CSA Log Entries Submitted Maximum Number of Times

derens (Level 1)

I'm getting numerous CSA log error entries that are coming from different machines with the following message:

The rule request has been submitted to the Rule Engine the maximum number of times. This request is no longer blockable, and the default action will be taken.

When I go to details I get the following:

Event Text The rule request has been submitted to the Rule Engine the maximum number of times. This request is no longer blockable, and the default action will be taken.

Event Time 11/19/2007 4:11:56 PM

Code RULE_RESUBMIT_LIMIT_EXCEEDED

PInt 413

time 1885.3 (seconds since boot)

type APICALL

ApiOperation SuprisingDriver

ApiPString1 keyboard

ApiPString2 \SystemRoot\System32\Drivers\KeyEx2.SYS

FlattenedForm (t-1195510315 n-703125000 z--21600 sm-3691 sc-9 dm-1 dc-7 cd-234 p*(i-413 r*(type-17 time-18853 pnd-83891510 rid-83891093 rapi*(op-44 p*(a-keyboard a-\SystemRoot\System32\Drivers\KeyEx2.SYS a- ) ) ) ) )

It appears to be a problem with the KeyEx2.SYS file, which has to do with Tivoli, but I'm not sure how to configure this as something to ignore.

Any ideas?
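Added example, not part of this post or of CSA's own tooling: a small Python parser for the FlattenedForm record quoted above, so that records arriving in waves from many hosts can be grouped by process id, API operation and driver path rather than read by eye. The field readings (t as Unix seconds, n as nanoseconds, z as the UTC offset in seconds, the repeated a- entries as the ApiPString arguments) are assumptions inferred from this one record and checked against the Event Time and ApiPString values it shows.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the FlattenedForm field quoted in the post above
# (one CSA log record copied from the post, not generated here).
SAMPLE = (
    "(t-1195510315 n-703125000 z--21600 sm-3691 sc-9 dm-1 dc-7 cd-234 "
    "p*(i-413 r*(type-17 time-18853 pnd-83891510 rid-83891093 "
    "rapi*(op-44 p*(a-keyboard a-\\SystemRoot\\System32\\Drivers\\KeyEx2.SYS a- ) ) ) ) )"
)

# 'name*(' opens a nested group, ')' closes one, anything else is 'key-value'
_TOKEN = re.compile(r"\S+\*\(|\(|\)|\S+")

def parse_flattened(text: str) -> dict:
    """Turn the nested 'key-value' / 'name*( ... )' text into nested dicts.
    A key repeated inside one group (the 'a-' API arguments) becomes a list;
    the value is everything after the first '-', so 'z--21600' gives z='-21600'."""
    root, stack = None, []
    for tok in _TOKEN.findall(text):
        if tok == ")":
            stack.pop()
        elif tok == "(" or tok.endswith("*("):
            group = {}
            if stack:
                stack[-1][tok[:-2]] = group  # named child of the current group
            else:
                root = group                 # the unnamed outermost record
            stack.append(group)
        else:
            key, _, value = tok.partition("-")
            node = stack[-1]
            if key in node:  # repeated key: collect into a list, in order
                if not isinstance(node[key], list):
                    node[key] = [node[key]]
                node[key].append(value)
            else:
                node[key] = value
    return root

def summarize(record: dict) -> dict:
    """Fields a triage query would group on: PInt (process id), request
    type, API operation number and the non-empty API string arguments."""
    req = record["p"]["r"]
    args = req["rapi"]["p"].get("a", [])
    args = args if isinstance(args, list) else [args]
    return {"pid": int(record["p"]["i"]), "request_type": int(req["type"]),
            "api_op": int(req["rapi"]["op"]), "api_args": [a for a in args if a]}

def event_time(record: dict) -> datetime:
    """Assumed encoding: t = Unix seconds, n = nanoseconds, z = UTC offset in
    seconds. Under that reading the sample decodes to 11/19/2007 4:11 PM local."""
    tz = timezone(timedelta(seconds=int(record["z"])))
    return datetime.fromtimestamp(int(record["t"]) + int(record["n"]) / 1e9, tz)
```

Running `summarize(parse_flattened(SAMPLE))` yields the process id 413, operation 44 and the two ApiPString arguments from the post, which is what a query grouping thousands of these records per host would key on.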

7 Replies

tsteger1 (Level 8)

Hi Stephen

Sounds like your remote keyboard driver is intercepting system calls and CSA is suspicious.

There should be a corresponding alert that you may be able to use to make an exception.

Trusted Rootkit or Trojan Detection maybe?

What version of CSA?

Tom

I'm using 5.2.0.225 with a remote database server. I agree with what you are saying, but I'm not sure how to get around this, as normally you get some sort of information message first. Any help will be greatly appreciated.

Remote keyboard drivers can trigger the kernel protection rule in the system hardening module and set the system state to 'untrusted rootkit detected'.

If this is the case (it should say how many hosts are in this state in the summary screen), create a trusted rootkit set rule for KeyEx2.SYS and reset the system state on all the affected hosts.

If this is not what is happening then I need more info.

Tom

I took a look at the Summary Screen and it has 0 for Untrusted RootKit.

What's kind of strange is these errors may come in at a 100+ for a few machines and then stop and then a few hours later more or there may not even be any for a day.

Now it seems more likely that it is a System API control, All Applications, Trap keystrokes rule monitoring the keyboard driver.

It might be coming in waves because someone is remoting to the machine when the messages generate.

Tom

Looks like you may have hit on it. I guess I didn't read the details correctly. Would you happen to know why the error message is so cryptic on this error, instead of like most of them, which are fairly straightforward?

I've got some people checking on the machines in question to see if Tivoli is still installed and will get back next week some time on how it turns out.

I couldn't tell you why the alert is phrased that way.

Maybe a better alert message would be "the rule was triggered too many times so the user doesn't get to choose any more"

or

"Uncle!"

Tom
