FILE NAME:  hp-vt-1.1.1-1.sles10.linux.rpm
TITLE:  HP Virus Throttle for SUSE Linux Enterprise Server 10 [x86/AMD64/EM64T]
VERSION: 1.1.1
LANGUAGE:  English

CATEGORY:  Software Solutions

DIVISIONS: Enterprise and Mainstream Servers

PRODUCTS AFFECTED: 
      HP NC110T PCI Express Single Port Gigabit Server Adapter 
      HP NC150T 4-Port Gigabit Combo Switch Adapter 
      HP NC310F PCI-X Gigabit Server Adapter 
      HP NC320x PCI Express Gigabit Server Adapter 
      HP NC324i Integrated PCI Express Dual Port Gigabit Server Adapter 
      HP NC325x Integrated PCI Express Dual Port Gigabit Server Adapter 
      HP NC326x Integrated PCI Express Dual Port Gigabit Server Adapter 
      HP NC340T PCI-X Quad-port Gigabit Server Adapter 
      HP NC360T PCI Express Dual Port Gigabit Server Adapter 
      HP NC364T PCI Express Quad Port Gigabit Server Adapter 
      HP NC370x Multifunction Gigabit Server Adapter 
      HP NC371i Integrated Multifunction Gigabit Server Adapter 
      HP NC373x Multifunction Gigabit Server Adapter 
      HP NC374x PCI Express Multifunction Gigabit Server Adapter 
      HP NC380x PCI Express Dual Port Multifunction Gigabit Server Adapter 
      HP NC1020 Gigabit Server Adapter 
      HP NC6132 Gigabit Server Adapter 
      HP NC6133 Gigabit Server Adapter 
      HP NC6136 Gigabit Server Adapter 
      HP NC6170 Gigabit Server Adapter 
      HP NC6770 Gigabit Server Adapter 
      HP NC7131 Gigabit Server Adapter 
      HP NC7132 Gigabit Server Adapter 
      HP NC7150 Gigabit Server Adapter 
      HP NC7170 Gigabit Server Adapter 
      HP NC7760 Gigabit Server Adapter 
      HP NC7761 Gigabit Server Adapter 
      HP NC7770 Gigabit Server Adapter 
      HP NC7771 Gigabit Server Adapter 
      HP NC7780 Gigabit Server Adapter 
      HP NC7781 Gigabit Server Adapter 
      HP NC7782 Gigabit Server Adapter 


OPERATING SYSTEM: SUSE Linux Enterprise Server 10 [x86/AMD64/EM64T]


PREREQUISITES:  HP ProLiant Essentials License Management Package (hp-pel)
                must be installed before installing the HP Virus Throttle for
                SUSE Linux Enterprise Server 10 [x86/AMD64/EM64T].
                Some distribution-supplied firewalls may need to be modified
                for proper HP Virus Throttle operation; see the Troubleshooting
                section of the HP Virus Throttle README for specific details.

EFFECTIVE DATE:  March 26, 2007

SUPERSEDES:  1.1.0-11 

DESCRIPTION:  This RPM (RPM Package Manager) package contains the HP Virus
              Throttle for SUSE Linux Enterprise Server 10 [x86/AMD64/EM64T].

ENHANCEMENTS/FIXES:  
     Update text file with new server adapters.



HOW TO USE:
1. Download the hp-vt-1.1.1-1.sles10.linux.rpm and 
   hp-vt-1.1.1-1.sles10.linux.txt to a directory on your hard drive and change 
   to that directory.

2. Refer to the hp-vt-1.1.1-1.sles10.linux.txt file for installation
   instructions.

3. After the RPM is installed, you may delete the previously downloaded RPM
   file.

4. Refer to the /opt/hp/hp-vt/README text file for additional information
   after installing the RPM.


Copyright 2005-2007 Hewlett-Packard Development Company, L.P.

Product names mentioned herein may be trademarks and/or registered trademarks
of their respective companies.


==================================README==================================


                            HP Linux Virus Throttle

Table of Contents
=================
Introduction
Known Issues
Installation
Configuration
Startup
Status
Log and Event File
Troubleshooting
Removal
Licensing



Introduction
################################################################################
Viruses typically spread by connecting to as many different machines as 
possible. The HP Linux Virus Throttle (LVT) is a network packet-filtering 
feature that helps slow down the spread of viruses on your system. HP LVT 
monitors all outbound connection requests and counts the number of unique 
connections. It detects abnormal (virus-like) behavior in the requests and 
slows down excessive connection requests to new hosts until you can
determine if they are viral in nature and take action.

When you install HP LVT on your system, the iptable_filter and ip_queue modules
are loaded and a QUEUE target is created so all connection requests pass
through HP LVT.

The driver maintains a delay queue of connection requests and a list of known 
hosts that have established connections.

The Virus Throttle examines all outbound traffic for connection requests, 
and when one is received, it determines if the request is for a known host. If 
known, the request is passed down the protocol stack as a normal request. If 
not known, the request is added to the delay queue. Periodically, the delay 
queue is examined, and the oldest request and all other connection requests to 
that same host are removed and passed down the protocol stack.

A high water mark and low water mark are maintained for the delay queue and 
are used to determine when "virus-like" behavior is occurring or has stopped. 

   - When the rate of connection requests exceeds the rate at which HP LVT
     removes them from the delay queue, a high water mark in the queue is 
     exceeded and the driver indicates "virus-like" activity. 

   - When the rate of connection requests slows so that the number of queue 
     entries falls below a low water mark, the driver indicates that the 
     "virus-like" activity has stopped.
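
The delay-queue behavior described above can be modeled in a few lines. This is
an added example, not HP LVT code: the queue size, water marks, and known-host
count are constructed values, and it assumes a released host joins the known-host
list with the oldest entry evicted once the list is full.

```python
from collections import OrderedDict, deque

class ThrottleModel:
    """Toy model of the delay queue and known-host list; defaults are constructed."""
    def __init__(self, queue_size=8, high_water=5, low_water=2, known_hosts=4):
        self.queue_size, self.high, self.low = queue_size, high_water, low_water
        self.known_size = known_hosts
        self.known = OrderedDict()   # known hosts, oldest first
        self.delay = deque()         # delayed requests (destination hosts), oldest first
        self.vla = False             # is "virus-like" activity currently indicated?
        self.events = []             # log tags in the order they would be emitted
        self.dropped = 0             # requests lost because the delay queue was full

    def connect(self, host):
        """Handle one outbound connection request; return what happened to it."""
        if host in self.known:
            return "passed"
        if len(self.delay) >= self.queue_size:
            self.dropped += 1
            return "dropped"
        self.delay.append(host)
        if not self.vla and len(self.delay) > self.high:
            self.vla = True
            self.events.append("ALERT_VLA_DETECTED")
        return "queued"

    def tick(self):
        """Periodic release: the oldest request plus all others to the same host."""
        if not self.delay:
            return None
        host = self.delay[0]
        self.delay = deque(h for h in self.delay if h != host)
        # Assumption: a released host becomes known, evicting the oldest entry.
        self.known[host] = True
        if len(self.known) > self.known_size:
            self.known.popitem(last=False)
        if self.vla and len(self.delay) < self.low:
            self.vla = False
            self.events.append("ALERT_VLA_STOPPED")
        return host

def simulate(requests_per_tick):
    """Feed batches of destination hosts, one batch per release period."""
    model = ThrottleModel()
    for batch in requests_per_tick:
        for host in batch:
            model.connect(host)
        model.tick()
    return model
```

A burst of ten new hosts in one period crosses the high water mark and overflows
the queue, while a workload that keeps returning to the same few hosts never
raises an alert.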


When "virus-like" activity is detected or has stopped, HP LVT logs an
event (see Log and Event File later in this document) and, if HP 
Management agents are installed, a Simple Network Management Protocol (SNMP) 
trap may be sent (see HP Management agent documentation for details on 
sending traps).



Known Issues
################################################################################

See the Troubleshooting section for resolving common problems.
No known issues with this release.



Installation
################################################################################
Run the following command to install the HP Virus Throttle package:

   rpm -Uvh hp-vt-x.x.x-x.distribution.linux.rpm

Where "x.x.x-x" is the version of HP LVT and "distribution" is the distribution
identifier.

To enable HP LVT, an Intelligent Networking Pack License - Linux Edition must 
be installed on the system. This requires the installation of the ProLiant 
Essentials Intelligent Networking Pack (PEINP) License Manager from the Network 
Controller Drivers for Ethernet (NCDE) (release 8.10 or later).

An HP LVT License is provided with each PEINP CD. For information on how to 
purchase a license, go to: 
http://h18000.www1.hp.com/products/servers/proliantessentials/inple/index.html


When you have the license, add the license key by running

   /opt/hp/hp-pel/nalicense -a license_string


For the latest driver, firmware, and documentation updates, go to 
http://www.hp.com/servers/networking



Configuration
################################################################################
The HP LVT configuration file is a text file located at 
/etc/opt/hp/hp-vt/hp-vt.conf. Each configurable item is documented in 
the hp-vt.conf file, which can be edited with any text editor.



Startup
################################################################################
The HP LVT requires the iptable_filter and ip_queue modules. If either is not 
available, an error message is printed with specific details when HP LVT is
started. Currently, only one application may register for the iptables QUEUE 
target. If another application has already registered for the QUEUE target,
an error message will be logged with specific details. 

Although HP LVT is configured to start on system boot-up, you can start it 
immediately after installation without rebooting using the following command:

   /etc/init.d/hp-vt start

Any errors during startup are sent to the screen.


If changes are made to the hp-vt.conf configuration file, HP LVT must be
restarted to recognize the changes. This can be done using the following 
command:

   /etc/init.d/hp-vt restart


The HP LVT can be manually stopped using the following command:

   /etc/init.d/hp-vt stop


The HP LVT can be conditionally restarted (restarted only if it is currently
running) using one of the following commands:

   /etc/init.d/hp-vt try-restart
   /etc/init.d/hp-vt force-reload



Status
################################################################################
The status of HP LVT can be obtained by running:

   /etc/init.d/hp-vt status


If HP LVT is running, the following information is reported (in relation to the
last time HP LVT was started).

The virus-like activity status is reported as:

   virus-like activity has not occurred
         Meaning no "virus-like" activity is currently detected and none 
         has been detected.

   virus-like activity is currently occurring
         Meaning "virus-like" activity is currently detected.

   virus-like activity has occurred in the past
         Meaning no "virus-like" activity is currently detected, but 
         "virus-like" activity has been detected in the past.


The following statistics are reported:

   connection establishing packets
         The number of connection packets seen.

   packets passed without delay
         The number of connection packets that were passed without a delay 
         because the target was a known host.

   packets placed on queue
         The number of connection packets put on the delay queue.

   packets removed from queue
         The number of connection packets removed from the delay queue.

   currently queued packets
         The number of connection packets currently on the delay queue.

   maximum packets on queue
         The maximum number of packets on the delay queue at any point since
         HP LVT was last started.

   times virus-like activity detected
         The number of times "virus-like" activity was detected.

   packets dropped due to queue overflow
         The number of packets that were dropped due to the delay queue 
         being full.


The following configuration information is reported:
   delay queue size
         The maximum number of connection requests in the delay queue.

   delay queue seconds
         The rate at which the oldest connection request is removed from the 
         delay queue (and all other connection requests to that same host) and 
         passed down the protocol stack.

   known host working set size
         The number of known hosts.

   delay queue high water mark
         The number of connection requests in the delay queue at which point 
         "virus-like" activity is indicated.

   delay queue low water mark
         The number of connection requests in the delay queue below which 
         "virus-like" activity is no longer indicated.



Log and Event File
################################################################################
All messages are logged to /var/opt/hp/hp-vt/hp-vt.log.

Log messages are in the following format:

   [TAG] SP [DATE] SP TEXT


TAG is one of:

   ALERT_VLA_DETECTED
         To indicate virus-like activity detected.

   ALERT_VLA_STOPPED
         To indicate virus-like activity has stopped.

   DROPPING_CONNECTIONS
         To indicate connections are being dropped. After this event is
         logged, it will not be logged again until the low water mark
         is reached.

   ERROR
         To indicate errors, such as out of range configuration parameters
         in hp-vt.conf.

   WARNING
         To indicate warnings, such as not being able to load the ip6_queue
         module.

   INFO
         To indicate informative events, such as HP LVT starting and stopping.


SP is one or more spaces.


DATE is the current date stamp in the following format:

   Thu Feb 10 12:54:35 CST 2005


TEXT is free form text which may or may not exist in every message. 


Lines that do not start with a tag are a continuation of the previous line. 
A few sample lines are provided below.


[INFO]               [Thu Feb 10 10:34:15 CST 2005] hp-vt started
[ALERT_VLA_DETECTED] [Thu Feb 10 12:54:35 CST 2005]
[INFO]               [Thu Feb 10 12:54:36 CST 2005]
   first text line of second info message
   second text line of second info message
[ALERT_VLA_STOPPED]  [Thu Feb 10 12:54:58 CST 2005]
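
A parser for this log format, as an added example that is not part of the HP LVT
package. It folds continuation lines into the preceding record and pairs the
DETECTED/STOPPED alerts into episodes; the sample log is constructed from the
lines above, and timestamps are treated as naive local time.

```python
import re
from datetime import datetime

# Constructed sample in the format documented above (not output from a real system).
SAMPLE_LOG = """\
[INFO]               [Thu Feb 10 10:34:15 CST 2005] hp-vt started
[ALERT_VLA_DETECTED] [Thu Feb 10 12:54:35 CST 2005]
[DROPPING_CONNECTIONS] [Thu Feb 10 12:54:36 CST 2005]
[INFO]               [Thu Feb 10 12:54:36 CST 2005]
   first text line of second info message
   second text line of second info message
[ALERT_VLA_STOPPED]  [Thu Feb 10 12:54:58 CST 2005]
[ALERT_VLA_DETECTED] [Thu Feb 10 13:10:02 CST 2005]
"""

TAGS = "ALERT_VLA_DETECTED|ALERT_VLA_STOPPED|DROPPING_CONNECTIONS|ERROR|WARNING|INFO"
LINE_RE = re.compile(r"^\[(" + TAGS + r")\] +\[([^\]]+)\](?: +(.*))?$")

def parse_date(stamp):
    # The zone abbreviation ("CST") is dropped: strptime's %Z is not portable for it.
    _dow, mon, day, clock, _zone, year = stamp.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def parse_log(text):
    """Return a list of records; untagged lines extend the previous record's text."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"tag": m.group(1), "time": parse_date(m.group(2)),
                            "text": [m.group(3)] if m.group(3) else []})
        elif line.strip() and records:
            records[-1]["text"].append(line.strip())
    return records

def vla_episodes(records):
    """Pair DETECTED/STOPPED alerts; an episode with end None is still open."""
    episodes, start, dropping = [], None, False
    for r in records:
        if r["tag"] == "ALERT_VLA_DETECTED" and start is None:
            start, dropping = r["time"], False
        elif r["tag"] == "DROPPING_CONNECTIONS" and start is not None:
            dropping = True
        elif r["tag"] == "ALERT_VLA_STOPPED" and start is not None:
            episodes.append({"start": start, "end": r["time"], "dropped": dropping})
            start = None
    if start is not None:
        episodes.append({"start": start, "end": None, "dropped": dropping})
    return episodes
```

An episode whose end is None means virus-like activity was still indicated at the
last log entry; "dropped" marks episodes in which the delay queue overflowed.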



Troubleshooting
################################################################################
Monitor the hp-vt.log file for messages by running 
"tail -f /var/opt/hp/hp-vt/hp-vt.log" in a separate window.

Problem: 
      HP LVT does not appear to be working properly after installation
      since the "connection establishing packets" do not increment with each 
      outbound connection.

Possible cause:
      Some distribution firewalls may disable, delete, or prevent previously 
      installed custom firewall rules on startup or shutdown. Some distribution
      firewall rules could be preventing packets from reaching HP LVT, either 
      by dropping the packets or by allowing them to continue directly to the 
      remote host without passing through HP LVT. In both cases, HP LVT never 
      receives the packet.

Possible solution:
      Install a firewall that runs after HP LVT and does not modify
      existing iptable rules on firewall startup or shutdown.



Problem: 
      All or some connection request packets are not being processed by HP LVT.

Possible cause:
      A firewall rule may be intercepting connection requests and not
      allowing them to reach the HP LVT iptable rule (hp_vt iptable chain).

Possible solution:
      Start HP LVT prior to loading any firewall rules. The "iptables -L"
      command will list all rules.



Problem: 
      Virus-like activity has been detected.

Possible cause:
      A virus has infected your server.

      OR

      A non-virus program is exhibiting virus-like behavior by making more 
      connections to more unknown hosts than the HP LVT configuration parameter 
      settings allow.

Possible solution:
      In a time-sensitive manner, identify the program or programs responsible 
      for the virus-like behavior. This can be done by using such commands as
      netstat and ps.

      - If the program or programs is/are unknown, treat as a virus.

      - If the program or programs is/are known, then reconfigure the HP LVT
        configuration parameters to not trigger on such normal or expected 
        activity.



Removal
################################################################################
To remove the Virus Throttle package, run the following command:

   rpm -e hp-vt



Licensing
################################################################################
See the LICENSE text file in this directory.


--------------------------------------------------------------------------------
Copyright 2005-2007 Hewlett-Packard Development Company, L.P.

Product names mentioned herein may be trademarks and/or registered
trademarks of their respective companies.