HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
subsections. The global properties subsection is bracketed by the GLOBALS and
ENDGLOBALS keywords.
The following global properties are defined between the GLOBALS and ENDGLOBALS
keywords:
• aggregation: The aggregation property is a flag that enables or disables
alert aggregation. Its value is specified using the syntax described in “Type VII:
Flags” (page 145) and is equivalent to the Schedule Manager Alert Aggregation option
box described in “Configuring Alert Aggregation” (page 88). The property set to 1 is
equivalent to the Alert Aggregation option box being selected in the GUI Schedule
Manager; the property set to 0 is equivalent to the option box not being selected.
• rt_alerts: The rt_alerts property is a flag that enables or disables the
generation of real-time alerts while alert aggregation is enabled; it applies only
when the aggregation property is set to 1. Its value is specified using the syntax
described in “Type VII: Flags” (page 145) and is equivalent to the Schedule Manager
Real Time Alerts option box described in “Configuring Alert Aggregation” (page 88).
The property set to 1 is equivalent to the Real Time Alerts option box being checked;
the property set to 0 is equivalent to the option box not being checked.
• aggr_tuples: The aggr_tuples property is a set of alert aggregation tuples.
Each tuple causes alerts triggered by a process running the specified program to be
aggregated with alerts triggered by that process's descendant processes. The tuple
values are specified using the syntax described in “Type IX: Path Names / Integer
Pairs” (page 145), and each tuple is equivalent to one row in the Schedule Manager
Alert Aggregation table described in “Configuring Alert Aggregation” (page 88).
• suppression: The suppression property is a flag that enables or disables
duplicate alert suppression. Its value is specified using the syntax described in
“Type VII: Flags” (page 145) and is equivalent to the Schedule Manager Duplicate
Suppression option described in “Configuring Duplicate Alert Suppression” (page 92).
The property set to 1 is equivalent to the Duplicate Alert Suppression box being
selected in the GUI Schedule Manager; the property set to 0 is equivalent to the box
not being selected.
• suppression_report: The suppression_report property is a flag that enables
or disables reporting of a summary of the alerts that were suppressed. It is
equivalent to the Schedule Manager Generate Suppression Report option described in
“Configuring Duplicate Alert Suppression” (page 92). The property set to 1 is
equivalent to the Generate Suppression Report box being selected in the GUI Schedule
Manager; the property set to 0 is equivalent to the box not being selected. This
property is ignored if the suppression property is set to 0.
• suppression_interval: The suppression_interval property is a duplicate alert
suppression setting that specifies the period, measured from the first suppressed
duplicate alert, during which further duplicates of a unique alert are suppressed.
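As an added example (not from the guide or from HP's software), the following
Python script parses a GLOBALS ... ENDGLOBALS block, type-checks each property
against the rules above (flags must be 0 or 1, aggr_tuples are path/integer pairs,
suppression_interval is an integer), and resolves the two dependencies the guide
states: rt_alerts only applies while aggregation is 1, and suppression_report is
ignored while suppression is 0. The `name = value` line syntax, the `("/path", N)`
tuple notation and the sample block are assumptions made for illustration; the real
Type VII and Type IX grammars are the ones on page 145, and a property that is
omitted is treated here as 0, which the guide does not specify.

```python
"""Lint the GLOBALS subsection of an HP-UX HIDS surveillance schedule file.

Added example, not HP's code.  The `name = value` syntax, the `("/path", N)`
tuple notation, the sample block and the omitted-property-means-0 rule are
assumptions for illustration only.
"""
import re

FLAG_PROPS = ("aggregation", "rt_alerts", "suppression", "suppression_report")
INT_PROPS = ("suppression_interval",)
TUPLE_PROPS = ("aggr_tuples",)

# Constructed sample block; not taken from any real schedule file.
SAMPLE_GLOBALS = """\
GLOBALS
    aggregation = 1
    rt_alerts = 0
    aggr_tuples = ("/usr/sbin/inetd", 2) ("/usr/bin/ksh", 1)
    suppression = 0
    suppression_report = 1
    suppression_interval = 300
ENDGLOBALS
"""

# Assumed tuple notation: a quoted path followed by a non-negative integer.
_TUPLE_RE = re.compile(r'\(\s*"([^"]+)"\s*,\s*(\d+)\s*\)')


def extract_globals(text):
    """Return the non-empty lines bracketed by GLOBALS and ENDGLOBALS."""
    lines = [ln.strip() for ln in text.splitlines()]
    if lines.count("GLOBALS") != 1 or lines.count("ENDGLOBALS") != 1:
        raise ValueError("expected exactly one GLOBALS ... ENDGLOBALS block")
    start, end = lines.index("GLOBALS"), lines.index("ENDGLOBALS")
    if end < start:
        raise ValueError("ENDGLOBALS precedes GLOBALS")
    return [ln for ln in lines[start + 1:end] if ln]


def parse_globals(text):
    """Parse the block into typed values; reject unknown names and bad values."""
    props = {}
    for ln in extract_globals(text):
        name, sep, value = ln.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            raise ValueError(f"malformed line: {ln!r}")
        if name in props:
            raise ValueError(f"duplicate property: {name}")
        if name in FLAG_PROPS:                      # Type VII: flags are 0 or 1
            if value not in ("0", "1"):
                raise ValueError(f"{name}: flag must be 0 or 1, got {value!r}")
            props[name] = value == "1"
        elif name in INT_PROPS:
            if not value.isdigit():
                raise ValueError(f"{name}: expected integer, got {value!r}")
            props[name] = int(value)
        elif name in TUPLE_PROPS:                   # Type IX: path / integer pairs
            tuples = [(path, int(n)) for path, n in _TUPLE_RE.findall(value)]
            if _TUPLE_RE.sub("", value).strip():    # leftover text means a bad tuple
                raise ValueError(f"{name}: unparsable tuple list {value!r}")
            props[name] = tuples
        else:
            raise ValueError(f"unknown global property: {name}")
    return props


def effective_settings(props):
    """Apply the dependencies the guide documents and return (settings, warnings).

    rt_alerts only governs real-time alerts while aggregation is enabled, and
    suppression_report is ignored when suppression is 0.  An omitted flag is
    treated as 0 here (assumption).
    """
    warnings = []
    aggregation = props.get("aggregation", False)
    rt_alerts = props.get("rt_alerts", False)
    suppression = props.get("suppression", False)
    report = props.get("suppression_report", False)
    if rt_alerts and not aggregation:
        warnings.append("rt_alerts=1 has no effect: aggregation is 0")
    if report and not suppression:
        warnings.append("suppression_report=1 is ignored: suppression is 0")
    settings = {
        "aggregation": aggregation,
        "rt_alerts": aggregation and rt_alerts,
        "aggr_tuples": props.get("aggr_tuples", []),
        "suppression": suppression,
        "suppression_report": suppression and report,
        "suppression_interval": props.get("suppression_interval"),
    }
    return settings, warnings


def validate(text):
    """Non-raising wrapper for a pre-deploy check: (ok, message)."""
    try:
        _, warnings = effective_settings(parse_globals(text))
    except ValueError as exc:
        return False, str(exc)
    return True, "; ".join(warnings)


if __name__ == "__main__":
    ok, msg = validate(SAMPLE_GLOBALS)
    print("valid" if ok else "invalid", msg)
```

Run against the sample block, the script accepts the syntax but warns that
suppression_report = 1 is dead configuration because suppression is 0, which is the
kind of mismatch that silently loses the suppression summary if the file is hand-edited
rather than written from the Schedule Manager GUI.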
Surveillance Schedule Section 249