HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Alert date/time sort seems inconsistent
Two factors come into play in this seeming inconsistency: First, the agent’s date/time stamp
is based on the local host time when the alert was received. Second, the time the System
Manager uses to sort the alert is based on the UTC when the alert actually occurred. Under
normal circumstances, these two times are identical. On occasion, however, there may be a
difference depending on internal processing time, which may make the alert list inconsistent.
Alerts are not being displayed in the alert browser
Check to see if they are appearing in /var/opt/ids/alert.log.
Check for errors in the error browser.
Determine whether IDDS failed at boot-up: Use the /etc/dmesg command to verify that there
are no messages saying “IDDS disabled”.
Verify that the host name and IP address are configured and valid.
In the event that the keys have become corrupted, regenerate all key sets using procedures
from “Setting Up HP-UX HIDS Secure Communications” (page 21).
Verify that the agent system is set to “Running” (with a green background) in the System
Manager.
Determine whether any changes have been made to the detection templates, which may filter
out the alerts (such as ignoring whole directories or users).
If no login/logout alerts are seen, /var/adm/wtmp might be corrupted. To check, run the
last command and see if it prints an error or segmentation faults. If so, you need to do the
following as root:
# rm /var/adm/wtmp
# touch /var/adm/wtmp
# chown adm:adm /var/adm/wtmp
# chmod 644 /var/adm/wtmp
On HP-UX 11i v2 operating systems, if removing wtmp still produces an error when running
the last command, also remove /var/adm/wtmps (it is automatically recreated).
Is the communication to the agent timing out? Check the agent’s /var/opt/ids/error.log
for timeout messages. If timeout messages appear, try increasing the timeout values in the
agent’s /etc/opt/ids/ids.cf configuration file; see “Remote Communication
Configuration” (page 186).
If /var/opt/ids/error.log contains out-of-memory errors, the maximum data segment
size may need to be increased or more swap space might need to be added. Run kmtune
-l -q maxdsiz (kctune on HP-UX 11i v3) and /usr/sbin/swapinfo to determine your
current tunable setting and swap usage, respectively.
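The following script is an added example, not part of the HP-UX HIDS guide, that turns the scriptable items of the checklist above into functions: counting what the agent has logged locally in alert.log, scanning error.log for timeout and out-of-memory messages, detecting a wtmp that last(1) cannot read, and recreating wtmp with the ownership and mode the guide prescribes. The log paths default to the ones the guide names but can be overridden, the sample error.log lines are constructed (the real agent's wording may differ, so the grep patterns are an assumption), and the script moves a corrupt wtmp aside rather than removing it, which is an added choice beyond the guide's rm.

```shell
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): scriptable checks for the
# "alerts are not being displayed" checklist. Paths default to the ones the
# guide names; each can be overridden so the functions run off-box.

ALERT_LOG=${ALERT_LOG:-/var/opt/ids/alert.log}
ERROR_LOG=${ERROR_LOG:-/var/opt/ids/error.log}
WTMP=${WTMP:-/var/adm/wtmp}

# Number of lines the agent has written to its local alert log. A non-zero
# count with an empty alert browser points at the agent-to-System-Manager
# path (keys, host name/IP, template filters) rather than at detection.
alert_count() {
    if [ -r "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# Case-insensitive count of error.log lines matching a pattern. The words
# "timeout" and "out of memory" are assumed; match your agent's real wording.
error_matches() {
    log=$1; pattern=$2
    [ -r "$log" ] || { echo 0; return; }
    grep -ic "$pattern" "$log" || true
}

# Succeed (status 0) when the login-record reader fails. A segmentation fault
# or an error message from last(1) both yield a non-zero exit status, which is
# what the guide treats as the signature of a corrupt wtmp. The reader is a
# parameter so the check can be exercised without last(1) installed.
wtmp_reader_fails() {
    if [ $# -eq 0 ]; then set -- last; fi
    ! "$@" >/dev/null 2>&1
}

# Recreate an empty wtmp owned adm:adm, mode 0644, as the guide prescribes.
# The owner is a parameter so the function can be tested without the adm
# account. The old file is moved aside instead of removed (an added choice)
# so it stays available for later examination. On HP-UX 11i v2 the guide also
# says to remove /var/adm/wtmps if last(1) still fails afterwards.
reset_wtmp() {
    path=$1; owner=${2:-adm:adm}
    [ -e "$path" ] && mv "$path" "$path.corrupt.$$"
    : > "$path"
    chown "$owner" "$path" && chmod 644 "$path"
}

# Constructed sample error.log content (not real agent output).
write_sample_error_log() {
    cat > "$1" <<'EOF'
2014-03-01 10:00:01 agent: connection to System Manager established
2014-03-01 10:05:17 agent: timeout waiting for response from System Manager
2014-03-01 10:06:02 agent: Timeout sending alert batch
2014-03-01 10:09:44 agent: out of memory allocating alert buffer
EOF
}

main() {
    echo "local alerts logged: $(alert_count "$ALERT_LOG")"
    echo "timeout messages:    $(error_matches "$ERROR_LOG" timeout)"
    echo "out-of-memory msgs:  $(error_matches "$ERROR_LOG" 'out of memory')"
    if wtmp_reader_fails last; then
        echo "last(1) fails: $WTMP may be corrupt; run reset_wtmp $WTMP as root"
    fi
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh hids_check.sh run` on the agent host; reset_wtmp must be invoked as root on the real /var/adm/wtmp, and a high timeout count is the cue to raise the timeout values in /etc/opt/ids/ids.cf as the guide describes.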
Buffer overflow triggers false positives
Because Buffer Overflow uses a heuristic, it may trigger false positives. If it does, please
document what actions were performed that generated the alert, and contact HP support so
we can improve the heuristic.
For more information on buffer overflow, see “Some Template Configuration Guidelines”
(page 61).
Duplicate alerts appear in System Manager
If you see duplicate alerts, you might have multiple instances of the same template configured in
your schedule within different surveillance groups with overlapping time tables.