ECO kit FILTER_SERVER-070_A053

---------------------------------------------------------------------------

FILTER_SERVER-070_A053 - ECO kit Rev 7.0 for MultiNet 5.3A     6-Sep-2011

    Copyright © 2009-2011 Process Software, LLC
 
    This kit updates MultiNet V5.3 Rev A with new versions of
    the IPS components for MultiNet 5.3A:

	FILTER_SERVER.EXE
	FLTSVRSHR.EXE
	FILTER_SERVER_CONTROL.EXE

    The ranking for this ECO is 1 - Recommended: multiple components may fail.

    Included in this kit are fixes for the following:

    - The STARTUP message to the FILTER_SERVER process could be lost, which
      could result in events being ignored by IPS rather than being processed.
      [DE 11167]

    This kit requires that at least the following ECOs also be installed
    on the system:

	KERNEL-UPDATE-060_A053
	SET_INTERFACE-030_A053
	CONFIGURE_NETWORK-020_A063
	SSH-030_A053

    This kit also includes updated documentation on the MultiNet Intrusion
    Protection System (IPS).  This documentation may be found in

    MULTINET_COMMON_ROOT:[MULTINET.DOCUMENTS]MULTINET_ADMIN_GUIDE_IPS_CH33.PDF

    A system reboot must be performed after installing this kit.

    ---------------------------------------------------------------------

    As part of DE 10892, the following logical names have been added to 
    help tune the IPS FILTER_SERVER process (these must be defined 
    using the /SYSTEM qualifier):

    MULTINET_FILTER_SERVER_MBX_MSGS

        This defines the number of event messages that can exist
        in the FILTER_SERVER mailbox at any time.  The default is
        400.  If the mailbox becomes full, additional messages will
        simply be lost.  Note that if the size of the mailbox is
        changed, the existing mailbox must first be deleted by  
        running MULTINET:DELMBX.EXE and following the instructions
        it displays.

    MULTINET_FILTER_SERVER_QUOTA_CHECK

        If defined (the value is ignored), the FILTER_SERVER process 
        will check for remaining TQELM and ASTLM quotas.  If these 
        quotas are within 10% of being exhausted, a warning message 
        will be sent to OPCOM.  If these quotas become exhausted, the
        FILTER_SERVER process will likely enter MUTEX state and
        hang.

    MULTINET_FILTER_SERVER_QUOTA_CHECK_TIME

        Defines the interval, in seconds, between quota checks.
        The default is 15 minutes (900 seconds).

    MULTINET_FILTER_SERVER_TQELM

        Defines the size of the TQELM quota with which the 
        FILTER_SERVER process will be created.  Default is 500.

    MULTINET_FILTER_SERVER_ASTLM

        Defines the size of the ASTLM quota with which the 
        FILTER_SERVER process will be created.  Default is 500.

    The values for TQELM and ASTLM must be set and adjusted according
    to anticipated and measured traffic.

    When choosing values for TQELM, a good rule of thumb is to allocate 
    TQELM as follows:

           1 for automated hourly reporting
           1 for automated 24-hour maintenance
           1 for automated quota checking
           1 for each source address per rule per component for
                which an event has been received.  These timers
                are used to clean up internal address structures
                after 24 hours of inactivity from the address.
           1 for each non-empty event queue per source address
                per rule per component.  These timers are used
                to delete aged events from the event queue.

    ASTLM tends to be used at a slightly higher rate than TQELM, 
    so plan accordingly.
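
    The TQELM rule of thumb above, worked through as an added example (not
    Process Software code). Assumptions: the rule names, aging windows and
    sample events are constructed, and "within 10%" is read as 10% or less
    of the quota remaining.

```python
DAY = 24 * 3600
FIXED_TIMERS = 3    # hourly reporting, 24-hour maintenance, quota checking
WARN_PERCENT = 10   # assumption: OPCOM warning once <= 10% of the quota remains

def estimate_tqelm(events, rule_window):
    """events: iterable of (component, rule, source_address, age_seconds).
    rule_window: hypothetical map of rule -> seconds before an event ages out."""
    newest = {}
    for component, rule, source, age in events:
        key = (component, rule, source)
        newest[key] = min(age, newest.get(key, age))
    # One cleanup timer per address structure still inside 24 hours of activity.
    address_timers = sum(1 for age in newest.values() if age < DAY)
    # One aging timer per queue that still holds at least one unexpired event
    # (capped at DAY so a queue is only counted for a tracked address).
    queue_timers = sum(1 for (_, rule, _), age in newest.items()
                       if age < min(rule_window[rule], DAY))
    return FIXED_TIMERS + address_timers + queue_timers

def quota_status(needed, quota):
    """Classify estimated timer usage against a TQELM quota."""
    remaining = quota - needed
    if remaining <= 0:
        return "exhausted"
    return "warning" if remaining * 100 <= quota * WARN_PERCENT else "ok"

def max_tuples_without_warning(quota):
    """Worst case: every tracked address also has a non-empty event queue,
    so each (component, rule, source) tuple costs two timers."""
    highest_ok_usage = (quota * (100 - WARN_PERCENT) - 1) // 100
    return (highest_ok_usage - FIXED_TIMERS) // 2

# Constructed sample data (documentation address ranges, hypothetical rules).
SAMPLE_WINDOWS = {"EXAMPLE_RULE_1": 300, "EXAMPLE_RULE_2": 600}
SAMPLE_EVENTS = [
    ("SSH", "EXAMPLE_RULE_1", "192.0.2.10", 30),
    ("SSH", "EXAMPLE_RULE_1", "192.0.2.10", 400),
    ("SSH", "EXAMPLE_RULE_1", "192.0.2.11", 7200),
    ("SMTP", "EXAMPLE_RULE_2", "198.51.100.7", 90000),  # idle for more than 24 hours
]

if __name__ == "__main__":
    needed = estimate_tqelm(SAMPLE_EVENTS, SAMPLE_WINDOWS)
    print(needed, quota_status(needed, 500), max_tuples_without_warning(500))
```

    Under these assumptions the default TQELM of 500 covers at most 223
    active source/rule/component combinations before the quota warning.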

--------------------------------------------------------------------------

    The following fixes from prior ECOs are included in this kit:

    FILTER_SERVER-010_A053
    ----------------------

    - Correct a possible channel leak.
      (DE 10857 FILTER_SERVER-010_A053 ECO Rank 4.0)

    FILTER_SERVER-020_A053
    ----------------------

    - When SNMP reporting isn't enabled in the configuration file, the
      following errors are encountered while parsing the
      FILTER_SERVER_CONFIG.DAT file, and the FILTER_SERVER process then exits:

	No enterprise string specified for SNMP logging
	No specific trap ID specified for SNMP logging
	No generic trap ID specified for SNMP logging

      [DE 10887]

    - The following message may be encountered when performing a
      SET IPS/RESTART command, although the command does complete
      successfully:

	Error fetching JPI info, %SYSTEM-F-SUSPENDED, process is suspended

      [DE 10888]

    FILTER_SERVER-030_A053
    -----------------------

    - When running in an environment where a large number of events are
      generated (for example, an email server), the processes that are
      reporting events may hang in RWMBX state, and the FILTER_SERVER
      process may enter MUTEX state and hang.  [DE 10892]

    FILTER_SERVER-041_A053
    ----------------------

    - Correct errors in parsing exclude addresses.
      (DE 10903 FILTER_SERVER-040_A053 ECO Rank 3.)
                                                  
    - When using common link interfaces, filters are not set properly
      on all interfaces in the common link set.

    FILTER_SERVER-050_A053
    ----------------------

    - When an error occurs that causes the FILTER_SERVER process to
      exit, make sure more meaningful messages are written to both the
      log file and to OPCOM.  [DE 11088]

    FILTER_SERVER-060_A053
    ----------------------

    - The FILTER_SERVER process may fail with an access violation (ACCVIO)
      when attempting to log a message to OPCOM.


MultiNet ECO, Process Software