HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

241

242

243

244

245

246

247

248

249

250

After the specified time, HIDS generates a report summary. However, if the number

of duplicate alerts exceed the number specified in the suppression_count

property (see below), a summary of duplicate alerts can be generated earlier than

the time specified in suppression_interval. This property is equivalent to

the Suppression Interval field in the GUI Schedule Manager. The default value of

this property is 6h. This means that when suppression is turned on, by default

HIDS suppresses duplicate alerts for a unique alert for 6 hours unless the number

of duplicates suppressed exceeds the number specified in the

suppression_count property. This property is ignored if the suppression

property is set to 0.

• suppression_count: The suppression_count property is a duplicate alert

suppression property that specifies the number of duplicate alerts that can be

suppressed within the specified suppression interval (for a unique alert), after

which, a summary of duplicate alerts can be reported. This property is equivalent

to the Suppression Count field in the GUI Schedule Manager. The default value

of this property is 100. This means that HIDS sends a report if there are 100 or

more suppressed alerts (after the first duplicate alert is suppressed) for a unique

alert within the specified suppression_interval. This property is ignored if

the suppression property is set to 0.

• suppression_targets_to_ignore: The suppression_targets_to_ignore

property is a duplicate alert suppression property that specifies the files and

directories for which duplicate alerts are not suppressed. This property is equivalent

to the Suppression Targets to Ignore field in the GUI Schedule Manager. This

property is ignored if the suppression property is set to 0. By default, duplicate

alerts for the following property values (these are interpreted as regular

expressions) are not suppressed:

— ^/etc/passwd$

— ^/etc/group$

— ^/stand/vmunix$

— ^/stand/system$

— ^/\.rhosts$

— ^/etc/inetd\.conf$

For more information on regular expressions, see “UNIX Regular Expressions ”

(page 138)

Surveillance Group Section

The section contains the following keywords and syntax:

GROUPPERIOD

NAME <group name>

GMT <integer>

STARTTIME hh:mm:d

ENDTIME hh:mm:d

GROUP <group name>...

ENDGROUP

ENDGROUPPERIOD

250 The Surveillance Schedule Text File