TMS zl Module Release Notes ST.1.0.090603
Software Fixes ST.1.0.090603
Release ST.1.0.090603
■ PR_37838 — The log does not display the correct message when an attack is detected by IPS
The following log is displayed during an IPS attack:
time="2009-03-19 09:57:14" severity=critical pri=1 fw=ProCurve-TMS-zl-Module
id=ips_attack_family rule=3331 msg="IPS detection: Allow: Backdoor FeRAT 1.00"
src=192.168.1.20 srcport=1079 dst=192.168.3.20 dstport=1234 proto=TCP
ruleaction=Allow rulethreat=Critical connectiondirection=initiator
packetdirection=2 packetlength=43 ipidentification=914 rulefam=BACKDOOR
ruledsc="Backdoor FeRAT 1.00" subfamid=ips_signature_based_logs attackid=no-id
mtype=iips_l5_l7_attack mid=3331 timetolive=3 actiontype=log
Go to the IPS > Settings > Actions page and set the action for each threat level to the default values:
Critical=Terminate session
Severe=Block traffic
Minor=Block traffic
Warning=Allow traffic
Information=Allow traffic
The following log entries are then displayed. The action actually taken is recorded correctly in actiontype (block, terminate), but the msg text and the ruleaction field still say Allow:
time="2009-03-19 02:01:49" severity=major pri=2 fw=ProCurve-TMS-zl-Module
id=ips_attack_family rule=3101 msg="IPS detection: Allow: Doly Backdoor for Windows detection"
src=192.168.1.20 srcport=1051 dst=192.168.3.20 dstport=1015 proto=TCP
ruleaction=Allow rulethreat=Severe connectiondirection=initiator
packetdirection=2 packetlength=44 ipidentification=42240 rulefam=BACKDOOR
ruledsc="Doly Backdoor for Windows detection" subfamid=ips_signature_based_logs attackid=no-id
mtype=iips_l5_l7_attack mid=3101 timetolive=3 actiontype=block

time="2009-03-19 02:01:49" severity=critical pri=1 fw=ProCurve-TMS-zl-Module
id=ips_attack_family rule=3189 msg="IPS detection: Allow: BackDoor Digital Root Beer"
src=192.168.1.20 srcport=1050 dst=192.168.3.20 dstport=2600 proto=TCP
ruleaction=Allow rulethreat=Critical connectiondirection=initiator
packetdirection=2 packetlength=60 ipidentification=38912 rulefam=BACKDOOR
ruledsc="BackDoor Digital Root Beer" subfamid=ips_signature_based_logs attackid=no-id
mtype=iips_l5_l7_attack mid=3189 timetolive=3 actiontype=terminate
■ PR_38512 — When the same IPS attack was launched continuously against the TMS zl
Module, log throttling did not work and the log file filled with many identical IPS
log entries.
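As an added illustration (not part of these release notes and not HP's code), the following Python script parses entries in the key=value format shown above and applies the two checks a log consumer would want around PR_37838 and PR_38512: it flags entries whose msg text or ruleaction field disagrees with actiontype, or whose actiontype disagrees with the default threat-level actions listed above, and it throttles repeated identical hits so a flood of the same signature from the same source collapses into one record with a repeat count. The sample entries are constructed from the release-note examples; the consistent entry for rule 3331 with ruleaction=Terminate is an assumed post-fix form, and the 60-second window is an assumed throttling parameter, not something the module documents.

```python
import re
from datetime import datetime

# Constructed sample entries in the TMS zl IPS log format (not captured from a
# device). Entries 1 and 2 reproduce the PR_37838 symptom: msg and ruleaction say
# Allow while actiontype is block/terminate. Entry 3 is repeated five times within
# a minute to stand in for the PR_38512 flood of identical hits; its
# ruleaction=Terminate form is an assumption about a consistent entry.
_FLOOD_TS = ["2009-03-19 02:02:%02d" % s for s in range(0, 50, 10)]
SAMPLE_LOG = [
    'time="2009-03-19 02:01:49" severity=major pri=2 fw=ProCurve-TMS-zl-Module '
    'id=ips_attack_family rule=3101 msg="IPS detection: Allow: Doly Backdoor for '
    'Windows detection" src=192.168.1.20 srcport=1051 dst=192.168.3.20 dstport=1015 '
    'proto=TCP ruleaction=Allow rulethreat=Severe connectiondirection=initiator '
    'packetdirection=2 packetlength=44 ipidentification=42240 rulefam=BACKDOOR '
    'ruledsc="Doly Backdoor for Windows detection" subfamid=ips_signature_based_logs '
    'attackid=no-id mtype=iips_l5_l7_attack mid=3101 timetolive=3 actiontype=block',
    'time="2009-03-19 02:01:49" severity=critical pri=1 fw=ProCurve-TMS-zl-Module '
    'id=ips_attack_family rule=3189 msg="IPS detection: Allow: BackDoor Digital Root '
    'Beer" src=192.168.1.20 srcport=1050 dst=192.168.3.20 dstport=2600 proto=TCP '
    'ruleaction=Allow rulethreat=Critical connectiondirection=initiator '
    'packetdirection=2 packetlength=60 ipidentification=38912 rulefam=BACKDOOR '
    'ruledsc="BackDoor Digital Root Beer" subfamid=ips_signature_based_logs '
    'attackid=no-id mtype=iips_l5_l7_attack mid=3189 timetolive=3 actiontype=terminate',
] + [
    'time="%s" severity=critical pri=1 fw=ProCurve-TMS-zl-Module '
    'id=ips_attack_family rule=3331 msg="IPS detection: Terminate: Backdoor FeRAT '
    '1.00" src=192.168.1.20 srcport=%d dst=192.168.3.20 dstport=1234 proto=TCP '
    'ruleaction=Terminate rulethreat=Critical connectiondirection=initiator '
    'packetdirection=2 packetlength=43 ipidentification=914 rulefam=BACKDOOR '
    'ruledsc="Backdoor FeRAT 1.00" subfamid=ips_signature_based_logs attackid=no-id '
    'mtype=iips_l5_l7_attack mid=3331 timetolive=3 actiontype=terminate'
    % (ts, 1079 + i) for i, ts in enumerate(_FLOOD_TS)
]

# key=value pairs; values are either "quoted, may contain spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The action word embedded in msg, e.g. "IPS detection: Allow: ...".
MSG_RE = re.compile(r'^IPS detection: (\w+): ')

# Default action per threat level, as listed under IPS > Settings > Actions.
DEFAULT_ACTIONS = {"Critical": "terminate", "Severe": "block", "Minor": "block",
                   "Warning": "allow", "Information": "allow"}


def parse_entry(line):
    """Split one log entry into a dict; quoted values keep their spaces."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def check_entry(entry, policy=DEFAULT_ACTIONS):
    """Return a list of inconsistencies: the action named in msg and in ruleaction
    should equal actiontype, and actiontype should match the policy for rulethreat.
    An entry logged before the defaults were applied (e.g. actiontype=log for a
    Critical hit) is reported as a policy deviation, which is what an analyst wants."""
    problems = []
    taken = entry.get("actiontype", "").lower()
    m = MSG_RE.match(entry.get("msg", ""))
    if m and m.group(1).lower() != taken:
        problems.append("msg says %s but actiontype=%s" % (m.group(1), taken))
    rule_action = entry.get("ruleaction", "")
    if rule_action and rule_action.lower() != taken:
        problems.append("ruleaction=%s but actiontype=%s" % (rule_action, taken))
    expected = policy.get(entry.get("rulethreat", ""))
    if expected and expected != taken:
        problems.append("policy for %s is %s but actiontype=%s"
                        % (entry["rulethreat"], expected, taken))
    return problems


def throttle(entries, window_seconds=60):
    """Collapse repeats of the same signature/src/dst/action inside a window
    (60 s is an assumed value): the first hit is kept as a record, later
    identical hits only increment that record's repeat count."""
    kept, window_start = [], {}
    for e in entries:
        key = (e.get("rule"), e.get("src"), e.get("dst"), e.get("actiontype"))
        ts = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        start = window_start.get(key)
        if start is not None and (ts - start[0]).total_seconds() < window_seconds:
            start[1]["repeats"] += 1
            continue
        record = {"entry": e, "repeats": 0}
        window_start[key] = (ts, record)
        kept.append(record)
    return kept


if __name__ == "__main__":
    parsed = [parse_entry(line) for line in SAMPLE_LOG]
    for rec in throttle(parsed):
        e = rec["entry"]
        print("rule=%s %s->%s actiontype=%s repeats=%d"
              % (e["rule"], e["src"], e["dst"], e["actiontype"], rec["repeats"]))
        for p in check_entry(e):
            print("  INCONSISTENT:", p)
```

Run against the constructed sample, the two Allow entries each produce two inconsistency findings (msg and ruleaction both disagree with actiontype) while the rule 3331 flood collapses into a single record with four repeats. The same parser works on the raw syslog export from the module, since the format is the one shown in the entries above.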