10-07-2005 08:14 AM - edited 03-10-2019 01:40 AM
When creating a Signature Event Action Filter and use an "Event Variable" ($INTERNAL or $OUT) in the attacker address or victim address, the MC throws an error.
"Error - Attacker Start address is invalid"
Is this a known bug?
Thanks in advance
M
10-11-2005 02:27 PM
the address field must contain an address, range, or set of addresses.
10-12-2005 01:52 PM
In the IDM and CLI you can use variables. Why is the IPSMC different?
10-12-2005 08:19 PM
What version of MC are you using? What type/version sensor are you using?
Can you describe step by step how you're trying to create this variable?
10-17-2005 07:17 PM
Im using version 2.1 with the latest service packs and all. The sensors are 5.0.4. From the IPSMC I go to the sensor I would like to manage, then choose event action filters then choose add and in the source field type in the $variablename (i.e. IN or OUT). These are all defined in the event variables section.
If I make the variable changes using the cli it works fine. If I reimport the sensor to the mc the variable show up fine. But you cannot create add variable to the event action filters section from the MC.
Its pretty annoying to have to use the IDM or cli to make changes and then reimport each sensor. I have 20 sensors and its is a royal pain to do this to each sensor. I have a TAC case open on this as well, and no one has any idea. I need some help, anyone!!
10-18-2005 12:26 AM
I'm in the same setup of using IPS V5 on the sensors managed by CiscoWorks VMS with IPS MC 2.1. I can confirm same kind of troubles with the interaction between both softwares. Here is what I have experienced sofar :
- there is a difference in syntax for adding addresses into the default $in and $out variables. If I set more than one address range into those variables, I can generate the config, but can't deploy onto the sensor.Error = "The ip address range format is invalid at line: 1, at character: 381"
Even when I do the configuration via IDM, import the new config into IPS MC and without changing anything try to deploy the same config onto the sensor again, I get the same error.
- the is also some syntax problem on the naming of filters. By default filters are named filter[x], but again when deploying this config with that kind of names onto the sensor, IPS MC is generating errors:
"** ECD result for eventActionRules: Error validateError: / -- /_root_/filters/filter1-filter- - -0-D/ -- invalid name
/_root_/filters/filter10-filter- - -9-D/ -- invalid name
etc ...."
So I'm not surprised by the above problem description.
10-20-2005 10:16 AM
I have the exact same issue on 3 different VMS servers running the latest IPSMC software. What is the purpose of being able to define a variable if you can't use it?
10-20-2005 01:35 PM
This is an oversight in the IPS MC 2.1 that is being rectified in version 2.2 (due out next month). CSCsb66685
10-21-2005 05:12 AM
Any possibility of getting a patch for this sooner than sometime next month?
10-21-2005 10:01 AM
All dev and test resources are fully committed to the 2.2 release (3 weeks to FCS). This particular issue is currently being worked on. IMO, a patch would take at least 2 weeks if the resources were available. So I would recommend waiting for 2.2.
11-15-2005 05:25 AM
Well, I've been patient so far, but I'm still waiting for a patch for this issue. It's 21 days out, no patch, no v2.2 that I can find. I know they are getting rid of VMS soon, so are they really working on this?
11-15-2005 09:50 PM
Yes. The fix for CSCsb66685 will be in MC 2.2.
11-17-2005 06:02 AM
I can only take your word on it, but we can't afford to wait on this stuff, time for a competitive upgrade, I'm afraid.
Sorry -- The defect you have requested CSCsb66685 cannot be displayed.
This may be due to one or more of the following:
The defect number does not exist.
The defect does not have a customer-visible description available yet.
The defect has been marked Cisco Confidential.
11-17-2005 03:54 PM
Sorry, the defect was being treated like a 2.2 dev bug. The release note should now be visible.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide