HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
C Tuning Schedules and Generating Alert Reports
This appendix describes how to tune schedules and generate alert reports using the
idsadmin command.
This appendix addresses the following topics:
• “Tuning Schedules Using the idsadmin Command.”
• “Generating Alert Reports Using the idsadmin Command.”
Tuning Schedules Using the idsadmin Command
The tune command enables you to tune schedules and reduce the number of false
positives (alerts that are generated by normal system activity). The tune
command can be invoked from the idsadmin command line or from its interactive
command interface.
The tune command reduces the time and effort to deploy and maintain Surveillance
Schedules by:
• Eliminating the time-consuming and error-prone process of manually generating
filtering rules.
• Facilitating the review of alerts from multiple agents running the same schedule,
by presenting an alert report that consolidates duplicate alerts and groups alerts
triggered by the same program.
• Performing automatic schedule updates and deployments.
This tool effectively automates the process of identifying and filtering file-related alerts
that the HIDS administrator considers safe to ignore (that is, alerts generated by
normal system activity). This tool can be used to perform the following tasks:
• Customize a preconfigured schedule to filter out alerts generated as part of normal
system activity during the initial HIDS deployment.
• Fine-tune an existing schedule if, after deployment, new alerts are generated that
are considered safe to ignore.
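The consolidated report described above, as an added illustration that is not part of this guide and not the idsadmin tune command itself: it collapses duplicate file-related alerts, groups them by the triggering program, and separates alerts seen on every agent running the schedule (likely normal system activity) from alerts confined to one agent. The "agent|program|file|event" record layout and the host names are constructed for the example and are not the real HIDS alert format.

```python
from collections import defaultdict

# Constructed sample alerts in an assumed "agent|program|file|event" layout
# (not the real HIDS alert format); three agents run the same schedule.
SAMPLE_ALERTS = """\
hostA|/usr/sbin/cron|/var/adm/cron/log|modify
hostB|/usr/sbin/cron|/var/adm/cron/log|modify
hostC|/usr/sbin/cron|/var/adm/cron/log|modify
hostA|/usr/sbin/cron|/var/adm/cron/log|modify
hostA|/usr/sbin/syslogd|/var/adm/syslog/syslog.log|modify
hostB|/usr/sbin/syslogd|/var/adm/syslog/syslog.log|modify
hostC|/usr/sbin/syslogd|/var/adm/syslog/syslog.log|modify
hostB|/usr/bin/vi|/etc/passwd|modify
"""


def consolidate(alert_text):
    """Collapse duplicate alerts and group them by the triggering program.

    Returns {program: {(file, event): {"count": n, "agents": set_of_agents}}}.
    """
    report = defaultdict(dict)
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        agent, program, path, event = line.split("|")
        entry = report[program].setdefault((path, event), {"count": 0, "agents": set()})
        entry["count"] += 1
        entry["agents"].add(agent)
    return report


def candidates(report, agent_total):
    """Split grouped alerts into filter candidates and alerts needing review.

    An alert seen on every agent is likely normal system activity; one seen on
    a single agent deserves a closer look before any filter rule is added.
    """
    safe, review = [], []
    for program, entries in report.items():
        for (path, event), info in entries.items():
            key = (program, path, event)
            (safe if len(info["agents"]) == agent_total else review).append(key)
    return sorted(safe), sorted(review)


if __name__ == "__main__":
    rep = consolidate(SAMPLE_ALERTS)
    for program, entries in rep.items():
        print(program)
        for (path, event), info in entries.items():
            print(f"  {event} {path}: {info['count']} alerts on {len(info['agents'])} agents")
    safe, review = candidates(rep, agent_total=3)
    print("candidate filters:", safe)
    print("needs review:", review)
```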
Functioning of the tune Command
The following scenarios depict the functioning of the tune command during initial
deployment and after deployment:
During Initial Deployment
During initial setup, administrators can use the tune command to fine tune one of the
predefined schedules. Following is the process by which a sample schedule can be
tuned:
1. In a test environment, run all the applications that you expect to run in the
production environment.
2. Deploy one of the sample schedules provided with HIDS.
3. Let the schedule run long enough to generate a sufficient number of alerts.