HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

Example 9 To tune schedules for two agents without any user interaction
% idsadmin -t a abc.hp.com, xyz.hp.com --tune-no-review
This command (invoked from a shell command line) analyzes alerts for the two agents (abc.hp.com
and xyz.hp.com) generated since the timestamp of the last alert to be tuned. The tune command
analyzes the alerts, and automatically updates and deploys the updated schedule on these agents.
No user interaction is required.
Example 10 To tune schedules for two agents after a given date, with options to review and modify the Tune Command Report and the schedule
% idsadmin -t a abc.hp.com, xyz.hp.com --start-date 20070101120000
This command (invoked from a shell command line) analyzes alerts for the two agents (abc.hp.com
and xyz.hp.com) starting from 1st January 2007 12:00 am. These alerts are then displayed in a
report format using the default editor, vi. You can review and modify the report, and save the
changes. The text schedule is displayed, and can be modified if needed and then deployed for
these two agents.
Example 11 To tune schedules for all agents in the sentinal.hosts file, and to review and modify the Tune Command Report and the schedule
idsadmin> tune a all
This command (invoked from the idsadmin interactive command prompt) analyzes alerts for all
agents listed in the sentinal.hosts file that were generated since the timestamp of the last alert
to be tuned. These alerts are then displayed in a report format using the default editor, vi.
Administrators can review and modify the report, and save the changes. The text schedule is
displayed, and administrators can modify the schedule if needed and then deploy the schedule
for these agents.
Step 2: Modifying the Filters in the Tune Command Report
Administrators can review the alerts in the Tune Command Report and modify the filters to only
filter those alerts deemed safe to ignore. When modifying or setting filters, make sure to mark an
alert with an X (when specifying only one file pathname), or R (when specifying a filter with
regular expression wildcard characters to match one or more file pathnames). Save the file when
done.
NOTE: To prevent accidental modifications, the Tune Command Report is created with read-only
permissions. To modify the Tune Command Report, you must change the permissions of the report
file.
To unmark an alert, you can delete the X or R, or replace the X or R with a blank space.
The marked alerts are filtered by updating the corresponding schedules, using the appropriate
filters.
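The following shell functions are an added example, not part of the HP-UX HIDS guide or the idsadmin tool. They show one way to handle the read-only Tune Command Report described above before editing it: keep an untouched copy of the report, grant the owner write permission so the X and R marks can be set, and put the file back to read-only once the edited report has been saved. The report path and the file contents used for the sample run are constructed for illustration; the report format itself is not shown here.

```shell
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): make a read-only Tune
# Command Report editable, keeping an untouched copy, and lock it again
# afterwards. The path and contents used below are constructed.

# Print the permission string (e.g. -r--r--r--) of a file. Using the
# mode bits rather than the -w test keeps the check meaningful when
# running as root, for whom -w is always true.
report_mode() {
    ls -ld "$1" | cut -c1-10
}

# Prepare a report for editing: refuse missing files, save a copy with
# the original permissions, then add owner write permission.
prepare_report() {
    report="$1"
    [ -f "$report" ] || { echo "no such report: $report" >&2; return 1; }
    # keep the untouched original so edits can be compared or reverted
    cp -p "$report" "$report.orig" || return 1
    chmod u+w "$report" || return 1
    [ -w "$report" ]
}

# Restore the read-only state once the edited report has been saved,
# so later accidental modifications are prevented as the guide intends.
lock_report() {
    chmod a-w "$1" && [ "$(report_mode "$1")" = "-r--r--r--" ]
}

# Sample run on a constructed report file (not an idsadmin-generated one):
#   tmp=$(mktemp); printf 'constructed report line\n' > "$tmp"; chmod 444 "$tmp"
#   prepare_report "$tmp" && vi "$tmp" && lock_report "$tmp"
```

After `prepare_report`, the report can be opened in the editor, marks set or cleared, and the file saved; `lock_report` then returns it to read-only, and the `.orig` copy records what the Tune command originally suggested.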
NOTE: Alert filters are generated only for file related alerts.
The following fields in the entries in the file related alerts section of the Tune Command Report can
be modified:
<Filter Type>
<File Filter>
<Program Filter>
The following examples show sections of a Tune Command Report, where the Tune command has
suggested a filter for the alert.