HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

NOTE: Alert filters are generated only for file related alerts.
The following fields in the entries in the file related alerts section of the Tune Command Report
can be modified:
<Filter Type>
<File Filter>
<Program Filter>
The following examples show sections of a Tune Command Report, where the Tune command
has suggested a filter for the alert.
Example C-4 Suggested Exact Filters
ATTACK PROGRAM| /opt/OV/bin/OpC/opcmon --> (X) |
/var/opt/OV/tmp/OpC/monagtp | Filesystem
modification or potential modification | 0 | 3
| Wed Oct 11 13:12:46 2006 | 12 |
^/var/opt/OV/tmp/OpC/monagtp$ |
^/opt/OV/bin/OpC/opcmon$ | | 2
In this entry, the tune command displays the filtering rule for alerts that are generated when
the opcmon program modifies /var/opt/OV/tmp/OpC/monagtp. The filtering rule is an
exact match because it specifies one specific program and one specific target file (i.e., it does
not use any regular expression wildcard characters that could match more than one file).
Example C-5 Suggested Filters with Regular Expressions
ATTACK PROGRAM| /sbin/mkdir --> (R) |
/opt/hpservices/tmp/propTempa01134
| Filesystem modification or potential modification
|0 |3 | Sun Dec 10 12:11:06 2006 | 1 |
^/opt/hpservices/tmp/[a-z,A-Z]{9}[0-9]{5}$ |
^/sbin/mkdir$ | Temporary file detected in monitored
path! Check the pathnames_to_watch property.| 2
In this entry, the tune command displays a filtering rule for alerts that are generated when a
process running /sbin/mkdir creates temporary files in /opt/hpservices/tmp/ whose
names consist of 9 letters followed by 5 digits.
NOTE: Filters for temporary files are only generated for alerts triggered by the following
detection templates:
Creation of World-Writable File
Modification of Files/Directories
Modification of Another User's File
Changes to Log File
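The two suggested filters above only suppress an alert when both the Program Filter and the File Filter match. The following added example (not part of the HP-UX HIDS product or this guide) models that check in Python so an administrator can test a suggested rule against sample alerts before deploying it; the rule dictionary layout and the alert tuples are constructed for this example. Note that the character class [a-z,A-Z], exactly as printed in the report, also admits a literal comma, so the regex is slightly wider than "9 letters".

```python
import re

# Constructed from the File Filter and Program Filter columns of the two
# Tune Command Report entries above; the rule layout is an assumption made
# for this example, not HP-UX HIDS' internal representation.
SUGGESTED_FILTERS = [
    # Example C-4: exact match, one program and one target file
    {"type": "exact", "file": r"^/var/opt/OV/tmp/OpC/monagtp$",
     "program": r"^/opt/OV/bin/OpC/opcmon$"},
    # Example C-5: regular expression for mkdir's temporary files
    {"type": "regex", "file": r"^/opt/hpservices/tmp/[a-z,A-Z]{9}[0-9]{5}$",
     "program": r"^/sbin/mkdir$"},
]


def matching_filter(program, target, filters=SUGGESTED_FILTERS):
    """Return the index of the first filter that would suppress an alert raised
    because `program` touched `target`, or -1 if the alert is still reported.
    Both columns must match; a program match alone is not enough."""
    for i, rule in enumerate(filters):
        if re.search(rule["program"], program) and re.search(rule["file"], target):
            return i
    return -1


def review_alerts(alerts, filters=SUGGESTED_FILTERS):
    """Split (program, target) pairs into suppressed and still-reported alerts."""
    suppressed, reported = [], []
    for program, target in alerts:
        idx = matching_filter(program, target, filters)
        (suppressed if idx >= 0 else reported).append((program, target, idx))
    return suppressed, reported


if __name__ == "__main__":
    # Constructed alerts; the paths mirror the two report entries above.
    sample_alerts = [
        ("/opt/OV/bin/OpC/opcmon", "/var/opt/OV/tmp/OpC/monagtp"),      # C-4 hit
        ("/opt/OV/bin/OpC/opcmon", "/var/opt/OV/tmp/OpC/monagtp.bak"),  # $ anchor rejects
        ("/sbin/mkdir", "/opt/hpservices/tmp/propTempa01134"),          # C-5 hit
        ("/sbin/mkdir", "/opt/hpservices/tmp/prop,Temp01134"),          # comma is in the class
        ("/bin/cp", "/opt/hpservices/tmp/propTempa01134"),              # wrong program
    ]
    suppressed, reported = review_alerts(sample_alerts)
    for program, target, idx in suppressed:
        print(f"suppressed by filter {idx}: {program} -> {target}")
    for program, target, _ in reported:
        print(f"still reported: {program} -> {target}")
```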
Step 3: Updating and Deploying the Schedule
After exiting the editor displaying the Tune Report, a new editor session displays an updated
schedule that reflects any filtering rules that were set in the Tune Report. The updated schedule
can be manually modified if needed. After exiting the editor displaying the updated schedule,
the administrator must confirm whether or not to deploy the updated schedule to all the agents
running that schedule.
Generating Alert Reports Using the idsadmin Command
This section describes the various reporting options you can use with the idsadmin command
to generate alert reports that are easy to view and print.
Using the idsadmin report feature, you can perform the following tasks:
184 Tuning Schedules and Generating Alert Reports