HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
and displayed in the GUI network nodes and logged in the alert log file (defined by the
IDS_ALERTFILE configuration variable) of the agent:
• File-related aggregated alerts
• File-related real-time alerts that could not be aggregated
• Non-file-related real-time alerts
These alerts are also sent to any response programs in the response directory, as defined by the
IDS_RESPONSEDIR configuration variable described in “Global Configuration” (page 187) (the
default is /opt/ids/response). Optionally, all real-time alerts (that is, both file and non-file-related
alerts) can also be issued concurrently by the agent when aggregation is enabled. The real-time
alerts will only be sent to response programs in the real-time response directory, as defined by the
IDS_RT_RESPONSEDIR configuration variable described in “Global Configuration” (page 187)
(the default is /opt/ids/rt_response). Having a separate set of response programs that
receive real-time alerts preserves the ability of HIDS to perform real-time automated responses
that do not require human intervention (such as automatically killing an offending process),
while at the same time allowing an administrator to monitor fewer alerts through alert
aggregation. When a schedule is configured to issue both aggregated alerts and real-time alerts,
the response scripts in the IDS_RT_RESPONSEDIR directory are intended primarily for real-time
automated responses that do not require human intervention. Killing an offending process or
closing a client connection are examples of responses that can be automated.
The response scripts in the IDS_RESPONSEDIR directory, in turn, are intended primarily for reporting
alerts (by e-mail to an administrator, or to the OVO console using the HIDS OVO/SPI) for human
consumption.
Alert aggregation is enabled by default for all newly created and predefined surveillance schedules.
It can be configured either by using the GUI Schedule Manager window, or by editing a schedule
in text format. For more information on the schedule in text format, see “Surveillance Schedule Text
File” (page 193).
To enable and configure Alert Aggregation, follow these steps:
1. Select a schedule in the Schedules panel.
Figure 18 Schedule Manager Screen-Alert Aggregation Tab
2. Select the Alert Aggregation tab on the Schedule Manager screen.
68 Using the Schedule Manager Screen