Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
391
Views
0
Helpful
1
Replies

CSA detecting process name incorrectly

michael.saunders
Level 1
Level 1

‎12-16-2008 09:57 AM - edited ‎03-10-2019 04:25 AM

I have a RHEL3 WS host running Cisco Security Agent Version 5.2.0.225. From time to time I am seeing alerts that don't make sense.

For example, see these alerts:

TESTMODE: The process '/bin/echo' (as user root(0) group root(0)) attempted to accept a connection as a server on TCP port 10000 from 12.34.56.78. The operation would have been denied.

Obviously, /bin/echo didn't accept the connection. This is webmin, so /bin/perl is likely accepting the connection.

TESTMODE: The process '/bin/bash' (as user root(0) group root(0)) attempted to accept a connection as a server on TCP port 6389 from 12.34.56.78. The operation would have been denied.

In this instance I know that /opt/Navisphere/bin/naviagent is the executable that is listening on port 6389.

Why is CSA having difficulty grabbing the right process name? I dug through TAC online but didn't see anything relevant.

-MS

Labels:
0 Helpful
1 Reply 1

michael.saunders
Level 1
Level 1

‎12-16-2008 12:45 PM

It may be related to this bug, the fix seems to be upgrading to version 6.0(0.77). If anybody else has experienced this and confirm this is what they had to do to resolve the issue I'd appreciate hearing about it.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk07426&from=summary

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card