Host Intrusion Detection System Administrator's Guide Release 3.0

Conﬁguration

Enabling Large Numbers of Agents

Chapter 2

Step 9. If your new value is different, you will need to create a new kernel and reboot. Follow the

steps provided by SAM.

Enabling Over 20 Inbound Requests

The HP-UX HIDS administration system communicates with agent systems with the

TCP protocol. On some systems, the TCP parameter, tcp_conn_request_max, is set

initially to allow up to 20 inbound requests to be active at one time. If you have a larger

number of agent systems, this value may be inadequate.

If this is a problem, an agent’s error log will contain messages like “write_msg: error

opening connection to remote host...”, “open_connection: connect error”, and

“open_connection: Timed out waiting on select() for connect to complete”.

You can view and change this parameter with the ndd command.

To view and change the value of tcp_conn_request_max

Step 1. To view the current value, enter the command:

# ndd -get /dev/tcp tcp_conn_request_max

If this value is 20, or some number smaller than your number of agent systems, then

proceed to Step 2 and adjust it to the number of agents you intend to monitor (or

greater).

Step 2. To change the value, become root and modify the /etc/rc.config.d/nddconf

conﬁguration ﬁle by adding the following lines:

TRANSPORT_NAME[

index

]=tcp

NDD_NAME[

index

]=tcp_conn_request_max

NDD_VALUE[

index

value

where

index

is a shell array index, as described in the ﬁle, and

value

is the value to be

assigned. For example, if this is the ﬁrst entry in the ﬁle and you want to set the value of

tcp_conn_request_max to 4096 (a common choice), the entry would be:

TRANSPORT_NAME[0]=tcp

NDD_NAME[0]=tcp_conn_request_max

NDD_VALUE[0]=4096

The new value will be applied on future system boots.

Step 3. To apply the new value immediately, enter the command:

# ndd -c /etc/rc.config.d/nddconf

To verify that the new value is active, use the ndd -get command from Step 1.