HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

and displayed in the GUI network nodes and logged in the alert log file (defined by the
IDS_ALERTFILE configuration variable) of the agent:
File-related aggregated alerts
File-related real-time alerts that could not be aggregated
Non-file-related real-time alerts
These alerts are also sent to any response programs in the response directory, as defined by the
IDS_RESPONSEDIR configuration variable described in ??? (the default is /opt/ids/response).
Optionally, all real-time alerts (that is, both file-related and non-file-related alerts) can also be issued
concurrently by the agent when aggregation is enabled. These real-time alerts are sent only to
response programs in the real-time response directory, as defined by the IDS_RT_RESPONSEDIR
configuration variable described in “Global Configuration” (page 183) (the default is
/opt/ids/rt_response). Having a separate set of response programs that receive real-time
alerts preserves the HIDS ability to perform real-time automated response (responses that do not
require human intervention, such as automatically killing an offending process) while at the same
time allowing an administrator to monitor fewer alerts through alert aggregation. When a schedule
is configured to issue both aggregated alerts and real-time alerts, the response scripts in the
IDS_RT_RESPONSEDIR directory are intended primarily for real-time automated responses that
do not require human intervention. Killing an offending process or closing a client connection are
examples of responses that can be automated.
The response scripts in the IDS_RESPONSEDIR directory, in turn, are intended primarily for reporting
alerts (by e-mail to an administrator, or to the OVO console using the HIDS OVO/SPI) for human
consumption.
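The routing rules described above, modelled as an added Python illustration (this is not HIDS code, and the alert record shape, the event names and the rule that a file alert without a path cannot be aggregated are all assumptions made here): file-related alerts are collapsed into per-file summaries for IDS_RESPONSEDIR, everything real-time also reaches IDS_RESPONSEDIR, and the optional concurrent real-time feed goes only to IDS_RT_RESPONSEDIR.

```python
from collections import OrderedDict

# Constructed sample alerts in an assumed shape (the page does not show the real alert fields).
SAMPLE_ALERTS = [
    {"id": 1, "kind": "file", "event": "modified", "path": "/etc/passwd"},
    {"id": 2, "kind": "file", "event": "modified", "path": "/etc/passwd"},
    {"id": 3, "kind": "process", "event": "setuid_exec", "pid": 4242},
    {"id": 4, "kind": "file", "event": "modified", "path": None},  # assumed: no path, cannot be aggregated
    {"id": 5, "kind": "file", "event": "deleted", "path": "/var/log/syslog"},
]


def dispatch(alerts, realtime_concurrent=False):
    """Return (to_response_dir, to_rt_response_dir) for one aggregation interval.

    to_response_dir    -> what programs in IDS_RESPONSEDIR receive:
                          real-time alerts as they occur, then the aggregated file summaries.
    to_rt_response_dir -> what programs in IDS_RT_RESPONSEDIR receive:
                          every alert in real time, but only when the concurrent option is on.
    """
    groups = OrderedDict()   # (event, path) -> aggregated summary alert
    to_response_dir = []
    for a in alerts:
        if a["kind"] == "file" and a.get("path"):
            key = (a["event"], a["path"])
            summary = groups.setdefault(key, {
                "kind": "file", "event": a["event"], "path": a["path"],
                "aggregated": True, "count": 0, "ids": [],
            })
            summary["count"] += 1
            summary["ids"].append(a["id"])
        else:
            # Non-file alerts, and file alerts that could not be aggregated, stay real-time.
            to_response_dir.append(a)
    # Aggregated summaries are issued at the end of the interval, after the real-time ones.
    to_response_dir.extend(groups.values())
    # The concurrent real-time feed is delivered only to the real-time response directory.
    to_rt_response_dir = list(alerts) if realtime_concurrent else []
    return to_response_dir, to_rt_response_dir


if __name__ == "__main__":
    for label, out in zip(("IDS_RESPONSEDIR", "IDS_RT_RESPONSEDIR"), dispatch(SAMPLE_ALERTS, True)):
        print(label, [a.get("ids", a["id"]) for a in out])
```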
Alert aggregation is enabled by default for all newly created and predefined surveillance schedules.
It can be configured either by using the GUI Schedule Manager window, or by editing a schedule
in text format. For more information on the schedule in text format, see “Surveillance Schedule Text
File” (page 189).
To enable and configure Alert Aggregation, follow these steps:
1. Select a schedule in the Schedules panel.
Figure 18 Schedule Manager Screen: Alert Aggregation Tab
2. Select the Alert Aggregation tab on the Schedule Manager screen.
Configuring Alert Aggregation 65