Release Notes Threat Management Services zl Module ST.1.2.110427 06-2011

Software Fixes in Releases ST.1.0.090213 - ST.1.2.110427
Release ST.1.0.090603
PR_18204 — If you filter signatures by severity, then disable a family of signatures, the
expected result is that all displayed signatures in that family will be disabled. However, the
actual result is that only some of the signatures displayed get disabled. This can be observed
by viewing info signatures, then disabling the XSS family. When the operation completes,
refresh the page, and view info signatures. When you inspect the XSS family you will see
that not all XSS family info signatures are disabled.
PR_37450 — TMS zl Module was not saving the IPS or IDS configuration in its configuration
backup file.
PR_37834 — When IPS settings are changed for threat level actions and an IPS attack was
detected, the log entry for that attack did not display the changed rule action.
PR_37838 — The log does not display the correct message when an attack is detected by IPS.
The following log is displayed during an IPS attack:
time="2009-03-19 09:57:14" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=ips_attack_family rule=3331 msg="IPS detection: Allow: Backdoor FeRAT 1.00" src=192.168.1.20 srcport=1079 dst=192.168.3.20 dstport=1234 proto=TCP ruleaction=Allow rulethreat=Critical connectiondirection=initiator packetdirection=2 packetlength=43 ipidentification=914 rulefam=BACKDOOR ruledsc="Backdoor FeRAT 1.00" subfamid=ips_signature_based_logs attackid=no-id mtype=iips_l5_l7_attack mid=3331 timetolive=3 actiontype=log
Go to the IPS > Settings > Actions page and set the threat levels to the default values:
Critical=Terminate session
Severe=Block traffic
Minor=Block traffic
Warning=Allow traffic
Information=Allow traffic
The following log is displayed, which does not display the correct action:
time="2009-03-19 02:01:49" severity=major pri=2 fw=ProCurve-TMS-zl-Module id=ips_attack_family rule=3101 msg="IPS detection: Allow: Doly Backdoor for Windows detection" src=192.168.1.20 srcport=1051 dst=192.168.3.20 dstport=1015 proto=TCP ruleaction=Allow rulethreat=Severe connectiondirection=initiator packetdirection=2 packetlength=44 ipidentification=42240 rulefam=BACKDOOR ruledsc="Doly Backdoor for Windows detection" subfamid=ips_signature_based_logs attackid=no-id mtype=iips_l5_l7_attack mid=3101 timetolive=3 actiontype=block
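
A check for archived logs written by affected releases, as an added example that is not part of the release notes or of the product: it parses the key=value entries shown under PR_37838 and reports those whose ruleaction disagrees with the action configured for their rulethreat. The function names are hypothetical, and it is an assumption that ruleaction carries the first word of the configured action (Terminate, Block, Allow).

```python
import shlex

# Default threat-level actions listed above for IPS > Settings > Actions.
DEFAULT_ACTIONS = {
    "Critical": "Terminate session",
    "Severe": "Block traffic",
    "Minor": "Block traffic",
    "Warning": "Allow traffic",
    "Information": "Allow traffic",
}

def parse_entry(line):
    """Split one key=value log entry into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def action_mismatch(line, policy=DEFAULT_ACTIONS):
    """Return (rule, rulethreat, expected, logged) when ruleaction disagrees with policy, else None."""
    f = parse_entry(line)
    if f.get("id") != "ips_attack_family":
        return None  # not an IPS detection entry
    configured = policy.get(f.get("rulethreat", ""))
    if configured is None:
        return None  # threat level missing or not in the policy
    # Assumption: ruleaction is the first word of the configured action.
    expected = configured.split()[0]
    logged = f.get("ruleaction", "")
    if logged.lower() == expected.lower():
        return None
    return (f.get("rule"), f["rulethreat"], expected, logged)

# Second entry quoted under PR_37838, abridged and joined onto one line.
SEVERE_ENTRY = (
    'time="2009-03-19 02:01:49" severity=major pri=2 fw=ProCurve-TMS-zl-Module '
    'id=ips_attack_family rule=3101 msg="IPS detection: Allow: Doly Backdoor for '
    'Windows detection" src=192.168.1.20 srcport=1051 dst=192.168.3.20 dstport=1015 '
    'proto=TCP ruleaction=Allow rulethreat=Severe rulefam=BACKDOOR '
    'ruledsc="Doly Backdoor for Windows detection" mid=3101 actiontype=block'
)
# Constructed entry (not from the release notes) that matches the default policy.
WARNING_ENTRY = 'id=ips_attack_family rule=9999 ruleaction=Allow rulethreat=Warning actiontype=log'

if __name__ == "__main__":
    for entry in (SEVERE_ENTRY, WARNING_ENTRY):
        print(action_mismatch(entry))
```

Pass a different policy dictionary when the threat-level actions on the module were not the defaults at the time the entries were written.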