HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

Forwarding Information
A response script can forward alerts to a user by e-mail, or store them in a log file or send them to syslog, as the two sample scripts below show.
Sending an Email
HP-UX HIDS logs alerts to a file on the local system and sends the alert information to the HP-UX
HIDS System Manager. Alert information can also be sent through email, as demonstrated in
the following script:
Example B-2 Sending Alerts Through Email
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Send an e-mail to root if a severity 1 alert is received.
# Replace root with the target e-mail address.
RECIPIENT=root
# If there is a severity 1 alert then send the details by e-mail.
# The positional parameters are quoted: the alert summary ($7) and
# details ($8) may contain spaces, and an unquoted subject would be
# split by the shell so that its later words become extra recipient
# addresses for mailx.
if [ "$3" = 1 ]
then
    echo "$8" | /usr/bin/mailx -s "$7" "${RECIPIENT}"
fi
Logging to a Central syslog Server
While the HP-UX HIDS System Manager provides a central location for alerts, you can also log
alerts to syslog and have the local syslogd forward them to a central syslog server. The following
script sends the alert to the local syslog daemon; forwarding to the central server is configured
separately in the daemon's configuration file (/etc/syslog.conf on HP-UX).
Example B-3 Storing Alerts in Log Files
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Send a message to syslog containing the alert.
# If there is a severity 1 alert then log the alert to syslog.
# The tag and the alert details are quoted so that logger receives
# exactly one tag ("HP-UX HIDS") and one message, whatever the
# details contain.
if [ "$3" = 1 ]
then
    /usr/bin/logger -t "HP-UX HIDS" "$8"
fi
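The two sample scripts above each handle one channel and only severity 1. The following script is an added example, not part of the HP-UX HIDS guide, that combines both channels in one response script and generalizes the severity test to a threshold. It keeps the guide's use of the positional parameters ($3 as severity, $7 as the summary used for the subject, $8 as the details used for the body); the MAX_SEVERITY threshold, the auth.alert syslog priority, the HIDS_DRY_RUN variable and the helper function names are assumptions introduced here. Every alert-derived value is passed as a single quoted argument, the severity is validated before it is compared, and the details are folded onto one line so that a multi-line alert cannot produce a second, forged-looking syslog record.

```shell
#!/usr/bin/sh
#
# Added example response script (not from the HP-UX HIDS guide):
# forward an alert to both e-mail and syslog with safe quoting.
# Assumed positional parameters, as used by the guide's samples:
#   $3 = severity, $7 = summary (subject), $8 = details (body).

RECIPIENT=root          # replace with the target e-mail address
MAX_SEVERITY=2          # forward severity 1 and 2 alerts (assumed threshold)
TAG="HP-UX HIDS"        # syslog tag, passed as one argument
PRIORITY=auth.alert     # assumed facility.level for logger -p

# run CMD ARGS...: execute the command, or, when HIDS_DRY_RUN is set,
# print the command line instead so the script can be exercised on a
# host without mailx or a syslog daemon.
run() {
    if [ -n "${HIDS_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# severity_forwarded SEV: succeed if SEV is a decimal number <= MAX_SEVERITY.
# An empty or non-numeric value is rejected rather than causing a shell
# syntax error as an unquoted "[ $3 = 1 ]" would with an empty $3.
severity_forwarded() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le "$MAX_SEVERITY" ]
}

# syslog_line SEV SUMMARY DETAILS: build the single-line syslog message.
# Newlines in the alert text are folded to spaces so that one alert is
# always one syslog record and cannot inject a second line into the log.
syslog_line() {
    printf 'severity=%s summary=%s details=%s' "$1" "$2" "$3" | tr '\n' ' '
}

# forward_alert SEV SUMMARY DETAILS: send the alert to syslog and e-mail
# when its severity is at or below the threshold; otherwise do nothing.
forward_alert() {
    sev=$1
    summary=$2
    details=$3
    severity_forwarded "$sev" || return 0
    msg=$(syslog_line "$sev" "$summary" "$details")
    # -t takes one quoted tag; the message is one quoted argument.
    run /usr/bin/logger -p "$PRIORITY" -t "$TAG" "$msg"
    # The subject is quoted so its words cannot become extra recipients.
    printf '%s\n' "$details" | run /usr/bin/mailx -s "$summary" "$RECIPIENT"
    return 0
}

# When invoked by HP-UX HIDS with the full parameter list, forward the alert.
if [ $# -ge 8 ]; then
    forward_alert "$3" "$7" "$8"
fi
```

Setting HIDS_DRY_RUN=1 and calling the script by hand with eight dummy arguments shows exactly which logger and mailx command lines would run, which is the quickest way to confirm that a summary containing spaces stays a single subject and that a multi-line detail text stays a single syslog record.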
NOTE: Administrators can also use the following HP-supported options:
Consolidate alerts to a central log using syslog-ng with clog_tail.
Generate alert reports using the idsadmin --report feature. For more information on the idsadmin --report feature, see “Generating Alert Reports Using the idsadmin Command” (page 184).