Host Intrusion Detection System Administrator's Guide Release 3.0

Appendix B
Automated Response

Introduction
The automated alert response feature of HP-UX HIDS is a powerful tool.
Response programs allow you to automatically capture alerts as they are generated by
the HP-UX HIDS agent and to use your own tools to process them and make decisions,
such as alerting a system administrator about a potential intrusion. They work in
addition to the normal agent-administration interface of HP-UX HIDS in which alerts
are reported to the System Manager process on the administration system.
The response programs are executed on the agent system that generates the alert, thus
allowing for near real-time intrusion response in the face of potential misuse.
General Guidelines
Consider these guidelines when responding to an intrusion attempt on your systems:
1. Do not do anything that is illegal in your region of the world.
Consult your local legal counsel before devising any response strategy.
2. Balance the response against the threat.
Not every target of an attack justifies an equal response, and the response should be
in proportion to the threat.
3. Determine if attack isolation is more important than continuous availability.
In response to an attack, you may decide to disable the networking on a server to
isolate it from further attacks. This isolation also serves to preserve any evidence of
an intrusion. However, by isolating the server you may interfere with legitimate
business activities.
Response Methods
Responses to intrusions generally fall into one of the following methods.
1. Forwarding Information
Information about the alert can be forwarded by sending an e-mail or calling a pager.
Filtering is needed to prevent repeated alerts from causing a storm of paging
requests. See examples in “Forwarding Information” on page 196.
2. Halting Further Attacks
It may be possible to halt further attacks by changing an attribute of the system, for
example by disabling an account, disabling remote logins, or changing a directory's access
permissions. See examples in “Halting any further attacks” on page 198.
3. Preservation of Evidence
If evidence is to be preserved and analyzed, a response script may halt all further
processing on the system. Alternatively it could disable network connections so that
the machine is preserved in a running state. See examples in “Preservation of
evidence” on page 200.
4. Restoration of a Known Good State
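The filtering that item 1 (Forwarding Information) calls for, as an added example that is not part of the guide and not HP-UX HIDS code: a POSIX sh response script that suppresses repeat pages for the same alert within a time window and reports how many duplicates it held back. How the agent passes alert data to a response program is assumed here (an alert key as $1 and the alert text as $2), as are the state directory, the window length and the pager command.

```shell
#!/bin/sh
# Added example, not from the HP-UX HIDS guide: throttle repeated alerts so a
# burst of identical alerts does not become a storm of paging requests.
# Assumed invocation (not documented on this page):  response.sh ALERT_KEY ALERT_TEXT
# where ALERT_KEY names the alert class and object, e.g. "login_failure:root".

STATE_DIR="${HIDS_THROTTLE_DIR:-/var/tmp/hids-throttle}"  # assumed state location
WINDOW="${HIDS_THROTTLE_WINDOW:-600}"                      # seconds between pages per key
SUPPRESSED=0   # set by should_page: duplicates held back since the last page for the key

# should_page KEY NOW
# Returns 0 if no page for KEY was sent within WINDOW seconds before NOW (and records
# NOW as the last page time), 1 if this occurrence should be suppressed. Suppressed
# occurrences are appended to KEY.suppressed so the duplicate count is not lost.
should_page() {
    key=$1
    now=$2
    mkdir -p "$STATE_DIR" || return 0     # if state cannot be kept, fail open and page
    # Map the key onto a filesystem-safe file name.
    f="$STATE_DIR/$(printf '%s' "$key" | tr -c 'A-Za-z0-9_.-' '_')"
    if [ -f "$f" ]; then
        last=$(cat "$f")
        if [ $((now - last)) -lt "$WINDOW" ]; then
            echo "$now" >> "$f.suppressed"
            return 1
        fi
    fi
    SUPPRESSED=0
    if [ -f "$f.suppressed" ]; then
        SUPPRESSED=$(( $(wc -l < "$f.suppressed") ))
        rm -f "$f.suppressed"
    fi
    echo "$now" > "$f"
    return 0
}

# Entry point when the agent invokes the script with arguments (assumed interface).
if [ $# -ge 2 ]; then
    if should_page "$1" "$(date +%s)"; then      # date +%s assumed available
        printf 'HIDS alert: %s (%s duplicates suppressed since last page)\n' \
            "$2" "$SUPPRESSED" | mail -s "HIDS alert: $1" "${HIDS_PAGER:-root}"
    else
        logger -p auth.notice "HIDS alert suppressed (repeat within ${WINDOW}s): $1"
    fi
fi
```

Because suppressed occurrences are counted rather than discarded, the next page for a key tells the administrator how many repeats occurred in between.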