IDS signature for login Failure

Is there a signature that detects login failures where you can set a threshold for like 3 login failures and if this is attained, someone will be alerted?
Seems pretty common, right?
Thanks

IMHO, this is better accomplished using a tool that monitors host logs. The sensor can't do much for encrypted protocols like SSH and HTTPS.
However, there are signatures for a couple protocols:
3127-0, SNMP brute force
5606-0, 6255-0, SMB auth failure
6250-0, FTP auth failure
6251-0, telnet auth failure
6252-0, rlogin auth failure
6253-0, pop3 login failure
6256-0, HTTP auth failure
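
The host-log approach suggested in the reply above, as an added example that is not part of the original thread: a sliding-window counter that alerts once a source reaches 3 failed logins. The sshd line format, the 60-second window, the 10-minute quiet period and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the common OpenSSH syslog layout (not from the thread).
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 10 09:00:04 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Mar 10 09:00:09 host1 sshd[1207]: Failed password for alice from 198.51.100.7 port 51200 ssh2
Mar 10 09:00:12 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 40115 ssh2
Mar 10 09:00:15 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 40116 ssh2
Mar 10 09:00:30 host1 sshd[1210]: Accepted password for alice from 198.51.100.7 port 51201 ssh2
Mar 10 09:20:00 host1 sshd[1300]: Failed password for bob from 198.51.100.7 port 51300 ssh2
Mar 10 09:40:00 host1 sshd[1301]: Failed password for bob from 198.51.100.7 port 51301 ssh2
"""

# The user name is supplied by the client, so the source address is taken from
# the END of the line: the greedy user group pushes " from <src> port" to the
# last occurrence and a crafted user name cannot shift it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_failure(line, year=2024):
    """Return (timestamp, source, user) for a failed-login line, else None.

    Syslog timestamps carry no year; `year` is an assumption of this example.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"]


def detect(lines, threshold=3, window=timedelta(seconds=60),
           quiet=timedelta(minutes=10), year=2024):
    """Alert when one source reaches `threshold` failures inside `window`.

    After an alert the source is muted for `quiet`, so a long burst produces
    one alert instead of one per additional failure.
    """
    recent = defaultdict(deque)   # source -> (timestamp, user) inside the window
    muted_until = {}              # source -> time at which alerting resumes
    alerts = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue              # successful logins and unrelated lines
        ts, src, user = parsed
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and muted_until.get(src, ts) <= ts:
            alerts.append({
                "source": src,
                "count": len(q),
                "first": q[0][0],
                "last": ts,
                "users": sorted({u for _, u in q}),
            })
            muted_until[src] = ts + quiet
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['source']}: {alert['count']} failed logins "
              f"between {alert['first']} and {alert['last']} "
              f"for users {alert['users']}")
```

Keying on the source address catches one client trying many accounts; keying on the user name instead catches many clients trying one account.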

Similar Messages

  • Design a job for Login failure alert

    HI,
    I need a query to get a login failure alert for both Windows login and SQL login accounts. I also need to track which database the login user is connecting to when he gets the login failure error. I need to schedule this as a job.

    To check what database was being used when the login failed, you will need to use default trace as mentioned in the link below:-
    http://www.eraofdata.com/the-sql-server-default-trace/
    or simply run the query below:-
    -- List failed logins recorded in the current default trace file, newest first.
    SELECT  TE.name AS [EventName] ,
            v.subclass_name ,
            T.DatabaseName ,
            T.DatabaseID ,
            T.NTDomainName ,
            T.ApplicationName ,
            T.LoginName ,
            T.SPID ,
            T.StartTime ,
            T.SessionLoginName
    FROM    sys.fn_trace_gettable(CONVERT(VARCHAR(150), ( 
                    -- property 2 of fn_trace_getinfo is the trace file path
                    SELECT TOP 1
                    f.[value]
                    FROM    sys.fn_trace_getinfo(NULL) f
                    WHERE   f.property = 2)), DEFAULT) T
            JOIN sys.trace_events TE 
                    ON T.EventClass = TE.trace_event_id
            JOIN sys.trace_subclass_values v 
                    ON v.trace_event_id = TE.trace_event_id
                    AND v.subclass_value = T.EventSubClass
    WHERE   TE.name IN ( 'Audit Login Failed' )
    ORDER BY T.StartTime DESC
    The only other way would be to use Auditing, Server Side Trace or Triggers if you want to maintain history of these. 
    Reference:
    http://sqlrows.blogspot.in/2011/10/note-to-self.html
    Please mark the answer as helpful if I have answered your query. Thanks and Regards, Kartar Rana

  • Best Practise for WLC IDS Signature Thresholds

    Hi, are there any best practices for WLC IDS Signature thresholds?
    Thanks!
    KR,
    Rena

    You can configure IDS signatures, or bit-pattern matching rules used to identify various types of attacks in incoming 802.11 packets, on the controller. When the signatures are enabled, the access points joined to the controller perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the controller. If an attack is detected, appropriate mitigation is initiated.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/config_guide/b_cg75/b_cg75_chapter_0111110.html#d162818e187a1635

  • Reporting for System Center End point Protection -Antivirus Infections,Signature updates,Errors/failures

    Hi,
    We have SCEP on all servers 2008 R2 and 2012, now basically we are looking for specific information on
    infections
    Signature Updates
    Errors/Failures.
    Regards,
    gautham.K
    MCTS-Microsoft Exchange Adminstrator,2010

    The Antimalware activity report covers your 1 request.
    The Computer Endpoint Protection status covers the other two requests, it is a drill through for the other reports and it is within a hidden folder.
    Garth Jones | My blogs: Enhansoft and
    Old Blog site | Twitter:
    @GarthMJ

  • Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

    We have 8 computers that users were able to login with a Smart Card on one day. The next day they couldn't. Everyone else can login with a Smart Card without issue. These users can login with their smart card on other systems without issue. No users can login on the affected computers with a SmartID.
    In all cases, users can login on affected computers with their user ID and password.
    All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.
    However the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.
    Using CertUtil, you can validate manually the DC cert and the CRL will download from CRL server.  You can also hit the HTTP site for the CRL download and manually download the CRL.  All this once logged in using user id and password.
    You can't unlock the computer with a Smart card or login with a smart card.
    Packet trace indicates Kerberos session properly negotiated with workstation and DC. 
    Everything fails once client workstation can't download CRL during login.
    Any suggestions on where to look next?
    We have reloaded Activclient smart card validation software.  Still no effect on issue. 
    Smart card is readable once user is logged in, via Activclient, and Windows recognizes certs on smart card when inserted for login.
    Problem occurs during CRL download only, so login or any type of validation fails.

    Got it.
    So try to do what I suggested, exclude the CRL downloaded on Friday and try to rebuild it.
    Check it here:
    To resolve this issue:
    - Delete the domain controller certificate that is no longer valid.
    - Request a new certificate.
    To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

    Delete the domain controller certificate that is no longer valid
    To delete the domain controller certificate that is no longer valid:
    1. On the domain controller, click Start, and then click Run.
    2. Type mmc.exe, and then press ENTER.
    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    4. Click File, and then click Add/Remove Snap-in.
    5. Click Certificates, and then click Add.
    6. Click Computer account, click Next, and then click Finish.
    7. Click OK to open the Certificates snap-in.
    8. Expand Certificates (Local computer), expand Personal, and then click Certificates.
    9. Right-click the old domain controller certificate, and then click Delete.
    10. Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.

    Request a new certificate
    To request a new certificate:
    1. Expand Certificates (Local computer), right-click Personal, and then click Request New Certificate.
    2. Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
    3. Close the Certificates snap-in.

    Verify
    To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:
    1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    3. At the command prompt, type certutil -dcinfo verify, and then press ENTER.
    If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
    Sergio Figueiredo
    Microsoft Certified Solutions Associate

  • SSL VPN Login failure issue

    Hello,
    I am having an issue with some users trying to login to our SSL VPN (Anyconnect) via ASA5505 8.2(1).  Authentication is done via AD.  From the same computer, the client finds the DNS name and unlocks the login username and password.  When I enter a username and password and click connect, it is instantly rejected with login failure with the following event log:
    Function: ConnectMgr::setPromptAttributes
    File: .\ConnectMgr.cpp
    Line: 2657
    Invoked Function: setPromptAttributes
    Return Code: -33554423 (0xFE000009)
    Description: GLOBAL_ERROR_UNEXPECTED
    Error text:
    Login failed.
    If I change the user account to another user (from the same PC), login works perfectly fine - this is only happening with 3 or 4 users - I have compared the user accounts of a failing account and a successful account and they are identical in AD. 
    This has been driving me crazy - as a workaround for the failing users, I just created a temporary account which works perfectly fine.  The request doesn't even seem to hit the ASA (there is nothing in the logs that shows a failed attempt).  Still troubleshooting and looking at certificates at this point.  Any help/suggestions would be greatly appreciated!!  Thanks.
    Regards.
    After a little more testing, seems somehow related to users being in too many groups in AD.
    Message was edited by: Rich Viola

    Hello,
    If the website is unavailable or, in this case, the website is missing several characters (charts, canvas, etc. or some other objects), it could usually be an issue with the rewrite engine.
    Solution (workaround):
    You may use smart tunnel for this website, so the rewrite engine will not override any content, and it will display the website as it should.
    You can implement it as follows:
    Add a Bookmark
    Bookmark for the service and clicking the Enable Smart Tunnel option in the Add or Edit Bookmark dialog box.
    For further information you can find it here:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/webvpn.html#wp1272236
    Let me know how it works out!
    Please don't forget to rate and mark as correct the helpful Post!
    David Castro,
    Regards,

  • How to get digital signature for Google Map geocoding V3 in PL/SQL?

    Hi, Gurus:
        Could anyone provide me an example about how to generate digital signature for Google Maps service v3 in PL/SQL? We tried to upgrade our program using Google maps service from v2 to v3. We are using PL/SQL on background to send request to Google for geocoding. We found some sample code to register with digital signature, but none of them is based on PL/SQL. Notice I used Google business client ID "gme-XXX" and wallet.
    https://developers.google.com/maps/documentation/business/webservices/auth#digital_signatures
    Google Maps API - more URL signing samples
    Here is my code for V2. I notice in order to get signature, I need to use HMAC-SHA1 algorithm.
    procedure Get_Geocoding(P_s_Address in varchar2, P_s_Geocoding out varchar2, P_n_accuracy out number, P_b_success out boolean) is
      l_address varchar2(4000);
      l_url varchar2(32000);
      l_response varchar2(3200);
      n_first_comma number;
      n_second_comma number;
      n_level_length number;
    BEGIN
      /* TODO implementation required */
      l_address:=APEX_UTIL.URL_ENCODE(P_s_Address);
      l_address := replace(l_address,' ','+');
      l_url := 'http://maps.google.com/maps/geo?q='||l_address||'&'||'output=csv'||'&'||'client=gme-XXX';
    l_response := utl_http.request(l_url, APEX_APPLICATION.G_PROXY_SERVER, '/u02/app/oracle/admin/apexsb/wallet', 'XXXXXXXX');
      n_level_length:=0;
      n_first_comma:=instr(l_response,',',1,1);
      n_second_comma:=instr(l_response,',',1,2);
      n_level_length:=n_second_comma-n_first_comma-1;
      P_n_accuracy:=0;
      if n_level_length>0 then
      P_n_accuracy:=to_number(substr(l_response,n_first_comma+1, n_level_length));
      end if;
      l_response:=substr(l_response,instr(l_response,',',1,2)+1);
      --dbms_output.put_line('In function: l_response ='||l_response);
      P_s_Geocoding:=l_response;
      if (P_s_Geocoding<>'0,0') then
      P_b_success:=true;
      --dbms_output.put_line('true');
      else
      P_b_success:=false;
      --dbms_output.put_line('false');
      end if;
    END;
    Thanks!

    Hi, guys:
        I tried to generate digital signature for Google map service
         Maps for Business: Generating Valid Signatures - YouTube
        Generating an HMAC-SHA-1 Signature Using Only PL/SQL
          OAuth and the PL/SQL | Data Warehouse in the Cloud
       but I got error message from Google:
    Unable to authenticate the request. Provided 'signature' is not valid for the provided client ID. Learn more: https://developers.google.com/maps/documentation/business/webservices/auth
       I think there is something wrong with my code to generate signature, as if I remove the part regarding client and signature, it will work, can anyone help me on this problem?
    /*Procedure Get_Geocoding is used to get geocoding with accuracy level for V3 business account, you can find Google map digital signature description from
    https://developers.google.com/maps/documentation/business/webservices/auth#digital_signatures
    if geocoding is 0,0, procedure returns false to indicate failure of get geocoding*/
    procedure Get_Geocoding2(P_s_Address in varchar2, P_s_Geocoding out varchar2, P_n_accuracy out number, P_b_success out boolean) is
      --private key for Google business account, this is provided by Google with client name.
      l_private_key_src varchar2(200):='xxxxxxxxxxxxxxxxxxx';
      l_private_key_b64_alter varchar2(200):= translate(l_private_key_src,'-_','+/');
      l_private_key_bin raw(2000);
      l_client_name varchar2(100):='gme-xxx';
      l_signature_mac raw(2000);
      l_signature_b64 varchar2(200);
      l_signature_b64_alter_back varchar2(200);
      l_Google_service_domain varchar2(200):='http://maps.googleapis.com';
      l_address varchar2(4000);
      l_url varchar2(32000);
      l_path varchar2(32000);
      l_response varchar2(32000);
      l_page UTL_HTTP.HTML_PIECES;
      n_actual_length number;
      json_obj json;
      json_tempobj json;
      jl_listOfValues json_list;
      json_geom_obj json;
      json_loc json;
      l_lat  VARCHAR2(40);
      l_lng  VARCHAR2(40);
      l_status VARCHAR2(255);
      json_accuracy json;
      --temp_string varchar2(10000);
      n_first_comma number;
      n_second_comma number;
      n_level_length number;
      BEGIN
    /* TODO implementation required */
    l_private_key_bin := utl_encode.base64_decode(UTL_I18N.string_to_raw(l_private_key_b64_alter, 'AL32UTF8'));
    l_address:=APEX_UTIL.URL_ENCODE(P_s_Address);
    --dbms_output.put_line(l_address);
    l_address := replace(l_address,' ','+');
    l_path := '/maps/api/geocode/json?address='||l_address||'&'||'sensor=true';
    dbms_output.put_line(l_path);
    l_signature_mac :=DBMS_CRYPTO.mac(UTL_I18N.string_to_raw(l_path, 'AL32UTF8'), DBMS_CRYPTO.hmac_sh1,l_private_key_bin);
    l_signature_b64:= UTL_RAW.cast_to_varchar2(UTL_ENCODE.base64_encode(l_signature_mac));
    l_signature_b64_alter_back:=translate(l_signature_b64,'+/','-_');
    dbms_output.put_line(l_signature_b64_alter_back);
    --get response from Google map service
    l_url:=l_Google_service_domain||l_path||'&client='||l_client_name||'&signature='||l_signature_b64_alter_back;
    --l_url:=l_Google_service_domain||l_path;
    dbms_output.put_line(l_url);
    l_page:=utl_http.request_pieces( l_url, 99999);
    for i in 1..l_page.count loop
    l_response:=l_response||l_page(i);
    end loop;
    n_actual_length:=length(l_response);
    dbms_output.put_line(n_actual_length);
    dbms_output.put_line(l_response);
    --parse JSON result
    json_obj:=new json(l_response);
    l_status := json_ext.get_string(json_obj, 'status');
    IF l_status = 'OK' then
    jl_listOfValues := json_list(json_obj.get('results'));
    json_tempobj := json(jl_listOfValues.get(1));
    json_geom_obj := json(json_tempobj.get(3));
    json_loc := json_ext.get_json(json_geom_obj, 'location');
    l_lat := to_char(json_ext.get_number(json_loc, 'lat'));
    l_lng := to_char(json_ext.get_number(json_loc, 'lng'));
    P_s_Geocoding:=l_lat||','||l_lng;
    dbms_output.put_line('##########'||P_s_Geocoding);
    case json_ext.get_string(json_geom_obj, 'location_type')
    when 'ROOFTOP' then P_n_accuracy:=9;
    when 'RANGE_INTERPOLATED' then P_n_accuracy:=7;
    when 'GEOMETRIC_CENTER' then P_n_accuracy:=5;
    else P_n_accuracy:=3;
    end case;
    P_b_success:=true;
    else
    P_b_success:=false;
    P_n_accuracy:=0;
    P_s_Geocoding:='0,0';
    end if;
      END;
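
An added example, not part of the original post and written in Python rather than PL/SQL: in Google's documented URL-signing scheme the HMAC-SHA1 is computed over the path and query including the client parameter, whereas the procedure above computes the MAC over l_path before '&client=' is appended. The key, client ID and address are constructed values, and verify() is only a model of the check the receiving side performs.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit

HOST = "http://maps.googleapis.com"          # service domain as used in the post
PATH = "/maps/api/geocode/json"

# Constructed demo key in URL-safe base64, standing in for the private key
# that is issued together with the client ID.
DEMO_KEY = base64.urlsafe_b64encode(b"constructed-demo-key-0001").decode("ascii")
DEMO_CLIENT = "gme-example"                  # placeholder client ID


def signature_for(path_and_query, key_b64url):
    """HMAC-SHA1 over the path and query, returned as URL-safe base64."""
    key = base64.urlsafe_b64decode(key_b64url)
    mac = hmac.new(key, path_and_query.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")


def build_signed_url(address, client, key_b64url):
    """Sign the path and query WITH the client parameter already in place."""
    query = urlencode({"address": address, "sensor": "true", "client": client})
    path_and_query = f"{PATH}?{query}"
    return f"{HOST}{path_and_query}&signature={signature_for(path_and_query, key_b64url)}"


def build_like_post(address, client, key_b64url):
    """Same order as the posted procedure: sign first, append client afterwards."""
    query = urlencode({"address": address, "sensor": "true"})
    path_and_query = f"{PATH}?{query}"
    sig = signature_for(path_and_query, key_b64url)
    return f"{HOST}{path_and_query}&client={client}&signature={sig}"


def verify(url, key_b64url):
    """Model of the receiving side: recompute the MAC over everything that
    precedes '&signature=' and compare in constant time."""
    parts = urlsplit(url)
    query, sep, sig = parts.query.rpartition("&signature=")
    if not sep:
        return False
    expected = signature_for(f"{parts.path}?{query}", key_b64url)
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    good = build_signed_url("1600 Amphitheatre Parkway", DEMO_CLIENT, DEMO_KEY)
    bad = build_like_post("1600 Amphitheatre Parkway", DEMO_CLIENT, DEMO_KEY)
    print(good, "->", verify(good, DEMO_KEY))
    print(bad, "->", verify(bad, DEMO_KEY))
```
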

  • After creating a contained database, getting a login failure error while trying to connect to it.

    After creating a contained database and a user with password under the same database, I tried connecting to the contained database. I entered the server name, login credentials and went to the connection properties tab to select the contained database using <browse server> option under "connect to database". Here I get the login failure error.
    TITLE: Browse Server for Database
    Failed to connect to server <servername>\<login>. (Microsoft.SqlServer.ConnectionInfo)
    But when I manually enter the Database name instead of selecting from the <browse server> option the connection gets through.
    Is this a Bug ? Has anyone else faced this error?

    Hello,
    Is this a Bug ? Has anyone else faced this error?
    It's not a bug, it's working as intended. Contained users don't have instance level permissions and cannot "login" to the instance (which is what the "browse" button is attempting). In order for it to work, the database name must be in the connection string (which with the browse button, it will not be).
    Welcome to contained users, they aren't for everyone.
    Sean Gallardy | Blog | Microsoft Certified Master

  • IDS signature tuning... interval questions.

    Just starting out trying to tune some signatures to fit our environment, and looking for clarification on some parameters of IDS signatures.
    For example: 2152 - ICMP flood
    It uses the "Flood Host" engine with the action parameters:
    Limit type: percentage (100)
    Rate: 25
    Event count: 1
    Event count key: victim address
    Specify interval: No
    Summary mode: Fire all
    Threshold: 10000
    Interval: 30
    Global threshold: 20000
    Summary key: victim address
    Can someone translate into English?
    I'm guessing 25 packets/sec of ICMP traffic to the same destination would trigger the "event". And the 100% limit means...? 25 in a row?
    And the summaries?
    At least the "flood host" has a clear interval, but many of the scans do not. For example, 3002 or 3030 - TCP SYN port sweep. This specifies a number of "unique" packets with the same key (attacker address, or attacker and victim, or other combination) but does not specify the interval. Is this also per-second? The documentation simply says "The unique parameter triggers the alert when more than the unique number of ports or hosts is seen on the address set within the time period."
    What is the "time period" and where is it set? For these alerts (as well as the previous) the "Specify Alert Interval" is set to "No".

    I can't claim to understand some of the "scan" signatures either...most of ours are disabled.
    The limit type and percentage would only seem applicable if you're using the "request rate limit" action in inline mode. I don't think they have anything to do with alarming.
    For this particular signature I believe the most relevant variable is rate, which you already seem to understand.
    The alert frequency settings allow you to change the summary mode from "fire all" to "summarize" or "global summarize" based on the number of alerts being generated. This probably has other uses, but the one that immediately comes to mind is to prevent the monitoring system from being overloaded with spurious alarms.
    As far as 3030 - TCP SYN port sweep...I don't understand it either. Do a search for it on the forums, there have been other questions.

  • SQL Server 2012 syspolicy_purge_history job causes cross-instance login failures w. EraseSystemHealthPhantomRecords

    I have unique service accounts set up for multiple instances on the same SQL Server 2012.
    When step 3 of the inbuilt syspolicy_purge_history job(Erase Phantom System Health Records) runs, it appears to attempt to run against every instance on the server despite being passed the instance path!
    The SQLServer's powershell script call:
    if ('$(ESCAPE_SQUOTE(INST))' -eq 'MSSQLSERVER') {$a = '\DEFAULT'} ELSE {$a = ''};
    (Get-Item SQLSERVER:\SQLPolicy\$(ESCAPE_NONE(SRVR))$a).EraseSystemHealthPhantomRecords()
    so with instances SERVER\X this runs as...
    (Get-Item SQLSERVER:\SQLPolicy\SERVER\X).EraseSystemHealthPhantomRecords()
    SERVER\X's job will run and I will see login failures in the error logs of SERVER\Y and SERVER\Z for the service account set up for instance X.
    It seems Microsoft's only 'accepted solution' to this problem is for me to compromise my security by escalating the access of these service accounts?
    Has anyone else run into and corrected this failure?

    Hi Atombath,
    When you install multiple instances on one server, the SQL Server’s PowerShell scripts are the same in the inbuilt syspolicy_purge_history job steps. However, when you start PowerShell by right clicking the syspolicy_purge_history job, you will find it will point to their own instance. I did a test on my SQL Server 2012, and it does not go across instances to collect the error logs. So I recommend you use its original PowerShell scripts for the syspolicy_purge_history job.
    Sometimes, if you run the syspolicy_purge_history job on a clustered instance, the syspolicy_purge_history SQL Server Agent job may fail due to using the computer node name instead of the virtual server name. For more information, see:
    http://support.microsoft.com/kb/955726/en-us
    In addition, you can use a different service account for your multiple SQL Server instances on the same server. And make sure the accounts that you created get added to the sysadmin fixed server role, the accounts are also set in the three Agent roles (SqlAgentUserRole, SqlAgentReaderRole, and SqlAgentOperatorRole).
    Regards,
    Sofiya Li
    TechNet Community Support

  • Historical Reporting Client Login Failure - UCCX 7.0(1)

    We're experiencing intermittent login failures with the Historical Reporting Client, extract from the log file below:
    1: 28/04/2010 11:58:25 %CHC-LOG_SUBFAC-3-UNK: Error # 35761 ,Description= Request timed out ,LastDllError= 0
    2: 28/04/2010 11:58:25 %CHC-LOG_SUBFAC-3-UNK:Authentication response was NOT received from (http://<ip address>/histRepWebSrvrComp/histRepClientsServlet)
    3: 28/04/2010 11:58:25 %CHC-LOG_SUBFAC-3-UNK:Login Error | Invalid server name or IP address. Check the server name or IP address and login again.
    4: 28/04/2010 11:58:30 %CHC-LOG_SUBFAC-3-UNK:Authentication response was NOT received from (http://ip address/histRepWebSrvrComp/histRepClientsServlet)
    5: 28/04/2010 11:58:30 %CHC-LOG_SUBFAC-3-UNK:Login Error | Invalid server name or IP address. Check the server name or IP address and login again.
    6: 28/04/2010 11:58:30 %CHC-LOG_SUBFAC-3-UNK:Connection to web server failed due to: 12017 : Operation cancelled
    7: 28/04/2010 11:59:05 %CHC-LOG_SUBFAC-3-UNK:Connection to web server failed due to: 12017 : Operation cancelled
    8: 28/04/2010 11:59:05 %CHC-LOG_SUBFAC-3-UNK:Failed to load authentication response due to empty XML buffer from authentication servlet)
    9: 28/04/2010 11:59:05 %CHC-LOG_SUBFAC-3-UNK:Login Error | Invalid server name or IP address. Check the server name or IP address and login again.
    Does anyone know why this may be happening as it's driving the customer mad. User can usually login after a few attempts.
    The authentication timeout is set to 15 seconds, surely this is more than enough time or should we increase the timer?
    Any advice much appreciated.

    Hi Robert
    Thanks for the response and all very good suggestions which should help Chris narrow down his particular issue.
    It's been about a year since we last looked at this so I'd quite forgotten most of the diagnostics we'd done however we did go through most of the same diagnostics ourselves but the resolution was hampered due to the fact we support the telephony/WAN and another third party supports the desktops and LAN infrastructure so after months of to and fro with the customer and their third party (and many, many man hours) we eventually left the risk with the customer and investigations never progressed any further.
    1.) Upgrade to UCCX 7.0SR5.  This is a very stable release of code with few open bugs or caveats against it.
                - Agreed. We also ran into other bugs which required an upgrade.
    2.) Verify that the active NIC is indeed at the top of the bindings order.  Just having it active isn't enough, there needs to be the further test of moving to the top of the bindings order.
                - We did check this.
    3.) Verify that the hosts file on the UCCX server(s) has the external IP and hostname of the server in it.
                - Did this too.
    4.) Check the remote locations to verify that the network is correctly configured, there are no line errors on the WAN circuits, no misconfiguration on the switch/router ports and that QOS is in place across the network.
                - This part of the investigation stalled due to another 3rd party supporting the onsite network however no WAN issues were found.
    5.) Try to take a test system that is on the same network as the one having HRC errors.  See if it's seeing the issues.  If not, progressively move out to other offices/locations until you replicate the issue and then see what has changed.  Something there should hopefully point to the cause of the error.
                - We did this also, using my laptop I connected from various locations and even when using the same network connection as the end user had no problems, we did note the successful connection attempts used a slightly different network route/DNS/WINS however again got nowhere with the third party supporting this aspect of the network.
    6.) Finally, you may want to consider creating external data warehouse servers so that your UCCX servers aren't serving up the HRC data.
                - Not an option for this customer, again this aspect of the service is a different third party on their own network and customer not willing to pay for additional servers for the telephony estate to provide this functionality when they only have a few CCX users.
    Regards
    June

  • How to see / limit consecutive login failures?

    Hi, our server is running 10.4.7 server.
    In terms of hardening the machine against attacks, is there by default a limit to the number of failed logins that occur before an account is locked in some way?
    If not, is there a way to turn ON that security feature?
    Where are login failures logged?
    Thanks!

    Yes, you can set a limit to login failures. The following assumes that you are using Open Directory and that your users are authenticating against the server's Open Directory database.
    For global policies =
    Open Server Admin > for the proper server select Open Directory > select Policy > select Passwords > adjust settings
    For a single user = this will override global policies listed above
    Open Workgroup Manager > browse users > select the account you wish to manage > Select the Advanced user settings > select Options > dialog box gives ability to limit access in a variety of ways.
    Authentication is logged =
    Server Admin > Open Directory > Logs > Password service server log

  • Add on XL reporter : Wrong executable digital signature for Add on

    Hi Experts,
    I have a client who gets this error 'Add on XL reporter : Wrong executable digital signature for Add on' when they try to login. They are on 2007A PL45. This happens on the server as well as on clients. Uninstall and reinstall of client didn't work.  We had a look at the AddonLocalRegistration folder to see if XL reporter is registered but can't see any.
    I have found a similar link in the forum but that says about 2005b.
    Any help will be appreciated.
    regards
    Johnson

    Sir,
    Please do the following steps :
    1. Please go to the SBO-COMMON database, find table SARI, you will get
    the data entry for your Addon. Please check the value of field
    "AddOnChk". This is the digital signature of Addon executable file.
    2. Then go to installer package of the Addon, open the ard file
    (XLReporter.ard) with notepad then check the value of "addonsig".
    3. Compare these two values, if they are different, please overwrite
    "AddOnChk" field in database with the value of "addonsig" in ard file.
    and then try to start the addon again.
    4. If they are the same, the ard file or the executable file has been
    corrupted. I would like to suggest you remove the installer package
    from your machine, and download a fresh installer of Addon from SAP
    Service Marketplace. After that, please follow the steps as per the
    attached note ( Note no. 819501 ) to make your machine clean and
    then install the addon again.
    Regards,
    AVTAR SINGH

  • IDS Signature Attacks - OVERLOAD

    Guys,
    I know that this has been talked about many times, but wanted to ask a couple of points.
    Question 1. On the WCS, on some days we are receiving up to 70+ critical alarms for signature attacks. These are all Deauth, Auth Flood attacks. (There are a couple of Assoc floods).
    Pls see similar post on open forum
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0798a
    Now, in the signature file we have the following profiles set. (Pls note Deauth flood and Assoc Flood, BUT NO AUTH FLOOD)
    Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0:0x00C0:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood", Track=signature_n_mac, MacFreq=30
    Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0:0x0000:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Association Request flood", Track=signature_n_mac, MacFreq=30
    Can you guys or Cisco TAC advise us on if we need to change these values and are there any rules? And where is the signature pattern for an "Auth flood"? Don't see it in the file?
    Question 2. The WCS only appears to report these critical signature alarms (and other alarms) for the last 7 days. I have tried to read through the WCS documentation and cannot find what happens to the alarms after 7 days and if this 7 day period is configurable?
    Once again, Many thx guys for all the help,
    Ken ( all IDS'd out )

    I hadn't noticed before that the AUTH FLOOD has no corresponding IDS signature file entry - bizarre!
    Attempts to get TAC to come up with any recommended changes for the signature file (at least in my experience going all the way to 3rd level TAC) resulted in an awkward silence the other end of the line. I hope that your experience is better.
    Each version of WLC software appears to fix some false alarms, but sometimes generates new ones. It is unclear if this is due to differing values in the signature file or (more likely) due to new code anomalies.
    If you do run across better documentation on the Wireless IDS signature file, please feed it back into the forum.
    As regular forum readers can attest, the Wireless IDS system false alarms, lack of explanation of the threat posture of these alarms, as well as the lack of documentation for tuning the signature file values without completely disabling the alarms, have been a sore spot with me.
    I would even submit that it would be more helpful if Cisco would add a mechanism that would automatically forward these WIDS alarms (on a voluntary basis) back to Cisco. This would help Cisco developers to get a better idea of the numerous false positives we are seeing out here in the field and enable them to provide a better-tuned signature file in the first place!
    You may find the following post of interest:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc08c87
    As far as question 2 goes, when I tested this on our WCS 5.0, I am showing critical level security "WPA MIC" errors that go back to 5/19/08 (almost a month old).
    Please remember to rate helpful posts.
    John
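    An added example (not from either post and not Cisco code) that parses the two signature entries quoted above, decodes which 802.11 management subtype each one matches, and reports which wanted subtypes have no entry. It assumes the last two `Pattern` fields are a value and mask over the first frame-control octet; the `wanted` list and all function names are illustrative.

```python
import re

# The two entries quoted in the post above, verbatim.
SIGNATURE_FILE = '''\
Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0:0x00C0:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood", Track=signature_n_mac, MacFreq=30
Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0:0x0000:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Association Request flood", Track=signature_n_mac, MacFreq=30
'''

# IEEE 802.11 management-frame subtypes (frame-control bits 4-7).
MGMT_SUBTYPES = {
    0: "association request",
    4: "probe request",
    10: "disassociation",
    11: "authentication",
    12: "deauthentication",
}

# key = value pairs; a value is either "quoted text" or runs to the next comma.
FIELD = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,]+)')


def parse_entry(line):
    """Split one 'Key = value, ...' signature line into a dict of strings."""
    return {k: v.strip().strip('"') for k, v in FIELD.findall(line)}


def decode_pattern(pattern):
    """Return (frame type, subtype) for a Pattern string.

    ASSUMPTION: the last two fields are value and mask, applied to the
    first frame-control octet (version bits 0-1, type 2-3, subtype 4-7).
    """
    value, mask = (int(x, 16) for x in pattern.split(":")[-2:])
    fc = value & mask
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF


def coverage(text, wanted=(0, 11, 12)):
    """Map covered mgmt subtypes to signature names; list wanted ones missing."""
    covered = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        entry = parse_entry(line)
        if entry.get("FrmType") != "mgmt":
            continue
        ftype, subtype = decode_pattern(entry["Pattern"])
        if ftype == 0:  # management frame
            name = MGMT_SUBTYPES.get(subtype, f"subtype {subtype}")
            covered[name] = entry["Name"]
    missing = [MGMT_SUBTYPES[s] for s in wanted if MGMT_SUBTYPES[s] not in covered]
    return covered, missing
```

    Run over a full signature file, `coverage()` gives a quick inventory of which management subtypes the file watches, which is the comparison the posts above make by eye.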

  • SP15 in Java engine failed, "Login Failure: all modules ignored"

    Hi
    The installation of SP15 (with JSPM) failed; the SDM log shows:
    ERROR: Cannot connect to Host: [hostname] with user name: [J2EE_ADMIN]
    My instance was down so I started it, but now there is an error: when I try to log on to User Management it gives me the error: "Login Failure: all modules ignored".
    I checked the logs for the server and found the following:
    #1.5^H#0000000000000067000000250000596D00045A79FA4B224F#1225379843613#com.sap.engine.services.security.resource.ResourceHandleImpl#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.resource.ResourceHandleImpl#J2EE_GUEST#0##n/a##da7065c0a69511ddb438000000000000#SAPEngine_Application_Thread[impl:3]_15##0#0#Error#1#/System/Security/Audit/J2EE#Java###ACCESS.ERROR: Authorization check for caller assignment to J2EE resource [ : : : ].#4#SAP-J2EE-Engine#session-pool#get_session_pool#ALL#
    #1.5^H#0000000000000067000000260000596D00045A79FA4B32AC#1225379843613#com.sap.engine.services.security.authentication.logincontext#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0##n/a##da7065c0a69511ddb438000000000000#SAPEngine_Application_Thread[impl:3]_15##0#0#Error##Java###Caller not authorized.
    [EXCEPTION]
    #1#com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
            at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:627)
            at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:513)
            at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
            at com.sap.engine.services.security.restriction.Restrictions.checkPermission(Restrictions.java:119)
            at com.sap.engine.services.security.server.AuthenticationContextImpl.getSessionPool(AuthenticationContextImpl.java:395)
            at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContextFactory(AuthenticationContextImpl.java:740)
            at com.sap.engine.services.security.server.AuthenticationContextImpl.getLoginContext(AuthenticationContextImpl.java:254)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:324)
            at com.sap.engine.system.SystemLoginModule.initialize(SystemLoginModule.java:72)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:324)
            at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
            at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
            at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
            at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.forceLoggedInUser(SAPJ2EEAuthenticator.java:231)
            at com.sap.security.core.admin.ServletAccessToLogic.getActiveUser(ServletAccessToLogic.java:141)
            at com.sap.security.core.admin.UserAdminLogic.executeRequest(UserAdminLogic.java:438)
            at com.sap.security.core.admin.UserAdminServlet.doPost(UserAdminServlet.java:26)
            at com.sap.security.core.admin.UserAdminServlet.doGet(UserAdminServlet.java:19)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
            at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
            at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
            at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
            at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
            at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
            at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
            at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
            at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
            at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
            at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
            at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
            at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    I found the SAP Note 971249 but I'm not sure it applies and even I can log on into Visual administrator.
    Log for the Visual Administrator
    <!LOGHEADER[START]/>
    <!HELP[Manual modification of the header may cause parsing problem!]/>
    <!LOGGINGVERSION[1.5.3.7185 - 630]/>
    <!NAME[/usr/sap/SID/DVEBMGS00/j2ee/admin/log/./traces/visual_administration.trc]/>
    <!PATTERN[visual_administration.trc]/>
    <!FORMATTER[com.sap.tc.logging.ListFormatter]/>
    <!ENCODING[UTF8]/>
    <!FILESET[0, 5, 10000000]/>
    <!PREVIOUSFILE[visual_administration.4.trc]/>
    <!NEXTFILE[visual_administration.1.trc]/>
    <!LOGHEADER[END]/>
    #1.5^H#C000AC11873E00000000000100CEC78D00045A541BE7A040#1225217198758#com.sap.engine.services.adminadapter.gui.tasks.LoginTask##com.sap.engine.services.adminadapter.gui.tasks.LoginTask#######Thread[Thread-1,5,main]##0#0#Error#1#/System/Server/VisualAdministrationTool#Java###Error while trying to login to host: null
    [EXCEPTION]
    #1#java.lang.NullPointerException
            at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImpl.login(RemoteLoginContextHelperImpl.java:72)
            at com.sap.engine.services.security.remoteimpl.login.RemoteLoginContextHelperImplp4_Skel.dispatch(RemoteLoginContextHelperImplp4_Skel.java:64)
            at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:319)
            at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:200)
            at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:136)
            at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
            at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
            at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
            at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Thank you very much for your help.
    Best Regards

    hi
    we had the same issue some time back when we upgraded to SP15; we opened an OSS message and SAP had to come and fix the issue.
    There were some inconsistencies in the Config DB settings, and they made quite a few changes in security/configurations/ticket (config tool).
    Also, one Java parameter was wrong (config tool - server config):
    -Djava.security.policy=/java.policy; it should be
    -Djava.security.policy=./java.policy (the DOT was missing)
    thank you
    Jonu Joy
