Administrator's Guide

Troubleshooting
Appendix G
Determine whether any changes have been made to the detection templates, which
may filter out the alerts (such as ignoring whole directories or users).
If no login/logout alerts are seen, /var/adm/wtmp might be corrupted. To check, run
the last command and see whether it prints an error or segmentation faults. If so,
do the following as root:
# rm /var/adm/wtmp
# touch /var/adm/wtmp
# chown adm:adm /var/adm/wtmp
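The wtmp check and repair above, as a script added here (not part of the HP-UX HIDS guide). It assumes the script is saved as fix_wtmp.sh, that wtmp is /var/adm/wtmp owned by adm:adm as stated above, and that last exits non-zero or writes to stderr when the file is unreadable; unlike the steps above it sets the corrupt file aside rather than removing it, so the login history remains available for later review.

```shell
#!/bin/sh
# Added example, not from the HP-UX HIDS guide.
# Checks whether `last` can read wtmp; if not, preserves the corrupt file
# under a timestamped name and recreates an empty wtmp with the right owner.
# Assumptions: wtmp path and owner as in the guide; `last` signals trouble
# by a non-zero exit status (a segfault is typically 139) or stderr output.

WTMP=${WTMP:-/var/adm/wtmp}
WTMP_OWNER=${WTMP_OWNER:-adm:adm}

# wtmp_is_healthy: returns 0 when `last` reads the current wtmp cleanly.
wtmp_is_healthy() {
    command -v last >/dev/null 2>&1 || { echo "last not found" >&2; return 2; }
    errout=$(last -1 2>&1 >/dev/null)
    status=$?
    [ "$status" -eq 0 ] && [ -z "$errout" ]
}

# repair_wtmp FILE OWNER: move FILE to FILE.corrupt.<timestamp> so it can
# still be examined, then create an empty FILE owned by OWNER.
# Prints the path of the preserved copy.
repair_wtmp() {
    file=$1
    owner=$2
    saved="${file}.corrupt.$(date +%Y%m%d%H%M%S)"
    if [ -e "$file" ]; then
        mv "$file" "$saved"
    fi
    : > "$file"
    chown "$owner" "$file"
    echo "$saved"
}

# Run the check only when executed directly as fix_wtmp.sh (as root),
# not when the functions are sourced from another script.
if [ "${0##*/}" = "fix_wtmp.sh" ]; then
    if wtmp_is_healthy; then
        echo "$WTMP is readable; no action taken"
    else
        saved=$(repair_wtmp "$WTMP" "$WTMP_OWNER")
        echo "recreated $WTMP; previous file kept at $saved"
    fi
fi
```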
Is the communication to the agent timing out? Check the agent’s
/var/opt/ids/error.log for timeout messages. If timeout messages appear, try
increasing the timeout values in the agent’s /etc/opt/ids/ids.cf configuration
file; see “Remote Communication Configuration” on page 209.
If /var/opt/ids/error.log contains "out of memory" errors, the maximum data
segment size may need to be increased or more swap space might need to be added.
Run kmtune -l -q maxdsiz (kctune on HP-UX 11i v2) and /usr/sbin/swapinfo to
determine your current tunable setting and swap usage, respectively.
Buffer overflow triggers false positives
Because Buffer Overflow uses a heuristic, it may trigger false positives. If it does,
please document what actions were performed that generated the alert, and contact
HP support so we can improve the heuristic.
For more information on the Buffer Overflow template, see “Some Template Configuration
Guidelines” on page 74.
Duplicate alerts appear in System Manager
If you see duplicate alerts, you might have multiple instances of the same template
configured in your schedule within different surveillance groups with overlapping time
tables.
Idsadmin needs installed agent certificates
You must run the idsadmin program on an administration host where agent certificates
are installed. You can use IDS_genAgentCerts to generate a local agent certificate on
the administration host. If the agent filesets, which include IDS_genAgentCerts, are not
installed, you can copy the directory /etc/opt/ids/ids/certs/agent (and its contents)
from a remote agent host to the administration host.
Idsadmin notifies of bad certificate when pinging a remote agent
Idsadmin may report a bad certificate if the certificate created on the admin host for the
agent is not yet valid on the agent host because of a system time difference between the
admin host and the remote agent host. For example:
./idsadmin -a hostname -i 1.2.3.4 -l /tmp/fooooo
Successfully opened /tmp/fooooo