Managing Virus Pattern Recognition

For Web servers that are being accelerated by the Novell BorderManager 3.8 reverse proxy capability, Novell has added a new Virus Pattern Recognition feature that can help protect them against worm-style attacks that flood a server with copies of the same malformed request. Incoming requests whose leading bytes match a pattern in the virus pattern database are dropped by the proxy instead of being forwarded to the Web server, and the database can be extended automatically when a request pattern is seen at a high rate.


The Virus Pattern Configuration Screen

The Virus Pattern Configuration screen is a console-based screen dedicated to virus pattern configuration and monitoring. This screen is reached by entering 23 on the Proxy Console screen. The information displayed is periodically refreshed for monitoring.

The following information describes each section of this screen, the parameters, their meaning, and, where applicable, their default values and configuration methods.


Configuration

The items in the Configuration section of the screen are as follows:

Number of Patterns: The current number of patterns in the database. This value is not configurable. It starts at 0 and is incremented each time a new pattern is successfully added to the database.

Pattern Size: The size of the pattern, in bytes. The default setting is 16. This is a global setting that is used for all patterns, so modify it with care.

Pattern Start Offset: Indicates where the virus pattern starts, as a byte offset from the actual beginning of the request.

The default setting is 1. This is a global setting that is used for all patterns, so modify it with care.

Refresh Interval: Specifies the interval at which the distribution of incoming requests is sampled for the Auto Update heuristic.

The default value is 10 seconds. The value can be modified using the virus -r interval command.

Hit Threshold: The number of hits to the same request pattern within one refresh interval at which the Auto Update heuristic treats that pattern as a new virus pattern and adds it to the database.

The default value is 250. The value can be modified using the virus -t threshold command.

Virus Auto Update: Indicates whether or not the Auto Update feature is enabled.

The default value is 0 (disabled). The Auto Update feature can be enabled using the virus -e 1 command.


Monitoring

The items in the Monitoring section of the screen are as follows:

Virus Requests: The number of incoming requests that have matched a virus pattern. This value is not configurable. It starts at 0 and is incremented each time a pattern match is detected.

Non Virus Requests: The number of incoming requests that did not match a virus pattern. This value is not configurable. It starts at 0 and is incremented each time a pattern match fails.

Recommend Threshold: A recommended value for the Auto Update hit threshold. After the server has been up for a while, this value is a good lower limit for the Hit Threshold parameter.

Maximum Non Virus Hit Rates: The peak number of non-virus requests received in any one refresh interval.

Average Virus Hit Rates: The average number of virus requests received per refresh interval, over all intervals elapsed so far.

Average Non Virus Hit Rates: The average number of non-virus requests received per refresh interval. The hit threshold must be set above this value; otherwise ordinary traffic can trip the automatic detection and legitimate request patterns can end up in the database.


Virus Source IP Address

This section lists the source IP addresses of the last ten requests that matched a virus pattern.


Last Predicted Request

This section displays the last request that was flagged as a suspected virus pattern.


Choosing a Proper Threshold

The configuration section of the Virus Pattern Configuration screen contains a Hit Threshold parameter that gives the current threshold value.

Use the Monitoring section of the same screen as a guide when choosing a new value: the threshold must be greater than the Average Non Virus Hit Rates value, and once the server has been running for a while the Recommend Threshold value gives a good lower limit.

You can change the threshold value by executing the following command at the system console:

virus -t threshold

The threshold and refresh interval settings are tightly coupled, because the threshold is a count of hits accumulated within one refresh interval. If you raise the threshold, you need to increase the interval accordingly, and vice versa; lengthening the interval without raising the threshold lets ordinary traffic reach the threshold. You can change the refresh interval by executing the following command at the system console:

virus -r interval
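As an added illustration (this is not Novell's code, and the page does not document the actual Auto Update algorithm), the following Python toy models a per-interval hit-threshold learner using the screen's default pattern size and start offset, then runs constructed traffic through it to show why the threshold and the refresh interval have to move together. The way a pattern is extracted, the counting rule, the promotion rule and the traffic mix are all assumptions of this example.

```python
"""Toy model of a per-interval hit-threshold heuristic for learning request
patterns. Added illustration only; it is not Novell's implementation and the
page does not document the real heuristic. Assumptions (mine, not the page's):
  * a pattern is PATTERN_SIZE bytes of the raw request starting at
    PATTERN_START_OFFSET;
  * candidate patterns are counted per refresh interval, and a candidate whose
    count in one interval reaches the hit threshold is added to the database,
    up to max_patterns entries.
"""
from collections import Counter

PATTERN_SIZE = 16          # "Pattern Size" default on the screen
PATTERN_START_OFFSET = 1   # "Pattern Start Offset" default on the screen


def extract_pattern(request: bytes) -> bytes:
    """Take the fixed-size slice of the request that the matcher looks at."""
    return request[PATTERN_START_OFFSET:PATTERN_START_OFFSET + PATTERN_SIZE]


class PatternLearner:
    def __init__(self, threshold: int, interval_s: float, max_patterns: int = 255):
        self.threshold = threshold        # virus -t
        self.interval_s = interval_s      # virus -r
        self.max_patterns = max_patterns  # virus -m (page: keep below 256)
        self.database = set()             # learned patterns
        self.counts = Counter()           # candidate hits in the current interval
        self.interval_start = 0.0
        self.peak_non_virus = 0           # analogue of Maximum Non Virus Hit Rates

    def handle(self, ts: float, request: bytes) -> bool:
        """Return True if the request matches a learned pattern (i.e. is dropped)."""
        if ts - self.interval_start >= self.interval_s:
            self._refresh()
            self.interval_start = ts
        pat = extract_pattern(request)
        if pat in self.database:
            return True
        self.counts[pat] += 1
        return False

    def _refresh(self):
        """End of an interval: promote heavy hitters, reset the counters."""
        self.peak_non_virus = max(self.peak_non_virus, sum(self.counts.values()))
        for pat, n in self.counts.items():
            if n >= self.threshold and len(self.database) < self.max_patterns:
                self.database.add(pat)
        self.counts.clear()


# Constructed requests: an ordinary page fetch and a flood request shaped
# like the default.ida entry in the proxy.log example on this page.
LEGIT = b"GET /index.html HTTP/1.0\r\n"
WORM = b"GET /default.ida?" + b"X" * 200 + b" HTTP/1.0\r\n"


def traffic():
    """Constructed 30 s of traffic: 20 legitimate requests/s throughout, plus a
    flood of 50 requests/s of one request shape from t=10 s to t=30 s."""
    events = []
    for s in range(30):
        events += [(s + i / 20, "legit", LEGIT) for i in range(20)]
        if s >= 10:
            events += [(s + j / 50, "worm", WORM) for j in range(50)]
    return sorted(events, key=lambda e: e[0])


def simulate(threshold: int, interval_s: float) -> dict:
    """Run the constructed traffic through a learner with the given settings."""
    learner = PatternLearner(threshold, interval_s)
    dropped = Counter()
    for ts, kind, req in traffic():
        if learner.handle(ts, req):
            dropped[kind] += 1
    return {"dropped_legit": dropped["legit"], "dropped_worm": dropped["worm"],
            "patterns": len(learner.database),
            "peak_non_virus": learner.peak_non_virus}


if __name__ == "__main__":
    for t, r in [(250, 10), (250, 20), (500, 20)]:
        print(f"threshold={t:3d} interval={r:2d}s ->", simulate(t, r))
```

With a 10 s interval and a threshold of 250, only the flood pattern is learned and its later copies are dropped. Doubling the interval to 20 s without raising the threshold also learns the /index.html pattern, because 20 requests/s now accumulate 400 hits per interval, and 200 legitimate requests are dropped; raising the threshold to 500 restores the intended behaviour. The peak_non_virus figure plays the role of the screen's per-interval non-virus hit rate values that the threshold has to stay above.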


Miscellaneous Tasks

This section outlines how to perform various tasks involved in the day-to-day operation of the Virus Pattern Recognition feature.


Specifying a Maximum Number of Patterns

Each pattern added to the database takes up 64 bytes of RAM. For memory and performance reasons, you might want to set a limit on the number of patterns allowed in the virus pattern database. To do this, enter the following command at the system console:

virus -m max_patterns

where max_patterns is an integer specifying the maximum number of patterns allowed in the database. This value should be set below 256.


Clearing Existing Virus Patterns

To clear all existing patterns from the database, type the following command at the system console:

virus -c


Viewing Online Help

To display online help and usage information, type the following command at the system console:

virus -? or virus -h


Verifying the Blocking of Virus Requests

To verify that the Virus Pattern Recognition feature is working, check the proxy.log file (located in sys:\etc\proxy) for dropped requests.

The following is an example of a dropped request as it appears in the log (the request shape shown is the one sent by the Code Red worm in 2001):

63.146.66.41 - - [09/Aug/2001:04:47:27 -0600] "(bad request line)GET%00/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (truncated)" 400 2248
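Added example, not part of this page or of BorderManager: a Python script that parses lines in this proxy.log format, flags dropped requests, and tallies them by source IP, much like the Virus Source IP Address section of the console screen does. It assumes, from the entry above, that a dropped request is logged with a "(bad request line)" prefix on the request field and a 400 status; the sample log lines are constructed for the example.

```python
"""Parse BorderManager-style proxy.log lines and tally dropped requests.
Added example, not BorderManager code. Assumption taken from the log entry
on this page: a request dropped by the Virus Pattern Recognition feature is
logged with a "(bad request line)" prefix and a 400 status."""
import re
from collections import Counter

# Common-log-style line: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample log: two worm-shaped probes from one host, one from
# another, and two ordinary requests (the run of X's is shortened here).
SAMPLE_LOG = """\
63.146.66.41 - - [09/Aug/2001:04:47:27 -0600] "(bad request line)GET%00/default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 400 2248
10.1.2.3 - - [09/Aug/2001:04:47:31 -0600] "GET /index.html HTTP/1.0" 200 5120
63.146.66.41 - - [09/Aug/2001:04:47:35 -0600] "(bad request line)GET%00/default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 400 2248
192.0.2.7 - - [09/Aug/2001:04:48:02 -0600] "(bad request line)GET%00/default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 400 2248
10.1.2.3 - - [09/Aug/2001:04:48:10 -0600] "GET /missing HTTP/1.0" 404 310
"""


def parse_line(line: str):
    """Return a dict of fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Assumed marker for a request the proxy dropped (see the log entry above).
    rec["dropped"] = rec["status"] == 400 and rec["req"].startswith("(bad request line)")
    return rec


def summarize(lines):
    """Count dropped requests overall and per source IP; keep the last ten sources."""
    dropped = [rec for rec in map(parse_line, lines) if rec and rec["dropped"]]
    return {
        "dropped": len(dropped),
        "by_ip": dict(Counter(rec["ip"] for rec in dropped)),
        "last_ten_ips": [rec["ip"] for rec in dropped][-10:],
    }


if __name__ == "__main__":
    import sys
    # Pass a copy of proxy.log as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    report = summarize(lines)
    print(f"dropped requests: {report['dropped']}")
    for ip, n in sorted(report["by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:15s} {n}")
```

On the sample it reports three dropped requests, two from 63.146.66.41 and one from 192.0.2.7; a sharp rise in the per-IP counts, or many distinct sources sending the same dropped request shape, is the signal worth alerting on.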


Disabling the Virus Pattern Recognition Feature

To disable the Virus Pattern Recognition feature, change the value of the ScanVirusPatterns parameter in proxy.cfg to 0 and restart the Proxy Server:

[Extra Configuration]
ScanVirusPatterns=0