HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
C Tuning Schedules and Generating Alert Reports
This appendix describes how to tune schedules and generate alert reports using the idsadmin
command.
This appendix addresses the following topics:
• “Tuning Schedules Using the idsadmin Command.”
• “Generating Alert Reports Using the idsadmin Command.”
Tuning Schedules Using the idsadmin Command
The tune command enables you to tune schedules and reduce the number of false positives
(alerts that are generated by normal system activity). The tune command can be invoked
from the idsadmin command line or from its interactive command interface.
The tune command reduces the time and effort to deploy and maintain Surveillance Schedules
by:
• Eliminating the time-consuming and error-prone process of manually generating filtering
rules.
• Facilitating the review of alerts from multiple agents running the same schedule, by
presenting an alert report that consolidates duplicate alerts and groups alerts triggered by
the same program.
• Performing automatic schedule updates and deployments.
This tool effectively automates the process of identifying and filtering file-related alerts that the
HIDS administrator considers safe to ignore (i.e., alerts generated by normal system
activity). This tool can be used to perform the following tasks:
• Customize a preconfigured schedule to filter out alerts generated as part of normal system
activity during the initial HIDS deployment.
• Fine-tune an existing schedule if new alerts that are considered safe to ignore are generated
after deployment.
Functioning of the tune Command
The following scenarios depict the functioning of the tune command during initial deployment
and after deployment:
During Initial Deployment
During initial setup, administrators can use the tune command to fine-tune one of the predefined
schedules. Following is the process by which a sample schedule can be tuned:
1. In a test environment, run all the applications that you expect to run in the production
environment.
2. Deploy one of the sample schedules provided with HIDS.
3. Let the schedule run long enough to generate a sufficient number of alerts.
4. Once enough alerts have been generated, enter the tune command.
5. The tune command suggests filters for the alerts that were generated by normal system
activity.
6. The tune command then automatically updates and deploys the schedule.
7. Administrators can also choose to view and modify the tune command report and the
schedule before deployment.
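The consolidation step of the tune report described above (duplicate alerts merged, then grouped by the triggering program, then turned into filter suggestions) modelled as an added example; this is not the guide's or the HIDS product's own code, and the alert record layout, the rule text format and the "seen on at least two agents" threshold are all assumptions.

```python
# Added example, not part of the HP-UX HIDS guide: a small model of what the
# tune command's alert report does with file-related alerts. The alert record
# layout, the rule text and the min_agents threshold are assumptions.
from collections import defaultdict

# Constructed sample alerts, as two agents running the same schedule might
# report them during the test run: the same program touching the same file
# repeatedly, plus one single-host edit that should stay visible.
SAMPLE_ALERTS = [
    {"agent": "host1", "program": "/usr/sbin/cron", "file": "/var/spool/cron/log", "op": "modify"},
    {"agent": "host1", "program": "/usr/sbin/cron", "file": "/var/spool/cron/log", "op": "modify"},
    {"agent": "host2", "program": "/usr/sbin/cron", "file": "/var/spool/cron/log", "op": "modify"},
    {"agent": "host1", "program": "/usr/sbin/syslogd", "file": "/var/adm/syslog/syslog.log", "op": "modify"},
    {"agent": "host2", "program": "/usr/bin/vi", "file": "/etc/passwd", "op": "modify"},
]

def consolidate(alerts):
    """Collapse duplicate alerts into one entry per (program, file, op),
    keeping a count and the set of agents that reported it."""
    merged = {}
    for a in alerts:
        key = (a["program"], a["file"], a["op"])
        entry = merged.setdefault(key, {"count": 0, "agents": set()})
        entry["count"] += 1
        entry["agents"].add(a["agent"])
    return merged

def group_by_program(merged):
    """Group consolidated entries by triggering program, so one review
    decision covers every file that program touches."""
    groups = defaultdict(list)
    for (program, path, op), entry in merged.items():
        groups[program].append((path, op, entry["count"], sorted(entry["agents"])))
    return dict(groups)

def suggest_filters(groups, min_agents=2):
    """Propose a filter only for (program, file) pairs seen on at least
    min_agents agents (assumed heuristic); a one-off on a single host is
    left as an alert for the administrator to examine."""
    rules = []
    for program, items in sorted(groups.items()):
        for path, op, count, agents in items:
            if len(agents) >= min_agents:
                rules.append(f"ignore {op} {path} by {program}  # seen {count}x on {len(agents)} agents")
    return rules

if __name__ == "__main__":
    for rule in suggest_filters(group_by_program(consolidate(SAMPLE_ALERTS))):
        print(rule)
```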
After HIDS Deployment
After deployment, if there are a large number of 'false positives', the administrator can run the
tune command to fine-tune the schedules. The tune command analyzes alerts generated on the
agents and suggests filters to remove the unwanted alerts. The tune command then automatically
Tuning Schedules Using the idsadmin Command 179