Blocking Virus Requests in HTTP Accelerator

For Web servers that are being accelerated by Novell BorderManager 3.8's reverse proxy capability, Novell has added a new Virus Pattern Recognition feature to Novell BorderManager 3.8 that can help protect against such attacks. This enhancement includes features to facilitate its configuration and monitoring.

To enable this feature, you must have the latest version of proxy.nlm.

You also need the following lines in the sys:\etc\proxy\ proxy.cfg file, which is used to initialize the Novell BorderManager Proxy Server at startup:

[Extra Configuration]ScanVirusPatterns=1[Virus Pattern Configuration]NoOfVirusPatterns=0PatternSize=16PatternStartOffset=1EnablePatternAutoUpdate=1

If you don't have these lines in the proxy.cfg file when you start the Proxy Server, you will receive a "virus command not found" message on the system console when you try to specify any of the console commands described below.


Command Line Configuration

Configuration of the Virus Pattern Recognition feature is accomplished via console commands that are run from the system console. As with most console-based systems, responses to commands are written back to the system console and recorded in a log file (in this case, proxy.log).

NOTE:  The command syntax below is specified in BNF (Backus-Naur Format) notation, a formal system of notation developed in the 1960s to describe the syntax of a given command set or computer programming language.


Adding and Deleting Virus Request Patterns

After the Proxy Server is up and running with its initial pattern database loaded, you can add new patterns while the server is running. The console command syntax for adding a new virus pattern is as follows:

virus add -p pattern -o origLength

where pattern is a 16-byte character string located at offset 1 in the HTTP GET request, and origLength is the original size of the request in bytes. These are mandatory option-value pairs. The string value for pattern should be enclosed in quotation marks; the value for origLength is given as an integer. For example:

virus add -p "default.ida?NNNN" -o 385

The Proxy Server looks at the specified offset in each incoming request and reads the next 16 bytes. If that string matches any of the patterns in the existing database, the request is considered a virus request and is blocked.

NOTE:  The pattern size and start offset are set to 16 and 1, respectively, by default. You can change these values in the proxy.cfg file, but do so with caution. They are global parameters that apply to all entries in the pattern database.

To delete a pattern from the database, use the same syntax but replace the add command with del. For example:

virus del -p "default.ida?NNNN" -o 385


Updating the Database via a Script (NCF File)

Another aspect of the Virus Pattern Recognition feature is the capability to update the database in a script-like fashion by placing a list of virus add commands in an NCF file and running the file on the console. This enables you to update the virus pattern database without having to bring the Proxy Server down.

You can use the following command to write all existing entries in the database into an NCF file: virus dump

The name of the dump file is sys:\etc\proxy\virpat.ncf. This NCF file can be run as part of the Proxy Server restart process, or you can run it manually after the Proxy Server has been loaded.


Enabling and Configuring Auto Update

Novell BorderManager 3.8 provides an Auto Update feature that automatically detects virus requests and adds their patterns to the database. This feature's heuristic (self-learning) request examination method is especially useful in detecting frequently changing virus request patterns.

The heuristics look at the incoming request distribution within a specified amount of time. For these heuristics to work, two parameters must be properly configured:

Threshold: This parameter defines the number of new requests that hash to the same value that is allowed within the time interval before those requests are considered suspect. The default value is 250; this can be changed via the virus -t threshold console command.

Refresh Time Interval: This parameter defines the amount of time, in seconds, after which identical requests received beyond the threshold value are checked for virus pattern content. The default value is 10 seconds; this can be changed via the virus -r time interval console command.

When more than the threshold number of identical requests are received within the specified time interval, that request is considered suspect and is scheduled for further analysis via a background process. In the meantime, the Proxy Server continues to receive all requests so that valid requests are never blocked.

The Virus Pattern Configuration screen provides information that can help you adjust these parameters for your particular system. See Choosing a Proper Threshold for details.

There are two ways to enable this Auto Update feature. One is by entering the following command at the system console: virus -e 1

NOTE:  Specifying a value of 0 (zero) in this command disables Auto Update.

The other way to enable this feature is to place the following option in the proxy.cfg file:

[Virus Pattern Configuration]EnablePatternAutoUpdate=1


Adding New Virus Keywords

Virus request patterns of the same virus type contain keywords or character strings that can be used to identify the request.

For example, all URLs with Code Red virus requests contain the string cmd.exe. Because the presence of this string identifies the URL as a virus request, "cmd.exe" is a keyword.

NOTE:  In this Code Red example, adding *CMD.EXE * as a filter rule in routers blocks all requests containing this keyword.

Keywords come into play only after a request has been labelled as suspect through the heuristics described above. At that point, the suspect request is checked for the presence of certain keywords. If a match is found, the request is labelled a virus request and its pattern is added to the database. Any future requests containing that keyword are automatically blocked.

To add a new keyword to the list of existing keywords, enter the following command at the system console:

virus add -k keyword

where keyword is a character string that determines whether a suspect request is a humble request or a virus request.


Monitoring the Virus Pattern Recognition Feature

Because the effectiveness of a feature can be best understood through monitoring, the Novell BorderManager Proxy Server includes a Virus Pattern Configuration screen. All virus pattern-related configuration and statistical information is tracked and displayed on this separate server console screen.


Effect on Performance

Because there is very little overhead involved in checking incoming HTTP requests, enabling the Virus Pattern Recognition feature does not adversely affect Novell BorderManager Proxy Server performance.