HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
NOTE: When the Alert Aggregation option box is not selected, the Real Time
Alerts option box is automatically selected to indicate that real-time alerts will be
generated.
5. Enter the path name of a program under the Programs to Aggregate Alerts for
table column to aggregate alerts triggered by a process running that program, and
by the process’ descendent processes. The executable path name can be specified
using regular expressions and extended regular expressions. For more information
about UNIX regular expressions, see “UNIX Regular Expressions” (page 138).
In the corresponding Maximum Alert Delay table column entry, specify the
maximum number of seconds that must be spent aggregating alerts triggered by
a process running the program and by alerts triggered by the process’ descendent
processes. An aggregated alert will be generated when either the process running
the specified program terminates or when the specified time elapses, whichever
comes first.
The actual number of seconds spent aggregating alerts can be up to 5 seconds
greater than specified, as the elapsed time is checked after every 5 seconds to
minimize CPU consumption by the agent.
A program entry together with its corresponding maximum alert delay entry is called
an alert aggregation tuple.
NOTE: If a program is not specified in an alert aggregation tuple (with alert
aggregation enabled), only file-related alerts triggered by a process (and not its
descendent processes) executing the program are aggregated. Alerts triggered by
a process whose executable path name is not specified in an alert aggregation tuple
are aggregated until an hour elapses or the process terminates, whichever comes
first.
For the case where an alert is triggered by a process that is a descendent of more
than one process whose program is specified in an alert aggregation tuple, the
process’s alert will be aggregated under the program being run by the closest
ancestor in terms of process depth. For example, take the case where p0, p1, and
p2 are three processes where p0 is running program0 and is the parent of p1, p1
is running program1 and is the parent of p2, and p2 is running program2 and is
a descendent of both p0 and p1. If both program0 and program1 are specified in
their own alert aggregation tuple, then any alert triggered by the process p2 will
be aggregated under program1, unless p1 also triggers an alert, in which case alerts
triggered by both p1 and p2 will be aggregated under program0.
6. Click Save. The entered values will be saved.
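The closest-ancestor rule and the p0/p1/p2 case above, modelled as an added Python example (not HP-UX HIDS code): tuples are regular-expression path patterns, a process is assigned to the nearest ancestor whose program matches a tuple, and an ancestor that has itself raised an alert is folded into its own nearest tuple ancestor, taking its descendants with it. The process tree, path names and the folding interpretation are constructed assumptions drawn from the text.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Set

@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None for a process with no parent in the tree
    program: str          # executable path name the process is running

# Constructed alert aggregation tuples: path pattern (regex) -> maximum alert delay in seconds.
TUPLES: Dict[str, int] = {
    r"/usr/sbin/program0": 60,
    r"/opt/app/bin/.*": 30,
}

# Constructed process tree mirroring the guide's p0 -> p1 -> p2 chain, plus an unrelated shell.
PROCS: Dict[int, Proc] = {
    0: Proc(0, None, "/usr/sbin/program0"),
    1: Proc(1, 0, "/opt/app/bin/program1"),
    2: Proc(2, 1, "/usr/bin/program2"),
    3: Proc(3, None, "/usr/bin/sh"),
}

def matching_tuple(program: str, tuples: Dict[str, int]) -> Optional[str]:
    """Return the tuple pattern whose regular expression matches the whole path, if any."""
    for pattern in tuples:
        if re.fullmatch(pattern, program):
            return pattern
    return None

def ancestors(procs: Dict[int, Proc], pid: int) -> Iterator[int]:
    """Yield the proper ancestors of pid, closest (smallest depth difference) first."""
    ppid = procs[pid].ppid
    while ppid is not None:
        yield ppid
        ppid = procs[ppid].ppid

def aggregation_program(procs: Dict[int, Proc], tuples: Dict[str, int],
                        pid: int, alerting: Set[int]) -> Optional[str]:
    """Program under which an alert raised by `pid` is aggregated (assumed model).
    `alerting` is the set of pids that have raised at least one alert."""
    for anc in ancestors(procs, pid):
        if matching_tuple(procs[anc].program, tuples) is not None:
            if anc in alerting:
                # The tuple ancestor raised its own alert: its group folds into ITS
                # nearest tuple ancestor, and this descendant's alerts follow it.
                return aggregation_program(procs, tuples, anc, alerting)
            return procs[anc].program
    # No tuple ancestor: a process running a tuple program aggregates under itself;
    # anything else falls into the default bucket (one hour or process exit).
    if matching_tuple(procs[pid].program, tuples) is not None:
        return procs[pid].program
    return None
```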
90 Using the Schedule Manager Screen