HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
Step 1: Analyzing Alerts and Tuning Schedules...............................................................171
Section Related to File Related Alerts.........................................................................173
Section Related to Aggregated Alerts........................................................................173
Section Related to System Alerts...............................................................................174
Using the tune Command........................................................................................174
Step 2: Modifying the Filters in the Tune Command Report...............................................175
Step 3: Updating and Deploying the Schedule................................................................176
Generating Alert Reports Using the idsadmin Command............................................................176
The idsadmin Command Reporting Options........................................................................177
Using the idsadmin Command to Generate Reports..............................................................181
Benefits of Generating Reports in raw Format..................................................................185
D The Agent Configuration File....................................................................186
The Agent Configuration File..................................................................................................186
Forcing Active Agent to Reread Configuration File................................................................186
Log File Rotation..............................................................................................................186
Global Configuration............................................................................................................187
Correlator Process Configuration.............................................................................................187
Data Source Process Configuration.........................................................................................188
Kernel Audit Data DSP......................................................................................................189
Remote Communication Configuration.....................................................................................190
E The Surveillance Schedule Text File...........................................................192
Getting Started.....................................................................................................................192
Automating the Activation of Surveillance Schedules.................................................................192
Surveillance Schedule Text File...............................................................................................193
Surveillance Schedule Section................................................................................................193
Container (SRP) Configuration Section.....................................................................................195
Surveillance Group Section....................................................................................................195
F Error Messages.......................................................................................199
Agent Messages...................................................................................................................199
System Manager Messages....................................................................................................203
G Troubleshooting.....................................................................................208
Troubleshooting....................................................................................................................209
Agent and System Manager cannot communicate with each other..........................................209
Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present............210
Agent does not start on system boot...................................................................................210
Agent halts abnormally, leaving ids_* files and message queues............................................211
Agent host appears to hang and/or you see message disk full...............................................211
Agent needs further troubleshooting...................................................................................211
Agent does not start after installation..................................................................................212
Agents appear to be stuck in polling status..........................................................................212
Agent displays error if hostname to IP mapping is not registered in name service......................212
Aggregated alerts targets or details field are truncated and the same aggregated alert has several entries logged in the IDS_ALERTFILE...................................................................................212
Alert date/time sort seems inconsistent...............................................................................213
Alerts are not being displayed in the alert browser...............................................................213
Buffer overflow triggers false positives.................................................................................213
Duplicate alerts appear in System Manager........................................................................213
Getting several aggregated alerts for the same process.........................................................214
8 Contents