HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Buffer overflow triggers false positives
Because Buffer Overflow uses a heuristic, it may trigger false positives. If it does,
please document what actions were performed that generated the alert, and contact
HP support so we can improve the heuristic.
For more information on buffer overflow, see “Some Template Configuration
Guidelines” (page 84).
Duplicate alerts appear in System Manager
If you see duplicate alerts, you might have multiple instances of the same template
configured in your schedule within different surveillance groups with overlapping
time tables.
Getting several aggregated alerts for the same process
Problem: Alerts generated by a process running a program specified in an alert
aggregation tuple are being aggregated into several aggregated alerts.
Cause: The maximum alert delay specified in the alert aggregation tuple for the program
being run by this process is too small.
Action: Increase the maximum alert delay in the alert aggregation tuple to aggregate
over a longer period of time.
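The effect of a too-small maximum alert delay is easiest to see in a small model. The following is an added example, not HP-UX HIDS code: it assumes that an aggregated alert collects every alert raised by one process (pid) running a program that appears in an aggregation tuple, and that the aggregated alert is closed once the tuple's maximum delay has elapsed since its first alert, after which a new aggregated alert is opened. The alert burst, the program path and the delay values are constructed.

```python
"""Toy model of alert aggregation governed by a maximum alert delay.

Added example, not HP-UX HIDS code. Assumption: an aggregated alert holds all
alerts from one process running a program named in an aggregation tuple, and
is flushed once `max_delay` seconds have passed since its first alert; later
alerts from that process start a new aggregated alert.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    ts: float       # seconds since an arbitrary epoch
    pid: int
    program: str
    text: str


@dataclass
class AggregatedAlert:
    pid: int
    program: str
    first_ts: float
    alerts: list = field(default_factory=list)


def aggregate(alerts, tuples):
    """Group alerts per process using the max delay configured for its program.

    `tuples` maps a program path to its maximum alert delay in seconds.
    Alerts for programs without a tuple are never merged.
    Returns the aggregated alerts in order of creation.
    """
    open_by_pid = {}
    out = []
    for a in sorted(alerts, key=lambda x: x.ts):
        max_delay = tuples.get(a.program)
        cur = open_by_pid.get(a.pid)
        if cur is not None and max_delay is not None and a.ts - cur.first_ts <= max_delay:
            cur.alerts.append(a)          # still inside the window of the open group
            continue
        cur = AggregatedAlert(a.pid, a.program, a.ts, [a])
        open_by_pid[a.pid] = cur          # window (re)starts at this alert
        out.append(cur)
    return out


def count_aggregated(alerts, tuples):
    return len(aggregate(alerts, tuples))


# Constructed burst: one process (pid 4242) trips the same rule six times,
# one alert every 5 seconds, over 25 seconds.
BURST = [Alert(100.0 + 5 * i, 4242, "/usr/bin/example", f"file access #{i}")
         for i in range(6)]

TOO_SMALL = {"/usr/bin/example": 5.0}   # window closes after 5 s -> several groups
LARGER = {"/usr/bin/example": 60.0}     # window covers the whole burst -> one group

if __name__ == "__main__":
    for name, cfg in (("max_delay=5s", TOO_SMALL), ("max_delay=60s", LARGER)):
        groups = aggregate(BURST, cfg)
        print(f"{name}: {len(groups)} aggregated alert(s), sizes",
              [len(g.alerts) for g in groups])
```

With the 5 s delay the six alerts land in three aggregated alerts of two each; raising the delay to 60 s yields a single aggregated alert, which is the behaviour the Action above restores.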
GUI runs out of memory after receiving around 19,000 alerts
Problem: During resynchronization, after receiving around 19,000 alerts, the process
slows down drastically. On the admin host, the following error message is logged in
the /var/opt/ids/gui/guierror.log file:
java.lang.OutOfMemoryError <<no stack trace available>>
On the agent host, the following error messages are logged in the
/var/opt/ids/error.log file:
libcomm: pid=11983 thread_id=3: ssl_write_bytes: Timed out attempting to write 5 bytes.
libcomm: pid=11983 thread_id=3: write_msg: error writing message header, errno=11: Resource temporarily unavailable
Cause: These errors occur when the Java Virtual Machine (JVM) has insufficient memory.
Action: To avoid this problem, increase the JVM heap size to 256M. To do so, uncomment
the following line in the idsgui script:
# -Xmx256m \
and move that line after $JAVA_RUN in the idsgui script.
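Applying that edit by hand on every administration host is error-prone, so here is an added example (not HP's own code) that performs the two steps on the script text and checks the result. It assumes the launcher contains the commented-out line `# -Xmx256m \` and a line beginning with `$JAVA_RUN \` followed by continuation lines; the sample script fragment below is constructed in that style, and the jar path and class name in it are placeholders.

```python
"""Uncomment -Xmx256m in an idsgui-style launcher and place it after $JAVA_RUN.

Added example, not HP's code. Assumption: the script holds the line
`# -Xmx256m \` and a `$JAVA_RUN \` line whose JVM options follow as
continuation lines, so the option belongs directly after `$JAVA_RUN`.
"""

COMMENTED = "# -Xmx256m \\"
OPTION = "-Xmx256m \\"

# Constructed fragment in the style of the idsgui launcher; paths and the
# class name are placeholders, not the real script's contents.
SAMPLE_IDSGUI = """\
#!/bin/sh
# constructed launcher fragment (placeholder)
JAVA_RUN=/opt/java/bin/java
# -Xmx256m \\
$JAVA_RUN \\
    -classpath /opt/ids/gui/lib/PLACEHOLDER.jar \\
    PlaceholderGuiMain "$@"
"""


def enable_heap_option(script_text: str) -> str:
    """Return the script with the heap option active after the $JAVA_RUN line.

    Raises ValueError if the commented line or the $JAVA_RUN line is missing,
    so re-running on an already patched script does not insert a second copy.
    """
    lines = script_text.splitlines()
    kept = [l for l in lines if l.strip() != COMMENTED]
    if len(kept) == len(lines):
        raise ValueError("no commented-out -Xmx256m line found")
    out, inserted = [], False
    for l in kept:
        out.append(l)
        if not inserted and l.strip().startswith("$JAVA_RUN"):
            indent = l[: len(l) - len(l.lstrip())]
            out.append(indent + "    " + OPTION)   # first continuation line
            inserted = True
    if not inserted:
        raise ValueError("no $JAVA_RUN line found")
    return "\n".join(out) + "\n"


def heap_option_active(script_text: str) -> bool:
    """True when -Xmx256m directly follows $JAVA_RUN and no commented copy remains."""
    lines = [l.strip() for l in script_text.splitlines()]
    if COMMENTED in lines:
        return False
    for i, l in enumerate(lines[:-1]):
        if l.startswith("$JAVA_RUN"):
            return lines[i + 1] == OPTION
    return False


if __name__ == "__main__":
    patched = enable_heap_option(SAMPLE_IDSGUI)
    print(patched)
    print("heap option active:", heap_option_active(patched))
```

On a real host, read /opt/ids/bin/idsgui (or wherever the launcher lives on your system) into `enable_heap_option`, write the result to a temporary file, diff it against the original, and only then replace the script; `heap_option_active` is also handy as a post-change check across several administration hosts.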
The idsadmin command needs installed agent certificates
You must run the idsadmin command on an administration host where agent
certificates are installed. You can use IDS_genAgentCerts to generate a local agent
certificate on the administration host. If the agent filesets, which include
Troubleshooting 273