Note: A product listed in this article has either reached hardware End of Life (EOL) or software End of Engineering (EOE). Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
This article describes the warning message "Reason code (6) - This attack is not supported by the current detector on the device. A detector update may be required", which is generated when a policy is updated on ISG-IDP and stand-alone IDP devices.
When a policy is pushed to a device, NSM displays a warning that specific attacks/groups cannot be updated to the device.
This issue occurs because none of the IDP or ISG-IDP detectors supports all the attack objects.
When a policy is pushed from NSM to an ISG with IDP modules or to a stand-alone IDP device, NSM issues a warning stating that some attacks/groups cannot be updated to the device. The policy is successfully updated to the device, but the warning message is misleading. The warning message is similar to the following message:
The following attacks/groups can not be updated (see "Reason Code" column below):
IDP Attack/Group Name                    Attack Type         In Rules           Reason Code
                                                             (I=Idp,E=Exempt)
-------------------------------------------------------------------------------------------
SIP: Ethereal SIP Decoder Exploit        predef signature    I-1                6
DNS: Non-RFC1035 Type Used               predef signature    I-1                6
WORM: Microsoft ASN.1 Worm (KillBill)    predef signature    I-1                6
Reason Codes:
(6) This attack is not supported by the current detector on the device. A detector update may be required.
None of the IDP or ISG-IDP detectors supports all of the attack objects. Typically, when a new detector with new capabilities (new context, new protocol, and so on) is released, new attack objects are created, which replace the old ones. NSM has both the old attack signatures, which are applicable only to older versions of the detector, and the new attack objects. If a signature is obsolete and not applicable to the current version of the detector, the signature will not be pushed. Similarly, if a signature is applicable only to a higher version of the detector, it will not be pushed to devices that are running lower versions of the detector.
For example, the SIP: Ethereal SIP Decoder Exploit signature in the above message is applicable only to older 3.0 detector versions. Edit the signature to find the supported platforms (detector version) for a signature. As this signature is applicable only to 3.0 detector versions, it will not be pushed to devices that are running higher versions. Similarly, if a signature is applicable only to higher versions of the detector (signatures applicable to IDP 5.1 devices), it cannot be pushed to IDP 5.0 devices that are running a different detector version.
Note: The detector engines are different for ISG-IDP and stand-alone IDP devices. For ISG-IDP, the detector engine that is supported on ScreenOS 6.2 / ScreenOS 6.3 is different from the one supported on ScreenOS 6.1. Similarly, for stand-alone IDP devices, the detector engine is different for IDP 5.0 and IDP 5.1 devices.
The following table lists the supported detector versions for different operating systems:
Operating system | Supported detector version
ScreenOS 6.3 | 3.5.xxxxx
ScreenOS 6.2 | 3.4.xxxxx
IDP 5.1 | 5.1.xxxxx
IDP 5.0 | 5.0.xxxxx
Only the signatures that are applicable to the specific detector version can be pushed to the device.
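As an added example (not part of the original article and not Juniper tooling), the following Python script parses a warning of the form shown above and groups the skipped attack objects by reason code, so the rules that reference them can be reviewed. The sample text is constructed from the rows quoted in this article; reading an In Rules value such as "I-1" as rulebase letter plus rule number is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample: the warning text quoted in this article.
SAMPLE = """\
The following attacks/groups can not be updated (see "Reason Code" column below):
IDP Attack/Group Name Attack Type In Rules Reason Code
(I=Idp,E=Exempt)
------------------------------------------------------------
SIP: Ethereal SIP Decoder Exploit predef signature I-1 6
DNS: Non-RFC1035 Type Used predef signature I-1 6
WORM: Microsoft ASN.1 Worm (KillBill) predef signature I-1 6
Reason Codes:
(6) This attack is not supported by the current detector on the device. A detector update may be required.
"""

# A data row ends with "<In Rules> <Reason Code>"; "I-1" = rulebase + rule number (assumed).
ROW = re.compile(r"^(?P<obj>.+?)\s+(?P<base>[IE])-(?P<num>\d+)\s+(?P<code>\d+)$")
LEGEND = re.compile(r"^\((?P<code>\d+)\)\s+(?P<text>.+)$")
KNOWN_TYPES = ("predef signature",)      # the only attack type shown in the article
RULEBASE = {"I": "Idp", "E": "Exempt"}   # from the "(I=Idp,E=Exempt)" header line


def parse_warning(text):
    """Return (rows, legend): skipped attack objects and reason-code descriptions."""
    rows, legend, in_legend = [], {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Reason Codes:"):
            in_legend = True
        elif in_legend:
            if (m := LEGEND.match(line)):
                legend[int(m["code"])] = m["text"]
        elif (m := ROW.match(line)):
            name, atype = m["obj"], None   # unknown types stay attached to the name
            for t in KNOWN_TYPES:
                if name.endswith(t):
                    name, atype = name[: -len(t)].rstrip(), t
            rows.append({"name": name, "type": atype, "code": int(m["code"]),
                         "rulebase": RULEBASE[m["base"]], "rule": int(m["num"])})
    return rows, legend


def skipped_by_reason(text):
    """Group skipped objects by reason code, attaching the legend text."""
    rows, legend = parse_warning(text)
    out = {}
    for r in rows:
        entry = out.setdefault(r["code"], {"reason": legend.get(r["code"], "not in legend"), "objects": []})
        entry["objects"].append(r)
    return out
```

Calling `skipped_by_reason(SAMPLE)` returns one entry for reason code 6 holding the three skipped signatures; the title, column header and separator lines are ignored because they do not end in an In Rules value followed by a reason code.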
2020-10-18: Tagged article for EOL/EOE.