Misclassification of HTML traffic as Thunder on Security Analytics version 7.1.8 and earlier


Article ID: 169091




Security Analytics


HTML traffic is incorrectly classified as Thunder in Security Analytics version 7.1.8.


There is an issue with the packet inspection process in version 7.1.8 which incorrectly classifies some HTML traffic as Thunder P2P. 


It is highly recommended that you only apply the patch below if upgrading to 7.1.9 or later is not possible.  If upgrading is an option, please upgrade the appliance to version 7.1.9 or later.

NOTE:  The patch is for version 7.1.8 ONLY and not compatible with later versions of Security Analytics. If you upgrade the appliance, the fix will be lost and cannot be re-applied.

Contents of shaft-patch-7.1.8.tgz (attached to this article)

# tar tzvf shaft-patch-7.1.8.tgz 
drwxr-xr-x root/root         0 2015-07-14 11:34 shaft-patch-7.1.8/
drwxr-xr-x root/root         0 2015-06-24 09:42 shaft-patch-7.1.8/qosmos-external-flows/
-rw-r--r-- root/root    270416 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmengine.so
-rw-r--r-- root/root   1092752 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmctl.so
-rw-r--r-- root/root   1131248 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmsecurity.so
-rw-r--r-- root/root     24256 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmdata.so
-rwxr-xr-x root/root   9215120 2015-06-23 18:03 shaft-patch-7.1.8/libqmprotocols_appsdk.so
-rwxr-xr-x root/root   3276176 2015-06-23 18:03 shaft-patch-7.1.8/shaft

Instructions for applying shaft-patch-7.1.8.tgz
  1. Copy (SCP) shaft-patch-7.1.8.tgz to /home/ on the appliance
  2. SSH to the appliance as root
  3. cd /home
  4. tar xvf shaft-patch-7.1.8.tgz
  5. service monit stop
  6. service solera-shaft stop
Back up files
  1. mkdir -p /home/shaft-patch-backup/qosmos-external-flows
  2. cp -v /usr/sbin/shaft /home/shaft-patch-backup/
  3. cp -v /usr/lib64/qosmos-external-flows/*  /home/shaft-patch-backup/qosmos-external-flows/
  4. cp -v /usr/lib64/libqmprotocols_appsdk.so /home/shaft-patch-backup/
Install patched shaft and libraries (overwrite when asked)
  1. cp -v /home/shaft-patch-7.1.8/shaft /usr/sbin/shaft
  2. chown -v 0.0 /usr/sbin/shaft
  3. chmod -v a+rx /usr/sbin/shaft
  4. cp -v /home/shaft-patch-7.1.8/qosmos-external-flows/* /usr/lib64/qosmos-external-flows/
  5. chown -v 0.0 /usr/lib64/qosmos-external-flows/*.so
  6. chmod -v a+r /usr/lib64/qosmos-external-flows/*.so
  7. cp -v /home/shaft-patch-7.1.8/libqmprotocols_appsdk.so /usr/lib64/libqmprotocols_appsdk.so
  8. chown -v 0.0 /usr/lib64/libqmprotocols_appsdk.so
  9. chmod -v a+r /usr/lib64/libqmprotocols_appsdk.so
Start services back up:
  1. service solera-shaft start
  2. service monit start
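
The install steps above overwrite the shaft binary and its libraries as root, so it is worth confirming each copy landed intact. The shell function below is an added example, not part of the original article or the vendor's tooling: it compares every patch file with its installed copy and checks mode and owner. The ROOT and OWNER arguments are assumptions, added so the check can be rehearsed in a scratch directory.

```shell
#!/bin/sh
# Added example: confirm the installed files match the extracted patch.
# Usage: verify_patch PATCH_DIR [ROOT] [OWNER]
#   ROOT  (assumption) prefix for install paths; empty = the live appliance
#   OWNER (assumption) expected uid:gid, default 0:0 as set by "chown 0.0"
# Prints one line per problem; returns 0 only if every file checks out.
verify_patch() {
    patch_dir=$1 root=${2:-} owner=${3:-0:0} rc=0

    # patch file : install path : minimum mode (a+rx for shaft, a+r for libs)
    set -- "shaft:/usr/sbin/shaft:0555" \
        "libqmprotocols_appsdk.so:/usr/lib64/libqmprotocols_appsdk.so:0444"
    for lib in "$patch_dir"/qosmos-external-flows/*; do
        [ -f "$lib" ] || continue
        rel=qosmos-external-flows/${lib##*/}
        set -- "$@" "$rel:/usr/lib64/$rel:0444"
    done

    for entry in "$@"; do
        src=$patch_dir/${entry%%:*}
        rest=${entry#*:}
        dst=$root${rest%%:*}
        mode=${rest#*:}
        if [ ! -f "$src" ]; then
            echo "MISSING-IN-PATCH $src"; rc=1
        elif [ ! -f "$dst" ]; then
            echo "NOT-INSTALLED $dst"; rc=1
        elif ! cmp -s "$src" "$dst"; then
            echo "CONTENT-DIFFERS $dst"; rc=1
        elif [ -z "$(find "$dst" -perm "-$mode")" ]; then
            echo "MODE-TOO-STRICT $dst (want at least $mode)"; rc=1
        elif [ "$(ls -ln "$dst" | awk '{print $3 ":" $4}')" != "$owner" ]; then
            echo "WRONG-OWNER $dst (want $owner)"; rc=1
        fi
    done
    return $rc
}
```

On the appliance, call it as `verify_patch /home/shaft-patch-7.1.8` after the install steps; no output and a zero exit status mean every file matches.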


shaft-patch-7.1.8.tgz