Host Intrusion Detection System Administrator's Guide Release 3.0
Schedule Manager Screen
Configuring Detection Templates
Chapter 5
2. Click the Edit button. An Edit dialog box is displayed (Figure 5-11) with the
current value.
Figure 5-11 Edit Dialog - Edit
3. Edit the value in the text box. In general, the value cannot be null.
4. Click OK to accept the new value. Click Cancel to leave the value unchanged.
c. To delete a current value
1. Highlight one of the values in the Edit List display. If you highlight more than
one, the first one is processed.
2. Click the Delete button. The value is deleted. Lists can be empty.
Undoing and Redoing Changes
You can roll back and forth among the changes you’ve made by means of the Undo and
Redo buttons. See “Undoing and Redoing Changes” on page 65 for details.
Suggested Best Practices
The default configurations of the HP-UX HIDS templates may generate a large number of
alert messages. You can fine-tune the templates by editing their properties. These
guidelines will help you decide how to tune the templates so that intrusions are detected
as reliably as possible while spurious alerts (also termed "false positives") are kept to
a minimum.
It is important to realize that the throughput of HP-UX HIDS is affected by the
combination of templates activated at a given time. Some templates have more complex
heuristics and will impose a larger overhead on the system.
It may require a number of iterations to obtain a well-tuned set of templates for a given
system. The following methodology is recommended:
1. Identify the critical resources on the system that must be protected. Tune the
templates to focus on these critical resources.
2. Determine when the system is most vulnerable to threats. Create a surveillance
schedule to be active during the vulnerable time periods.
3. Determine if the system is in a “maintenance” mode at any time. Create a
surveillance schedule that is not active during maintenance time periods.
4. Start with a few surveillance templates in a surveillance group and add new
templates over time. Run the surveillance schedule for at least one day to determine
how many alerts are generated during normal system usage.
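As an added example (not code from HP-UX HIDS or from this guide), the following Python script performs the measurement called for in step 4 and the two checks behind steps 1 and 3: it counts a day of alerts per template, separates the alerts that a surveillance schedule inactive during the maintenance window would have suppressed, and lists file alerts whose path is outside the critical resources. The alert record format, the template names, the maintenance window and the critical-path list are all assumptions constructed for the example; adapt `parse_alerts()` to whatever alert export you actually have.

```python
"""Measure a day of HP-UX HIDS alerts to drive template tuning.

Added example; this is not code from HP-UX HIDS.  It assumes an alert export
with one tab-separated record per line (timestamp, template name, severity,
detail).  The real product's export format may differ; adapt parse_alerts().
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample (not a real export): one day of alerts on a host whose
# 02:00-04:00 maintenance window was used to install patches.  Template
# names are illustrative labels, not necessarily the product's exact names.
SAMPLE_ALERTS = """\
2004-03-02 01:10:05\tModification of files/directories\t3\t/etc/passwd modified by root
2004-03-02 02:15:30\tModification of files/directories\t3\t/usr/lib/libc.2 modified by root
2004-03-02 02:16:02\tModification of files/directories\t3\t/usr/bin/ls modified by root
2004-03-02 02:40:11\tCreation of setuid files\t2\t/usr/bin/newprog setuid bit set
2004-03-02 03:05:44\tModification of files/directories\t3\t/stand/vmunix modified by root
2004-03-02 09:30:00\tRepeated failed logins\t2\tuser guest from 10.0.0.5
2004-03-02 09:31:10\tRepeated failed logins\t2\tuser guest from 10.0.0.5
2004-03-02 14:02:19\tModification of files/directories\t3\t/etc/hosts modified by root
2004-03-02 16:45:00\tModification of files/directories\t3\t/home/alice/.profile modified by alice
2004-03-02 23:59:59\tRace condition attacks\t1\t/var/tmp/x.lock symlink race
"""

# Assumed schedule (methodology step 3): surveillance is inactive during these
# local-time windows, given as "HH:MM-HH:MM"; a window may cross midnight.
MAINTENANCE_WINDOWS = ["02:00-04:00"]

# Assumed critical resources the host must protect (methodology step 1).
CRITICAL_PREFIXES = ("/etc/", "/stand/", "/usr/bin/", "/usr/lib/")


def parse_alerts(text):
    """Return a list of (timestamp, template, severity, detail) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, template, severity, detail = line.split("\t", 3)
        alerts.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                       template, int(severity), detail))
    return alerts


def _parse_window(spec):
    """'HH:MM-HH:MM' -> (start_time, end_time)."""
    start, end = spec.split("-")
    return time.fromisoformat(start), time.fromisoformat(end)


def in_window(ts, windows):
    """True if ts's time of day lies in any window; handles windows that cross midnight."""
    t = ts.time()
    for spec in windows:
        start, end = _parse_window(spec)
        if start <= end:
            if start <= t < end:
                return True
        elif t >= start or t < end:      # e.g. "22:00-02:00"
            return True
    return False


def tally(alerts, windows):
    """Count alerts per template, split into those raised while surveillance should be
    active and those a schedule inactive during maintenance would have suppressed."""
    active, suppressed = Counter(), Counter()
    for ts, template, _, _ in alerts:
        (suppressed if in_window(ts, windows) else active)[template] += 1
    return active, suppressed


def noisy_templates(active, threshold):
    """Templates that fired more than `threshold` times during normal use, most frequent
    first: the candidates for narrowing their properties to critical resources."""
    return [template for template, n in active.most_common() if n > threshold]


def off_critical(alerts, prefixes):
    """File alerts whose subject path lies outside the critical resources: likely false
    positives that a narrower file list in the template properties would remove."""
    hits = []
    for _, template, _, detail in alerts:
        subject = detail.split()[0]
        if subject.startswith("/") and not subject.startswith(prefixes):
            hits.append((template, subject))
    return hits


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    active, suppressed = tally(alerts, MAINTENANCE_WINDOWS)
    print("alerts during active surveillance: %d" % sum(active.values()))
    print("alerts suppressed by maintenance schedule: %d" % sum(suppressed.values()))
    for template, n in active.most_common():
        print("  %-40s %d" % (template, n))
    print("templates to narrow (> 2 alerts/day):", noisy_templates(active, 2))
    print("alerts on non-critical paths:", off_critical(alerts, CRITICAL_PREFIXES))
```

Run the script against a real day's export after each change to a template's properties or to the schedule; the iteration described above ends when the `noisy_templates` list is empty at a threshold you are prepared to review by hand and the off-critical list contains only alerts you actually want.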