FILE NAME: hp-vt-1.1.0-2.sles8.linux.rpm
TITLE: HP Virus Throttle for SUSE Linux Enterprise Server 8 SP4 [x86/AMD64]
VERSION: 1.1.0
LANGUAGE: English
CATEGORY: Software Solutions
DIVISIONS: Enterprise and Mainstream Servers
PRODUCTS AFFECTED:
  HP NC150T 4-Port Gigabit Combo Switch Adapter
  HP NC310F PCI-X Gigabit Server Adapter
  HP NC320x Gigabit Server Adapter
  HP NC324i Integrated Dual Port PCI Express Gigabit Server Adapter
  HP NC325i Integrated Dual Port PCI Express Gigabit Server Adapter
  HP NC1020 Gigabit Server Adapter
  HP NC3123 Fast Ethernet Adapter
  HP NC3133 Fast Ethernet Adapter
  HP NC3134 Fast Ethernet Adapter
  HP NC3135 Fast Ethernet Adapter
  HP NC3163 Fast Ethernet Adapter
  HP NC6132 Gigabit Server Adapter
  HP NC6133 Gigabit Server Adapter
  HP NC6136 Gigabit Server Adapter
  HP NC6170 Gigabit Server Adapter
  HP NC6770 Gigabit Server Adapter
  HP NC7131 Gigabit Server Adapter
  HP NC7132 Gigabit Server Adapter
  HP NC7150 Gigabit Server Adapter
  HP NC7170 Gigabit Server Adapter
  HP NC7760 Gigabit Server Adapter
  HP NC7761 Gigabit Server Adapter
  HP NC7770 Gigabit Server Adapter
  HP NC7771 Gigabit Server Adapter
  HP NC7780 Gigabit Server Adapter
  HP NC7781 Gigabit Server Adapter
  HP NC7782 Gigabit Server Adapter
OPERATING SYSTEM: SUSE Linux Enterprise Server 8 SP4 [x86/AMD64]
PREREQUISITES: The HP ProLiant Essentials License Management Package (hp-pel) must be installed before installing the HP Virus Throttle for SUSE Linux Enterprise Server 8 SP4 [x86/AMD64].
EFFECTIVE DATE: February 10, 2006
SUPERSEDES: 1.0.0-9
DESCRIPTION: This RPM (RPM Package Manager) package contains the HP Virus Throttle for SUSE Linux Enterprise Server 8 SP4 [x86/AMD64].
ENHANCEMENTS/FIXES:
  Added a simulation_mode option to hp-vt.conf, allowing the configuration to be tuned without actually throttling traffic.
HOW TO USE:
  1. Download hp-vt-1.1.0-2.sles8.linux.rpm and hp-vt-1.1.0-2.sles8.linux.txt to a directory on your hard drive and change to that directory.
  2. Refer to the hp-vt-1.1.0-2.sles8.linux.txt file for installation instructions.
  3. After the RPM is installed, you may delete the previously downloaded RPM file.
  4. Refer to the /opt/hp/hp-vt/README text file for additional information after installing the RPM.

Copyright 2005-2006 Hewlett-Packard Development Company, L.P.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

==================================README==================================

HP Linux Virus Throttle

Table of Contents
=================
Introduction
Known Issues
Installation
Configuration
Startup
Status
Log and Event File
Troubleshooting
Removal
Licensing

Introduction
################################################################################
Viruses typically spread by connecting to as many different machines as possible. The HP Linux Virus Throttle (LVT) is a network packet-filtering feature that helps slow down the spread of viruses from your system. HP LVT monitors all outbound connection requests and counts how many distinct hosts they are addressed to. It detects abnormal (virus-like) behavior in the requests and slows down excessive connection requests to new hosts until you can determine whether they are viral in nature and take action.

When HP LVT is installed and started, the iptable_filter and ip_queue modules are loaded and an iptables QUEUE target is created so that every outbound connection request passes through HP LVT. The driver maintains a delay queue of connection requests and a working set of known hosts, that is, hosts to which connections have already been established.

HP LVT examines all outbound traffic for connection requests. When one is seen, it checks whether the destination is a known host:
- If the host is known, the request is passed down the protocol stack as a normal request.
- If the host is not known, the request is added to the delay queue.

Periodically, the delay queue is examined; the oldest request, together with all other queued requests to that same host, is removed and passed down the protocol stack. Because requests are released one host per period regardless of how fast they arrive, a process that fans out to many new hosts is slowed to that release rate while ordinary traffic to already-known hosts is unaffected.

A high water mark and a low water mark are maintained for the delay queue and are used to decide when "virus-like" behavior starts and stops:
- When the rate of connection requests exceeds the rate at which HP LVT removes them from the delay queue, the queue grows past the high water mark and the driver indicates "virus-like" activity.
- When the rate of connection requests slows so that the number of queued entries falls below the low water mark, the driver indicates that the "virus-like" activity has stopped.

The delay queue has a fixed size. If it fills, further connection requests to unknown hosts are dropped (see the "packets dropped due to queue overflow" statistic under Status and the DROPPING_CONNECTIONS log tag), so under sustained fan-out the throttle moves from delaying connections to blocking them.

When "virus-like" activity is detected or stops, HP LVT logs an event (see Log and Event File later in this document). If the HP Management agents are installed, a Simple Network Management Protocol (SNMP) trap may also be sent (see the HP Management agent documentation for details on sending traps).

Known Issues
################################################################################
None. See the Troubleshooting section for resolving common problems.

Installation
################################################################################
Run the following command to install the HP Virus Throttle package:

    rpm -Uvh hp-vt-x.x.x-x.distribution.linux.rpm

where "x.x.x-x" is the version of HP LVT and "distribution" is the distribution identifier.

To enable HP LVT, an Intelligent Networking Pack License - Linux Edition must be installed on the system. This requires the ProLiant Essentials Intelligent Networking Pack (PEINP) License Manager from the Network Controller Drivers for Ethernet (NCDE), release 8.10 or later. An HP LVT license is provided with each PEINP CD.
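The delay-queue mechanism described in the Introduction above, modelled as an added example. This is illustrative code, not HP's driver: the parameter names, their default values, the "one tick per release" timing and the meaning given to simulation mode (identical accounting and alerts, nothing held back) are assumptions, and the two workloads are constructed. It shows why a server chatting with a few peers is never delayed while a 50-host fan-out trips the high water mark, and that simulation mode reports the same counters and alerts as the real throttle while delivering every packet immediately.

```python
"""Toy model of the HP LVT delay-queue throttle (added example, not HP code).

Parameter names, defaults and the semantics of simulation_mode are
assumptions for illustration; they are not the hp-vt.conf option names.
"""
from collections import OrderedDict, deque


class VirusThrottle:
    def __init__(self, queue_size=100, working_set_size=5,
                 high_water=10, low_water=2, simulation_mode=False):
        self.queue_size = queue_size              # "delay queue size"
        self.working_set_size = working_set_size  # "known host working set size"
        self.high_water = high_water              # "delay queue high water mark"
        self.low_water = low_water                # "delay queue low water mark"
        # Assumed meaning of simulation mode: same accounting and alerts,
        # but no request is ever held back.
        self.simulation_mode = simulation_mode
        self.known = OrderedDict()   # LRU working set of known hosts
        self.queue = deque()         # delay queue of (host, packet), oldest first
        self.vla_active = False
        self.events = []             # ALERT_VLA_DETECTED / ALERT_VLA_STOPPED in order
        self.stats = {"seen": 0, "passed": 0, "queued": 0, "removed": 0,
                      "dropped": 0, "vla_detected": 0, "max_queue": 0}

    def _mark_known(self, host):
        """Insert or refresh a host in the LRU working set, evicting the stalest."""
        self.known[host] = True
        self.known.move_to_end(host)
        if len(self.known) > self.working_set_size:
            self.known.popitem(last=False)

    def request(self, host, packet):
        """Outbound connection request. Returns packets passed down the stack now."""
        self.stats["seen"] += 1
        if host in self.known:
            self._mark_known(host)
            self.stats["passed"] += 1
            return [packet]
        if len(self.queue) >= self.queue_size:
            self.stats["dropped"] += 1       # "packets dropped due to queue overflow"
            return []
        self.queue.append((host, packet))
        self.stats["queued"] += 1
        self.stats["max_queue"] = max(self.stats["max_queue"], len(self.queue))
        if not self.vla_active and len(self.queue) > self.high_water:
            self.vla_active = True
            self.stats["vla_detected"] += 1
            self.events.append("ALERT_VLA_DETECTED")
        return [packet] if self.simulation_mode else []

    def tick(self):
        """One "delay queue seconds" period: release the oldest request plus every
        other queued request to the same host, then make that host known."""
        if not self.queue:
            return []
        host = self.queue[0][0]
        released = [p for h, p in self.queue if h == host]
        self.queue = deque(e for e in self.queue if e[0] != host)
        self.stats["removed"] += len(released)
        self._mark_known(host)
        if self.vla_active and len(self.queue) < self.low_water:
            self.vla_active = False
            self.events.append("ALERT_VLA_STOPPED")
        return [] if self.simulation_mode else released  # sim mode passed them already

    def status(self):
        """The three phrases reported by '/etc/init.d/hp-vt status'."""
        if self.vla_active:
            return "virus-like activity is currently occurring"
        if self.stats["vla_detected"]:
            return "virus-like activity has occurred in the past"
        return "virus-like activity has not occurred"


def normal_traffic(t):
    """Constructed workload: a server talking to three peers repeatedly,
    one tick per request. Returns the number of packets delivered."""
    delivered = 0
    for i in range(30):
        delivered += len(t.request("10.0.0.%d" % (i % 3 + 1), i))
        delivered += len(t.tick())
    return delivered


def scan_traffic(t):
    """Constructed worm-like fan-out: 50 distinct hosts, five requests per tick."""
    delivered = 0
    for i in range(50):
        delivered += len(t.request("192.168.1.%d" % (i + 1), i))
        if i % 5 == 4:
            delivered += len(t.tick())
    return delivered


def drain(t):
    """Keep ticking until the delay queue is empty; returns packets released."""
    delivered = 0
    while t.queue:
        delivered += len(t.tick())
    return delivered


if __name__ == "__main__":
    t = VirusThrottle()
    print("normal:", normal_traffic(t), t.status(), t.stats)
    s = VirusThrottle()
    print("scan:  ", scan_traffic(s), s.status(), s.stats)
    print("drain: ", drain(s), s.status(), s.events)
```

With the defaults above, the normal workload queues only the first request to each of the three peers and passes the other 27 untouched, while the scan delivers 10 of 50 requests during the burst, raises ALERT_VLA_DETECTED when the queue passes 10 entries, and only reports ALERT_VLA_STOPPED once the backlog drains below the low water mark. The same scan in simulation mode delivers all 50 immediately but produces identical counters and alerts, which is what makes tuning without throttling possible.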
For information on how to purchase a license, go to:
http://www.hp.com/cgi-bin/sbso/exit.cgi?goto=product/security/computing/proliantessentials

When you have the license, add the license key by running:

    /opt/hp/hp-pel/nalicense -a license_string

For the latest driver, firmware, and documentation updates, go to http://www.hp.com/servers/networking

Configuration
################################################################################
The HP LVT configuration file is a text file located at /etc/opt/hp/hp-vt/hp-vt.conf. Each configurable item is documented in the hp-vt.conf file, which can be edited with any text editor. Changes take effect only after HP LVT is restarted (see Startup).

Startup
################################################################################
HP LVT requires the iptable_filter and ip_queue modules. If either is not available, an error message with specific details is printed when HP LVT is started.

Only one application may register for the iptables QUEUE target at a time. If another application has already registered for the QUEUE target, an error message with specific details is logged.

Although HP LVT is configured to start at system boot, you can start it immediately after installation without rebooting:

    /etc/init.d/hp-vt start

Any errors during startup are sent to the screen; errors such as out-of-range configuration parameters are also recorded in hp-vt.log (see Log and Event File).

If changes are made to the hp-vt.conf configuration file, HP LVT must be restarted to recognize them:

    /etc/init.d/hp-vt restart

HP LVT can be stopped manually with:

    /etc/init.d/hp-vt stop

HP LVT can be conditionally restarted (restarted only if it is currently running) using either of the following commands:

    /etc/init.d/hp-vt try-restart
    /etc/init.d/hp-vt force-reload

Status
################################################################################
The status of HP LVT can be obtained by running:

    /etc/init.d/hp-vt status

If HP LVT is running, the following information is reported, relative to the last time HP LVT was started.

The virus-like activity status is reported as one of:

  virus-like activity has not occurred
      No "virus-like" activity is currently detected and none has been detected since startup.
  virus-like activity is currently occurring
      "Virus-like" activity is currently detected.
  virus-like activity has occurred in the past
      No "virus-like" activity is currently detected, but "virus-like" activity has been detected since startup.

The following statistics are reported:

  connection establishing packets
      The number of connection packets seen.
  packets passed without delay
      The number of connection packets passed without delay because the target was a known host.
  packets placed on queue
      The number of connection packets put on the delay queue.
  packets removed from queue
      The number of connection packets removed from the delay queue.
  currently queued packets
      The number of connection packets currently on the delay queue.
  maximum packets on queue
      The maximum number of packets on the delay queue at any point since HP LVT was last started.
  times virus-like activity detected
      The number of times "virus-like" activity was detected.
  packets dropped due to queue overflow
      The number of packets dropped because the delay queue was full.

The following configuration information is reported:

  delay queue size
      The maximum number of connection requests in the delay queue.
  delay queue seconds
      The interval at which the oldest connection request (together with all other queued requests to that same host) is removed from the delay queue and passed down the protocol stack.
  known host working set size
      The number of known hosts remembered.
  delay queue high water mark
      The number of queued connection requests at which "virus-like" activity is indicated.
  delay queue low water mark
      The number of queued connection requests below which "virus-like" activity is no longer indicated.

Log and Event File
################################################################################
All messages are logged to /var/opt/hp/hp-vt/hp-vt.log. Log messages have the following format:

    [TAG] SP [DATE] SP TEXT

TAG is one of:

  ALERT_VLA_DETECTED
      Virus-like activity has been detected.
  ALERT_VLA_STOPPED
      Virus-like activity has stopped.
  DROPPING_CONNECTIONS
      Connections are being dropped. After this event is logged, it is not logged again until the low water mark is reached.
  ERROR
      An error, such as an out-of-range configuration parameter in hp-vt.conf.
  WARNING
      A warning, such as not being able to load the ip6_queue module.
  INFO
      An informative event, such as HP LVT starting or stopping.

SP is one or more spaces.

DATE is the current date stamp in the following format:

    Thu Feb 10 12:54:35 CST 2005

TEXT is free-form text and may be absent from a message. Lines that do not start with a tag are a continuation of the previous line. A few sample lines are provided below.

[INFO] [Thu Feb 10 10:34:15 CST 2005] hp-vt started
[ALERT_VLA_DETECTED] [Thu Feb 10 12:54:35 CST 2005]
[INFO] [Thu Feb 10 12:54:36 CST 2005] first text line of second info message
second text line of second info message
[ALERT_VLA_STOPPED] [Thu Feb 10 12:54:58 CST 2005]

Troubleshooting
################################################################################
Monitor the hp-vt.log file for messages by running "tail -f /var/opt/hp/hp-vt/hp-vt.log" in a separate window.

Problem: Virus-like activity has been detected.

Possible cause: A virus has infected your server, or a legitimate program is exhibiting virus-like behavior by making more connections to more unknown hosts than the HP LVT configuration parameters allow.

Possible solution: In a time-sensitive manner, identify the program or programs responsible for the virus-like behavior, using commands such as "netstat -anp" (which shows the owning process for each socket) and ps.
- If the program is unknown, treat it as a virus.
- If the program is known, reconfigure the HP LVT parameters so that they do not trigger on such normal or expected activity.

Problem: Not all connection request packets are being processed by HP LVT.

Possible cause: A firewall rule may be intercepting the connection requests and not allowing them to reach the HP LVT iptables rule (the hp_vt iptables chain).

Possible solution: Start HP LVT before loading any firewall rules. The "iptables -L" command lists all rules; confirm that the jump to the hp_vt chain appears before any rule that would accept or drop outbound connection requests, since a rule that matches first decides the packet's fate and the throttle never sees it.

Removal
################################################################################
To remove the Virus Throttle package, run the following command:

    rpm -e hp-vt

Licensing
################################################################################
See the LICENSE text file in this directory.

--------------------------------------------------------------------------------
Copyright 2005 Hewlett-Packard Development Company, L.P.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.
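A parser for the hp-vt.log format given in the Log and Event File section, with the episode summary a responder would want when following the Troubleshooting advice to watch the log. This is an added example, not part of HP's package. SAMPLE_LOG reuses that section's sample lines plus two constructed lines (a WARNING and a DROPPING_CONNECTIONS event) so that every tag class and the continuation-line rule are exercised; dropping the zone token in parse_stamp is a simplification that assumes all stamps in one log share a zone.

```python
"""Parser and virus-like-activity episode summariser for hp-vt.log.

Added example, not HP tooling. SAMPLE_LOG is constructed: the page's own
sample lines plus an invented WARNING and DROPPING_CONNECTIONS line.
"""
import re
from datetime import datetime

# [TAG] SP [DATE] SP TEXT ; TEXT may be empty; continuation lines carry no tag.
LINE_RE = re.compile(r"^\[([A-Z_]+)\] +\[([^\]]+)\] *(.*)$")

SAMPLE_LOG = """\
[INFO] [Thu Feb 10 10:34:15 CST 2005] hp-vt started
[WARNING] [Thu Feb 10 10:34:16 CST 2005] ip6_queue module not loaded
[ALERT_VLA_DETECTED] [Thu Feb 10 12:54:35 CST 2005]
[INFO] [Thu Feb 10 12:54:36 CST 2005] first text line of second info message
second text line of second info message
[DROPPING_CONNECTIONS] [Thu Feb 10 12:54:40 CST 2005]
[ALERT_VLA_STOPPED] [Thu Feb 10 12:54:58 CST 2005]
"""


def parse_stamp(stamp):
    """'Thu Feb 10 12:54:35 CST 2005' -> naive datetime.

    The zone token (5th field) is dropped rather than parsed, since strptime's
    %Z accepts only a few names; one zone per log file is assumed."""
    parts = stamp.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]),
                             "%a %b %d %H:%M:%S %Y")


def parse_log(text):
    """Return a list of {tag, time, text} records; untagged lines are folded
    into the text of the preceding record, as the log format specifies."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            tag, stamp, msg = m.groups()
            records.append({"tag": tag, "time": parse_stamp(stamp), "text": msg})
        elif records:
            prev = records[-1]
            prev["text"] = (prev["text"] + "\n" + raw).lstrip("\n")
        else:
            raise ValueError("continuation line before any tagged line: %r" % raw)
    return records


def count_tags(records):
    counts = {}
    for rec in records:
        counts[rec["tag"]] = counts.get(rec["tag"], 0) + 1
    return counts


def vla_episodes(records):
    """Pair each ALERT_VLA_DETECTED with the next ALERT_VLA_STOPPED and note
    whether DROPPING_CONNECTIONS fired in between (i.e. the throttle went from
    delaying to blocking). An episode with no STOPPED yet has end=None."""
    episodes, start, dropped = [], None, False
    for rec in records:
        tag = rec["tag"]
        if tag == "ALERT_VLA_DETECTED":
            start, dropped = rec["time"], False
        elif tag == "DROPPING_CONNECTIONS" and start is not None:
            dropped = True
        elif tag == "ALERT_VLA_STOPPED" and start is not None:
            episodes.append({"start": start, "end": rec["time"],
                             "seconds": (rec["time"] - start).total_seconds(),
                             "dropped_connections": dropped})
            start = None
    if start is not None:   # still in progress at end of log
        episodes.append({"start": start, "end": None, "seconds": None,
                         "dropped_connections": dropped})
    return episodes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(count_tags(recs))
    for ep in vla_episodes(recs):
        print(ep)
```

Run against a live file with parse_log(open("/var/opt/hp/hp-vt/hp-vt.log").read()); an episode whose end is None is the one to act on now, and one flagged dropped_connections means outbound connections were actually lost, not merely delayed, during that window.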