Hopling Technologies B.V. H5486868 사용자 설명서
The information contained in this document is subject to change. This document contains proprietary information, which is protected by copyright
laws. All rights are reserved. No part of this document may be photocopied, reproduced or translated to another language or program language
without prior written consent of Hopling Technologies B.V..
HD.02.104.00001
Page: 103(128)
11.2.11 Event: virusDetect
The Xnet Viper has a way of detecting worm viruses passing through the gateway. Viruses like
the Nimba, Sasser and other worm viruses have a typical behavior in that they open up a large
number of simultaneous TCP/IP connections to start infecting other systems. The Xnet Viper can
determine the number of sessions that each user has opened per minute. For non infected user
systems the number of simultaneous connections will normally not be higher than 50. However,
a worm virus can easily open over 100 simultaneous TCP/IP connections. The way of detecting
worm viruses works on the basis of setting a threshold for simultaneous TCP/IP connections.
Once this threshold is exceeded for a particular user the Xnet Viper will signal this to the portal
by generating the virusDetect event. At that point the portal server can decide what to do, either
log the user out, place the user in the restricted virus queue or do nothing.
The threshold to trigger the virusDetect event is default set to 100 simultaneous TCP/IP sessions
per minute. This is done using the variable VIRUS_DETECT="100" in the file:
/config/hopling/virtual_gw/virtual_gw_0/hotspot_mode/hotspot.conf
the Nimba, Sasser and other worm viruses have a typical behavior in that they open up a large
number of simultaneous TCP/IP connections to start infecting other systems. The Xnet Viper can
determine the number of sessions that each user has opened per minute. For non infected user
systems the number of simultaneous connections will normally not be higher than 50. However,
a worm virus can easily open over 100 simultaneous TCP/IP connections. The way of detecting
worm viruses works on the basis of setting a threshold for simultaneous TCP/IP connections.
Once this threshold is exceeded for a particular user the Xnet Viper will signal this to the portal
by generating the virusDetect event. At that point the portal server can decide what to do, either
log the user out, place the user in the restricted virus queue or do nothing.
The threshold to trigger the virusDetect event is default set to 100 simultaneous TCP/IP sessions
per minute. This is done using the variable VIRUS_DETECT="100" in the file:
/config/hopling/virtual_gw/virtual_gw_0/hotspot_mode/hotspot.conf
. When the variable
is set to zero the number of simultaneous sessions will be set to unlimited.
The default value for the VIRUS_DETECT threshold can be set on a per user basis by the remote
portal upon the authentication of the user. Please refer to paragraph: 10.2.4 on how to set this
during authentication.
The default value for the VIRUS_DETECT threshold can be set on a per user basis by the remote
portal upon the authentication of the user. Please refer to paragraph: 10.2.4 on how to set this
during authentication.
#@! <upload> <event> <reserved2> <reserved3> <reserved4>
#@$ <"Virtual Gateway 0: Event file for the virusDetect event">
#
# file:/config/hopling/virtual_gw/virtual_gw_0/events/virusDetect
#
# Configuration file for the Hopling Xspot
# (c) Hopling Technologies 2004, 2005, 2006
# Ivo van Ling (support@hopling.com)
#
# This file contains the configuration parameters for the "virusDetect" event.
#
# Event name
#TITLE="configuration parameters for the virusDetect event."
#START
event virusDetect
# Additional parameters
gateway_ID $CLIENT_STRING
software_VER $SW_VERSION
flavour $FLAVOUR
flavour_type $FLAVOUR_TYPE
build_nr $BUILD_NR
build_tag $BUILD_TAG
platform_VER $HW_PLATFORM
platform_TYPE $HW_TYPE
macEth0 $MAC_ETH0
wireless_NET $WIFI_0_0_SSID
vpn_server $VGW_0_VPN_SERVER
cust_MAC $CUST_MAC
cust_IP $CUST_IP
#@$ <"Virtual Gateway 0: Event file for the virusDetect event">
#
# file:/config/hopling/virtual_gw/virtual_gw_0/events/virusDetect
#
# Configuration file for the Hopling Xspot
# (c) Hopling Technologies 2004, 2005, 2006
# Ivo van Ling (support@hopling.com)
#
# This file contains the configuration parameters for the "virusDetect" event.
#
# Event name
#TITLE="configuration parameters for the virusDetect event."
#START
event virusDetect
# Additional parameters
gateway_ID $CLIENT_STRING
software_VER $SW_VERSION
flavour $FLAVOUR
flavour_type $FLAVOUR_TYPE
build_nr $BUILD_NR
build_tag $BUILD_TAG
platform_VER $HW_PLATFORM
platform_TYPE $HW_TYPE
macEth0 $MAC_ETH0
wireless_NET $WIFI_0_0_SSID
vpn_server $VGW_0_VPN_SERVER
cust_MAC $CUST_MAC
cust_IP $CUST_IP
When a virusDetect event is generated with the above configuration for the virusDetect event
the following URL is called from the Xnet Viper:
http://www.hopling.nl/download_config/log.php?date=20050904202755&hopling=XnetMkI-
c20930&event=virusDetect&gateway_ID=&software_VER=3.0.1&platform_VER=Net4511&platform_TYPE=PRISM
WWR&macEth0=00:00:24:c2:09:30&cust_MAC=00:12:3f:15:09:62&cust_IP=192.168.0.11&wireless_NET=Hopli
ng Technologies 0
c20930&event=virusDetect&gateway_ID=&software_VER=3.0.1&platform_VER=Net4511&platform_TYPE=PRISM
WWR&macEth0=00:00:24:c2:09:30&cust_MAC=00:12:3f:15:09:62&cust_IP=192.168.0.11&wireless_NET=Hopli
ng Technologies 0