HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

Is the communication to the agent timing out?
Check the agent’s /var/opt/ids/error.log for timeout messages. If timeout messages
appear, try increasing the timeout values in the agent’s /etc/opt/ids/ids.cf
configuration file; see “Remote Communication Configuration” (page 195).
If /var/opt/ids/error.log contains out-of-memory errors, the maximum data segment
size may need to be increased or more swap space might need to be added. Run kmtune
-l -q maxdsiz (kctune on HP-UX 11i v2 and HP-UX 11i v3) and /usr/sbin/swapinfo
to determine your current tunable setting and swap usage, respectively.
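The two checks above (timeout messages and out-of-memory errors in the agent's error.log, followed by the maxdsiz and swap lookups) can be run as one triage script. The script below is an added example and is not part of the HP-UX HIDS guide or product. The two libcomm lines in the constructed sample use the format the guide quotes elsewhere in this chapter; the "out of memory" line is an assumed layout, and the choice between kctune and kmtune follows the release note in the text.

```shell
#!/bin/sh
# Added example, not from the HP-UX HIDS guide: triage an agent error.log for
# the two conditions the troubleshooting text describes (communication
# timeouts and out-of-memory errors) and show the settings to check next.

LOG=${1:-/var/opt/ids/error.log}

# Sample log content, constructed for this example. The libcomm lines follow
# the format quoted in the guide; the "out of memory" line is an assumed layout.
SAMPLE_LOG='libcomm: pid=11983 thread_id=3: ssl_write_bytes: Timed out attempting to write 5 bytes.
libcomm: pid=11983 thread_id=3: write_msg: error writing message header, errno=11: Resource temporarily unavailable
idsagent: pid=11983 thread_id=1: malloc: out of memory'

# count_timeouts FILE -> prints the number of lines reporting a timeout.
count_timeouts() {
    grep -ci 'timed out' "$1" || true   # grep -c exits 1 on zero matches
}

# count_oom FILE -> prints the number of lines reporting memory exhaustion.
count_oom() {
    grep -ci 'out of memory' "$1" || true
}

# triage FILE -> prints "timeout", "oom", "timeout oom", or "none".
triage() {
    t=$(count_timeouts "$1")
    o=$(count_oom "$1")
    result=""
    if [ "$t" -gt 0 ]; then result="timeout"; fi
    if [ "$o" -gt 0 ]; then result="${result:+$result }oom"; fi
    echo "${result:-none}"
}

# show_tunables -> report maxdsiz with whichever tunable tool this release has
# (kctune on HP-UX 11i v2/v3, kmtune on earlier 11i) and current swap usage.
show_tunables() {
    if command -v kctune >/dev/null 2>&1; then
        kctune maxdsiz
    elif command -v kmtune >/dev/null 2>&1; then
        kmtune -l -q maxdsiz
    else
        echo "no kctune/kmtune on this host; skipping maxdsiz check"
    fi
    if [ -x /usr/sbin/swapinfo ]; then
        /usr/sbin/swapinfo
    fi
}

# Stand-alone run: use the real log if readable, else the constructed sample.
if [ ! -r "$LOG" ]; then
    LOG=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$LOG"
fi
case $(triage "$LOG") in
    none)          echo "no timeout or memory errors in $LOG" ;;
    timeout)       echo "timeouts in $LOG: raise the timeouts in /etc/opt/ids/ids.cf" ;;
    oom)           echo "out-of-memory errors in $LOG:"; show_tunables ;;
    *timeout*oom*) echo "both timeouts and out-of-memory errors in $LOG:"; show_tunables ;;
esac
```

Run it with no argument on an agent host to read /var/opt/ids/error.log, or pass another log path as the first argument; on a non-HP-UX host it falls back to the constructed sample and reports that no tunable tool is present.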

Buffer overflow triggers false positives
Because Buffer Overflow uses a heuristic, it may trigger false positives. If it does, please
document what actions were performed that generated the alert, and contact HP support
so we can improve the heuristic.
For more information on buffer overflow, see “Some Template Configuration Guidelines”
(page 69).

Duplicate alerts appear in System Manager
If you see duplicate alerts, you might have multiple instances of the same template configured
in your schedule within different surveillance groups with overlapping time tables.

Getting several aggregated alerts for the same process
Problem: Alerts generated by a process running a program specified in an alert aggregation tuple
are being aggregated into several aggregated alerts.
Cause: The maximum alert delay specified in the alert aggregation tuple for the program being
run by this process is too small.
Action: Increase the maximum alert delay in the alert aggregation tuple to aggregate over a
longer period of time.

GUI runs out of memory after receiving around 19,000 alerts
Problem: During resynchronization, after receiving around 19,000 alerts, the process slows down
drastically. On the admin host, the following error message is logged in the
/var/opt/ids/gui/guierror.log file:
java.lang.OutOfMemoryError <<no stack trace available>>
On the agent host, the following error messages are logged in the /var/opt/ids/error.log
file:
libcomm: pid=11983 thread_id=3: ssl_write_bytes: Timed out attempting to write 5 bytes.
libcomm: pid=11983 thread_id=3: write_msg: error writing message header, errno=11: Resource temporarily unavailable
Cause: These errors occur when the Java Virtual Machine (JVM) has insufficient memory.
Action: To avoid this problem, increase the JVM heap size to 256M. Uncomment the following
line in the idsgui script:
# -Xmx256m \
Then move the uncommented line to directly after $JAVA_RUN in the idsgui script.
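The heap change above is a two-step edit of the launcher script, and it is easy to uncomment the line but leave it in the wrong place, where the JVM never sees it. The script below is an added example, not part of the HP-UX HIDS guide or product: it reports which -Xmx value is actually active, applies the uncomment-and-move edit with awk, and verifies that -Xmx256m is the line immediately after $JAVA_RUN. The layout of the constructed sample idsgui, its /opt/ids/bin/idsgui path, and the class name in it are assumptions; only the "# -Xmx256m \" line and the $JAVA_RUN launcher line come from the guide.

```shell
#!/bin/sh
# Added example, not from the HP-UX HIDS guide: check and apply the JVM heap
# change for the idsgui launcher script. The sample script layout below is an
# assumption; only "# -Xmx256m \" and the "$JAVA_RUN" line come from the guide.

IDSGUI=${1:-/opt/ids/bin/idsgui}   # assumed path; pass the real one as $1

# Constructed stand-in for the launcher script, used when $IDSGUI is absent.
# The java path and the main class are placeholders, not product values.
SAMPLE_IDSGUI='#!/bin/sh
JAVA_RUN=/opt/java/bin/java
# -Xmx256m \
$JAVA_RUN \
  -classpath /opt/ids/lib/placeholder.jar \
  placeholder.gui.Main "$@"'

# heap_setting FILE -> prints the active (uncommented) -Xmx value, or "default".
# Lines with a "#" before -Xmx are ignored, so a commented line counts as default.
heap_setting() {
    v=$(sed -n 's/^[^#]*\(-Xmx[0-9][0-9]*[kKmMgG]\).*/\1/p' "$1" | head -n 1)
    echo "${v:-default}"
}

# enable_heap FILE -> drops the commented "# -Xmx256m \" line wherever it is and
# re-inserts it, uncommented, directly after the "$JAVA_RUN \" launcher line.
enable_heap() {
    awk '
        /^#[ \t]*-Xmx256m/ { next }                         # discard the commented copy
        { print }
        /^\$JAVA_RUN[ \t]*\\$/ { print "  -Xmx256m \\" }    # insert after the launcher line
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# heap_follows_java_run FILE -> exit 0 only if -Xmx256m is the line right after $JAVA_RUN.
heap_follows_java_run() {
    awk 'prev ~ /^\$JAVA_RUN/ && $0 ~ /-Xmx256m/ { found = 1 }
         { prev = $0 }
         END { exit !found }' "$1"
}

# Stand-alone run: edit the real script if writable, else the constructed sample.
if [ ! -w "$IDSGUI" ]; then
    IDSGUI=$(mktemp)
    printf '%s\n' "$SAMPLE_IDSGUI" > "$IDSGUI"
fi
echo "heap before: $(heap_setting "$IDSGUI")"
if [ "$(heap_setting "$IDSGUI")" = default ]; then
    enable_heap "$IDSGUI"
fi
echo "heap after:  $(heap_setting "$IDSGUI")"
if heap_follows_java_run "$IDSGUI"; then
    echo "-Xmx256m is placed directly after \$JAVA_RUN in $IDSGUI"
else
    echo "WARNING: -Xmx256m is not directly after \$JAVA_RUN in $IDSGUI; check the edit"
fi
```

Back up the real idsgui before running this against it; the awk pass rewrites the file in place, and the placement check at the end is the part worth keeping even if the edit is done by hand.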

The idsadmin Command needs installed agent certificates
You must run the idsadmin command on an administration host where agent certificates are
installed. You can use IDS_genAgentCerts to generate a local agent certificate on the
administration host. If the agent filesets, which include IDS_genAgentCerts, are not installed,
you can copy the directory /etc/opt/ids/ids/certs/agent (and its contents) from a remote
agent host to the administration host.
216 Troubleshooting