HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
4. Once enough alerts are generated, enter the tune command.
5. The tune command suggests filters that screen out the alerts generated by
normal system activity.
6. The tune command then automatically updates and deploys the schedule.
7. Administrators can also choose to view and modify the tune command report
and the schedule before deployment.
After HIDS Deployment
After deployment, if there are a large number of 'false positives', the administrator can
run the tune command to fine-tune the schedules. The tune command analyzes the alerts
generated on the agents and suggests filters that screen out the unwanted alerts. The tune
command then automatically updates the schedule and deploys it to the two agents.
The administrator can choose to intervene in this process; however, it is not required.
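The tuning pass described above and in steps 4 through 7 can be modelled in a few lines: aggregate the alerts the agents raised, propose a filter for every pattern that recurs often enough to look like routine activity, give the administrator a review hook, and apply the accepted filters to the schedule. The following is an added example, not HP-UX HIDS code; the alert record layout, the field names (`template`, `path`, `process`), the `Schedule` type and the threshold are all constructed for illustration and do not reflect the real tune command's report format.

```python
"""Illustrative schedule-tuning pass (added example, not HP-UX HIDS code).

Aggregate alerts, propose filters for high-volume recurring patterns,
let an administrator review the proposals, then apply the accepted
filters to the schedule.  All record layouts here are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


def _alert(agent, template, path, process):
    # Constructed alert record; a real agent would supply far more fields.
    return {"agent": agent, "template": template, "path": path, "process": process}


# Constructed sample: two noisy log writers and one change that should NOT be filtered.
SAMPLE_ALERTS = (
    [_alert("hostA", "modification_of_files", "/var/adm/syslog/syslog.log", "syslogd")] * 4
    + [_alert("hostB", "modification_of_files", "/var/adm/cron/log", "cron")] * 3
    + [_alert("hostA", "modification_of_files", "/etc/passwd", "sh")]
)

# Paths an administrator would never want silenced, however often they alert.
PROTECTED_PREFIXES = ("/etc/", "/sbin/", "/usr/sbin/")


@dataclass
class Schedule:
    """Hypothetical schedule: a name plus a list of filter dicts."""
    name: str
    filters: list = field(default_factory=list)


def summarize(alerts):
    """Count alerts by (template, path, process); this is the 'analyze' step."""
    return Counter((a["template"], a["path"], a["process"]) for a in alerts)


def suggest_filters(alerts, threshold=3):
    """Propose one filter per pattern seen at least `threshold` times, noisiest first."""
    return [
        {"template": t, "path": p, "process": pr, "hits": n}
        for (t, p, pr), n in summarize(alerts).most_common()
        if n >= threshold
    ]


def review(suggestion):
    """Administrator review hook: reject filters that would hide protected paths."""
    return not suggestion["path"].startswith(PROTECTED_PREFIXES)


def apply_filters(schedule, suggestions, accept=review):
    """Return a new schedule with the accepted suggestions added as filters."""
    accepted = [
        {k: s[k] for k in ("template", "path", "process")}
        for s in suggestions
        if accept(s)
    ]
    return Schedule(schedule.name, schedule.filters + accepted)


def is_filtered(schedule, alert):
    """True if any filter in the schedule matches every field it specifies."""
    return any(all(alert[k] == v for k, v in f.items()) for f in schedule.filters)


def remaining_alerts(schedule, alerts):
    """Alerts that would still reach the administrator after tuning."""
    return [a for a in alerts if not is_filtered(schedule, a)]


if __name__ == "__main__":
    proposals = suggest_filters(SAMPLE_ALERTS)
    for p in proposals:
        print(f"{p['hits']:>3}  {p['template']}  {p['process']} -> {p['path']}")
    tuned = apply_filters(Schedule("default"), proposals)
    print("filters deployed:", len(tuned.filters))
    print("alerts left:", remaining_alerts(tuned, SAMPLE_ALERTS))
```

The review hook is where step 7's optional intervention sits: a policy that refuses to filter protected paths keeps a frequent pattern from being silenced just because it is frequent, which is the main risk of letting alert volume alone drive the filter set.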
Schedule Tuning Process
The process by which a schedule is tuned can be broken down into the following steps:
• “Step 1: Analyzing Alerts and Tuning Schedules”
• “Step 2: Modifying the Filters in the Tune Command Report” (page 225)
• “Step 3: Updating and Deploying the Schedule” (page 227)
Figure C-1 provides a pictorial representation of the process by which HIDS tunes
schedules.
220 Tuning Schedules and Generating Alert Reports