11-19-2007 03:15 PM - edited 03-09-2019 07:25 PM
I'm getting numerous CSA log error entries that are coming from different machines with the following message:
The rule request has been submitted to the Rule Engine the maximum number of times. This request is no longer blockable, and the default action will be taken.
When I go to details I get the following:
Event Text The rule request has been submitted to the Rule Engine the maximum number of times. This request is no longer blockable, and the default action will be taken.
Event Time 11/19/2007 4:11:56 PM
Code RULE_RESUBMIT_LIMIT_EXCEEDED
PInt 413
time 1885.3 (seconds since boot)
type APICALL
ApiOperation SuprisingDriver
ApiPString1 keyboard
ApiPString2 \SystemRoot\System32\Drivers\KeyEx2.SYS
FlattenedForm (t-1195510315 n-703125000 z--21600 sm-3691 sc-9 dm-1 dc-7 cd-234 p*(i-413 r*(type-17 time-18853 pnd-83891510 rid-83891093 rapi*(op-44 p*(a-keyboard a-\SystemRoot\System32\Drivers\KeyEx2.SYS a- ) ) ) ) )
It appears to be a problem with the KeyEx2.SYS file, which has to do with Tivoli, but I'm not sure how to configure this as something to ignore.
Any ideas?
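As an added example (not code from this thread or from Cisco), here is a small parser for the FlattenedForm record pasted above, plus a helper that collapses a burst of these events into a count per driver path so you can see which module a Trusted Rootkit / System API exception would need to cover. Field meanings are inferred from how the post's own Event Time, time, PInt and ApiPString values line up with the t-, z-, time-, i- and a- tokens (time-18853 against 1885.3 seconds, so tenths of a second; z--21600 as the UTC offset in seconds); the op-44 / SuprisingDriver and type-17 / APICALL pairing is seen in this one record only, so no code table is assumed. The second sample record is constructed for the example.

```python
# Added example: parse a CSA 'FlattenedForm' event string and pull out the
# fields a triage would key on. Not Cisco code; field meanings are inferred
# from the single record in the thread, as noted in the comments below.
from datetime import datetime, timedelta, timezone

# The record from the original post, copied verbatim.
SAMPLE_EVENT = (
    "(t-1195510315 n-703125000 z--21600 sm-3691 sc-9 dm-1 dc-7 cd-234 "
    "p*(i-413 r*(type-17 time-18853 pnd-83891510 rid-83891093 "
    r"rapi*(op-44 p*(a-keyboard a-\SystemRoot\System32\Drivers\KeyEx2.SYS a- ) ) ) ) )"
)

# Constructed record (hypothetical driver name) to show per-driver grouping.
OTHER_EVENT = (
    "(t-1195510400 n-0 z--21600 sm-3691 sc-9 dm-1 dc-7 cd-234 "
    "p*(i-413 r*(type-17 time-19703 pnd-83891510 rid-83891093 "
    r"rapi*(op-44 p*(a-keyboard a-\SystemRoot\System32\Drivers\Example.SYS a- ) ) ) ) )"
)


def parse_flattened(text):
    """Parse 'name*( key-value ... )' notation into nested groups.

    Each group is {'name': str, 'fields': [(key, value), ...], 'children': [...]}.
    Keys repeat (the three 'a-' arguments), so fields are kept as a list.
    """
    root = {"name": "", "fields": [], "children": []}
    stack = [root]
    token = ""

    def flush():
        nonlocal token
        if token:
            # Split on the first '-' only: 'z--21600' -> ('z', '-21600'), 'a-' -> ('a', '')
            key, _, value = token.partition("-")
            stack[-1]["fields"].append((key, value))
            token = ""

    for ch in text:
        if ch == "(":
            # 'p*(' opens a named sub-group; the leading bare '(' opens an anonymous one.
            group = {"name": token.rstrip("*"), "fields": [], "children": []}
            token = ""
            stack[-1]["children"].append(group)
            stack.append(group)
        elif ch == ")":
            flush()
            if len(stack) > 1:
                stack.pop()
        elif ch.isspace():
            flush()
        else:
            token += ch
    flush()
    return root["children"][0] if root["children"] else root


def field(group, key, default=None):
    """First value of `key` in this group's own fields."""
    for k, v in group["fields"]:
        if k == key:
            return v
    return default


def find_group(group, name):
    """Depth-first search for the first sub-group called `name`."""
    for child in group["children"]:
        if child["name"] == name:
            return child
        found = find_group(child, name)
        if found is not None:
            return found
    return None


def triage(flattened):
    """Extract the fields that matter for deciding on an exception."""
    ev = parse_flattened(flattened)
    p = find_group(ev, "p")        # outer p*( ... ) carries i-<PInt>
    r = find_group(ev, "r")        # rule request: type-, time- (tenths of a second since boot, inferred)
    api = find_group(ev, "rapi")   # API call: op-<code> and its string arguments
    args = [v for k, v in find_group(api, "p")["fields"] if k == "a"]
    utc = datetime.fromtimestamp(int(field(ev, "t")), tz=timezone.utc)
    local = utc + timedelta(seconds=int(field(ev, "z")))   # z- inferred as UTC offset in seconds
    return {
        "local_time": local.strftime("%Y-%m-%d %H:%M:%S"),
        "pint": int(field(p, "i")),
        "uptime_s": int(field(r, "time")) / 10.0,
        "op_code": int(field(api, "op")),   # 44 is shown as 'SuprisingDriver' in the post
        "api_args": args,
        "driver": next((a for a in args if a.lower().endswith(".sys")), None),
    }


def count_by_driver(records):
    """Collapse a burst of records to one count per driver path."""
    counts = {}
    for rec in records:
        drv = triage(rec)["driver"] or "<no driver>"
        counts[drv] = counts.get(drv, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
    print(count_by_driver([SAMPLE_EVENT, SAMPLE_EVENT, OTHER_EVENT]))
```

Run over an export of the affected hosts' events, the per-driver count is the list of modules you would have to name in a Trusted Rootkit rule (or exempt from the Trap keystrokes rule), and the local_time values show whether the events really arrive in waves.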
11-19-2007 08:50 PM
Hi Stephen
Sounds like your remote keyboard driver is intercepting system calls and CSA is suspicious.
There should be a corresponding alert that you may be able to use to make an exception.
Trusted Rootkit or Trojan Detection maybe?
What version of CSA?
Tom
11-20-2007 05:05 AM
I'm using 5.2.0.225 with a remote database server. I agree with what you are saying, but I'm not sure how to get around this, as normally you get some sort of information message first. Any help will be greatly appreciated.
11-20-2007 08:42 AM
Remote keyboard drivers can trigger the kernel protection rule in the system hardening module and set the system state to 'untrusted rootkit detected'.
If this is the case (it should say how many hosts are in this state in the summary screen), create a trusted rootkit set rule for KeyEx2.SYS and reset the system state on all the affected hosts.
If this is not what is happening then I need more info.
Tom
11-20-2007 09:27 AM
I took a look at the Summary Screen and it has 0 for Untrusted RootKit.
What's kind of strange is these errors may come in at 100+ for a few machines and then stop, and then a few hours later more, or there may not even be any for a day.
11-20-2007 09:47 AM
Now it seems more likely that it is a System API control, All Applications, Trap keystrokes rule monitoring the keyboard driver.
It might be coming in waves because someone is remoting to the machine when the messages generate.
Tom
11-20-2007 01:32 PM
Looks like you may have hit on it. I guess I didn't read the details correctly. Would you happen to know why the error message is so cryptic on this error instead of most of them that are fairly straight forward?
I've got some people checking on the machines in question to see if Tivoli is still installed and will get back next week some time on how it turns out.
11-20-2007 02:08 PM
I couldn't tell you why the alert is phrased that way.
Maybe a better alert message would be "the rule was triggered too many times so the user doesn't get to choose any more"
or
"Uncle!"
Tom