The standalone DLT drive on EYEWI seems to have lost its mind. I’ve replaced it with the DLT1 that used to be on MIR, and it seems happy now. I had to reconfigure NetBackup a bit to make it not complain about the drives, but the snapshot dump of the catalog filesystem works fine (although there seems to be something wacky with /tmp that I need to look into).
Apparently the first system disk on RAHU died at some point. Since we’re mirroring, we’re still ok, but the VxFS snapshot that was using it has been failing. Sun is sending out a replacement drive.
Apparently a couple of the user agent rules I applied to the PacketShaper were overly broad and were catching systems that did not have spyware running. My guess is that spyware had at one time been on these systems but had been removed. However, the removal probably didn’t revert IE’s user agent string back to the original, and thus tripped the shaper rules. I’ve removed those particular rules, keeping the ones that seem to be associated with standalone spyware agents.
ROJ crashed last night at about 21:20 — apparently a memory error of some sort. It saved a crash dump and rebooted, and SHANTI recorded full system logs during the event. I’ve opened a case with Sun support and sent logs and crash dump on to them for analysis. Meanwhile, ROJ seems to be running well again.
I’ve spent a little while the last few days building a list of PacketShaper rules to identify spyware web activity based primarily on user agent strings that the spyware programs use. Seems to be doing the right thing and blocking those user agents, though I don’t have a handy spyware-infected box to test it with.
I put the blocked class on the outbound link only, and used the class criterion for HTTP traffic to identify matching user agent strings. I had to move this class above the “Services” class in order for this HTTP traffic to be classified here rather than in the general allowed HTTP traffic.
I have identified user agent strings by running Snort on BIFROST and using the bleeding-snort malware rulesets. Mostly this has caught MarketScore, but there have been a number of other ones falling into the pot as well.
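As an added illustration (not part of the original journal entries, and not PacketShaper syntax), the script below shows the two kinds of user-agent rule described above and why the broad one caused the false positives noted earlier: a rule keyed on an unexpected extra token in an Internet Explorer user-agent string keeps firing after the spyware has been uninstalled, whereas a rule keyed on a standalone, non-browser agent does not. All rule names, agent names and log lines are constructed placeholders, not real spyware signatures.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str   # regular expression applied to the full User-Agent string
    note: str


# Constructed placeholder rules for this example; not real spyware signatures.
RULES_ORIGINAL = [
    Rule("standalone-agent", r"^ExampleSpyAgent/",
         "non-browser agent used only by the spyware process itself"),
    Rule("ie-modified-ua",
         r"^Mozilla/4\.0 \(compatible; MSIE [0-9.]+; Windows NT [0-9.]+; (?!\.NET)[^;)]+\)$",
         "IE with an unexpected extra token; survives an uninstall, so it over-matches"),
]

# Refined rule set: keep only the rule keyed on a standalone agent.
RULES_REFINED = [r for r in RULES_ORIGINAL if r.name == "standalone-agent"]

# Constructed sample HTTP request log: client IP, method, host, User-Agent.
# 10.1.2.4 and 10.1.2.6 carry a leftover toolbar token in an otherwise normal
# IE user-agent string; 10.1.2.8 carries the benign .NET CLR token.
SAMPLE_LOG = """\
10.1.2.3 GET www.example.edu "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.1.2.4 GET ads.example.net "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ExampleBar 1.0)"
10.1.2.5 GET stats.example.net "ExampleSpyAgent/2.1"
10.1.2.6 GET www.example.edu "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ExampleBar 1.0)"
10.1.2.7 GET www.example.com "Mozilla/5.0 (X11; U; Linux i686) Gecko/20050101 Firefox/1.0"
10.1.2.8 GET www.example.edu "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
"""

LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def classify(log_text, rules):
    """Return {client_ip: [matching rule names]} for every request that hits a rule."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # skip malformed lines rather than guessing at them
        ip, _method, _host, ua = m.groups()
        names = [r.name for r in rules if re.search(r.pattern, ua)]
        if names:
            hits.setdefault(ip, []).extend(names)
    return hits


def blocked_only_by_original(log_text):
    """Clients the original rule set would block but the refined set would not.

    These are the hosts whose only evidence is a modified IE user-agent string,
    i.e. the likely false positives once the spyware has been removed.
    """
    original = classify(log_text, RULES_ORIGINAL)
    refined = classify(log_text, RULES_REFINED)
    return sorted(set(original) - set(refined))


if __name__ == "__main__":
    for label, rules in (("original", RULES_ORIGINAL), ("refined", RULES_REFINED)):
        print(f"{label}: {classify(SAMPLE_LOG, rules)}")
    print("would be blocked only by the broad rule:", blocked_only_by_original(SAMPLE_LOG))
```

The negative lookahead in the `ie-modified-ua` pattern allowlists the common `.NET CLR` token, but any other extra token still trips it, which is exactly the behaviour that caught cleaned-up machines; dropping that rule and keeping `standalone-agent` is the refinement the entry above describes.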
Looking at IPS boxes recently. The idea being that they’d block virus/worm/etc. propagation, clamp down on spyware, stop some other attacks, and possibly throttle P2P (although the shaper is doing fine in that regard).
I re-purposed one of the FreeBSD VMware instances yesterday to serve as a FLEXlm license server for Maple 10.
I gave it a minimal set of resources and then reloaded the Linux emulation packages onto the OS. FLEXlm seems relatively straightforward to manage, despite it being a “legacy” product that no company seems to want to admit having ownership of. In any case, it works, and I closed off access to the system from off campus.
The trickiest part, actually, was with some weird bug between VMware and FreeBSD where it would hang and spike the VMware server CPU at the point in the boot process that it was probing the parallel port. I disabled both parallel and serial ports in the VMware BIOS, and after a while it seemed to boot up again. I don’t know if I solved the problem, though.