Misclassification of HTML traffic as Thunder on Security Analytics version 7.1.8 and earlier
Article ID: 169091
Updated On:
Products
Security Analytics
Issue/Introduction
Customer is seeing HTML traffic is being incorrectly classified as Thunder in Security Analytics version 7.1.8.
Cause
There is an issue with the packet inspection process in version 7.1.8 which incorrectly classifies some HTML traffic as Thunder P2P.
Resolution
It is highly recommended that you only apply the patch below if upgrading to 7.1.9 or later is not possible. If upgrading is an option, please upgrade the appliance to version 7.1.9 or later.
NOTE: The patch is for version 7.1.8 ONLY and not compatible with later versions of Security Analytics. If you upgrade the appliance, the fix will be lost and cannot be re-applied.
Contents of shaft-patch-7.1.8.tgz (attached to this article)
# tar tzvf shaft-patch-7.1.8.tgz
drwxr-xr-x root/root 0 2015-07-14 11:34 shaft-patch-7.1.8/
drwxr-xr-x root/root 0 2015-06-24 09:42 shaft-patch-7.1.8/qosmos-external-flows/
-rw-r--r-- root/root 270416 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmengine.so
-rw-r--r-- root/root 1092752 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmctl.so
-rw-r--r-- root/root 1131248 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmsecurity.so
-rw-r--r-- root/root 24256 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmdata.so
-rwxr-xr-x root/root 9215120 2015-06-23 18:03 shaft-patch-7.1.8/libqmprotocols_appsdk.so
-rwxr-xr-x root/root 3276176 2015-06-23 18:03 shaft-patch-7.1.8/shaft
Instructions for applying shaft-patch-7.1.8.tgz
NOTE: The patch is for version 7.1.8 ONLY and not compatible with later versions of Security Analytics. If you upgrade the appliance, the fix will be lost and cannot be re-applied.
Contents of shaft-patch-7.1.8.tgz (attached to this article)
# tar tzvf shaft-patch-7.1.8.tgz
drwxr-xr-x root/root 0 2015-07-14 11:34 shaft-patch-7.1.8/
drwxr-xr-x root/root 0 2015-06-24 09:42 shaft-patch-7.1.8/qosmos-external-flows/
-rw-r--r-- root/root 270416 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmengine.so
-rw-r--r-- root/root 1092752 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmctl.so
-rw-r--r-- root/root 1131248 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmsecurity.so
-rw-r--r-- root/root 24256 2015-06-23 18:01 shaft-patch-7.1.8/qosmos-external-flows/libqmdata.so
-rwxr-xr-x root/root 9215120 2015-06-23 18:03 shaft-patch-7.1.8/libqmprotocols_appsdk.so
-rwxr-xr-x root/root 3276176 2015-06-23 18:03 shaft-patch-7.1.8/shaft
Instructions for applying shaft-patch-7.1.8.tgz
- copy (SCP) shaft-patch-7.1.8.tgz to /home/ on the appliance
- ssh to the appliance as root
- cd /home
- tar xvf shaft-patch-7.1.8.tgz
- service monit stop
- service solera-shaft stop
- mkdir -p /home/shaft-patch-backup/qosmos-external-flows
- cp -v /usr/sbin/shaft /home/shaft-patch-backup/
- cp -v /usr/lib64/qosmos-external-flows/* /home/shaft-patch-backup/qosmos-external-flows/
- cp -v /usr/lib64/libqmprotocols_appsdk.so /home/shaft-patch-backup/
- cp -v /home/shaft-patch-7.1.8/shaft /usr/sbin/shaft
- chown -v 0.0 /usr/sbin/shaft
- chmod -v a+rx /usr/sbin/shaft
- cp -v /home/shaft-patch-7.1.8/qosmos-external-flows/* /usr/lib64/qosmos-external-flows/
- chown -v 0.0 /usr/lib64/qosmos-external-flows/*.so
- chmod -v a+r /usr/lib64/qosmos-external-flows/*.so
- cp -v /home/shaft-patch-7.1.8/libqmprotocols_appsdk.so /usr/lib64/libqmprotocols_appsdk.so
- chown -v 0.0 /usr/lib64/libqmprotocols_appsdk.so
- chmod -v a+r /usr/lib64/libqmprotocols_appsdk.so
- service solera-shaft start
- service monit start
Attachments
Feedback
Yes
No
Powered by
