HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
C Tuning Schedules and Generating Alert Reports
This appendix describes how to tune schedules and generate alert reports using the idsadmin
command.
This appendix addresses the following topics:
• “Tuning Schedules Using the idsadmin Command.”
• “Generating Alert Reports Using the idsadmin Command.”
Tuning Schedules Using the idsadmin Command
The tune command enables you to tune schedules and reduce the number of false positives (alerts
that are generated because of normal system activity). The tune command can be invoked from
the idsadmin command line or from its interactive command interface.
The tune command reduces the time and effort to deploy and maintain Surveillance Schedules
by:
• Eliminating the time-consuming and error-prone process of manually generating filtering rules.
• Facilitating the review of alerts from multiple agents running the same schedule, by presenting
an alert report that consolidates duplicate alerts and groups alerts triggered by the same
program.
• Performing automatic schedule updates and deployments.
This tool effectively automates the process of identifying and filtering file-related alerts that the HIDS
administrator considers safe to ignore (that is, alerts generated because of normal system activity).
This tool can be used to perform the following tasks:
• Customize a preconfigured schedule to filter out alerts generated as part of normal system
activity during the initial HIDS deployment.
• Fine-tune an existing schedule if new alerts that are considered safe to ignore are generated
after deployment.
Functioning of the tune Command
The following scenarios depict the functioning of the tune command during initial deployment
and after deployment:
During Initial Deployment
During initial setup, administrators can use the tune command to fine-tune one of the predefined
schedules. The following process shows how a sample schedule can be tuned:
1. In a test environment, run all the applications that you expect to run in the production
environment.
2. Deploy one of the sample schedules provided with HIDS.
3. Let the schedule run long enough to generate a sufficient number of alerts.
4. Once enough alerts are generated, enter the tune command.
5. The tune command suggests filters to filter out the alerts that were generated because of
normal system activity.
6. The tune command then automatically updates and deploys the schedule.
7. Administrators can also choose to view and modify the tune command report and the schedule
before deployment.
After HIDS Deployment
After deployment, if a large number of false positives are generated, the administrator can run the
tune command to fine-tune the schedules. The tune command analyzes the alerts generated on the
agents and suggests filters to filter out the unwanted alerts. The tune command then automatically
170 Tuning Schedules and Generating Alert Reports