HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Example 12 Suggested Exact Filters
ATTACK PROGRAM| /opt/OV/bin/OpC/opcmon --> (X) | /var/opt/OV/tmp/OpC/monagtp | Filesystem modification or potential modification | 0 | 3 | Wed Oct 11 13:12:46 2006 | 12 | ^/var/opt/OV/tmp/OpC/monagtp$ | ^/opt/OV/bin/OpC/opcmon$ | | 2
In this entry, the tune command displays the filtering rule for alerts that are generated when the
opcmon program modifies /var/opt/OV/tmp/OpC/monagtp. The filtering rule is an exact match
because it specifies one specific program and one specific target file (that is, the two patterns are
anchored literal pathnames and contain no regular expression wildcard characters that could match
more than one program or file).
Example 13 Suggested Filters with Regular Expressions
ATTACK PROGRAM| /sbin/mkdir --> (R) | /opt/hpservices/tmp/propTempa01134 | Filesystem modification or potential modification | 0 | 3 | Sun Dec 10 12:11:06 2006 | 1 | ^/opt/hpservices/tmp/[a-z,A-Z]{9}[0-9]{5}$ | ^/sbin/mkdir$ | Temporary file detected in monitored path! Check the pathnames_to_watch property. | 2
In this entry, the tune command displays a filtering rule for alerts that are generated when a
process running /sbin/mkdir creates temporary files in /opt/hpservices/tmp/ whose
names consist of 9 letters followed by 5 digits. Such a rule suppresses every alert on a whole family
of generated filenames rather than on the one file in the original alert, so review the pattern before
accepting it: the character class [a-z,A-Z] as generated also contains a literal comma, so a name whose
first 9 characters include a comma would be filtered as well.
NOTE: Filters for temporary files are only generated for alerts triggered by the following detection
templates:
Creation of World-Writable File
Modification of Files/Directories
Modification of Another User's File
Changes to Log File
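The following Python script is an added example, not part of the HP-UX HIDS documentation or the product itself. It parses the two tune-report entries from Examples 12 and 13 (joined back onto one pipe-delimited line each; the sample text is constructed), classifies each rule as exact or regular-expression, and checks which program/target pairs a rule would filter. The field order follows the examples; treating field 8 as the alert count and fields 9 and 10 as the anchored target-path and program patterns is an assumption made for this example, as is the ATTACK PROGRAM record format itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two tune-report entries from Examples 12 and 13,
# each joined back onto one pipe-delimited line. The field order is taken
# from those examples; the meaning assigned to fields 8, 9 and 10 (alert count,
# target-path pattern, program pattern) is an assumption for this example.
TUNE_REPORT = """\
ATTACK PROGRAM| /opt/OV/bin/OpC/opcmon --> (X) | /var/opt/OV/tmp/OpC/monagtp | Filesystem modification or potential modification | 0 | 3 | Wed Oct 11 13:12:46 2006 | 12 | ^/var/opt/OV/tmp/OpC/monagtp$ | ^/opt/OV/bin/OpC/opcmon$ | | 2
ATTACK PROGRAM| /sbin/mkdir --> (R) | /opt/hpservices/tmp/propTempa01134 | Filesystem modification or potential modification | 0 | 3 | Sun Dec 10 12:11:06 2006 | 1 | ^/opt/hpservices/tmp/[a-z,A-Z]{9}[0-9]{5}$ | ^/sbin/mkdir$ | Temporary file detected in monitored path! Check the pathnames_to_watch property. | 2
"""

# Regex metacharacters other than the ^ and $ anchors that every generated rule
# carries. '.' is deliberately left out: it appears literally in many pathnames.
_WILDCARDS = re.compile(r"[\[\]{}()*+?|\\]")


@dataclass
class FilterRule:
    program: str        # program path from field 2, access flag such as "(X)" stripped
    target: str         # the file the original alert was raised on (field 3)
    count: int          # field 8: number of alerts this rule accounts for (assumed)
    target_regex: str   # field 9: anchored pattern the target path must match (assumed)
    program_regex: str  # field 10: anchored pattern the program path must match (assumed)

    def is_exact(self) -> bool:
        """True when neither pattern uses a wildcard, i.e. the rule names one
        program and one file, which is how the guide defines an exact filter."""
        return not (_WILDCARDS.search(self.target_regex)
                    or _WILDCARDS.search(self.program_regex))

    def matches(self, program: str, target: str) -> bool:
        """Would this rule suppress an alert for `program` touching `target`?
        The patterns carry their own ^...$ anchors, so re.search is sufficient."""
        return bool(re.search(self.program_regex, program)
                    and re.search(self.target_regex, target))


def parse_tune_report(text: str) -> List[FilterRule]:
    """Parse pipe-delimited ATTACK PROGRAM entries into FilterRule objects."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 12 or fields[0] != "ATTACK PROGRAM":
            continue  # blank line, heading or some other non-filter text
        program = fields[1].split(" --> ")[0]
        rules.append(FilterRule(program=program, target=fields[2],
                                count=int(fields[7]),
                                target_regex=fields[8], program_regex=fields[9]))
    return rules


def first_matching_rule(rules: List[FilterRule], program: str,
                        target: str) -> Optional[FilterRule]:
    """Return the first rule that would filter this (program, target) pair."""
    for rule in rules:
        if rule.matches(program, target):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_tune_report(TUNE_REPORT)
    for r in rules:
        kind = "exact" if r.is_exact() else "regex"
        print(f"{kind:5} {r.program} -> {r.target_regex} ({r.count} alerts)")
    # The regex rule covers every 9-character/5-digit name, including one with a
    # comma, because the character class [a-z,A-Z] contains a literal comma.
    for path in ("/opt/hpservices/tmp/propTempa01134",
                 "/opt/hpservices/tmp/prop,Temp01134",
                 "/opt/hpservices/tmp/propTempa0113"):
        hit = first_matching_rule(rules, "/sbin/mkdir", path)
        print(f"{path}: {'filtered' if hit else 'would alert'}")
```

Running the script shows the exact rule filtering only the single opcmon/monagtp pair while the regular-expression rule filters any mkdir-created name of the right shape, which is the check worth doing before accepting a suggested filter into a schedule.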
Step 3: Updating and Deploying the Schedule
After you exit the editor that displays the Tune Report in interactive mode, you are prompted to
modify the group names in the schedule. Tuning a schedule file modifies the existing templates in its
group. Because templates are shared by group name, the modification is also reflected on every
HP-UX Container (HP-UX SRP) and every other schedule file on the administration system that is
configured with the same group name. If those configurations are not meant to be identical, give
each one a unique group name. A new editor session then displays the updated schedule, which
incorporates the filtering rules set in the Tune Report; you can modify the updated schedule manually
if needed. After you exit the editor, if the group names were changed you are prompted to save the
schedule to a new file; otherwise the existing schedule file is overwritten. The tuned schedule is then
activated on the agent.
Generating Alert Reports Using the idsadmin Command
This section describes the various reporting options you can use with the idsadmin command to
generate alert reports that are easy to view and print.
Using the idsadmin report feature, you can perform the following tasks:
Generate reports for one or more SRPs on an agent host, if the agent is configured to monitor
HP-UX Containers (HP-UX SRPs)
View alert statistics by agent, severity, alert type, and detection agent, and, if the agent is
configured to monitor HP-UX Containers (HP-UX SRPs), by Container (SRP)
Generate a consolidated report across multiple agents