HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Example C-1 To tune schedules for two agents without any user interaction
% idsadmin -t a abc.hp.com, xyz.hp.com --tune-no-review
This command (invoked from a shell command line) analyzes alerts for the two agents
(abc.hp.com, and xyz.hp.com) generated since the timestamp of the last alert to be
tuned. The tune command analyzes the alerts, and automatically updates and deploys
the updated schedule on these agents. No user interaction is required.
Example C-2 To tune schedules for two agents after a given date, with options to review
and modify the Tune Command Report and the schedule
% idsadmin -t a abc.hp.com, xyz.hp.com --start-date 20070101120000
This command (invoked from a shell command line) analyzes alerts for the two agents
(abc.hp.com and xyz.hp.com) starting from 1st January 2007 12:00 am. These alerts are
then displayed in a report format using the default editor, vi. You can review and
modify the report, and save the changes. The text schedule is displayed, and can be
modified if needed and then deployed for these two agents.
Example C-3 To tune schedules for all agents in the sentinal.hosts file, and to
review and modify the Tune Command Report and the schedule
idsadmin> tune a all
This command (invoked from the idsadmin interactive command prompt) analyzes
alerts for all agents listed in the sentinal.hosts file that were generated since the
timestamp of the last alert to be tuned. These alerts are then displayed in a report format
using the default editor, vi. Administrators can review and modify the report, and
save the changes. The text schedule is displayed, and administrators can modify the
schedule if needed and then deploy the schedule for these agents.
Step 2: Modifying the Filters in the Tune Command Report
Administrators can review the alerts in the Tune Command Report and modify the
filters to only filter those alerts deemed safe to ignore. When modifying or setting filters,
make sure to mark an alert with an X (when specifying only one file pathname), or
R (when specifying a filter with regular expression wildcard characters to match one
or more file pathnames). Save the file when done.
NOTE: To prevent accidental modifications, the Tune Command Report is created
with read-only permissions. To modify the Tune Command Report, you must change
the permissions of the report file.
To unmark an alert, you can delete the X or R, or replace the X or R with a blank
space.
The marked alerts are filtered by updating the corresponding schedules, using the
appropriate filters.
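Because an R filter with an over-broad pattern will suppress alerts the administrator never intended to ignore, it is worth checking the marks before saving the report and deploying the schedule. The script below is an added example, not part of the HP-UX HIDS product or this guide; the report layout it parses (one alert per line, an optional X or R in the first column, then the pathname or pattern) is an assumption made for the example, and the sample report text is constructed. It flags X marks that contain wildcard characters, R marks that contain none, R patterns that do not compile, and R patterns that would also match alerts left unmarked in the same report.

```python
"""Sanity-check X/R filter marks in a Tune Command Report before deploying.

Assumed report layout (an assumption for this example, not the real HIDS
format): one alert per line, an optional mark character (X or R) in column 1,
then the file pathname (for X) or the regular-expression pattern (for R).
"""
import re
from typing import List, Tuple

# Characters that only make sense in a regex filter, so an X line should not
# contain them and an R line should contain at least one. "." is deliberately
# excluded because it appears in ordinary pathnames.
WILDCARD_CHARS = set("*+?[]()|^${}")

# Constructed sample report text; not taken from a real Tune Command Report.
SAMPLE_REPORT = r"""
X /var/adm/syslog/syslog.log
R /var/tmp/sess_[0-9]+\.tmp
  /etc/passwd
R /etc/.*
X /var/log/app_*.log
R /var/tmp/core
"""

Entry = Tuple[str, str]  # (mark: "X", "R" or " ", pathname or pattern)


def parse_report(text: str) -> List[Entry]:
    """Split the report into (mark, target) pairs; blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mark = line[0] if line[0] in ("X", "R") else " "
        entries.append((mark, line[1:].strip()))
    return entries


def check_filters(entries: List[Entry]) -> List[str]:
    """Return one warning string per questionable mark, in report order."""
    warnings: List[str] = []
    # Alerts the administrator chose NOT to filter; an R pattern must not
    # silently swallow these as well.
    unmarked = [target for mark, target in entries if mark == " "]

    for mark, target in entries:
        if mark == "X" and WILDCARD_CHARS & set(target):
            warnings.append(
                f"X mark on '{target}' contains wildcard characters; "
                "use R or mark the exact pathname"
            )
        elif mark == "R":
            if not WILDCARD_CHARS & set(target):
                warnings.append(
                    f"R mark on '{target}' has no wildcard characters; "
                    "an X mark would be more precise"
                )
                continue
            try:
                pattern = re.compile(target)
            except re.error as exc:
                warnings.append(f"R mark on '{target}' is not a valid regex: {exc}")
                continue
            hits = [path for path in unmarked if pattern.fullmatch(path)]
            if hits:
                warnings.append(
                    f"R filter '{target}' also suppresses {len(hits)} "
                    f"unmarked alert(s): {hits}"
                )
    return warnings


if __name__ == "__main__":
    for warning in check_filters(parse_report(SAMPLE_REPORT)):
        print("WARNING:", warning)
```

Run it against the report text before changing the file back to read-only; an empty warning list means every mark is either an exact pathname (X) or a pattern (R) that matches only the alerts deliberately marked for filtering.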
Tuning Schedules Using the idsadmin Command 225