HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Guidelines for Configuring Alert Aggregation
By specifying a regular expression in an aggregation tuple that exactly matches
the program's full and resolved path name, there is no ambiguity about which program
is specified for aggregating alerts triggered by a process running the program and
by any of its descendant processes. However, you may need to specify a regular expression
that matches both the relative path name and the full path name if either of the
following conditions occurs:
• The program is started before running a schedule.
• The warning message "Dropping audit records due to heavy load" appears in
the agent's error log, as defined by the IDS_ERRORFILE configuration variable
described in "Global Configuration" (page 240). The default path is
/var/opt/ids/error.log.
Under these conditions, HIDS may have access only to the path name used to
invoke the program, and that path name can be a relative path name or a path
name that is not fully resolved; that is, it can contain symbolic links.
For example, a program with the full path name /usr/bin/program can be invoked
as program, as ../bin/program, or as /bin/program, where /bin is a
symbolic link to /usr/bin. Under the conditions previously stated, alert
aggregation cannot happen as expected if the anchored regular expression
^/usr/bin/program$ is specified in the aggregation tuple instead of the
unanchored program, which matches each of these invocation path names.
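The following is an added example, not from the guide or the HIDS product, that checks a candidate aggregation pattern against the invocation path names described above. Python's re module stands in for the HIDS regular expression matcher (an assumption; the patterns shown behave the same under POSIX extended regular expressions). The neighbouring program names used as counter-examples and the stricter pattern (^|/)program$ are my additions, not something the guide recommends.

```python
import re

# Constructed path names for the guide's example program, whose full and
# resolved path is /usr/bin/program: invoked by base name, by a relative
# path, through the /bin -> /usr/bin symbolic link, and by its full path.
INVOCATION_PATH_NAMES = [
    "program",
    "../bin/program",
    "/bin/program",
    "/usr/bin/program",
]

# Constructed names of neighbouring programs that a pattern should NOT
# aggregate; these are not from the guide.
OTHER_PATH_NAMES = [
    "/usr/bin/notprogram",
    "/usr/bin/program.old",
]


def matches(pattern, path_name):
    """Does the aggregation tuple's regular expression match the path name
    HIDS has for the process?  Python's re module stands in for the HIDS
    matcher (an assumption).  re.search is used, so a pattern only has to
    match the whole string when it is anchored with ^ and $."""
    return re.search(pattern, path_name) is not None


def unmatched(pattern, path_names=INVOCATION_PATH_NAMES):
    """Invocation path names that escape aggregation under this pattern."""
    return [p for p in path_names if not matches(pattern, p)]


def overmatched(pattern, path_names=OTHER_PATH_NAMES):
    """Unrelated path names that this pattern would aggregate as well."""
    return [p for p in path_names if matches(pattern, p)]


def check_pattern(pattern):
    """Summarise a candidate pattern: what it misses and what it overreaches."""
    return {"misses": unmatched(pattern), "overreaches": overmatched(pattern)}


if __name__ == "__main__":
    for candidate in (r"^/usr/bin/program$", r"program", r"(^|/)program$"):
        print(candidate, check_pattern(candidate))
```

The anchored form misses every invocation except the fully resolved one; the bare name program matches all four but also sweeps in any path name that merely contains the word. A pattern that requires the name to be the final path component, such as (^|/)program$, closes both gaps in this constructed set, but verify any pattern against the path names your own audit records actually carry before relying on it.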
When the Alert Aggregation option box is deselected in the Alert Aggregation tab of
the GUI Schedule Manager, the Real Time Alerts option box is disabled and
automatically selected, indicating that real-time alerts will be issued.
Aggregated alerts, such as those generated when installing or removing software
using SD, can be very large (many Kbytes in size). You may notice that
aggregated alerts in the IDS_ALERTFILE are divided into portions and sent to
response programs in portions. The first portion's code field has a value of 11 and
each subsequent portion has a code field value of 12 (see
/opt/ids/share/examples/ids_alertResponse.c). You will also notice
that the alert target and detail fields are truncated in these aggregated alert portions.
The kernel tunables msgmax and msgmnb govern the size of the alerts that the
idscor process sends to the idsagent process over IPC message queues (msgmax
bounds a single message; msgmnb bounds the total bytes queued on one message queue). To
reduce the segmentation of large aggregated alerts, increase the values
of the msgmax and msgmnb kernel tunables.
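The following is an added example, not from the guide or from ids_alertResponse.c, that models the segmentation just described and shows what a response program has to do to put the portions back together. It covers both the code-11/code-12 portioning and the effect of the message-size limit. Only the code field and a text payload are modelled (the real alert record has more fields), the per-portion limit is in characters rather than bytes, portions are assumed to arrive in order, and codes other than 11 and 12 are treated as unsegmented alerts; all of these are assumptions.

```python
FIRST_PORTION = 11   # code field of the first portion of an aggregated alert
NEXT_PORTION = 12    # code field of every subsequent portion


def segment(alert_text, max_portion):
    """Split one large aggregated alert into portions no longer than
    max_portion characters, tagging the first with code 11 and the rest
    with code 12.  max_portion plays the role of msgmax; in the real system
    the limit is in bytes and covers the whole alert record, so the usable
    payload per message is smaller (an assumption)."""
    if max_portion < 1:
        raise ValueError("max_portion must be at least 1")
    chunks = [alert_text[i:i + max_portion]
              for i in range(0, len(alert_text), max_portion)] or [""]
    return [(FIRST_PORTION if i == 0 else NEXT_PORTION, chunk)
            for i, chunk in enumerate(chunks)]


def portions_needed(alert_text, max_portion):
    """How many messages a given alert costs under a given size limit."""
    return len(segment(alert_text, max_portion))


def reassemble(portions):
    """Rebuild whole alerts from (code, text) portions in the order a
    response program receives them.  The guide names no end-of-alert
    marker, so an alert is complete when the next code-11 portion arrives
    or the sequence ends.  A code-12 portion with no preceding code-11
    portion is rejected; any other code value is passed through as a
    complete, unsegmented alert (an assumption: the guide only describes
    codes 11 and 12)."""
    alerts, current = [], None
    for code, text in portions:
        if code == FIRST_PORTION:
            if current is not None:
                alerts.append("".join(current))
            current = [text]
        elif code == NEXT_PORTION:
            if current is None:
                raise ValueError("code 12 portion without a preceding code 11 portion")
            current.append(text)
        else:
            if current is not None:
                alerts.append("".join(current))
                current = None
            alerts.append(text)
    if current is not None:
        alerts.append("".join(current))
    return alerts


if __name__ == "__main__":
    # Constructed stand-in for an SD install alert: 20 Kbytes of detail.
    sample = "pkg=example-1.0 file=/opt/example/bin/tool\n" * 480
    for limit in (2048, 8192, 32768):
        print(limit, "->", portions_needed(sample, limit), "portion(s)")
    assert reassemble(segment(sample, 2048)) == [sample]
```

The last loop shows why raising msgmax matters: the same alert goes from many portions to one once the limit exceeds its size. Because the only signal that an aggregated alert has ended is the arrival of the next code-11 portion, a response program that needs the whole alert must buffer until then (or until it is sure no more portions are coming) rather than act on the first portion alone.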
For large aggregated alerts, only the first portion of the aggregated alert is displayed
by the GUI network node. Refer to the agent's alert log file to see
the complete aggregated alert.
Configuring Alert Aggregation 91