded it to the ISM) and returns them to us for analysis. As of this writing, the tool is available at the following link:
http://serviceweb/mcafee/backline/escalations/MER_TOOL/IPSInfoCollector.zip
Sensor issues
* the sensor deployment configuration
* information on the GBICs you are using with sensor GE ports; this information is extremely helpful for troubleshooting link issues
* the volume of traffic through the sensor
* in some cases, a network diagram (particularly for troubleshooting asymmetric traffic issues)
* a sensor trace file, which you can create using the process described in Providing a sensor diagnostics trace
* sensor operating mode (i.e., In-line, SPAN or TAP). This information can be obtained from: Sensor_Name > Interface > View Details
* peer device port settings (for example, for Cisco switches/routers, you would provide the output of the show port [mod[/port]] command)
* Management port configuration (obtained by issuing a show mgmtport command)
CHAPTER 1
Pre-installation recommendations
These IntruShield pre-installation recommendations are a compilation of the information gathered from individual interviews with some of the most seasoned IntruShield System Engineers at McAfee.
* Crossover cables will be required for 10/100 or 10/100/1000 monitoring ports if they are directly connected to a firewall, router, or end node. Otherwise, standard patch cables are required for the Fast Ethernet ports.
* If applicable, identify the ports to be mirrored, and someone who has the knowledge and rights to mirror them.
* Allocate the proper IP addresses for the sensors.
* Identify hosts that may cause false positives, for example, HTTP cache servers, DNS servers, mail relays, SNMP managers, and vulnerability scanners.
Functional requirements
Following are the functional requirements to be taken care of:
* Install Wireshark (formerly known as Ethereal; http://www.wireshark.com, http://www.wireshark.org) on the client PCs. Ethereal is a network protocol analyzer for Unix and Windows servers, used to analyze the packet logs created by IntruShield sensors.
* Ensure the correct version of JRE is installed on the client system, as described in the Release Notes. This can save a lot of time during deployment.
Note: A particular version of JRE is installed with the ISM server, as described in the release notes; be sure that the ISM server does not have a conflicting version of JRE installed.
* Determine a way in which the ISM maintains the correct time. To keep time from drifting, for example, point the ISM server to an NTP timeserver. (If the time is changed on the ISM server, the ISM will lose connectivity with all sensors and the Update Server because SSL is time sensitive.)
* If Manager Disaster Recovery (MDR) is configured, ensure that the time difference between the Primary and Secondary ISMs is less than 60 seconds. (If the spread between the two exceeds two minutes, communication with the sensors will be lost.)
* We recommend that the Management port of the sensor and the ISM be on the same internal network, for security and management reasons.
* If you are upgrading from a previous version, we recommend that you follow the instructions in the respective version's release notes or, if one is available for your release, the Upgrade Guide.
* We recommend that you remove old ISM software and reboot your machine before upgrading to a new version.
If a firewall will reside between the sensor, ISM, or administrative client, which includes a personal firewall on the ISM, the following ports must be opened:

Port | Protocol | Description | Direction of communication
4167 (high ports; source port on the Manager) and 8500 (destination port on the sensor) | UDP | Proprietary (install port) | Manager-->sensor
8501 | TCP | Proprietary (alert channel/control channel) | sensor-->ISM
8502 | TCP | Proprietary (packet log channel) | sensor-->ISM
(not shown) | (not shown) | Proprietary (file transfer channel) | sensor-->ISM
(not shown) | (not shown) | SSL/TCP/IP (Alert Manager) | client-->ISM
(not shown) | (not shown) | HTTPS Web-based user interface (Webstart/JNLP, Console Applets) | client-->ISM
22 | TCP | SSH Remote console access | client-->ISM
Note: If you choose to use non-default ports for the Install port, Alert port, and Log port, ensure that those ports are also open on the firewall. Note that 3306/TCP is used internally by the ISM to connect to the MySQL database. If you have Email Notification or SNMP Forwarding configured on the ISM, and there is a firewall residing between the ISM and your SMTP or SNMP server, ensure the following ports are available as well.
Description | Direction of communication
Secure communication for MDR | ISM 1-->ISM 2
Secure communication for MDR | ISM 2-->ISM 1
Syslog forwarding (ACL logging) | ISM-->Syslog server
LDAP Integration (with SSL) | ISM-->LDAP server
RADIUS Integration | ISM-->RADIUS server
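The port tables above are the input a firewall reviewer works from. The following is an added example, not McAfee's code or anything shipped with the ISM: it encodes the flows whose port numbers appear in the guide (8500/UDP install, 8501 and 8502/TCP sensor channels, 22/TCP console), evaluates a candidate rule set with first-match semantics and an implicit final deny, and flags any allow rule that opens 3306/TCP on the ISM to anything other than the ISM itself, since the guide says that port is internal only. The rule format, host addresses and the candidate rule set are constructed for the example.

```python
"""Added example (not McAfee's code): check a candidate firewall rule set
against the ISM/sensor flows in the guide's port table and flag exposure
of the ISM's internal MySQL port 3306/TCP. Rule syntax and addresses are
constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    src: str              # single host address
    dst: str
    dport: int


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("any", proto)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow no rule matches is dropped."""
    for rule in rules:
        if rule_matches(rule, flow.proto, flow.src, flow.dst, flow.dport):
            return rule.action
    return "deny"


def required_flows(manager: str, sensor: str, client: str) -> List[Flow]:
    # Only rows of the guide's table whose port number is given on the page.
    return [
        Flow("install port (UDP)", "udp", manager, sensor, 8500),
        Flow("alert/control channel", "tcp", sensor, manager, 8501),
        Flow("packet log channel", "tcp", sensor, manager, 8502),
        Flow("SSH remote console", "tcp", client, manager, 22),
    ]


def mysql_exposures(rules: List[Rule], manager: str) -> List[Rule]:
    """Allow rules that would let hosts other than the ISM reach 3306/TCP on it.
    Static scan over allow rules (conservative: ignores earlier deny rules)."""
    self_only = ip_network(manager + "/32")
    return [r for r in rules
            if r.action == "allow" and r.proto in ("any", "tcp")
            and r.dport in (None, 3306)
            and ip_address(manager) in ip_network(r.dst)
            and ip_network(r.src) != self_only]


def audit(rules: List[Rule], manager: str, sensor: str, client: str) -> dict:
    blocked = [f.name for f in required_flows(manager, sensor, client)
               if evaluate(rules, f) != "allow"]
    return {"blocked": blocked, "mysql_exposures": mysql_exposures(rules, manager)}


# Constructed deployment: the 8502 rule is missing and 3306 is wrongly opened to 10/8.
MANAGER, SENSOR, CLIENT = "10.0.1.10", "10.0.2.20", "10.0.3.30"
CANDIDATE_RULES = [
    Rule("allow", "udp", "10.0.1.10/32", "10.0.2.20/32", 8500),
    Rule("allow", "tcp", "10.0.2.20/32", "10.0.1.10/32", 8501),
    Rule("allow", "tcp", "10.0.3.0/24", "10.0.1.10/32", 22),
    Rule("allow", "tcp", "10.0.0.0/8", "10.0.1.10/32", 3306),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    print(audit(CANDIDATE_RULES, MANAGER, SENSOR, CLIENT))
```

Running it against the constructed rule set reports the packet log channel as blocked and the 3306 rule as an exposure; the rows of the table whose ports are not shown on this page (file transfer, Alert Manager, HTTPS) would be added to `required_flows` from the product documentation before using the check for real.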
Close all open programs, including email, the Administrative Tools > Services window, and instant messaging before installation to avoid port conflicts. A port conflict may prevent the application from binding to the port in question because it will already be in use.
Caution: The ISM is a standalone system and should not have other applications installed.
anti-virus scanner. Note: If you install McAfee VirusScan 8.0i on the ISM after the installation of the ISM software, the MySQL scanning exceptions will be created automatically, but the IntruShield exceptions will not.
processes it will allow to create outbound TCP port 25 connections; all other processes are denied that access. The ISM takes advantage of the JavaMail API to send SMTP notifications. If you enable SMTP notification and also run VirusScan 8.0i, you must therefore add java.exe to the list of excluded processes. If you do not explicitly create the exclusion within VirusScan 8.0i, you will see a Mailer Unreachable error in the ISM System Health each time the ISM attempts to connect to its configured mail server. To add the exclusion, follow these steps:
1. Launch the VirusScan Console.
2. Right-click the task called Access Protection and choose Properties.
3. Highlight the rule called Prevent mass mailing worms from sending mail.
4. Click Edit.
5. Append java.exe to the list of Excluded Processes.
Caution: It is imperative that you tune the MySQL database after each purge operation. Otherwise, the purge process will fragment the database, which can lead to significant performance degradation. Defragment the disks on the ISM on a routine basis, with the exception of the MySQL directory. The more often you run your defragmenter, the quicker the process will be. Consider defragmenting the disks at least once a month.
Warning: Do NOT attempt to defragment the MySQL directory using an O/S defrag utility. To defragment MySQL tables, use a MySQL-specific utility, myisamchk available in the <mysqlinstallation>\bin directory. Limit the quantity of alerts to view when launching the Alert Manager. This will reduce the total quantity of records the user interface must parse and therefore potentially result in a faster initial response on startup.
When scheduling certain ISM actions (backups, file maintenance, archivals, database tuning), set a time for each that is unique and is a minimum of an hour after/before other scheduled actions. Do not run scheduled actions concurrently.
CHAPTER 2
Introduction
IntruShield Security Manager (ISM) implementation varies between environments. The Manager server's positioning in the network, both physically and logically, may influence specific remote access and firewall configuration requirements. The following best practices are intended to cover the configurable features that can impact the security of the ISM. This information should be used in combination with the IntruShield Release Notes and the rest of the documentation set. McAfee's recommendations, at a high level:
* Install a desktop firewall on the server and open the proper ports
* Harden the MySQL installation
* Harden the ISM host
5. Remove the test db. Keep only the MYSQL and INTRUSHIELD (for example, lf) databases.
   mysql> drop database test;
6. You should see only two databases (MYSQL and LF) if you are using the default IntruShield installation of MySQL.
   mysql> show databases;

Start MySQL. Back up the user table to user_backup before changing it. Validate that the backup table was created and that its row count matches that of the mysql.user table (the rollback below renames user_backup to user, so it must be a copy of user). List all users and hosts. Remove anonymous/blank accounts and reload the grant tables. Validate that rows with blank user columns have been removed.

mysql> use mysql;
mysql> create table user_backup as select * from user;
mysql> select count(*) from user_backup;
mysql> select count(*) from user;
mysql> select user,host from user;
mysql> delete from user where user="";
mysql> flush privileges;
mysql> select user,host from user;

Use another cmd window to validate; you can ONLY log in to the MySQL CLI on the ISM server by qualifying username, password and db. For example:

mysql -uadmin -pXXX lf

To roll back changes made to the mysql.user table from the mysql.user_backup table:

mysql> rename table user to user_1;
mysql> rename table user_backup to user;
mysql> flush privileges;
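The order of the steps above matters: back up, prove the backup is complete, change, prove the change took effect, and keep a rollback ready. The block below is an added example, not McAfee's procedure or code: it rehearses exactly that sequence on an in-memory SQLite table standing in for mysql.user, so each check can be exercised before touching the real server. The rows are constructed; SQLite has no FLUSH PRIVILEGES, which on a real MySQL server still has to follow the DELETE, and it uses single quotes for the empty string because "" is a string literal only in MySQL.

```python
"""Added example (not McAfee's code): rehearsal of the anonymous-account
cleanup on an in-memory SQLite stand-in for mysql.user. Rows are constructed."""
import sqlite3
from typing import List, Tuple

# Constructed stand-in for mysql.user with two anonymous (blank user) entries.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("root", "localhost"),
    ("admin", "localhost"),
    ("", "localhost"),
    ("", "ism-host"),
]


def open_demo_db(rows=SAMPLE_USERS) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table user (user text not null, host text not null)")
    con.executemany("insert into user values (?, ?)", rows)
    return con


def anonymous_accounts(con: sqlite3.Connection) -> List[Tuple[str, str]]:
    # Single quotes: '' is the empty string in standard SQL; "" would be an identifier.
    return con.execute("select user, host from user where user = ''").fetchall()


def backup_user_table(con: sqlite3.Connection) -> int:
    """Copy user to user_backup and refuse to continue unless the row counts agree."""
    con.execute("create table user_backup as select * from user")
    n_live = con.execute("select count(*) from user").fetchone()[0]
    n_bak = con.execute("select count(*) from user_backup").fetchone()[0]
    if n_live != n_bak:
        raise RuntimeError(f"backup has {n_bak} rows but user has {n_live}; stop")
    return n_bak


def remove_anonymous(con: sqlite3.Connection) -> int:
    """Delete blank-user rows; returns how many remain (must be 0).
    On MySQL, FLUSH PRIVILEGES must follow this DELETE for it to take effect."""
    con.execute("delete from user where user = ''")
    return len(anonymous_accounts(con))


def rollback(con: sqlite3.Connection) -> int:
    """The guide's rollback: park the edited table, promote the backup."""
    con.execute("alter table user rename to user_1")
    con.execute("alter table user_backup rename to user")
    return con.execute("select count(*) from user").fetchone()[0]


def harden_demo() -> dict:
    con = open_demo_db()
    before = len(anonymous_accounts(con))
    backed_up = backup_user_table(con)
    after = remove_anonymous(con)
    restored = rollback(con)
    return {"anonymous_before": before, "backed_up": backed_up,
            "anonymous_after": after, "restored": restored}


if __name__ == "__main__":
    print(harden_demo())
```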
CHAPTER 3
Facilitating troubleshooting
When an in-line device experiences problems, most people's instinct is to physically pull it out of the path: to disconnect the cables and let traffic flow unimpeded while the device can be examined elsewhere. McAfee recommends you first try the following techniques to troubleshoot a sensor issue:

All sensors have a Layer2 Passthru feature. If you feel your sensor is causing network disruption, before you remove it from the network, issue the following command:

layer2 mode assert

This pushes the sensor into Layer2 Passthru (L2) mode, causing traffic to flow through the sensor while bypassing the detection engine. Check to see whether your services are still affected; if they are, then you have eliminated certain sensor hardware issues; the problem could instead be a network issue or a configuration issue. (The layer2 mode deassert command pushes the sensor back to detection mode.)

McAfee recommends that you configure Layer2 Passthru Mode on each sensor. This enables you to set a threshold on the sensor that pushes the sensor into L2 bypass mode if the sensor experiences a specified number of errors within a specified timeframe. Traffic then continues to flow directly through the sensor without passing to the detection engine.

Connect a fail-open kit, which consists of a bypass switch and a controller, to any GE monitoring port pairs on the sensor. If a kit is attached to the sensor, disabling the sensor ports forces traffic to flow through the bypass switch, effectively pulling the sensor out of the path. For FE monitoring ports, there is no need for the external kit. Sensors with FE ports contain an internal tap; disabling the ports will send traffic through the internal tap, providing fail-open functionality.

Caution 1: The sensor will need to reboot to move out of L2 mode only if the sensor entered L2 mode because of internal errors. (It does not need a reboot if the layer2 mode assert command was used to put the sensor into L2 mode.)
Caution 2: A sensor reboot breaks the link connecting the devices on either side of the sensor and requires the renegotiation of the network link between the two devices surrounding the sensor.
Caution 3: Depending on the network equipment, this disruption can range from a couple of seconds to more than a minute with certain vendors' devices. A very brief link disruption might occur while the links are renegotiated to place the sensor back in in-line mode.
Network connectivity
Ensure that the sensor and ISM server have power and are appropriately connected to the network. Verify the link LEDs on both devices to indicate they have an active link. Ping the sensor and ISM server to ensure that they are available on the network.
Note: The sensor name is case-sensitive. Check the network addresses for the ISM, the ISM's gateway, and the sensor to ensure everything is configured correctly by typing show at the sensor CLI command prompt.
Note: Check the link LEDs on the devices to see if communication is established, or use the show mgmtport command to show the link's status. Try each of these configuration options to see if one establishes a link:
1. First (if possible) set the other device's port configuration to auto-negotiate. (The sensor is set to auto-negotiate by default.)
2. Using the set mgmtport command as described below in Setting the management port speed and duplex mode, try setting the speed and duplex of the sensor to speed 100 and duplex half.
3. If no link is established, try speed 10 and duplex half.
4. If none of the above attempts creates a link, try setting the port on the other device to a speed of 100, duplex half, and try steps 2 and 3 again.
5. If this does not establish a link, you can then do the same, setting the other device to a speed of 10, duplex half, and try steps 2 and 3 again.
6. If you are still experiencing difficulties, contact McAfee Technical Support.
Duplex mismatches
A duplex mismatch (for example, one end of the link in full-duplex and the other in half-duplex) may result in performance issues, intermittent connectivity, and loss of communication. It can also create subtle problems in applications. For example, if a Web server is talking to a database server through an Ethernet switch with a duplex mismatch, small database queries may succeed, while large ones fail due to a timeout. Manually setting the speed and duplex to full-duplex on only one link partner generally results in a mismatch. This common issue results from disabling autonegotiation on one link partner and having the other link partner default to a half-duplex configuration, creating a mismatch. This is the reason why speed and duplex cannot be hard-coded on only one link partner. If your intent is not to use autonegotiation, you must manually set both link partners' speed and duplex settings to full-duplex.
Link outcomes for speed/duplex combinations between IntruShield and the switch (table cells recovered from this copy; the pairing of settings with results in each row was lost in extraction):
* Settings and results that appear in the table: AUTO, 1000 Mbps Full-duplex, 100 Mbps Full-duplex, 10 Mbps Half-duplex, No Link.
* Comments:
  - Neither side establishes link, due to speed mismatch.
  - Duplex Mismatch (1)
  - Correct Manual Configuration (2)
  - Link is established, but switch does not see any autonegotiation information from IntruShield and defaults to half-duplex when operating at 10/100 Mbps.
  - Link is established, but switch does not see Fast Link Pulse (FLP) and defaults to 10 Mbps half-duplex.
Router(config-if)# duplex full When troubleshooting IntruShield performance issues with Cisco switches, view the output of the show port mod/port command, and note the counter information.
Counter: Alignment Errors
Description: Alignment errors are a count of the number of frames received that do not end with an even number of octets and have a bad CRC.
Possible causes: These are the result of collisions at half-duplex, duplex mismatch, bad hardware (NIC, cable, or port), or a connected device generating frames that do not end on an octet and have a bad FCS.

Counter: FCS
Description: FCS error count is the number of frames that were transmitted or received with a bad checksum (CRC value) in the Ethernet frame. These frames are dropped and not propagated onto other ports.
Possible causes: These are the result of collisions at half-duplex, duplex mismatch, bad hardware (NIC, cable, or port), or a connected device generating frames with bad FCS.

Counter: Xmit-Err
Description: This is an indication that the internal transmit buffer is full.
Possible causes: This is an indication of excessive input rates of traffic. This is also an indication of the transmit buffer being full. The counter should only increment in situations in which the switch is unable to forward out the port at the desired rate. Situations such as excessive collisions and 10 Mb ports cause the transmit buffer to become full. Increasing speed and moving the link partner to full-duplex should minimize this occurrence.

Counter: Rcv-Err
Description: This is an indication that the receive buffer is full.
Possible causes: This is an indication of excessive output rates of traffic. This counter should be zero unless there is excessive traffic through the switch. In some switches, the Out-Lost counter has a direct correlation to the Rcv-Err.

Counter: UnderSize
Description: These are frames that are smaller than 64 bytes (including FCS) and have a good FCS value.
Possible causes: This is an indication of a bad frame generated by the connected device.

Counter: Single Collisions
Description: Single collisions are the number of times the transmitting port had one collision before successfully transmitting the frame to the media.
Possible causes: This is an indication of a half-duplex configuration.

Counter: Multiple Collisions
Description: Multiple collisions are the number of times the transmitting port had more than one collision before successfully transmitting the frame to the media.
Possible causes: This is an indication of a half-duplex configuration.

Counter: Late Collisions
Description: A late collision occurs when two devices transmit at the same time and neither side of the connection detects a collision. The reason for this occurrence is that the time to propagate the signal from one end of the network to another is longer than the time to put the entire packet on the network. The two devices that cause the late collision never see that the other is sending until after it puts the entire packet on the network. Late collisions are detected by the transmitter after the first time slot of the 64-byte transmit time occurs. They are only detected during transmissions of packets longer than 64 bytes. Its detection is exactly the same as it is for a normal collision; it just happens later than it does for a normal collision.
Possible causes: This is an indication of faulty hardware (NIC, cable, or switch port) or a duplex mismatch.

Counter: Excessive Collisions
Description: Excessive collisions are the number of frames that are dropped after 16 attempts to send the packet resulted in 16 collisions.
Possible causes: This is an indication of over-utilization of the switch port at half-duplex or a duplex mismatch.

Counter: Carrier Sense
Description: Carrier sense occurs every time an Ethernet controller wants to send data, and the counter is incremented when there is an error in the process.

Counter: Runts
Description: These are frames smaller than 64 bytes with a bad FCS value.
Possible causes: This is an indication of the result of collisions, duplex mismatch, IEEE 802.1Q (dot1q), or an InterSwitch Link Protocol (ISL) configuration issue.

Counter: Giants
Description: These are frames that are greater than 1518 bytes and have a bad FCS value.
Possible causes: This is an indication of faulty hardware, dot1q, or an ISL configuration issue.
19
Auto-negotiation
Auto-negotiation issues typically do not result in link establishment issues. Instead, they mainly result in a loss of performance. When auto-negotiation leaves one end of the link in, for example, full-duplex mode and the other in half-duplex (a duplex mismatch), errors and retransmissions can cause unpredictable behavior in the network, causing performance issues, intermittent connectivity, and loss of communication. Generally these errors are not fatal (traffic still makes it through), but locating and fixing them is a time-waster.
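The following is an added example, not part of the McAfee guide: a small Python script that parses a constructed counter dump shaped like the counter table above, maps each non-zero counter to the possible causes the table lists, and applies the duplex-mismatch reasoning from the auto-negotiation section as an explicit heuristic. The counter names, their spelling, and the sample values are assumptions for illustration; adapt the regular expression to whatever your switch actually prints.

```python
"""Added example (not from the McAfee guide): interpret Ethernet error
counters using the cause table above and the duplex-mismatch discussion.
Counter names and sample values are constructed for illustration."""
import re

# Constructed sample: a plain "name: value" dump of the counters the table
# describes. Real switch CLIs format this differently; adapt the regex.
SAMPLE_COUNTERS = """
Align-Err: 112
FCS-Err: 480
Xmit-Err: 0
Rcv-Err: 0
UnderSize: 0
Single-Col: 3051
Multi-Col: 870
Late-Col: 59
Excess-Col: 2
Carri-Sen: 0
Runts: 12
Giants: 0
"""


def parse_counters(text):
    """Turn 'Name: value' lines into a dict of ints; unknown lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z-]+)\s*:\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def diagnose(c):
    """Map non-zero counters to the possible causes listed in the table.
    Returns a list of (finding, cause) tuples, most specific first."""
    g = lambda k: c.get(k, 0)
    findings = []
    if g("Late-Col"):
        findings.append(("late collisions",
                         "faulty hardware (NIC, cable, switch port) or duplex mismatch"))
    if g("Excess-Col"):
        findings.append(("excessive collisions",
                         "over-utilised half-duplex port or duplex mismatch"))
    if g("Single-Col") or g("Multi-Col"):
        findings.append(("collisions", "half-duplex configuration"))
    if g("Align-Err") or g("FCS-Err"):
        findings.append(("alignment/FCS errors",
                         "half-duplex collisions, duplex mismatch, bad hardware, or peer sending bad FCS"))
    if g("Runts"):
        findings.append(("runts", "collisions, duplex mismatch, or dot1q/ISL configuration"))
    if g("Giants"):
        findings.append(("giants", "faulty hardware or dot1q/ISL configuration"))
    if g("Xmit-Err"):
        findings.append(("transmit errors",
                         "transmit buffer full: excessive input rate, collisions, or 10 Mb port"))
    if g("Rcv-Err"):
        findings.append(("receive errors", "receive buffer full: excessive output rate"))
    if g("UnderSize"):
        findings.append(("undersize frames", "bad frames generated by the connected device"))
    return findings


def likely_duplex_mismatch(c):
    """Heuristic (an assumption of this example, not a rule from the guide):
    late collisions together with FCS/alignment errors on the same port point
    to a half-/full-duplex mismatch rather than a single bad cable."""
    return c.get("Late-Col", 0) > 0 and (c.get("FCS-Err", 0) > 0 or c.get("Align-Err", 0) > 0)


if __name__ == "__main__":
    counters = parse_counters(SAMPLE_COUNTERS)
    for finding, cause in diagnose(counters):
        print(f"{finding:22s} -> {cause}")
    print("duplex mismatch likely:", likely_duplex_mismatch(counters))
```

Run it against a real counter dump before and after forcing both ends of the link to the same speed and duplex; if the collision and FCS counters stop incrementing, the auto-negotiation explanation above is confirmed.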
Note: If you see system faults indicating that the ISM is down, see System Fault Messages (on page 31) to interpret the fault and, if necessary, take action to clear the fault.
Pinging a sensor
The sensor Management port responds to only 1 ping/sec. This protects it from a ping flood. To ping a sensor Management port from multiple hosts, increase the time interval between pings.
Refresh the screen and verify the packet counts are increasing.
Has the time been reset on the ISM server? The connection between the sensor and the ISM server is secure, and this secure communication is time-sensitive, so the time on the devices must remain synchronized. You must set the time on the ISM server before you install the ISM software and never change the time on that machine. If the time changes on the ISM server, the ISM will lose its connectivity with the sensor and the Update Server. A time change could ultimately cause serious database errors. For more information, see KnowledgeBase article KB555587 (go to http://mysupport.mcafee.com/Eservice/ and click Search the KnowledgeBase).
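The following is an added example and is not the sensor-to-ISM protocol itself: a toy Python model of why moving a clock breaks a time-sensitive authenticated channel. Both sides share a key, each message carries its send time under an HMAC, and the receiver rejects anything outside a skew window. The shared key, the 300-second tolerance, and the payloads are constructed for the demonstration.

```python
"""Added example, not the ISM/sensor protocol itself: a toy model of why a
clock reset breaks a time-sensitive authenticated channel. Both sides share
a key; each message carries its send time inside the MAC, and the receiver
rejects anything outside a skew window. Key, window and payloads are
constructed for the demonstration."""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"   # stands in for the sensor/ISM shared secret
MAX_SKEW_SECONDS = 300                 # constructed tolerance, not a product value


def make_message(payload, sent_at, key=SHARED_KEY):
    """Sender side: bind the timestamp to the payload with an HMAC."""
    body = json.dumps({"t": sent_at, "p": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_message(msg, receiver_now, key=SHARED_KEY, max_skew=MAX_SKEW_SECONDS):
    """Receiver side: check the MAC first, then the freshness window.
    Returns (ok, reason). A receiver whose clock was moved by more than
    max_skew rejects every otherwise-valid message, which is the
    'loses connectivity with the sensor' symptom described above."""
    expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return False, "bad MAC"
    sent_at = json.loads(msg["body"])["t"]
    skew = abs(receiver_now - sent_at)
    if skew > max_skew:
        return False, f"clock skew {skew:.0f}s exceeds {max_skew}s"
    return True, "ok"


def simulate_clock_reset(hours_moved):
    """Sensor sends at time T; the ISM's clock was reset by hours_moved hours."""
    sensor_time = 1_700_000_000.0            # constructed epoch time
    msg = make_message({"alert": "demo"}, sensor_time)
    ism_time = sensor_time + hours_moved * 3600
    return verify_message(msg, ism_time)


if __name__ == "__main__":
    print("clocks in sync  :", simulate_clock_reset(0))
    print("ISM moved 1 hour:", simulate_clock_reset(1))
```

The MAC still verifies after the clock change; only the freshness check fails, which is why a time reset looks like a connectivity loss rather than a key problem, and why the guide's advice is to fix the clock rather than re-establish trust.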
Number    Alert Type
Signature-based alerts
Throttled alerts (with source and destination IP and port information)
Compressed throttled alerts (alerts with no source and destination IP information)
Statistical or anomaly DoS
Throttled DoS alerts
Host sweep alerts
Port scan alerts
Once the connection from the sensor to the ISM has been re-established, the queued alerts are forwarded up to the Manager, so the customer retains them even when connectivity is disrupted for some time. If the buffer fills up before connectivity is restored, the sensor drops new alerts; but if blocking is enabled, the sensor continues to block irrespective of its connectivity with the ISM.
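The following is an added example and not IntruShield code: a Python model of the queue-and-block behaviour described above. While the ISM is unreachable, alerts are queued up to a fixed capacity; once the buffer is full, new alerts are dropped while the already-queued ones are kept, and the blocking decision for each event is made regardless of connectivity. The capacity of 5 and the alert contents are constructed for the demonstration.

```python
"""Added example (not IntruShield code): a model of the queue-and-block
behaviour described above. While the ISM is unreachable, alerts are queued
up to a fixed capacity; once full, *new* alerts are dropped (the oldest are
kept), while the blocking decision for each event is made regardless of
ISM connectivity. Capacity and alert contents are constructed."""
from collections import deque


class SensorAlertPath:
    def __init__(self, capacity):
        self.capacity = capacity
        self.queue = deque()
        self.ism_connected = True
        self.forwarded = []      # alerts the ISM actually received
        self.dropped = 0
        self.blocked = 0

    def handle(self, alert, block=False):
        """Process one detected event. Blocking happens first and does not
        depend on connectivity; alert delivery is best-effort."""
        if block:
            self.blocked += 1
        if self.ism_connected:
            self.forwarded.append(alert)
            return "forwarded"
        if len(self.queue) >= self.capacity:
            self.dropped += 1            # buffer full: the newest alert is lost
            return "dropped"
        self.queue.append(alert)
        return "queued"

    def set_connected(self, up):
        """On reconnect, flush queued alerts to the ISM in arrival order."""
        self.ism_connected = up
        flushed = 0
        if up:
            while self.queue:
                self.forwarded.append(self.queue.popleft())
                flushed += 1
        return flushed


def run_outage_scenario(capacity=5, alerts_during_outage=8):
    """Constructed scenario: link drops, N blockable alerts fire, link returns.
    Returns a summary dict for inspection and testing."""
    path = SensorAlertPath(capacity)
    path.handle({"id": 0, "sig": "constructed-alert"}, block=False)
    path.set_connected(False)
    outcomes = [path.handle({"id": i, "sig": "constructed-alert"}, block=True)
                for i in range(1, alerts_during_outage + 1)]
    flushed = path.set_connected(True)
    return {
        "outcomes": outcomes,
        "flushed": flushed,
        "forwarded_ids": [a["id"] for a in path.forwarded],
        "dropped": path.dropped,
        "blocked": path.blocked,
    }


if __name__ == "__main__":
    for k, v in run_outage_scenario().items():
        print(f"{k}: {v}")
```

The point the model makes visible is that the three dropped alerts were still blocked: loss of alert visibility during an outage is not loss of protection, but the dropped count is the figure to watch when sizing the buffer.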
MySQL issues
The common symptoms that occur if your database tables become corrupt:
.MYI or .MYD errors reported in the ems.log file
Inability to acknowledge or delete faults in System Health
When trying to view the packet log in the Alert Viewer, you receive the error message: No Packet log available for this alert at this time
If you think that your MySQL database tables have become corrupt, follow the instructions on verifying your tables in McAfee KnowledgeBase article KB60660 (go to http://mysupport.mcafee.com/Eservice/ and click Search the KnowledgeBase).
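The following is an added example, not McAfee tooling: a Python scanner that looks through ems.log-style lines for the first symptom named above, an error that names a .MYI or .MYD file, and reports which tables to verify. The sample log lines and the table names in them are constructed; the real ems.log format may differ, so the matcher keys only on the file-extension token plus an error keyword on the same line.

```python
"""Added example (not McAfee's own tooling): scan ems.log-style lines for the
MyISAM symptom named above (.MYI / .MYD errors). The sample log lines below
are constructed; the real ems.log format may differ, so the matcher only
looks for the file-extension token and an error keyword on the same line."""
import re

# Constructed sample lines: two genuine symptoms, one benign mention of a
# .MYD path without an error, and ordinary noise.
SAMPLE_EMS_LOG = """\
2009-03-02 10:14:05 INFO  AlertArchiver started
2009-03-02 10:14:09 ERROR Incorrect key file for table './demo/demo_alert.MYI'; try to repair it
2009-03-02 10:14:09 INFO  backup of demo_packetlog.MYD completed
2009-03-02 10:15:31 ERROR Can't find file: 'demo_packetlog.MYD' (errno: 2)
2009-03-02 10:16:00 WARN  Scheduler queue depth 42
"""

# A line counts as a symptom only if it names a MyISAM file AND carries an
# error indicator; a successful backup mentioning .MYD is not a symptom.
ERROR_HINT = re.compile(r"\b(ERROR|error|fail(?:ed|ure)?|corrupt(?:ed)?|Can't find|Incorrect key file)\b")
MYISAM_FILE = re.compile(r"(?P<table>\w+)\.(?P<ext>MYI|MYD)\b")


def scan_ems_log(text):
    """Return one finding per symptomatic line: (line_no, table, ext, line)."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = MYISAM_FILE.search(line)
        if m and ERROR_HINT.search(line):
            findings.append((no, m.group("table"), m.group("ext"), line))
    return findings


def tables_to_check(findings):
    """Distinct table names to run the KB-described verification against."""
    return sorted({table for _, table, _, _ in findings})


if __name__ == "__main__":
    found = scan_ems_log(SAMPLE_EMS_LOG)
    for no, table, ext, line in found:
        print(f"line {no}: table {table} ({ext}) -> {line}")
    print("verify tables:", tables_to_check(found))
```

Feed it the real ems.log (for example `scan_ems_log(open(path).read())`) and use the table list as the input to the verification procedure in KB60660 rather than repairing every table blindly.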
ISL frames
All IntruShield sensor models (running all sensor software versions) pass ISL frames through the sensor without IPS inspection.
CHAPTER 4
Take steps to reduce false positives and noise from the start. If you allow a large number of noisy alerts to continue to fire on a very busy network, parsing and pruning the database can quickly become cumbersome tasks. It is preferable for all parties involved to put energy into preventing false positives rather than into working around them. One method is to disable all alerts that are obviously not applicable to the hosts you will protect. For example, if you use only Apache Web servers, you may wish to disable IIS-related attacks.
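The following is an added example, not from the guide: two noise-reduction steps the paragraph above recommends, expressed in Python. First, derive the signatures to disable from an inventory of what the protected hosts actually run (the Apache-only/IIS case). Second, rank the alerts that do fire by volume and by distinct source and destination counts, so the noisiest tuning candidates surface first. The inventory, the signature catalogue with its product tags, and the alert records are all constructed.

```python
"""Added example (not from the guide): two of the noise-reduction steps the
paragraph above recommends. Inventory, signature tags and alert records are
all constructed for illustration."""
from collections import Counter, defaultdict

# Constructed inventory: which server software runs on the protected hosts.
INVENTORY = {"web": {"apache"}, "db": {"mysql"}, "mail": set()}

# Constructed signature catalogue: name -> the product the signature targets
# (None means generic; never disabled on inventory grounds alone).
SIGNATURES = {
    "HTTP: IIS Unicode Traversal": "iis",
    "HTTP: IIS WebDAV Overflow": "iis",
    "HTTP: Apache Chunked Overflow": "apache",
    "MySQL: Auth Bypass": "mysql",
    "MSSQL: Slammer Worm": "mssql",
    "TCP: SYN Flood": None,
}


def signatures_to_disable(inventory, signatures):
    """Disable signatures whose target product runs on none of the hosts."""
    deployed = set().union(*inventory.values())
    return sorted(name for name, product in signatures.items()
                  if product is not None and product not in deployed)


# Constructed alert records: (signature, source address, destination address)
ALERTS = [
    ("TCP: SYN Flood", "10.0.0.5", "192.0.2.10"),
    ("TCP: SYN Flood", "10.0.0.6", "192.0.2.11"),
    ("TCP: SYN Flood", "10.0.0.7", "192.0.2.12"),
    ("TCP: SYN Flood", "10.0.0.8", "192.0.2.13"),
    ("HTTP: Apache Chunked Overflow", "198.51.100.9", "192.0.2.10"),
    ("HTTP: IIS Unicode Traversal", "198.51.100.9", "192.0.2.10"),
    ("HTTP: IIS Unicode Traversal", "198.51.100.3", "192.0.2.10"),
]


def rank_noise(alerts, top=3):
    """Rank signatures by alert count, with distinct source/destination counts
    so a reviewer can tell one real attacker from a broad benign trigger.
    Returns (signature, alerts, distinct_sources, distinct_destinations)."""
    count = Counter()
    srcs, dsts = defaultdict(set), defaultdict(set)
    for sig, src, dst in alerts:
        count[sig] += 1
        srcs[sig].add(src)
        dsts[sig].add(dst)
    return [(sig, n, len(srcs[sig]), len(dsts[sig])) for sig, n in count.most_common(top)]


if __name__ == "__main__":
    print("disable:", signatures_to_disable(INVENTORY, SIGNATURES))
    for row in rank_noise(ALERTS):
        print("sig=%s alerts=%d sources=%d destinations=%d" % row)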
Incorrect identification
These alerts typically result from overly aggressive signature design, special characteristics of the user environment, or system bugs. For example, typical users will never use nested file folders with a path more than 256 characters long; however, a particular user may push the Windows' free-style naming to the extreme and create files with path names more than 1024 characters. Issues in this category are rare. They can be fixed by signature modifications or software bug fixes.
Also, please provide detailed information on the test configuration in the form of a network diagram.
Create an Evidence Report (within Alert Viewer) with the packet log.
Be ready to tell Technical Support how often you are seeing the alerts and whether they are ongoing.
CHAPTER 5
Critical faults
Critical faults are the highest severity faults and generally indicate a serious issue. See the Action column for potential troubleshooting tips.
Fault
Severity
Description/Cause
Action
Severity: Critical
Description/Cause: An attempt to save alerts to the database failed, most likely due to insufficient database capacity.
Action: Ensure that the disk space allocated to the database is sufficient, and try the operation again.

Severity: Critical
Description/Cause: The firmware upgrade has failed on the sensor.

Severity: Critical
Description/Cause: The ISM's key file is unavailable and possibly corrupted.
Action: If you have a database backup file (and think it is not corrupted) you can attempt a Restore. If this does not work, you may need to manually repair the database. Contact McAfee Technical Support.

Severity: Critical
Description/Cause: This fault could indicate a database corruption.
Action: If you have a database backup file (and think it is not corrupted) you can attempt a Restore. If this does not work, you may need to manually repair the database. Contact McAfee Technical Support.
Severity: Critical
Description/Cause: The software versions on the cluster primary and cluster secondary are not the same.

Severity: Critical
Description/Cause: The ISM is unable to communicate with the Update Server. Any connectivity issue with the Update Server will generate this fault, including DNS name resolution failure, Update Server failure, proxy server connectivity failure, network connectivity failure, and even situations where the network cable is detached from the ISM server.
Action: This fault clears when communication with the Update Server succeeds. If your ISM is connected to the Internet, ensure it has connectivity to the Internet. Contact McAfee Technical Support if you have lost your Update Server authentication information.

Severity: Critical
Description/Cause: The ISM is unable to communicate with the proxy server. (This fault can occur only when the ISM is configured to communicate with a proxy server.)
Action: This fault clears when communication to the Update Server through the proxy succeeds.

Fault: Sensor found a conflict with MDR Status; ISM IP address / MDR status as ...
Severity: Critical
Description/Cause: There is a problem with MDR configuration.
Action: Check your MDR settings.

Fault: Sensor found a conflict with MDR Mode; ISM IP address / MDR status as ...
Severity: Critical

Fault: Sensor found a conflict with MDR-Pair IPAddress; ISM IP address / MDR action.
Severity: Critical

Severity: Critical
Description/Cause: This can indicate insufficient disk space for storage of the backup file.
Action: Check your disk capacity and clear enough space to accommodate the backup file, and then attempt the backup again.
Severity: Critical
Description/Cause: Problems in communicating to the database.
Action: Check that the database service is running and connectivity is present.

Severity: Critical
Description/Cause: A warning is displayed: Unable To Locate Index File For Table.
Action: Repair the corrupt database tables.

Severity: Critical
Description/Cause: The ISM is not communicating with the database; the alert and packet log queues are overflowing.

Severity: Critical
Description/Cause: As with the Approaching alert capacity threshold fault message, this message indicates the percentage of space occupied by alerts in the database. This message appears once you have exceeded the alert threshold specified in ISM > Maintenance.
Action: Perform maintenance operations to clean the database. Delete unnecessary alerts, such as alerts older than a specific number of days. Failure to create additional space could cause undesirable behavior in the ISM.

Severity: Critical
Description/Cause: Indicates a failure to create a secure connection between the ISM and the sensor. Can be caused by loss of synchronization between the system time of the ISM server and the sensor. Can also indicate that the sensor is not completely on-line after a reboot.
Action: Restart the ISM. Check the sensor's operating status to ensure that its health and status are good.

Severity: Critical
Description/Cause: Communication has timed out between the Fail Open Controller in the sensor's Compact Flash port and the Fail Open Bypass Switch. This situation has caused the sensor to move to Bypass mode and traffic to bypass the sensor.
Action: The fault could be the result of a cable being disconnected, or removal of the Bypass Switch. This fault clears automatically when communication resumes between the Fail Open Controller and the Fail Open Bypass Switch.

Severity: Critical
Description/Cause: This fault indicates whether the sensor peer is up or down.
Fault: Fan error
Severity: Critical
Description/Cause: One or more of the fans inside the sensor have failed. For the I-4000 and I-4010, the ISM indicates which fan has failed. For the I-2600, the fan number is not specified.
Action: On the I-4000, you can also check the sensor's front panel LEDs to see which fan has failed. If a fan is not operational, McAfee strongly recommends powering down the sensor and contacting Technical Support to schedule a replacement unit. In the meantime, you can use an external fan (blowing into the front of the sensor) to prevent the sensor from overheating until the replacement is completed.

Fault: The sensor is not communicating with the Fail-Open Bypass Switch.
Severity: Critical
Description/Cause: This fault indicates that the Bypass Switch did not receive a signal from the Fail-Open Controller, and could possibly indicate sensor port failure.

Severity: Critical
Description/Cause: The connectivity between the sensor and the firewall is down. This fault can occur in situations where, for example, the firewall machine is down, or the network is experiencing problems.
Action: Ping the firewall to see if the firewall is available. Contact your IT department to troubleshoot connectivity issues.

Fault: Port conflict in ICC UDS synchronization.
Severity: Critical
Description/Cause: Port already in use by UDS.
Action: Free this port for ICC synchronization to succeed.

Severity: Critical
Description/Cause: The sensor is configured to operate with an external Fail-Open Module hardware component, but cannot detect the hardware. This error applies only to sensors running in in-line mode with a gigabit port in fail-open mode (using the external Fail Open Module). When this fault is triggered, the port will be in bypass mode and will send another fault of that nature to the ISM.
Action: When appropriate configuration is sent to the sensor (either the hardware is discovered or the configuration changes), the sensor begins to operate in in-line fail-open mode.
Severity: Critical
Action: You will need to edit your existing UDS attacks to make them conform to the new signature set definitions. Bring up the UDS Editor (Policies > Policies > UDS) and manually perform the edit and validation. This fault clears when a subsequent UDS compilation succeeds.

Severity: Critical
Description/Cause: The sensor detects that a particular SSL decryption key is no longer valid; for example, it may be failing to decrypt traffic.
Action: Re-import the key (which is identified within the error message). The fault will clear itself when the key is determined to be valid.

Severity: Critical
Description/Cause: Unsupported configuration upgrade/downgrade; default configurations are used.
Action: This is an internal error. Check the sensor status to see that the sensor is online and in good health.

Severity: Critical
Description/Cause: Indicates that your IntruShield license is about to expire; this fault first appears 7 days prior to expiration.
Action: Contact licensing@mcafee.com for a current license. This fault clears when the license is current.

Fault: Licence expired
Severity: Critical
Description/Cause: Indicates that your IntruShield license has expired.
Action: Contact licensing@mcafee.com for a current license. This fault clears when the license is current.

Fault: Link failure
Severity: Critical
Description/Cause: The link between a Monitoring port on the sensor and the device to which it is connected is down, and communication is unavailable. The fault indicates which port is affected.
Action: Contact your IT department to troubleshoot connectivity issues: check the cabling of the specified Monitoring port and the device connected to it; check the speed and duplex mode of the connection to the switch or router to ensure these parameters are set correctly; check power to the switch or router. This fault clears when communication is re-established.

Severity: Critical
Description/Cause: The ISM is experiencing high memory usage. Available system memory is low.
Severity: Critical
Description/Cause: Occurs when the Manager cannot push the MPE Certificate to a sensor. This could result from a network connectivity issue.

Fault: On-demand scan failed because connection was refused to FoundScan engine
Severity: Critical
Description/Cause: This fault can be due to two reasons: the user has not specified the Fully Qualified Domain Name, or the FoundScan engine is shut down.
Action: For more information on using the Fully Qualified Domain Name, see Foundstone Installation, Administrative Domain Configuration Guide.

Fault: Packet log update failed
Severity: Critical
Description/Cause: An attempt to save packet log data to the database failed, most likely due to insufficient database capacity.
Action: Ensure that the disk space allocated to the database is sufficient, and try the operation again.

Severity: Critical
Description/Cause: This fault could indicate a problem with the setup or configuration of the 10/100 Ethernet ports or devices connected to those ports. It could also indicate a compatibility issue between the sensor and the device to which it is connected.
Action: The sensor may be detecting an issue with another device located on the same network link. Check to see if there is a problem with one of the other devices on the same link as the sensor. This situation could cause traffic to cease flowing on the sensor and may require a sensor reboot.

Severity: Critical
Description/Cause: There is a mismatch in the media or connector type on the port: the configuration says copper and the port uses fiber, or vice versa.

Severity: Critical
Description/Cause: There is a mismatch in the McAfee Certified SFP. The configuration says 'use McAfee certified', but the SFP is not McAfee certified.

Severity: Critical
Description/Cause: This fault indicates that the indicated GBIC ports are unable to remain in In-line Mode as configured. This has caused fail-open control to initiate and the sensor is now operating in Bypass Mode. Bypass mode indicates that traffic is flowing through the Fail Open Bypass Switch, bypassing the sensor completely.
Action: Check the health of the sensor and the indicated ports. Check the connectivity of the Fail Open Control Cable to ensure that the Fail Open Control Module can communicate with the Fail Open Controller in the sensor's Compact Flash port.
Severity: Critical
Description/Cause: This message indicates that the ports have gone from Bypass Mode back to normal.

Severity: Critical
Description/Cause: (Seen only with sensors with a redundant power supply.) This fault indicates a loss of power in one of the two power supplies in the sensor (primary or secondary). This fault can indicate that the power supply has failed; that the supply has been inserted, but there is no power to the supply; or that the power supply has been removed.
Action: If the power supply is in place and plugged in to a power source, check power to the outlet providing power to the power supply. If the fault indicates that there is no power and a power interruption is not the cause, replace the failed power supply. Contact McAfee Technical Support to schedule a replacement unit.

Severity: Critical
Description/Cause: This message indicates that the vulnerability data import by the Scheduler from the Foundstone database has failed.

Severity: Critical
Description/Cause: A sensor was replaced with a different model type (for example, an I-1200 was replaced with an I-1200-FO (failover only) sensor). The alert channel will be unable to make a connection.
Action: When replacing a sensor, ensure that you replace it with an identical model (for example, replace an I-1200 with an I-1200; do not attempt to replace a regular sensor with a failover-only model, or vice versa).

Severity: Critical
Description/Cause: The ISM cannot push the original sensor configuration to the sensor during sensor reinitialization, possibly because the trust relationship is lost between the ISM and the sensor. This can also occur when a failed sensor is replaced with a new unit, and the new unit is unable to discover its configuration information.
Action: The link between the ISM and the sensor may be down, or you may need to reestablish the trust relationship between the sensor and the ISM by resetting the shared key values.
Severity: Critical
Description/Cause: The sensor failed to discover its configuration information, and thus is not properly initialized. Typically, the ISM will be unable to display the sensor. Could indicate an old sensor image on the sensor.
Action: If this fault is triggered because the sensor is temporarily unavailable, the ISM will clear this fault when the sensor is back on-line. If the fault persists, check to ensure that the sensor has the latest software image compatible with the ISM software image. If the images are incompatible, update the sensor image via a TFTP server. You must manually clear this fault.

Severity: Critical
Action: This error may cause a reboot of the sensor, which may resolve the issue causing the fault. If the fault persists, McAfee recommends that you perform the following steps to help McAfee Technical Support with troubleshooting: execute a logstat on the sensor as described in the sensor CLI command reference, perform a Diagnostic Trace as described in Uploading a diagnostics trace from a sensor to your ISM, Sensor Configuration Guide using ISM, and submit the trace file to Technical Support for troubleshooting.

Severity: Critical
Description/Cause: A sensor has been replaced with a different model (for example, an I-4000 or I-4010 sensor has been replaced by an I-2600 sensor, or a regular sensor is replaced by a failover model).
Action: A sensor can be replaced only by a similar model. Check to ensure that the configuration information matches the model type. For instructions on replacing a sensor, see Replacing a Sensor, Sensor Configuration Guide using CLI.

Severity: Critical
Description/Cause: User-configured SSL decryption settings for a particular sensor changed, requiring a sensor reboot.
Action: Reboot the sensor to cause the changes to take effect.
Severity: Critical
Description/Cause: This fault occurs as a second part to the Sensor discovery failure fault. If the condition of the sensor changes such that the ISM can again communicate with it, the ISM again checks to see if the sensor discovery was successful. This fault is issued if discovery fails, and thus the sensor is still not properly initialized.
Action: Check to ensure that the sensor has the latest software image compatible with the ISM software image. If the images are incompatible, update the sensor image via a TFTP server.

Severity: Critical
Description/Cause: Indicates that an error has occurred with a signature set that has been successfully applied on a sensor.
Action: Re-import the signature set onto the sensor. This can indicate a problem within the signature set itself that was not detected during download; if re-importing the same set does not solve the problem, providing a new signature set may clear the fault. If this does not solve the issue, reboot the sensor. If the fault persists, contact Technical Support. The fault will clear when the signature set is successfully applied on the sensor and continues to be error-free after application.

Fault: Sensor is now operating in Layer2 Bypass mode. Intrusion detection/prevention is not functioning
Severity: Critical
Description/Cause: The sensor has experienced multiple errors, surpassing the configured Layer2 mode threshold.
Action: Check the sensor's status.

Severity: Critical
Description/Cause: The sensor has moved from detection mode to Layer 2 (Passthru) mode. This indicates that the sensor has experienced the specified number of errors within the specified timeframe and Layer 2 mode has triggered.
Action: The sensor will remain in Layer 2 mode until Layer 2 is disabled and the sensor is rebooted.
Fault: Sensor is unreachable
Severity: Critical
Description/Cause: Indicates that the sensor cannot communicate with the ISM: the connection between the sensor and the ISM is down, or the sensor has been administratively disconnected.
Action: Contact your IT department to troubleshoot connectivity issues: check that a connection route between the ISM and the sensor exists; check the sensor's status using the status command in the sensor command line interface, or ping the sensor or the sensor gateway to ensure connectivity to the sensor. This fault clears when the ISM detects the sensor again.

Severity: Critical
Description/Cause: The attempt to update the signature set on the ISM was not successful, and thus the signature set is not available on the ISM.
Action: You must re-import a signature set before performing any action on the ISM. A valid signature set must be present before any action can be taken in IntruShield.

Severity: Critical
Description/Cause: Occurs when the ISM cannot push the signature set file to a sensor. Could result from a network connectivity issue.
Action: Contact your IT department to troubleshoot connectivity issues: check that a connection route exists between the ISM and the sensor.

Fault: Software error
Severity: Critical
Description/Cause: Indicates a recoverable software error within the sensor.
Action: This error may cause a reboot of the sensor, which may resolve the issue causing the fault. If the fault persists, McAfee recommends that you perform the following steps to help McAfee Technical Support with troubleshooting: execute a logstat on the sensor as described in the sensor CLI command reference, perform a Diagnostic Trace as described in the Sensor Configuration Guide using ISM, and submit the trace file to Technical Support for troubleshooting.

Severity: Critical
Description/Cause: Occurs when the ISM cannot push a decryption key file to a sensor. Could result from a network connectivity issue.
Action: Contact your IT department to troubleshoot connectivity issues: check that a connection route exists between the ISM and the sensor.
Severity: Critical
Description/Cause: Indicates that the IntruShield Command Center and the ISM cannot communicate with each other; the connection between these two may be down, or the ISM has been administratively disconnected.
Action: 1) Check that a connection route exists between the IntruShield Command Center and the ISM. 2) Access the ISM/IntruShield Command Center directly. This fault clears when the ISM detects the sensor again.

Fault: Temperature error
Severity: Critical
Description/Cause: Indicates that the temperature of the sensor is abnormal. The sensor will raise a temperature alert when the internal temperature of the sensor crosses 50 degrees Centigrade. The fault is removed only when the temperature falls below 40 degrees Centigrade.
Action: Check for a Fan Status fault, and also check the sensor's front panel LEDs to see if the sensor's fans are operational. If a fan is not operational, McAfee strongly recommends contacting Technical Support as soon as possible to schedule a replacement unit. In the meantime, you can use an external fan (blowing into the front of the sensor) to prevent the sensor from overheating until the repair is completed. If a fan is not the issue, please ensure that the room where the sensor is located is cool enough for the sensor to operate without overheating.

Severity: Critical
Description/Cause: This fault generally occurs in situations where the port in question is configured incorrectly. For example, a pair of ports is configured to be in different operating modes (1A is in-line while 1B is in SPAN).
Action: Check the configuration of the port pair to see if there is an inconsistency, and make the port pair run in the same operating mode.

Severity: Critical
Description/Cause: An IntruShield sensor sends this fault to the ISM when it is not able to communicate with the McAfee NAC server to which it has been configured.
Action: Check the Condition Type field in the Fault Detail page to know the probable reason for this communication failure.
Fault: No communication exists between ICC and ISM. ICC may not be configured.
Severity: Critical
Description/Cause: Indicates that the ICC server and the ISM cannot communicate with each other. The connection between these two may be down, or ICC has been administratively disconnected.
Action: 1) Check that a connection route exists between the ICC and the ISM; 2) Access the ISM directly. This fault clears when the ISM detects the sensor again.

Fault: ISM failed to establish trust with ICC server. ICC could not be configured onto ISM or ICC server is not reachable.
Severity: Critical
Action: Delete the previous configuration and establish a new trust with ICC.

Severity: Critical
Description/Cause: The ICC is in MDR mode and no Manager is in Active state.
Action: Bring any ICC MDR pair into Active state.

Severity: Critical
Description/Cause: The trust request failed due to an internal error.
Action: Check the log for details.
Fault: The Manager <ISM name> has moved to MDR mode, and this manager cannot handle the change
Severity: Critical
Description/Cause: The ICC server is in Standby mode. The ISM server which is configured by ICC goes into secondary Standby mode after MDR creation or before the data dump from primary to secondary takes place. The ISM server configured by ICC is in Active mode but is in a disconnected state and therefore cannot communicate with ICC. If the ISM is reconnected and ICC is in Standby mode, then the peer ICC does not have the ISM configuration.
Action: If the ICC server has moved to Standby, then move the ICC with the latest ISM information to Active mode, or recreate the MDR pair. If the ISM has moved to Standby, then make the ISM with ICC information Active, or make sure that the active ICC or ISM has the latest configuration data.

Fault: The Manager <ISM name> has moved to MDR mode, and this manager cannot handle the change
Severity: Critical
Description/Cause: The ISM server is in Standby mode (MDR action) and the active peer ISM does not have ICC information.
Action: If the ISM server has moved to Standby, then make the ICC with the latest ISM information Active or reform the MDR pair; if the ISM has moved to Standby, then make the ISM with ICC information Active or make sure that the active ICC or ISM has the latest configuration data. Dissolve and recreate the MDR pair.

Severity: Critical
Description/Cause: The configuration between an existing MDR pair (ISM 1 and ISM 2, both ICC configured) is disabled and a new MDR pair configuration has been created with ISM 2 and ISM 3. ISM 2 is in Standby mode and ISM 3 does not have ICC configuration.

Severity: Critical
Description/Cause: If two ISMs, ISM 1 and ISM 2, are configured to ICC, and an MDR pair has to be established between them, then ICC considers the active ISM configuration.
Action: The Standby ISM information is deleted from ICC.
Error faults
The faults listed in the following table have a severity of Error.
Error faults
Fault
Severity
Description/Cause
Action
Severity: Error
Description/Cause: Indicates a failure to communicate with the sensor via the channel on which the ISM listens for sensor alerts.

Severity: Error
Description/Cause: Displays the percentage of space occupied by alerts in the database. As available space decreases, this message will continue to appear at 50%, 70%, 90% and 100%. Once you've exceeded this threshold, an Exceeding fault will appear.
Action: Perform maintenance operations to clean the database. Delete unnecessary alerts, such as alerts older than a specific number of days.
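The following is an added example and not ISM code: the two fault-state patterns these tables describe, written out in Python so the difference is visible. The Temperature error in the Critical faults table raises at 50 degrees Centigrade but clears only below 40 (hysteresis, so a sensor hovering around 50 does not flap), while the alert-capacity fault above re-announces at 50%, 70%, 90% and 100% and hands over to an Exceeding fault once the maintenance threshold is passed. The readings fed in, and the 90% stand-in for the threshold set under ISM > Maintenance, are constructed.

```python
"""Added example (not ISM code): the two fault-state patterns in these tables,
generalised. Readings and the maintenance threshold are constructed."""


class HysteresisFault:
    """Raise when value >= raise_at; clear only when value < clear_at.
    Models the Temperature error's 50/40 degree behaviour."""

    def __init__(self, raise_at, clear_at):
        assert clear_at < raise_at, "clear point must sit below raise point"
        self.raise_at, self.clear_at = raise_at, clear_at
        self.active = False

    def update(self, value):
        """Return 'raised', 'cleared' or None for a new reading."""
        if not self.active and value >= self.raise_at:
            self.active = True
            return "raised"
        if self.active and value < self.clear_at:
            self.active = False
            return "cleared"
        return None


class StagedCapacityFault:
    """Emit 'approaching N%' once per stage crossed, in order, and
    'exceeding' once the configured maintenance threshold is passed."""

    def __init__(self, exceed_at, stages=(50, 70, 90, 100)):
        self.stages = stages
        self.exceed_at = exceed_at
        self.announced = set()
        self.exceeding = False

    def update(self, percent_used):
        events = []
        for s in self.stages:
            if percent_used >= s and s not in self.announced:
                self.announced.add(s)
                events.append(f"approaching {s}%")
        if percent_used >= self.exceed_at and not self.exceeding:
            self.exceeding = True
            events.append("exceeding")
        return events


def run_temperature_trace(readings):
    """Apply the 50/40 rule to Centigrade readings; return (reading, event) pairs."""
    fault = HysteresisFault(raise_at=50, clear_at=40)
    events = []
    for t in readings:
        e = fault.update(t)
        if e:
            events.append((t, e))
    return events


def run_capacity_trace(percentages, maintenance_threshold=90):
    """Apply the staged announcements to database-usage readings.
    maintenance_threshold stands in for the ISM > Maintenance value (constructed)."""
    fault = StagedCapacityFault(exceed_at=maintenance_threshold)
    return [(p, ev) for p in percentages for ev in fault.update(p)]


if __name__ == "__main__":
    print(run_temperature_trace([35, 49, 50, 48, 45, 41, 39, 52]))
    print(run_capacity_trace([30, 55, 60, 75, 95, 100]))
```

The hysteresis version is what you want for any physical reading that oscillates; the staged version is for a monotonic resource that only gets worse until someone acts, which is why it never clears on its own and the action column says to clean the database.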
Fault: Error while applying firewall filter
Severity: Error
Description/Cause: An attempt to apply this firewall filter from the sensor to the firewall has failed.
Action: Check your firewall configuration. If possible, increase the maximum number of available filters. Ensure connectivity between the sensor and the firewall.

Severity: Error
Description/Cause: The ISM was unable to obtain the requested profile from a peer sensor. This was likely due to the requested profile, or a valid saved version of it, being unavailable.
Action: See the ems.log file for details on why the error is occurring. The fault will clear when the ISM is able to obtain a valid DoS profile.

Severity: Error
Description/Cause: The ISM is unable to accept more incidents. You have reached the maximum number of incidents that can be accepted by the ISM.
Action: Delete old incidents to provide room for incoming incidents. The fault clears when the ISM can accept incoming incidents.

Severity: Error
Description/Cause: The sensor is dropping packets due to extreme traffic load.

Fault: Mailer unreachable
Severity: Error
Description/Cause: This fault indicates that the SMTP mailer host is unreachable, and occurs when the ISM fails to send an email notification or a scheduled report.
Severity: Error
Description/Cause: Indicates a failure to communicate with the sensor via the channel on which the ISM receives packet logs.

Severity: Error
Description/Cause: The sensor was unable to push a requested profile to the ISM.
Action: See the ems.log file for details on why the error is occurring. The fault will clear when the sensor is able to push a valid DoS profile.

Severity: Error
Description/Cause: The ISM alert queue has reached its maximum size (default 200,000 alerts), and is unable to process alerts until there is space in the queue.
Action: Packets are being detected by your sensor(s) faster than the ISM can process them. This is evidence of extremely heavy activity. Check the packets you are receiving to see what is causing the heavy traffic on the sensor. Also see the suggested actions for the alert Unarchived, queued alert count full.

Severity: Error
Description/Cause: This fault can indicate problems with network connectivity between the Update Server and the ISM, invalid update sets, or update sets that were not properly signed.
Action: This fault clears when a signature update is applied successfully.

Severity: Error
Description/Cause: Unable to make scheduled update of ISM signature sets. This fault can indicate, for example, problems with network connectivity between the Update Server and the ISM or between the ISM and the sensor; invalid update sets; or update sets that were not properly signed.

Severity: Error
Description/Cause: Unable to make scheduled update of sensor. This fault can indicate, for example, problems with network connectivity between the ISM and the sensor, incompatibility between the update set and the ISM software, compilation problems with the signature update set, or an invalid update set.
Action: This fault clears when an update is sent to the sensor successfully.
Severity: Error
Description/Cause: This fault occurs with any type of sensor software failure, and usually occurs in conjunction with a Software error fault.
Action: If this fault persists, McAfee recommends that you execute a logstat from the sensor CLI twice (1 minute apart), then perform a Diagnostic Trace and submit the trace file to McAfee Technical Support for troubleshooting.

Severity: Error
Action: Ensure that the sensor is online and in good health. The ISM will make another attempt to push the file to the sensor. This fault is cleared when the avdat file is successfully pushed to the sensor.

Severity: Error
Description/Cause: The sensor reports that the Pktlog channel between the EMS and the sensor is DOWN, but the EMS detects that the link (socket) is up. This inconsistency may be caused by a channel heartbeat timeout.
Action: The sensor will typically recover on its own. If you are receiving alerts with packet logs and your sensor is otherwise behaving normally, you can ignore this message. Check to see if trust is established between the sensor and ISM by issuing a show command in the sensor CLI. If this fault persists, contact McAfee Technical Support.

Severity: Error
Description/Cause: This fault indicates that the sensor is reporting that the alert channel is down, but the physical channel is actually up.
Action: The sensor will typically recover on its own. If you are receiving alerts and your sensor is otherwise functioning normally, you can ignore this message. Check to see if trust is established between the sensor and ISM by issuing a show command in the sensor CLI.

Severity: Error
Description/Cause: The ISM received a value from the sensor that is invalid. The additional text of the message contains details.
Action: This fault does not clear automatically; it must be cleared manually. Contact McAfee Technical Support for assistance.

Severity: Error
Description/Cause: The sensor configuration update failed to be pushed from the ISM Server to the sensor.
Action: See the ems.log file to isolate the reason for the failure.
Severity: Error
Description/Cause: The ISM detects that a particular SSL decryption key is no longer valid. The detailed reason why the fault is occurring is shown in the fault message. These reasons can range from the sensor reinitializing itself with a different certificate to an inconsistency between the decryption key residing on a primary sensor and its failover peer sensor.
Action: Re-import the key (which is identified within the error message). The fault will clear itself when the key is determined to be valid.

Fault: Unable to clean alerts and packet logs
Severity: Error
Description/Cause: Maintenance is not able to clean alerts and packet logs.

Fault: Unarchived, queued alert count full
Severity: Error
Description/Cause: Indicates that the ISM has reached the limit (default of 100,000) of alerts that can be queued for storage in the database. Also indicates the number of dropped alerts.
Action: Alerts are being detected by your sensor(s) faster than the ISM can process them. This is evidence of extremely heavy activity. Try the following:
- Check the alerts you are receiving to see what is causing the heavy traffic on the sensor(s). You may be under a heavy attack.
- Check your policies. You may have enabled a very verbose policy (for example, All-Inclusive with Audit) which is causing too many alerts/packet logs to be sent to the ISM, or packet logging is excessive (for example, packet logging is enabled for the entire flow for all alerts).
- Your ISM server may not have sufficient disk space/processing power to accommodate the number/rate of alerts your sensors are generating.
Rectify the situation in your policies and let the queue drain and write to the database.

Severity: Error
Description/Cause: Indicates that the ISM has reached the limit (default of 100,000) of packet logs that can be queued for storage in the database. Also indicates the number of dropped packet logs.
Action: See the suggestions for the fault Unarchived, queued alert count full.
Warning faults
The faults listed in the following table have a severity of Warning.
Fault
Severity
Description/Cause
Action

Severity: Warning
Description/Cause: The ISM's attempt to disable failover on the sensor failed. This is likely due to the sensor being unavailable, or down.
Action: Ensure that the sensor is on-line. The ISM will make another attempt to disable failover when it detects that the sensor is up. The fault will clear when the ISM is successful.

Fault: DB Tuning Required
Severity: Warning
Description/Cause: Database Tuning is needed. "..." days have passed since the last database tuning.
Action: Shut down the ISM and execute the Database Tuning Utility at the earliest opportunity.

Severity: Warning
Description/Cause: Report Generation has failed for Schedule Report Template due to unavailability of resource(s) in the ISM.

Severity: Warning
Description/Cause: Failed to backup Policy.

Severity: Warning
Description/Cause: The firewall status on the failover pair is inconsistent. This may cause the firewall function to be inconsistent for the pair.
Action: Ensure that both sensors of the failover pair are connected, and that both sensors are online and in good health.
Severity: Warning
Description/Cause: The Audit Log capacity of the ISM was reached, and the ISM will begin overwriting the oldest records with the newest records (i.e. first in, first out). The fault indicates the number of records that have been written to the audit log; an equal number of audit log records are now being overwritten.
Action: This fault will be raised after a configured number of records is written. No action is required. The capacity is configured in the iv_emsproperties table in MySQL; this option can be turned off. If this feature is enabled, when disk capacity is reached or audit log capacity is reached, then Audit Log rotation is initiated.

Severity: Warning
Action: Perform database tuning (dbtuning) to fix possible database inconsistencies that may have resulted. Tuning may take a while, depending on the amount of data currently in the database.

Severity: Warning
Description/Cause: This warning denotes the failure to update the McAfee NAC-installation-related configuration.
Action: Uninstall and try to update the McAfee NAC-installation-related configuration.

Fault: Pluggable interface in port.
Severity: Warning

Fault: Policy Synchronization aborted because concurrent processes are running on the ISM Server
Severity: Warning
Description/Cause: Unable to synchronize policy because concurrent processes are running on the ISM Server.
Fault: Problems Communicating to Database: Syntax error or access violation: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '<text>')' at line 1
Severity: Warning
Description/Cause: In McAfee ISM 1.8 or 1.9 it was possible to enter an apostrophe when creating an Alert Filter. However, in version 2.1 having an apostrophe in the Alert Filter became invalid. Any attempt in McAfee ISM 2.1 to add an apostrophe will prompt the user with a popup error warning that invalid characters were entered. You may be unable to push updated policies to sensors. After a policy update, the ISM still shows that a policy update is required.
Action: You must delete the alert filter with the apostrophe and recreate it without an apostrophe. To delete an alert filter:
1 In the ISM, click on the <Domain Name> which has the error.
2 Click the Policies node. If it is not already selected, click the Policies tab.
3 Click Alert Filter Editor.
4 In the Alert Filter Name section, select the alert filter with the apostrophe.
5 Click Delete. A Confirmation dialog box displays with the question, Do you want to delete the selected item?
6 Click Yes. The alert filter no longer displays in the list.
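Why an apostrophe in a filter name produces the MySQL error quoted above, and the two checks that prevent it (rejecting the character at input time, as ISM 2.1 does, and binding the value instead of splicing it into the SQL text): an added example, not ISM code. The ISM stores filters in MySQL; this block uses Python's sqlite3 module so it runs offline, and the table name, column name and rejected character set are assumptions.

```python
"""Alert Filter name handling: the failure mode behind the fault above.

Constructed example, not McAfee code. sqlite3 stands in for the ISM's MySQL
database; the alert_filter table, its name column and INVALID_CHARS are
assumptions made for illustration.
"""
import re
import sqlite3

# Characters rejected at input time. The page names only the apostrophe;
# the double quote, backslash and semicolon are added as an assumption
# because they break a spliced query in the same way.
INVALID_CHARS = re.compile(r"['\"\\;]")


def is_valid_filter_name(name: str) -> bool:
    """Input-layer check: True when the name contains none of the rejected characters."""
    return bool(name) and INVALID_CHARS.search(name) is None


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the ISM database with a single alert_filter table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alert_filter (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"
    )
    return conn


def insert_concatenated(conn: sqlite3.Connection, name: str) -> None:
    """The failure mode: the name is spliced into the SQL text.

    An apostrophe ends the string literal early, the remainder of the name is
    parsed as SQL, and the server reports a syntax error near the leftover
    "')" exactly as the fault message quotes.
    """
    sql = "INSERT INTO alert_filter (name) VALUES ('" + name + "')"
    conn.execute(sql)


def insert_parameterized(conn: sqlite3.Connection, name: str) -> None:
    """Query-layer fix: the driver binds the name as a value, never as SQL text."""
    conn.execute("INSERT INTO alert_filter (name) VALUES (?)", (name,))


def try_insert(conn: sqlite3.Connection, name: str, parameterized: bool):
    """Insert a filter name and report ('ok', stored_name) or ('error', message)."""
    try:
        if parameterized:
            insert_parameterized(conn, name)
        else:
            insert_concatenated(conn, name)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    row = conn.execute(
        "SELECT name FROM alert_filter WHERE name = ?", (name,)
    ).fetchone()
    return ("ok", row[0])
```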
Severity: Warning
Description/Cause: This warning could be caused by the physical configuration of the MFA chassis changing. This occurs when the sensor connects to the ISM with a different physical configuration.

Severity: Warning
Description/Cause: An attempt to update the signature set on both sensors of a failover pair was unsuccessful for one of the pair, causing the signature sets to be out of sync on the two sensors.
Action: The ISM will make another attempt to automatically push the signature file down to the sensor on which the update operation failed. Ensure that the sensor in question is online and in good health. The fault will clear when the ISM is successful. If the operation fails a second time, a Critical Signature set download failure fault will be shown as well. Both faults will clear when the signature set is successfully pushed to the sensor.

Severity: Warning
Description/Cause: Unable to make a scheduled backup of the ISM Configuration. This fault can indicate problems such as SQL exceptions, database connectivity problems, or out-of-disk-space errors.
Action: Check your Backup configuration settings. This fault clears when a successful backup is made.
Severity: Warning
Description/Cause: The sensor is not properly initialized. Either it is in the process of starting up and is not ready, or the signature set is missing on the sensor.
Action: The sensor may have just been rebooted and is not up yet. Wait a few minutes to see if this is the issue; if not, check to ensure that a signature set is present on the sensor. A resetconfig command may have been issued and the sensor not yet reconfigured.

Fault: Sensor power up
Severity: Warning
Description/Cause: The sensor has just completed booting and is on-line.
Action: This message is informational. Acknowledge or delete the fault to clear it.

Severity: Warning
Description/Cause: The ISM was unable to update the decryption key on one sensor in a failover pair, causing the key on one sensor to be out of sync with the one on its failover peer.
Action: The ISM will make another attempt to update the key. Ensure that the sensor is online and in good health. The fault will clear when the ISM successfully pushes the key to the sensor and both keys are in sync.

Fault: System startup restored alerts from the archive file.
Severity: Warning
Description/Cause: Alert Manager may not show all alerts.
Informational faults
The faults listed in the following table are Informational in nature. These faults indicate system status, for example. An Action type of n/a indicates that no action is required; the message is informational.
Fault
Severity
Description/Cause
Action

Fault: Alert archival in progress
Severity: Informational
Description/Cause: ISM is archiving the alerts, and this is in progress.

Fault: Alert Archival state has changed
Severity: Informational
Description/Cause: The alert archival process has started.

Fault: Cluster software initialization status
Severity: Informational
Description/Cause: Sensor software has initialized correctly.

Fault: Conflict in MDR Pair IP address
Severity: Informational
Description/Cause: Sensor found a conflict with MDR pair IP address; ISM IP address / MDR status as ...
Action: There is a problem with MDR configuration. Check your MDR settings.

Severity: Informational
Description/Cause: Daily scheduled report generation process successfully completed.
Action: n/a
Fault: Daily scheduled report generation in progress
Severity: Informational
Action: n/a

Fault: Data dump retrieval from peer has been completed successfully
Severity: Informational
Action: n/a

Fault: Data dump retrieval from peer is in progress
Severity: Informational
Action: n/a

Fault: Database archival in progress
Severity: Informational
Action: Do not attempt to tune the database or perform any other database activity such as a backup or restore until the archival process successfully completes.

Fault: Unable to backup database tables.
Severity: Informational
Description/Cause: This message indicates that an attempt to manually back up the database has failed. The most likely cause of failure is insufficient disk space on the ISM server; the backup file may be too big.
Action: Check your disk capacity to ensure there is sufficient disk space, and try the operation again.

Severity: Informational
Description/Cause: A manual or scheduled database backup process is in progress.
Action: Do not attempt to tune the database or perform any other database activity such as an archive or restore until the backup process successfully completes.

Severity: Informational
Description/Cause: The database backup was successful.
Action: n/a
Severity: Informational
Description/Cause: The user cannot do the following operations during the tuning process: (1) viewing or modifying alerts from the alert viewer; (2) generating IDS reports on alerts; (3) backing up or restoring all tables, or the alert and packet log tables; (4) archiving alerts and packet logs into files.

Severity: Informational
Description/Cause: Database Tuning is needed. "..." days have passed since the last database tuning.
Action: Shut down the ISM and execute the Database Tuning Utility at the earliest opportunity.

Severity: Informational
Description/Cause: The database tuning process successfully completed.
Action: n/a

Severity: Informational
Description/Cause: Policy <policy name> is applied on resources.

Severity: Informational
Description/Cause: Creating clone <policy name> before delete.

Severity: Informational
Action: Ensure the Peer ISM is not already in MDR with another Manager.

Severity: Informational
Description/Cause: The two ISMs in an MDR configuration must have the same ISM software version installed. The Primary ISM software is more recent than that of the Secondary ISM.
Action: Ensure the two ISMs run the same software version.
Severity: Informational
Description/Cause: The two ISMs in an MDR configuration must have the same ISM software version installed. The Secondary ISM software is more recent than that of the Primary ISM.
Action: Ensure the two Managers run the same software version.

Severity: Informational
Description/Cause: An IntruShield-defined UDS has been incorporated in a new signature set and has been removed from the UDS Editor.
Action: This message is informational and indicates that an emergency McAfee-provided UDS signature has been appropriately overwritten as part of a signature set upgrade.

Severity: Informational
Description/Cause: Manager Disaster Recovery initiated via a manual switchover is successfully completed. Secondary ISM is now in control of sensors.
Action: n/a

Fault: MDR automatic switchover has been completed; Secondary ISM is in control of sensors
Severity: Informational
Description/Cause: Manager Disaster Recovery switchover has been completed; the Secondary Manager is in control of sensors.
Action: Failover has occurred; the Secondary ISM is now in control of the sensors. Troubleshoot problems with the Primary ISM and attempt to bring it online again. Once it is online again, you can switch control back to the Primary.

Severity: Informational
Description/Cause: Manager Disaster Recovery: the Secondary ISM has successfully retrieved configuration information from the Primary ISM.
Action: n/a

Fault: MDR force switch has been completed; Secondary ISM is in control of sensors
Severity: Informational
Description/Cause: Manager Disaster Recovery is completed via a manual switchover. Secondary ISM is now in control of sensors.
Action: n/a

Fault: MDR has been cancelled
Severity: Informational
Description/Cause: Manager Disaster Recovery has been cancelled.
Action: n/a

Fault: MDR has been configured
Severity: Informational
Description/Cause: Manager Disaster Recovery has been successfully configured.
Action: n/a
Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been resumed. Failover functionality is again available.
Action: n/a

Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been suspended. No failover will take place while MDR is suspended.
Action: n/a

Severity: Informational
Description/Cause: Manager Disaster Recovery switchback has been completed; the Primary ISM has regained control of sensors.
Action: n/a

Severity: Informational
Description/Cause: No Syslog server has been configured to accept ACL logs for the Admin Domain <Admin Domain Name>.
Action: Configure a Syslog server. This message will appear until a Syslog server has been configured for use in forwarding ACL logs.

Severity: Informational
Description/Cause: The data import process is aborted as there was a problem while retrieving the dump from the peer. This fault is generated for MDR pairs.
Action: Check whether the peer ISM machine is reachable from this machine.

Severity: Informational
Description/Cause: A real-time signature file update to sensor(s) is in progress. This action is attempted after a scheduled signature set update to the ISM, and if real-time signature file updates are enabled.
Action: n/a
Severity: Informational
Description/Cause: A real-time signature file update to sensor(s) is successful. This action is attempted after a scheduled signature set update to the ISM, and if real-time signature file updates are enabled.
Action: n/a

Fault: Report creation successfully complete
Severity: Informational
Action: n/a

Fault: Report generation process in progress
Severity: Informational
Action: n/a

Fault: Reset to standalone has been invoked; Primary ISM is in control of sensors
Severity: Informational
Description/Cause: A Reset to Standalone has been invoked; the Primary ISM is standalone and is in control of sensors.
Action: n/a

Fault: Reset to standalone has been invoked; Secondary ISM is in control of sensors
Severity: Informational
Description/Cause: A Reset to Standalone has been invoked; the Secondary ISM is standalone and is in control of sensors.
Action: n/a

Fault: Reset to standalone has been invoked; This Manager is in control of sensors
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the current ISM is standalone and in control of sensors.
Action: n/a

Fault: Reset to standalone has been invoked; Peer ISM is in control of sensors
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the Peer ISM is standalone and in control of sensors.
Action: n/a

Fault: Unable to create backup for scheduled database
Severity: Informational
Description/Cause: This fault indicates problems such as SQL exceptions, database connectivity problems, or out-of-disk-space errors.
Action: Check your backup configuration settings. This fault clears when a successful backup is made.

Fault: Scheduled signature set download from Update Server to ISM in progress
Severity: Informational
Description/Cause: A scheduled signature set update is in the process of downloading from the McAfee Update Server to the ISM server.
Action: n/a
Fault: Scheduled signature set download from Update Server to ISM is successful
Severity: Informational
Description/Cause: A scheduled signature set download from the McAfee Update Server to the ISM server is successful.
Action: n/a

Fault: Scheduled signature file update from ISM to sensor(s) is in progress
Severity: Informational
Description/Cause: A scheduled signature file update from the ISM to sensor(s) is in progress.
Action: n/a

Fault: Scheduled signature file update from ISM to Sensor(s) successful
Severity: Informational
Description/Cause: A scheduled signature file update from the ISM to sensor(s) is successful.
Action: n/a

Fault: Scheduler - Signature download from ISM to Sensor failed
Severity: Informational
Description/Cause: Scheduler - Signature download from ISM to Sensor has failed.
Action: n/a

Severity: Informational
Description/Cause: Sensor configuration update failed while transferring from the ISM server to the sensor.
Action: n/a

Severity: Informational
Description/Cause: A sensor configuration update is in the process of being pushed from the ISM server to the sensor.
Action: n/a

Severity: Informational
Description/Cause: Sensor configuration update successfully pushed from the ISM server to the sensor.
Action: n/a

Severity: Informational
Description/Cause: The ISM is attempting to discover the sensor.
Action: n/a

Severity: Informational
Description/Cause: Sensor software image failed to download from the McAfee Update Server to the ISM server.
Action: n/a

Severity: Informational
Description/Cause: Sensor software image is in the process of downloading from the McAfee Update Server to the ISM server.
Action: n/a

Severity: Informational
Description/Cause: Sensor software image successfully downloaded from the McAfee Update Server to the ISM server.
Action: n/a
Severity: Informational
Description/Cause: A sensor software image or signature set file is in the process of being imported from the McAfee Update Server to the ISM server.
Action: n/a

Severity: Informational
Description/Cause: A sensor software update is in the process of being pushed from the ISM Server to the sensor.
Action: n/a

Severity: Informational
Description/Cause: Sensor software update is successfully pushed from the ISM Server to the sensor.
Action: n/a

Severity: Informational
Description/Cause: Signature set successfully downloaded from the McAfee Update Server to the ISM server.
Action: n/a

Severity: Informational
Description/Cause: Signature set update failed while transferring from the ISM server to the sensor.
Action: n/a

Severity: Informational
Description/Cause: A signature set is in the process of being pushed from the ISM server to the sensor.
Action: n/a

Severity: Informational
Description/Cause: The attempt to update the signature set on the ISM was not successful, and thus no signature set is available on the ISM.
Action: You must re-import a signature set before performing any action on the ISM. A valid signature set must be present before any action can be taken in IntruShield.

Fault: Switchback has been completed, the primary ISM has got the control of sensors now
Severity: Informational
Action: n/a

Fault: System startup in process; alerts being restored
Severity: Informational
Action: You need to restart the ISM to view the restored alerts in Alert Manager.
Fault: Syslog Forwarder is not configured for the Admin Domain: <Admin Domain Name> to accept the ACL logs.
Severity: Informational
Description/Cause: ACL logging is enabled, but no Syslog server has been configured to accept the log messages.
Action: Configure a Syslog server to receive forwarded ACL logs.

Fault: The Sensor to ISM communication IP does not match with the peer ISM's peer IP configured in the MDR set up.
Severity: Informational
Description/Cause: The Sensor to ISM communication IP does not match with the peer ISM's peer IP. The peer IP configured in the peer ISM is the IP of this ISM, and this IP should match the Sensor-ISM Communication IP set in this ISM during installation.
Action: Ensure that the sensor-ISM communication IP matches the peer ISM's peer IP in the MDR configuration.

Severity: Informational
Description/Cause: ICC has an MDR pair created and the ISM is in disconnected mode. If the ICC MDR pair is dissolved and recreated, making the existing primary manager the secondary manager and the existing secondary manager the primary manager, the fault is raised.
Action: Dissolve and recreate an MDR pair.

Severity: Informational
Description/Cause: One or more UDS is in the process of being exported from the UDS Editor to the ISM server.
Action: n/a

Severity: Informational
Description/Cause: This message indicates that the vulnerability data import from the Foundstone database is successful. For more information on importing vulnerability data reports in ISM, see Importing Vulnerability Scanner Reports, Policies Configuration Guide.
Action: n/a

Fault: Weekly scheduled report generation complete
Severity: Informational
Description/Cause: Weekly scheduled report generation process successfully completed.
Action: n/a

Fault: Weekly scheduled report generation in progress
Severity: Informational
Description/Cause: Weekly scheduled report generation process in progress.
Action: n/a
Other faults
Fault
Severity
Description/Cause
Action

Fault: <Port name> configured media type is <Optical / Copper / Unknown>, inserted media type is <Optical / Copper / Unknown>.
Severity: Critical
Description/Cause: This fault occurs when there is a mismatch between the configured port media type and the inserted port media type.

Fault: <Port name> McAfee Certified pluggable interface status is <Matched / Mismatched>.
Severity: Critical
Description/Cause: This fault occurs when there is a mismatch while using a McAfee certified pluggable interface status port with a non-McAfee certified pluggable interface status port.
Action: Configure the correct port.

Fault: Report Generation failed for Schedule Report Template <template name> due to unavailability of resource(s) in ISM.
Severity: Warning
Description/Cause: This fault occurs when the scheduled report template is disabled.
Action: Enable and save the template to generate the report.

Fault: Sensor <sensor name> discovered with license that will expire on <expiry date>.
Severity: Informational
Description/Cause: This is an informational fault that occurs when the sensor discovers that it has a license.

Fault: Sensor <sensor name> discovered without license, sensor may not detect attacks.
Severity: Critical
Description/Cause: This fault occurs when a sensor does not have a license.

Fault: Sensor <sensor name> device license expired, sensor may not detect attacks.

Fault: Sensor <sensor name> support license expired, sensor may not detect attacks
Severity: Critical
Description/Cause: This fault occurs when the support term license has expired.

Description/Cause: Sensor discovered with cluster secondary license, and must not be connected to the ISM directly.
Action: To obtain a standard license now, contact Technical Support or your local reseller.

Fault: <XLR A die / XLR B die / XLR C die> temperature is <Normal / Abnormal / Critical / Unknown>.
Severity: Critical
Description/Cause: This fault occurs when the temperature of the XLR chip/module in the sensor is abnormal.
Action: Check the Fan LEDs on the front of the sensor to ensure all internal sensor fans are functioning.
Host Quarantine and Remediation
In the case of Host Quarantine and Remediation, an error message is raised when the number of quarantine rules exceeds the permitted limit. The sensor raises a fault message to the ISM when the number of quarantine rules exceeds the maximum permitted limit. The fault is displayed as IP: host quarantine block nodes exhausted. This can be viewed as an alert in the Alert Manager. For more information, see Fault messages for Host Quarantine, Alerts & System Health Monitoring Guide.
Note 1: You can have up to 1000 host quarantine rules for IPv4 addresses, and up to 500 host quarantine rules for IPv6 addresses. For more information on using quarantine from Alert Manager, see Using Host Quarantine, Alerts & System Health Monitoring Guide.
Note 2: For more information on quarantine and remediation functionality, see Host Quarantine and Remediation, Sensor Configuration Guide using ISM.
CHAPTER 6
Error Messages
This section lists the error messages displayed in ISM.
Error Name
Description/Cause
Action
Error Name: Server with IP address and port already exists
Description/Cause: IP address and port connection not unique for RADIUS server
Action: Use a different IP address and port number

Error Name: RADIUS server host IP address/host name is required
Description/Cause: Field cannot be blank
Action: Enter a valid host name/IP address

Error Name: Shared Secret key is unique in case of RADIUS server
Description/Cause: Field cannot be blank
Action: Enter a valid host name/IP address

Error Name: RADIUS server host IP address/host name cannot be resolved as entered
Description/Cause: Invalid host name/IP address
Action: Enter a valid host name/IP address

Description/Cause: RADIUS server is up and running
Action: RADIUS server is up and running

Description/Cause: Network failure, congestion at servers or RADIUS server not available
Action: Try after some time; check the IP address and Shared Secret key

Description/Cause: No server available
Action: Configure at least one RADIUS server
The table lists the error messages displayed in the User Activity Audit report.
Error Name
Description/Cause
Error Type
Error Name: RADIUS Authentication
Description/Cause: User <user name> with login Id <login Id> failed to authenticate to RADIUS server <RADIUS server host name/IP address> on port <port number> due to server timeout/network failure
Error Type: User

Description/Cause: Added RADIUS server IP Address/Host <IP address or host name>, port <port number>, enable <Yes/No>
Error Type: Manager

Description/Cause: IP Address/Host <IP address or host name> set port <port number>, set Enabled <Yes/No>
Error Type: Manager

Description/Cause: Deleted RADIUS Server IP Address/Host <IP address or host name>, port <port number>
Error Type: Manager
Error Name: Server with IP address and port already exists
Description/Cause: IP address and port connection not unique for LDAP server
Action: Use a different IP address and port number

Error Name: LDAP server host IP address/host name is required
Description/Cause: Field cannot be blank
Action: Enter a valid host name/IP address

Error Name: LDAP server host IP address/host name cannot be resolved as entered
Action: Enter a valid host name/IP address

Error Name: LDAP Connection Successful
Description/Cause: LDAP server is up and running
Action: LDAP server is up and running

Error Name: LDAP Connection Failed
Description/Cause: Network failure, congestion at servers or LDAP server not available
Action: Try after some time; check the IP address

Error Name: No LDAP server configured
Description/Cause: No server available
Action: Configure at least one LDAP server
The table lists the error messages displayed in the User Activity Audit report.
Error Name
Description/Cause
Error Type
Error Name: LDAP Authentication
Description/Cause: User <user name> with login Id <login Id> failed to authenticate to LDAP server <LDAP server host name/IP address> on port <port number> due to server timeout/network failure.
Error Type: User

Description/Cause: Added LDAP server IP Address/Host <IP address or host name>, port <port number>, enable <Yes/No>
Error Type: Manager

Description/Cause: IP Address/Host <IP address or host name> set port <port number>, set Enabled <Yes/No>
Error Type: Manager

Description/Cause: Deleted LDAP Server IP Address/Host <IP address or host name>, port <port number>
Error Type: Manager
CHAPTER 7
Files
Ems.log: Configurable logs containing information from various components of the ISM. The current ems.log file is renamed when its size reaches 1MB, using the current timestamp. Another ems.log is created to collect the latest log information.
Configuration backup: A collection of database information containing all IntruShield configuration information.
Configuration files: XML and property files within the IntruShield config directory.
Fault log: A table in the IntruShield database that contains generated fault log messages.
Sensor Trace: A file containing various sensor-related log files.
Compiled Signature: A file containing signature information and policy configuration for a given sensor.
InfoCollector is a tool that can be used both by you and by McAfee. McAfee systems engineers can use the InfoCollector tool to provide you with a definition (.def) file via email. This file is configured by McAfee to automatically choose information that McAfee needs from your installation of IntruShield. You simply open the definition file within the InfoCollector and it will automatically select the information that McAfee needs from your installation of the ISM. Alternatively, a manual approach can also be used with InfoCollector, and you can select information yourself to provide to McAfee. For example, McAfee may ask you to select checkboxes that correspond to different sets of information available within IntruShield.
Files related to InfoCollector, such as infocollector.bat should be in the following location: C:\[INTRUSHIELD_INSTALL_DIR]\diag\InfoCollector
Using InfoCollector
To use InfoCollector, follow these steps:
1 After you run InfoCollector, do one of the following:
If McAfee provides you with a definition file:
i. After you run InfoCollector, open the File menu and click Open Definition.
ii. Select the definition file that McAfee sent you via email and click Select.
If McAfee instructs you to select InfoCollector checkboxes:
iii. After you run InfoCollector, select the checkboxes as instructed by McAfee.
iv. Select a Duration. Select Date to specify a start and end date, or select Last X Days and
v. Select the number of days from which InfoCollector should gather information.
vi. Click Browse and select the path and filename of the output ZIP file. Click Run.
2 Provide the output ZIP file to McAfee as recommended by McAfee Technical Support. You can send the file via email or through FTP.
Caution: The output ZIP file contains the toolconfig.txt file, which lists the information that you have chosen to provide McAfee.
CHAPTER 8
---------------------------------------------------------------------------------------------------------------------------------
Restarting server at Mon Jun 09 14:48:53 GMT+05:30 2006
SERVER STDOUT: The IntruShield Manager Service is starting.
SERVER STDOUT: The IntruShield Manager Service was started successfully.
SERVER STDOUT:
SERVER STDOUT: ----------------------------------------------------------------------------------------------------------------------------------
If the ISM Watchdog fails after five attempts to restart the ISM, the following line will appear in the log file: SERVER STDOUT: Failed to restart Manager after five attempts. Exiting.
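Detection logic over Watchdog log lines like the ones quoted above, so that a restart storm or the five-attempt give-up line is alerted on rather than found after the Manager has been down for hours: an added example, not McAfee code. The restart banner and the give-up line are the two messages the page quotes; the 30-minute window, the restart threshold and the sample log are constructed assumptions.

```python
"""Watchdog log triage: classify an excerpt as ok / restarting / flapping / down.

Constructed example, not McAfee code. Only the 'Restarting server at' banner,
the 'was started successfully' line and the five-attempt give-up line come
from the page; the window, threshold and SAMPLE_LOG_* lists are assumptions.
"""
import re
from datetime import datetime, timedelta

# "Restarting server at Mon Jun 09 14:48:53 GMT+05:30 2006": the zone token
# (GMT+05:30) is skipped so the timestamp parses without timezone handling.
RESTART_RE = re.compile(
    r"Restarting server at (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})"
)
STARTED_RE = re.compile(r"Manager Service was started successfully\.")
GAVE_UP_RE = re.compile(r"Failed to restart Manager after five attempts\. Exiting\.")


def parse_restart_time(line):
    """Return the restart timestamp for a banner line, or None for any other line."""
    m = RESTART_RE.search(line)
    if m is None:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")


def summarize_watchdog(lines):
    """Collect restart times, count successful starts, note whether the watchdog gave up."""
    restarts, started, gave_up = [], 0, False
    for line in lines:
        ts = parse_restart_time(line)
        if ts is not None:
            restarts.append(ts)
        elif STARTED_RE.search(line):
            started += 1
        elif GAVE_UP_RE.search(line):
            gave_up = True
    return {"restarts": restarts, "started": started, "gave_up": gave_up}


def watchdog_verdict(lines, window=timedelta(minutes=30), threshold=3):
    """Classify the excerpt.

    'down'       the five-attempt give-up line was seen; the ISM is not coming back
    'flapping'   at least `threshold` restart banners fell inside `window`
    'restarting' a restart banner has no matching successful-start line yet
    'ok'         every restart was followed by a successful start
    """
    s = summarize_watchdog(lines)
    if s["gave_up"]:
        return "down"
    r = s["restarts"]
    for i in range(len(r) - threshold + 1):
        if r[i + threshold - 1] - r[i] <= window:
            return "flapping"
    if len(r) > s["started"]:
        return "restarting"
    return "ok"


# Constructed excerpt: three restarts in a quarter of an hour, then the watchdog exits.
SAMPLE_LOG_DOWN = [
    "Restarting server at Mon Jun 09 14:48:53 GMT+05:30 2006",
    "SERVER STDOUT: The IntruShield Manager Service is starting.",
    "SERVER STDOUT: The IntruShield Manager Service was started successfully.",
    "Restarting server at Mon Jun 09 14:55:10 GMT+05:30 2006",
    "SERVER STDOUT: The IntruShield Manager Service is starting.",
    "Restarting server at Mon Jun 09 15:02:41 GMT+05:30 2006",
    "SERVER STDOUT: The IntruShield Manager Service is starting.",
    "SERVER STDOUT: Failed to restart Manager after five attempts. Exiting.",
]

# Constructed excerpt: a single clean restart.
SAMPLE_LOG_OK = SAMPLE_LOG_DOWN[:3]
```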
CHAPTER 9
Maximum Type
I-1200
I-1400
I-2600
I-2700
I-3000
I-4000
I-4010
Concurrent connections Connections established per sec. Concurrent SSL Flows (2.1.x and later) Number of SSL keys that can be stored on the sensor Virtual Interfaces (VIDS) VLANS / CIDR Blocks VLANS / CIDR Blocks per Physical Port Customized attacks Alert filters Default number of supported UDP Flows Supported UDP Flows DoS Profiles SYN rate (64-byte packets per second) ACL Rules (refer to note below)
40,000 80,000 250,000 250,000 500,000 1,000,000 1,000,000 1,000 NA NA 16 32 32 2,000 NA NA 32 64 64 6,250 25,000 64 100 300 254 6,250 25,000 64 100 300 254 10,000 50,000 64 1000 3000 254 25,000 100,000 64 1000 3000 254 25,000 100,000 64 1000 3000 254 100,000 128,000 100,000 750,000 5000
20,000 40,000 100,000 100,000 100,000 100,000 16,000 32,000 64,000 5,000 6,000 25,000 64,000 25,000 128,000 128,000 100,000 100,000
30,000 60,000 187,500 187,500 750,000 750,000 100 120 300 300 5000 5000
83,000 64,000 250,000 250,000 500,000 1,000,000 1,000,000 50 100 400 400 1000 1000 1000
71
Concurrent connections 2,000,000 Connections established per sec. Concurrent SSL Flows (2.1.x and later) Number of SSL keys that can be stored on the sensor 60,000 Not Supported Not Supported
4,000,000 120,000 Not Supported Not Supported 1000 3000 254 100,000 128,000 400,000 3,000,000 5000 3,900,000 1000
Virtual Interfaces (VIDS) 1000 VLANS / CIDR Blocks VLANS / CIDR Blocks per Physical Port Customized attacks Alert filters Default number of supported UDP Flows Supported UDP Flows DoS Profiles SYN rate (64-byte packets per second) 3000 254 100,000 128,000 400,000 1,500,000 5000 2,000,000
For more information on computing ACL rules, see "Viewing ACL descriptions using Effective ACL rules" in the Sensor Configuration Guide.
a. Create a new policy.
b. Set the Inbound rule set to "File Server rule set".
c. Set the Outbound rule set to "All-inclusive with Audit rule set".
You will see that:
The File Server rule set has 166 exploit attacks.
The All-inclusive with Audit rule set has 2204 exploit attacks.
The total number of customized attacks for this policy is 2204 - 166 = 2038 customized attacks.
73
CHAPTER 10
Old Number          New Number          Topic
KB38000             KB55446             All signature set releases with links to signature set release notes
KB38001             KB55447             All UDS releases and release notes of the UDSs (this is a restricted article and requires the user to log into the service portal or be internal)
KB38002             KB55448             Table displaying the current versions for IntruShield
KB38003             KB55449             Listing of IntruShield's response to high-profile public vulnerabilities
KB38004             KB55450             How to request coverage for a threat that isn't already covered
KB38005             KB55451             List of all McAfee Recommended for Blocking (RFB) attacks
KB37553             KB55318             Sensor heat dissipation rates (BTUs per hour)
KB37773             KB60660             Verify MySQL Database Tables
KB38041             KB55470             IntruShield maximum number of CIDR blocks using VIDS
KB38365             KB55549             Collecting a diagnostics trace from the IntruShield sensor
KB38487             KB55568             VLAN limitations for IntruShield
KB39232             KB55723             Maximum number of SSL keys for an ISM or sensor
KB39353             KB55743             Submitting IntruShield incorrect identifications (false positive/incorrect detection) to support
KB39888             KB55908             Support for legacy versions
KB40570             KB55364             Asymmetric traffic and TCP flow violation options
KB40571             KB56069             "Login failed: Unable to get the IntruShield Security Manager license information"
KB40582             KB56071             3rd Party Recommended Hardware for IntruShield Sensors
KB41752, NAI32011   KB56364, KB59347    Sensor is reporting false DOS attacks / New network device is added and sensor is now reporting DOS attacks
NAI32008            KB59344             Recover the password for the ISM
Index

A
auto-negotiation and speed configurations ...... 15, 20

C
connectivity issues ...... 15
critical faults ...... 32

D
duplex mismatches ...... 15

F
false positives ...... 28

H
hardening the ISM server ...... 7
hardening the MySQL installation ...... 7

I
InfoCollector tool ...... 71
informational faults ...... 55
ISM Watchdog ...... 74

M
management port configuration ...... 14
MySQL issues ...... 27

O
other faults ...... 67

P
problems with sensor reboot ...... 23, 24

R
rolling back changes ...... 10

S
Sensor capacity by model number ...... 77

W
warning faults ...... 51