ECO kit FILTER_SERVER-070_A053
---------------------------------------------------------------------------
FILTER_SERVER-070_A053 - ECO kit Rev 7.0 for MultiNet 5.3A 6-Sep-2011
Copyright © 2009-2011 Process Software, LLC
This kit updates MultiNet V5.3 Rev A with new versions of
the IPS components for MultiNet 5.3A:
FILTER_SERVER.EXE
FLTSVRSHR.EXE
FILTER_SERVER_CONTROL.EXE
The ranking for this ECO is 1 - Recommended: multiple components may fail.
Included in this kit are fixes for the following:
- The STARTUP message to the FILTER_SERVER process could be lost, which
could result in events being ignored by IPS rather than being processed.
[DE 11167]
This kit requires that at least the following ECOs also be installed
on the system:
KERNEL-UPDATE-060_A053
SET_INTERFACE-030_A053
CONFIGURE_NETWORK-020_A063
SSH-030_A053
This kit also includes updated documentation on the MultiNet Intrusion
Protection System (IPS). This documentation may be found in
MULTINET_COMMON_ROOT:[MULTINET.DOCUMENTS]MULTINET_ADMIN_GUIDE_IPS_CH33.PDF
A system reboot must be performed after installing this kit.
---------------------------------------------------------------------
As part of DE 10892, the following logical names have been added to
help tune the IPS FILTER_SERVER process (these must be defined
using the /SYSTEM qualifier):
MULTINET_FILTER_SERVER_MBX_MSGS
This defines the number of event messages that can exist
in the FILTER_SERVER mailbox at any time. The default is
400. If the mailbox becomes full, additional messages will
simply be lost. Note that if the size of the mailbox is
changed, the existing mailbox must first be deleted by
running MULTINET:DELMBX.EXE and following the instructions
it displays.
MULTINET_FILTER_SERVER_QUOTA_CHECK
If defined (the value is ignored), the FILTER_SERVER process
will check for remaining TQELM and ASTLM quotas. If these
quotas are within 10% of being exhausted, a warning message
will be sent to OPCOM. If these quotas become exhausted, the
FILTER_SERVER process will likely enter MUTEX state and
hang.
MULTINET_FILTER_SERVER_QUOTA_CHECK_TIME
Defines the interval, in seconds, between quota checks.
The default is 15 minutes (900 seconds).
MULTINET_FILTER_SERVER_TQELM
Defines the size of the TQELM quota with which the
FILTER_SERVER process will be created. Default is 500.
MULTINET_FILTER_SERVER_ASTLM
Defines the size of the ASTLM quota with which the
FILTER_SERVER process will be created. Default is 500.
The values for TQELM and ASTLM must be set and adjusted according
to anticipated and measured traffic.
When choosing values for TQELM, a good rule of thumb is to allocate
TQELM as follows:
  1 for automated hourly reporting
  1 for automated 24-hour maintenance
  1 for automated quota checking
  1 for each source address per rule per component for
    which an event has been received. These timers
    are used to clean up internal address structures
    after 24 hours of inactivity from the address.
  1 for each non-empty event queue per source address
    per rule per component. These timers are used
    to delete aged events from the event queue.
ASTLM tends to be used at a slightly higher rate than TQELM,
so plan accordingly.
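As an added example (not part of the Process Software kit or its documentation), the Python code below applies the rule of thumb above to a constructed list of tracked sources and prints the matching DEFINE/SYSTEM commands. Assumptions: one event queue per source/rule/component tuple, a warning once usage reaches 90% of the quota, and an ASTLM allowance of 1.25 times the timer count; the names Tracked and RULE_1, the component labels and the 10.x addresses are hypothetical.

```python
import math
from typing import Iterable, NamedTuple

FIXED_TIMERS = 3      # hourly reporting, 24-hour maintenance, quota checking
DEFAULT_QUOTA = 500   # documented default for both TQELM and ASTLM
AST_FACTOR = 1.25     # ASSUMPTION: the notes only say "slightly higher" for ASTLM

class Tracked(NamedTuple):
    component: str
    rule: str
    source: str
    queued_events: int  # events waiting in this tuple's queue (ASSUMED one queue each)

def tqelm_in_use(entries: Iterable[Tracked]) -> int:
    """Timers per the rule of thumb: 3 fixed + 1 per tuple + 1 per non-empty queue."""
    seen, busy = set(), set()
    for e in entries:
        key = (e.component, e.rule, e.source)
        seen.add(key)
        if e.queued_events > 0:
            busy.add(key)
    return FIXED_TIMERS + len(seen) + len(busy)

def quota_for(in_use: int) -> int:
    """Smallest quota keeping in_use under 90% (ASSUMED meaning of 'within 10%')."""
    return max(DEFAULT_QUOTA, in_use * 10 // 9 + 1)

def recommend(entries: Iterable[Tracked]) -> dict:
    """Logical name -> value, never below the documented default of 500."""
    timers = tqelm_in_use(entries)
    asts = math.ceil(timers * AST_FACTOR)
    return {"MULTINET_FILTER_SERVER_TQELM": quota_for(timers),
            "MULTINET_FILTER_SERVER_ASTLM": quota_for(asts)}

def sample() -> list:
    """Constructed load: 300 SMTP sources (200 with queued events), 60 SSH (20 queued)."""
    smtp = [Tracked("SMTP", "RULE_1", f"10.0.{i // 250}.{i % 250 + 1}", int(i < 200))
            for i in range(300)]
    ssh = [Tracked("SSH", "RULE_1", f"10.1.0.{i + 1}", int(i < 20)) for i in range(60)]
    return smtp + ssh

if __name__ == "__main__":
    for name, value in recommend(sample()).items():
        print(f"$ DEFINE/SYSTEM {name} {value}")
```

Replace the constructed sample with counts measured on the system, since the values must follow anticipated and measured traffic.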
--------------------------------------------------------------------------
The following fixes from prior ECOs are included in this kit:
FILTER_SERVER-010_A053
----------------------
- Correct a possible channel leak.
(DE 10857 FILTER_SERVER-010_A053 ECO Rank 4.0)
FILTER_SERVER-020_A053
----------------------
- When the FILTER_SERVER_CONFIG.DAT file is parsed and SNMP reporting
isn't enabled in the configuration file, the following errors are
reported and the FILTER_SERVER process then exits:
No enterprise string specified for SNMP logging
No specific trap ID specified for SNMP logging
No generic trap ID specified for SNMP logging
[DE 10887]
- The following message may be encountered when performing a
SET IPS/RESTART command, although the command does complete
successfully:
Error fetching JPI info, %SYSTEM-F-SUSPENDED, process is suspended
[DE 10888]
FILTER_SERVER-030_A053
-----------------------
- When running in an environment where a large number of events are
generated (for example, an email server), the processes that are
reporting events may hang in RWMBX state, and the FILTER_SERVER
process may enter MUTEX state and hang. [DE 10892]
FILTER_SERVER-041_A053
----------------------
- Correct errors in parsing exclude addresses.
(DE 10903 FILTER_SERVER-040_A053 ECO Rank 3.)
- When using common link interfaces, filters are not set properly
on all interfaces in the common link set.
FILTER_SERVER-050_A053
----------------------
- When an error occurs that causes the FILTER_SERVER process to
exit, make sure more meaningful messages are written to both the
log file and to OPCOM. [DE 11088]
FILTER_SERVER-060_A053
----------------------
- The FILTER_SERVER process may fail with an access violation (ACCVIO)
when attempting to log a message to OPCOM.