HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
If both of these conditions are met, no alert is issued.
Following is an example of this type of property value:
user_pairs_to_ignore | root, daemon | 0, bin | root, 3 | 0, 4
In this example, an alert is not triggered if any of the following conditions are met:
- If the file owner’s name is root and the effective user ID of the modifying process corresponds
to the user name daemon.
- If the file owner’s user ID is 0 and the effective user ID of the modifying process corresponds to
the user name bin.
- If the file owner’s user ID corresponds to the user name root and the effective user ID of the
modifying process is 3.
- If the file owner’s user ID is 0 and the effective user ID of the modifying process is 4.
NOTE: Specifying user and group names is not supported for an agent running on a host where
HP-UX Container (HP-UX SRP) is configured; specify uid and gid instead. You can specify user and
group names for configuring Global SRP (init Container).
Type V: Network Triplets
Type V property values include network information triplets. The members of a triplet are as follows:
• IP Address: An IP address. For IPv4, the address must be in standard dot notation; for IPv6,
in colon notation.
• Network Mask: The network mask value qualifies the value in the IP address field to an
individual host address or a network address. The network mask follows the notational
requirements for IP addresses.
The network mask is specified in dotted decimal notation for IPv4 addresses and in prefix notation
for IPv6 addresses. For IPv4 addresses, a value of 255.255.255.255 means the value
in the IP address field is a host address; for IPv6 addresses, a prefix of /128 means
the IP address field is a host address. For example:
ip_filters | 2001:DB8::, /32, 0 |
Where:
2001:DB8:: network address
/32 network mask for network address in prefix notation
0 no alerts are generated for hosts in specified network
• Severity Code: An integer representing a severity level (0 = no alert, 1 = critical, 2 = severe,
3 = moderate), where a severity level of 0 specifies that no alert is generated for a matching
{IP address, Network Mask, 0} triplet.
The following template configuration illustrates a Type V property value:
ip_filters | 192.168.2.0, 255.255.255.0, 0 |
Where:
192.168.2.0 network address
255.255.255.0 network mask for a network address
0 no alerts are generated for hosts in the specified network
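The following Python sketch is an added example, not code from this guide or from the HIDS agent. It parses the Type V triplet syntax described above, looks up the severity that applies to a host address, and lists severity-0 triplets that suppress alerts for unusually large networks. Separating several triplets with `|`, first-match lookup, and the review thresholds are assumptions.

```python
import ipaddress

VALID_SEVERITIES = {0, 1, 2, 3}  # 0=no alert, 1=critical, 2=severe, 3=moderate

# Constructed sample; several triplets in one value separated by '|' is an assumption.
SAMPLE = ("ip_filters | 192.168.2.0, 255.255.255.0, 0 | 2001:DB8::, /32, 0 "
          "| 10.0.0.0, 255.0.0.0, 0 | 192.0.2.7, 255.255.255.255, 1 |")

def parse_triplets(line):
    """Return (property_name, [(network, severity), ...]) for a Type V value."""
    fields = [f.strip() for f in line.split("|")]
    triplets = []
    for field in filter(None, fields[1:]):  # the trailing '|' leaves an empty field
        parts = [p.strip() for p in field.split(",")]
        if len(parts) != 3:
            raise ValueError(f"expected address, mask, severity: {field!r}")
        addr, mask, sev = parts
        if ipaddress.ip_address(addr).version == 6:
            if not mask.startswith("/"):
                raise ValueError(f"IPv6 mask must be in prefix notation: {mask!r}")
            net = ipaddress.ip_network(addr + mask, strict=False)
        else:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if str(net.netmask) != mask:  # rejects prefix-length and host-mask forms
                raise ValueError(f"IPv4 mask must be dotted decimal: {mask!r}")
        if int(sev) not in VALID_SEVERITIES:
            raise ValueError(f"unknown severity code: {sev!r}")
        triplets.append((net, int(sev)))
    return fields[0], triplets

def severity_for(triplets, addr):
    """Severity of the first triplet containing addr, or None if none matches."""
    ip = ipaddress.ip_address(addr)
    for net, severity in triplets:
        if ip.version == net.version and ip in net:
            return severity
    return None

def broad_suppressions(triplets, min_v4=16, min_v6=32):
    """Severity-0 triplets wider than the review thresholds (assumed values)."""
    return [net for net, sev in triplets
            if sev == 0 and net.prefixlen < (min_v4 if net.version == 4 else min_v6)]

if __name__ == "__main__":
    name, triplets = parse_triplets(SAMPLE)
    for host in ("192.168.2.45", "2001:db8:1::5", "192.0.2.7", "198.51.100.9"):
        print(name, host, severity_for(triplets, host))
    print("review:", [str(n) for n in broad_suppressions(triplets)])
```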
Type VI: Time Strings
The time strings property represents time intervals. Each time string has the following syntax:
integer[units]
The integer component is a positive integer representing a time interval. The units component,
when present, indicates the time units the integer is expressed in. The following units are supported:
s Seconds
m Minutes
h Hours