HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
NOTE: No filters are generated for aggregated alerts, and they cannot be filtered using the
idsadmin tune command.
Section Related to System Alerts
The summary of system alerts contains the following fields:
<attacker> <attacked> <action> <severity> <template>
<date> <count>
Where:
• <attacker> is the hostname or the IP address of the remote host from which the alert was
generated (in the case of a login alert). In the case of a logout alert, it is the terminal from
which the user logged out. In case of a successful su attack, failed login, or failed su attack,
it is the name of the user who caused the alert.
• <attacked> is the hostname or IP address of the agent under attack.
• <action> is the action for which the alert was generated.
• <severity> is the severity level of the alert. It can be 1 (critical), 2 (severe), or 3 (moderate).
• <template> is the name of the template.
• <date> is the time at which the first such alert was detected.
• <count> is the number of duplicate alerts.
NOTE: No filters are generated for system alerts, and they cannot be filtered using the idsadmin
tune command.
NOTE: Duplicate failed login and su attempts can be suppressed using the
max_failed_[login,su], warning_interval, and fail_interval template properties.
Using the tune Command
The following examples show different ways of using the tune command to tune your schedules:
174 Tuning Schedules and Generating Alert Reports