HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
3. Select the Alert Aggregation option box to enable alert aggregation.
4. Select the Real Time Alerts option box to enable the generation of real-time alerts when alert aggregation is enabled.
NOTE: When the Alert Aggregation option box is not selected, the Real Time Alerts option box is automatically selected to indicate that real-time alerts will be generated.
5. Enter the path name of a program under the Programs to Aggregate Alerts for table column to aggregate alerts triggered by a process running that program, and by the process's descendant processes. The executable path name can be specified using regular expressions and extended regular expressions. For more information about UNIX regular expressions, see “UNIX Regular Expressions” (page 105).
In the corresponding Maximum Alert Delay table column entry, specify the maximum number of seconds that must be spent aggregating alerts triggered by a process running the program and by alerts triggered by the process's descendant processes. An aggregated alert will be generated when either the process running the specified program terminates or when the specified time elapses, whichever comes first.
The actual number of seconds spent aggregating alerts can be up to 5 seconds greater than specified, as the elapsed time is checked only every 5 seconds to minimize CPU consumption by the agent.
A program entry and the corresponding maximum alert delay entry are together called an alert aggregation tuple.
NOTE: If a program is not specified in an alert aggregation tuple (with alert aggregation enabled), only file-related alerts triggered by a process (and not its descendant processes) executing the program are aggregated. Alerts triggered by a process whose executable path name is not specified in an alert aggregation tuple are aggregated until an hour elapses or the process terminates, whichever comes first.
For the case where an alert is triggered by a process that is a descendant of more than one process whose program is specified in an alert aggregation tuple, the process's alert will be aggregated under the program being run by the closest ancestor in terms of process depth.
For example, take the case where p0, p1, and p2 are three processes where p0 is running program0 and is the parent of p1, p1 is running program1 and is the parent of p2, and p2 is running program2 and is a descendant of both p0 and p1. If both program0 and program1 are specified in their own alert aggregation tuple, then any alert triggered by the process p2 will be aggregated under program1, unless p1 also triggers an alert, in which case alerts triggered by both p1 and p2 will be aggregated under program0.
6. Click Save. The entered values will be saved.
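The following Python model is an added example, not part of the HP-UX HIDS guide or product: it simulates the closest-ancestor grouping rule and the 5-second window check described in step 5 so an administrator can predict which tuple an alert lands under and when the aggregated alert fires. The tuples, paths and process tree are constructed to mirror the p0/p1/p2 example; the treatment of an ancestor that alerts itself is an assumption drawn from that example.

```python
import math
import re
from dataclasses import dataclass
from typing import Optional

# Constructed alert aggregation tuples: (regex over the resolved program path, maximum alert delay in s).
TUPLES = [(r"^/usr/sbin/program0$", 120), (r"^/opt/app/bin/program1$", 33)]
DEFAULT_DELAY = 3600   # no tuple matches: aggregate until an hour elapses or the process exits
CHECK_INTERVAL = 5     # the agent checks elapsed time every 5 s, so a window may overrun by up to 5 s

@dataclass
class Proc:
    pid: int
    program: str                     # full, resolved executable path
    parent: Optional["Proc"] = None

def tuple_delay(program: str) -> Optional[int]:
    """Delay of the first tuple whose regex matches the program path, or None if no tuple matches."""
    for pattern, delay in TUPLES:
        if re.search(pattern, program):
            return delay
    return None

def aggregated_under(proc: Proc, alerting: set) -> str:
    """Program an alert from `proc` is grouped under (model of the guide's closest-ancestor rule).
    `alerting` holds pids that triggered their own alert in the window; an ancestor that is itself
    alerting is skipped, so its alerts and the descendant's land in the same higher group (assumption)."""
    node = proc.parent
    while node is not None:
        if tuple_delay(node.program) is not None and node.pid not in alerting:
            return node.program
        node = node.parent
    return proc.program              # no usable ancestor: aggregate under the process's own program

def flush_after(program: str, terminated_at: Optional[float] = None) -> float:
    """Seconds after the first alert at which the aggregated alert is generated: process termination,
    or the first 5 s check at which the tuple's delay has elapsed, whichever comes first."""
    delay = tuple_delay(program)
    if delay is None:
        delay = DEFAULT_DELAY
    by_timer = math.ceil(delay / CHECK_INTERVAL) * CHECK_INTERVAL
    return by_timer if terminated_at is None else min(by_timer, terminated_at)

# Constructed process tree from the guide's example: p0 -> p1 -> p2
p0 = Proc(100, "/usr/sbin/program0")
p1 = Proc(101, "/opt/app/bin/program1", p0)
p2 = Proc(102, "/tmp/program2", p1)

if __name__ == "__main__":
    print(aggregated_under(p2, set()))             # /opt/app/bin/program1
    print(aggregated_under(p2, {p1.pid}))          # /usr/sbin/program0
    print(flush_after("/opt/app/bin/program1"))    # 35: a 33 s delay is only noticed at the 35 s check
    print(flush_after("/tmp/program2", 20))        # 20: the process exited before the hour default
```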
Guidelines for Configuring Alert Aggregation
• By specifying a regular expression in an aggregation tuple that exactly matches the program's full and resolved path name, there is no ambiguity about which program is specified for aggregating alerts triggered by a process running the program, and by any process descendants. However, you may need to specify a regular expression that matches both the relative path name and the full path name in case one of the following conditions occurs:
◦ The program is started before running a schedule
◦ The warning message "Dropping audit records due to heavy load" appears in the agent's error log, as defined by the IDS_ERRORFILE configuration variable described in “Global Configuration” (page 183). The default path is /var/opt/ids/error.log.
66 Using the Schedule Manager Screen