HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

181

182

183

184

185

186

187

188

189

190

“X” for exact match. This means that the filter is a regular expression that matches one

and only one file pathname.

—

— “R” for regular expression match. This means that regular expression wildcard characters

are used to match one or more file pathnames.

— “” (empty string) for no filter. This mean that no filter will be generated for this alert.

• <Attacked File> is the absolute name of the file under attack.

• <Action> is the action (event) for which the alert was generated.

• <User> is the euid:egid:ruid:rgid of the user who generated the alert.

• <Severity> is the severity level of the alert. It can be 1 (critical), 2 (severe), or 3 (moderate).

• <Date> is the date when the <Action> triggered the alert.

• <Count> is the number of duplicate alerts of this type.

• [File Filter] is an optional filter generated for pathname_X template property.

• [Program Filter] is an optional filter generated for program_X template property.

• [Filter Comment] can be set to a comment explaining the choice of filter. If there is no filter,

it explains the reason for not having a filter.

• <Template Code> is for internal use and must not be modified.

Section Related to Aggregated Alerts

The summary for aggregated alerts contains the following fields:

<Ancestor> <Number of alerts> <user> <highest

severity> <date> <count>

Where:

• <Ancestor> is the top-level program that caused the alert in a multi-process alert.

• <Number of alerts> is the number of alerts aggregated in the meta alert.

• <user> is the user who generated the alert.

• <highest severity> is the highest severity among all the alerts in the meta alert.

• <date> is the time when the first alert in the meta alert was generated.

• <count> is the number of occurrences of the same meta alert.

NOTE: No filters are generated for aggregated alerts, and they cannot be filtered using the

idsadmin tune command.

Section Related to System Alerts

The summary of system alerts contains the following fields:

Where:

• <attacker> is the hostname or the IP address of the remote host from which the alert was

generated (in the case of a login alert). In the case of a logout alert, it is the terminal from

which the user logged out. In case of a successful su attack, failed login, or failed su attack,

it is the name of the user who caused the alert.

• <attacked> is the hostname or IP address of the agent under attack.

• <action> is the action for which the alert was generated.

• <severity> is the severity level of the alert. It can be 1 (critical), 2 (severe), or 3 (moderate).

• <template> is the name of the template.

• <date> is the time at which the first such alert was detected.

• <count> is the number of duplicate alerts.

182 Tuning Schedules and Generating Alert Reports