Misclassification of HTML traffic as Thunder on Security Analytics version 7.1.8 and earlier

Article ID: 169091

Products

Security Analytics

Issue/Introduction

HTML traffic is being incorrectly classified as Thunder in Security Analytics version 7.1.8.

Cause

There is an issue with the packet inspection process in version 7.1.8 which incorrectly classifies some HTML traffic as Thunder P2P. 

Resolution

It is highly recommended that you only apply the patch below if upgrading to 7.1.9 or later is not possible.  If upgrading is an option, please upgrade the appliance to version 7.1.9 or later.

NOTE:  The patch is for version 7.1.8 ONLY and not compatible with later versions of Security Analytics. If you upgrade the appliance, the fix will be lost and cannot be re-applied.

Contents of shaft-patch-7.1.8.tgz (attached to this article)

# tar tzvf shaft-patch-7.1.8.tgz 
drwxr-xr-x root/root         0 2015-07-14 11:34 shaft-patch-7.1.8/
drwxr-xr-x root/root         0 2015-06-24 09:42 shaft-patch-7.1.8/qosmos-external-flows/
-rw-r--r-- root/root    270416 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmengine.so
-rw-r--r-- root/root   1092752 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmctl.so
-rw-r--r-- root/root   1131248 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmsecurity.so
-rw-r--r-- root/root     24256 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmdata.so
-rwxr-xr-x root/root   9215120 2015-06-23 18:03 shaft-patch-7.1.8/libqmprotocols_appsdk.so
-rwxr-xr-x root/root   3276176 2015-06-23 18:03 shaft-patch-7.1.8/shaft
Instructions for applying shaft-patch-7.1.8.tgz
  1. copy (SCP) shaft-patch-7.1.8.tgz to /home/ on the appliance
  2. ssh to the appliance as root
  3. cd /home
  4. tar xvf shaft-patch-7.1.8.tgz
  5. service monit stop
  6. service solera-shaft stop

Back up files
  1. mkdir -p /home/shaft-patch-backup/qosmos-external-flows
  2. cp -v /usr/sbin/shaft /home/shaft-patch-backup/
  3. cp -v /usr/lib64/qosmos-external-flows/*  /home/shaft-patch-backup/qosmos-external-flows/
  4. cp -v /usr/lib64/libqmprotocols_appsdk.so /home/shaft-patch-backup/

Install patched shaft and libraries (overwrite when asked)
  1. cp -v /home/shaft-patch-7.1.8/shaft /usr/sbin/shaft
  2. chown -v 0.0 /usr/sbin/shaft
  3. chmod -v a+rx /usr/sbin/shaft
  4. cp -v /home/shaft-patch-7.1.8/qosmos-external-flows/* /usr/lib64/qosmos-external-flows/
  5. chown -v 0.0 /usr/lib64/qosmos-external-flows/*.so
  6. chmod -v a+r /usr/lib64/qosmos-external-flows/*.so
  7. cp -v /home/shaft-patch-7.1.8/libqmprotocols_appsdk.so /usr/lib64/libqmprotocols_appsdk.so
  8. chown -v 0.0 /usr/lib64/libqmprotocols_appsdk.so
  9. chmod -v a+r /usr/lib64/libqmprotocols_appsdk.so

Start services back up
  1. service solera-shaft start
  2. service monit start
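The backup and install steps above as shell functions, with a byte-for-byte verification after install and the matching rollback from the backup that the article creates but never restores. This is an added example, not the article's own script; ROOT is an assumed path prefix so the whole sequence can be rehearsed in a scratch directory before it is run on the appliance (an empty ROOT means the real filesystem), PATCH is the extracted shaft-patch-7.1.8 directory and BACKUP the backup directory. The service stop/start steps from the article still wrap these calls on the live appliance.

```shell
# Added example (not from the KB article). ROOT is an assumed prefix for
# rehearsing in a scratch tree ("" = real filesystem); PATCH is the
# extracted shaft-patch-7.1.8 directory; BACKUP is the backup directory.
set -u

# "Back up files": keep a copy of the three targets the patch overwrites.
patch_backup() {  # usage: patch_backup ROOT BACKUP
    root=$1; backup=$2
    mkdir -p "$backup/qosmos-external-flows" || return 1
    cp -v "$root/usr/sbin/shaft" "$backup/" || return 1
    cp -v "$root"/usr/lib64/qosmos-external-flows/* "$backup/qosmos-external-flows/" || return 1
    cp -v "$root/usr/lib64/libqmprotocols_appsdk.so" "$backup/"
}

# "Install patched shaft and libraries": copy, then set owner and mode.
# chown runs only as root so an unprivileged rehearsal still works.
patch_install() {  # usage: patch_install ROOT PATCH
    root=$1; patch=$2
    cp -v "$patch/shaft" "$root/usr/sbin/shaft" || return 1
    cp -v "$patch"/qosmos-external-flows/* "$root/usr/lib64/qosmos-external-flows/" || return 1
    cp -v "$patch/libqmprotocols_appsdk.so" "$root/usr/lib64/libqmprotocols_appsdk.so" || return 1
    if [ "$(id -u)" -eq 0 ]; then   # 0:0 is the same owner as the article's 0.0
        chown -v 0:0 "$root/usr/sbin/shaft" "$root"/usr/lib64/qosmos-external-flows/*.so \
            "$root/usr/lib64/libqmprotocols_appsdk.so" || return 1
    fi
    chmod -v a+rx "$root/usr/sbin/shaft" || return 1
    chmod -v a+r "$root"/usr/lib64/qosmos-external-flows/*.so "$root/usr/lib64/libqmprotocols_appsdk.so"
}

# Check after install: every installed file is byte-identical to the patch copy.
patch_verify() {  # usage: patch_verify ROOT PATCH
    root=$1; patch=$2
    cmp -s "$patch/shaft" "$root/usr/sbin/shaft" || return 1
    cmp -s "$patch/libqmprotocols_appsdk.so" "$root/usr/lib64/libqmprotocols_appsdk.so" || return 1
    for f in "$patch"/qosmos-external-flows/*; do
        cmp -s "$f" "$root/usr/lib64/qosmos-external-flows/$(basename "$f")" || return 1
    done
}

# Rollback (added here; the article makes the backup but shows no restore).
patch_restore() {  # usage: patch_restore ROOT BACKUP
    root=$1; backup=$2
    cp -v "$backup/shaft" "$root/usr/sbin/shaft" || return 1
    cp -v "$backup"/qosmos-external-flows/* "$root/usr/lib64/qosmos-external-flows/" || return 1
    cp -v "$backup/libqmprotocols_appsdk.so" "$root/usr/lib64/libqmprotocols_appsdk.so"
}
```

On the appliance the calls are `patch_backup "" /home/shaft-patch-backup`, `patch_install "" /home/shaft-patch-7.1.8`, then `patch_verify "" /home/shaft-patch-7.1.8` before restarting the services.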

Attachments

shaft-patch-7.1.8.tgz