HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Configuring Alert Aggregation
Alert aggregation can reduce the overall number of alerts for better manageability,
while maintaining a detailed description of each potential intrusive activity.

Alert aggregation is a surveillance schedule feature that, when enabled, aggregates
file-related alerts triggered by the same process or by multiple related processes. When a
surveillance schedule has alert aggregation enabled, thousands of file-related real-time
alerts triggered by a process or group of related processes can be combined into a
single aggregated alert. Alert aggregation eases the administrator's task of analyzing
alerts by reducing the total number of alerts issued. For example, without alert
aggregation, the command rm /etc/* generates one real-time alert for each deleted file
that is specified as read-only by the Modification of files/directories detection
template. With alert aggregation enabled, a single aggregated alert captures the
deletion of all the files by the one process executing rm.

Alert aggregation can also be configured to aggregate alerts triggered by a process
running a specified program together with the alerts triggered by that process's
descendant processes (child processes, grandchild processes, and so on). For example,
installing a bundle using the swinstall command can trigger many alerts from a process
running swagent, in addition to the alerts triggered by swagent's descendant processes,
which run the commands in the control scripts associated with the bundle. This feature
therefore allows all alerts triggered by a single action (installing software) to be issued
as one aggregated alert instead of as potentially hundreds or thousands of real-time
alerts triggered by multiple processes.

When alert aggregation is enabled, the following alerts are issued, displayed in the GUI
network nodes, and logged in the agent's alert log file (defined by the IDS_ALERTFILE
configuration variable):
• File-related aggregated alerts
• File-related real-time alerts that could not be aggregated
• Non-file-related real-time alerts

These alerts are also sent to any response programs in the response directory, as defined
by the IDS_RESPONSEDIR configuration variable described in “Global Configuration”
(page 240) (the default is /opt/ids/response).

Optionally, all real-time alerts (both file-related and non-file-related alerts) can also
be issued concurrently by the agent when aggregation is enabled. These real-time alerts
are sent only to response programs in the real-time response directory, as defined by the
IDS_RT_RESPONSEDIR configuration variable described in “Global Configuration” (page 240)
(the default is /opt/ids/rt_response). Having a separate set of response programs
that receives real-time alerts preserves the ability of HIDS to perform real-time
automated response (actions that do not require human intervention, such as automatically
killing an offending process) while allowing an administrator to monitor fewer alerts
through alert aggregation. When a schedule is configured to issue both aggregated alerts
and real-time alerts, the response scripts in the IDS_RT_RESPONSEDIR directory are
intended primarily for performing real-time automated responses that do not require
88 Using the Schedule Manager Screen
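The following Python model is an added example, not code from HP-UX HIDS, that shows the aggregation and dispatch behavior described above: file-related alerts are grouped under the outermost ancestor process that runs an aggregating program (so swagent's control-script descendants fold into swagent's alert, and every file deleted by one rm folds into one alert), file alerts with no aggregating ancestor and non-file alerts pass through as real-time alerts, and, when concurrent real-time alerts are enabled, the full real-time stream is routed separately to the real-time response programs. The Alert fields, PROC_TABLE, AGGREGATE_PROGRAMS and SAMPLE_ALERTS are constructed assumptions and do not reflect the product's actual alert format or configuration syntax.

```python
"""Added example: constructed model of file-alert aggregation keyed on process
ancestry. Not HP-UX HIDS code; the alert fields, process table, aggregating
program set and sample alerts are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    pid: int
    program: str
    kind: str      # "file" for file-related alerts, anything else for non-file alerts
    detail: str


@dataclass
class AggregatedAlert:
    root_pid: int
    root_program: str
    members: List[Alert]   # the real-time file alerts folded into this one alert


# Constructed process table: pid -> (ppid, program). Models swinstall spawning
# swagent, which runs a control script via sh that runs cp, plus unrelated
# rm, vi and su processes started from pid 1.
PROC_TABLE: Dict[int, Tuple[int, str]] = {
    100: (1, "swinstall"),
    101: (100, "swagent"),
    102: (101, "sh"),
    103: (102, "cp"),
    200: (1, "rm"),
    300: (1, "vi"),
    400: (1, "su"),
}

# Hypothetical configuration: programs whose file alerts, together with those of
# their descendant processes, are folded into a single aggregated alert.
AGGREGATE_PROGRAMS: Set[str] = {"rm", "swagent"}

# Constructed sample alerts (not real HIDS output).
SAMPLE_ALERTS: List[Alert] = [
    Alert(200, "rm", "file", "unlink /etc/passwd"),
    Alert(200, "rm", "file", "unlink /etc/hosts"),
    Alert(200, "rm", "file", "unlink /etc/group"),
    Alert(101, "swagent", "file", "create /usr/bin/foo"),
    Alert(103, "cp", "file", "create /etc/opt/foo/foo.conf"),
    Alert(103, "cp", "file", "create /sbin/init.d/foo"),
    Alert(300, "vi", "file", "modify /etc/inetd.conf"),
    Alert(400, "su", "other", "su to root failed"),
]


def aggregation_root(pid: int, proc_table: Dict[int, Tuple[int, str]],
                     aggregate_programs: Set[str]) -> Optional[int]:
    """Walk up the parent chain and return the outermost ancestor (or pid itself)
    running an aggregating program, or None if there is no such ancestor."""
    root = None
    while pid in proc_table:
        ppid, program = proc_table[pid]
        if program in aggregate_programs:
            root = pid
        pid = ppid
    return root


def aggregate(alerts: List[Alert], proc_table, aggregate_programs):
    """Split alerts into aggregated file alerts and alerts that pass through
    unchanged: non-file alerts, and file alerts with no aggregating ancestor."""
    groups: Dict[int, List[Alert]] = defaultdict(list)
    passthrough: List[Alert] = []
    for alert in alerts:
        root = None
        if alert.kind == "file":
            root = aggregation_root(alert.pid, proc_table, aggregate_programs)
        if root is None:
            passthrough.append(alert)
        else:
            groups[root].append(alert)
    aggregated = [AggregatedAlert(r, proc_table[r][1], m) for r, m in groups.items()]
    return aggregated, passthrough


def dispatch(alerts: List[Alert], proc_table, aggregate_programs, issue_realtime: bool):
    """Return (alerts for the alert log and IDS_RESPONSEDIR programs, alerts for
    IDS_RT_RESPONSEDIR programs). The second list carries the full real-time
    stream only when concurrent real-time alerts are enabled."""
    aggregated, passthrough = aggregate(alerts, proc_table, aggregate_programs)
    rt_queue = list(alerts) if issue_realtime else []
    return aggregated + passthrough, rt_queue


if __name__ == "__main__":
    response, realtime = dispatch(SAMPLE_ALERTS, PROC_TABLE, AGGREGATE_PROGRAMS, True)
    for item in response:
        if isinstance(item, AggregatedAlert):
            print(f"AGGREGATED pid={item.root_pid} {item.root_program}: {len(item.members)} file alerts")
        else:
            print(f"REAL-TIME  pid={item.pid} {item.program}: {item.detail}")
    print(f"{len(realtime)} real-time alerts routed to IDS_RT_RESPONSEDIR programs")
```

On the sample input the administrator-facing queue holds four items (one aggregated alert for rm covering three deletions, one for swagent covering its own alert plus the two from cp under the control script's sh, the unaggregatable vi file alert, and the non-file su alert), while the real-time queue holds all eight original alerts, which is the stream an automated-response script such as a process killer would act on.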