HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Table C-2 Reporting Options Supported by idsadmin (continued)

Option / Description

--alert-fields
    Comma-separated list of alert fields to print in a report, where:
    • hostname — The hostname of the agent that generated the alert.
    • ipaddr — The host IP address of the agent that generated the alert.
    • template — The template that generated the alert.
    • localdate — The local date and time of the event that triggered the alert.
    • utcdate — The UTC date and time of the event that triggered the alert.
    • utcsecs — The UTC time of the event that triggered the alert.
    • severity — The alert severity.
    • count — Number of times this alert was generated. For aggregated alerts, this field contains the number of alerts that were aggregated into a single alert.
    • attacker — Program that triggered the attack for file-related alerts. User that triggered the attack for login/logout or su alerts. For aggregated alerts, the program that triggered the alerts and/or whose forked programs triggered the alerts.
    • target — For file-related alerts, the pathname of the targeted file. For login/logout or su alerts, the targeted user account. For aggregated alerts, set to {multiple targets}.
    • event — The event that triggered the alert. For aggregated alerts, this field is set to {multiple targets}.
    • user — The user (ruid:rgid:euid:egid) that triggered the alert.
    • summary — Alert summary.
    • details — Alert details.
    By default, all fields (except the template field) are displayed.

--alert-severities critical | severe | moderate | all
    Specifies that only alerts with the specified severity levels are reported. If this option is not specified, alerts of all severity levels are included in the report.

--email-to EMAIL_ADDRESS1, EMAIL_ADDRESS2, ...
    Comma-separated list of email addresses to which alert reports are sent.

--email-message TEXT
    Used with the --email-to reporting option. Text of an email message containing a report. Text must be enclosed in double quotes if it contains white space. This option can be specified only from the command line and not from the interactive menu prompt.
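The table above documents the alert fields a report can carry, including the user field's ruid:rgid:euid:egid layout and the count field that weights aggregated alerts. The following Python script is an added example, not part of the HP-UX HIDS guide or the idsadmin tool: it parses such a report, expands aggregated alerts by their count, tallies alerts per severity (using the critical/severe/moderate values from --alert-severities), and flags alerts where the effective UID differs from the real UID, which is what an su or setuid event looks like in the user field. It assumes the report was generated with an explicit --alert-fields list so the column order is known, and that idsadmin emits one alert per line with tab-separated fields; the guide does not specify the output layout on this page, so that layout and the sample lines are constructed for the example.

```python
"""Summarize an idsadmin alert report (added example; the report layout is an assumption).

The guide documents the field names and the user field format
(ruid:rgid:euid:egid); the one-alert-per-line, tab-separated layout and
the sample lines below are constructed for this example, not taken from idsadmin output.
"""
from collections import Counter

# Severity values accepted by --alert-severities (apart from "all", which is a selector, not a value).
VALID_SEVERITIES = {"critical", "severe", "moderate"}

# Field order assumed to match the --alert-fields list used to produce the report.
SAMPLE_FIELDS = ["hostname", "severity", "count", "attacker", "target", "user", "summary"]

# Constructed sample report: three alerts, one of them an aggregate of four events.
SAMPLE_REPORT = "\n".join([
    "hidsagent1\tcritical\t1\tsu\troot\t1001:20:0:3\tSuccessful su to root by jdoe",
    "hidsagent1\tmoderate\t4\t/usr/bin/vi\t{multiple targets}\t1001:20:1001:20\tModification of files in /etc",
    "hidsagent2\tsevere\t1\tlogin\toper\t1002:20:1002:20\tRepeated failed logins for oper",
])


def parse_user(field):
    """Split the documented ruid:rgid:euid:egid user field into integer ids."""
    parts = field.split(":")
    if len(parts) != 4:
        raise ValueError(f"unexpected user field: {field!r}")
    ruid, rgid, euid, egid = (int(p) for p in parts)
    return {"ruid": ruid, "rgid": rgid, "euid": euid, "egid": egid}


def parse_report(text, fields):
    """Turn the (assumed) tab-separated report into a list of alert dicts keyed by field name."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # skip blank lines
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        alert = dict(zip(fields, values))
        if "severity" in alert and alert["severity"] not in VALID_SEVERITIES:
            raise ValueError(f"line {lineno}: unknown severity {alert['severity']!r}")
        if "count" in alert:
            alert["count"] = int(alert["count"])  # aggregated alerts carry the number of merged events
        if "user" in alert:
            alert["user"] = parse_user(alert["user"])
        alerts.append(alert)
    return alerts


def summarize(alerts):
    """Count events per severity (weighted by count) and list alerts whose euid differs from ruid."""
    by_severity = Counter()
    for alert in alerts:
        by_severity[alert["severity"]] += alert.get("count", 1)
    privilege_changes = [
        alert for alert in alerts
        if "user" in alert and alert["user"]["euid"] != alert["user"]["ruid"]
    ]
    return {"by_severity": dict(by_severity), "privilege_changes": privilege_changes}


if __name__ == "__main__":
    result = summarize(parse_report(SAMPLE_REPORT, SAMPLE_FIELDS))
    for severity in ("critical", "severe", "moderate"):
        print(f"{severity:9s} {result['by_severity'].get(severity, 0)}")
    for alert in result["privilege_changes"]:
        u = alert["user"]
        print(f"privilege change on {alert['hostname']}: ruid {u['ruid']} -> euid {u['euid']} ({alert['summary']})")
```

Because count is applied as a weight, the moderate aggregate of four file modifications counts as four events rather than one, which keeps per-severity totals comparable between aggregated and non-aggregated reports.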
Generating Alert Reports Using the idsadmin Command 229