HP Host Intrusion Detection System (HIDS) manual Alerts generated, 168


Templates and Alerts

Login/Logout Template

NOTE

uids_to_monitor takes precedence over uids_to_ignore when both the lists are set. If uids_to_monitor is not empty, values in uids_to_ignore are ignored.

Property: uids_to_ignore

User ids in this list will allow those users to login, logout and su without generating an alert.

Property: uids_to_monitor

Alerts are generated when the user ids in this list login, logout or su if the corresponding monitor_*_flag is set to 1.

Property: monitor_su_flag

When set to 1, the template will monitor successful su attempts by users specified in uids_to_monitor or, if uids_to_monitor is empty, by users not listed in uids_to_ignore.

Property: monitor_login_flag

When set to 1, the template will monitor successful logins by users specified in uids_to_monitor or, if uids_to_monitor is empty, by users not listed in uids_to_ignore.

Property: monitor_logout_flag

When set to 1, the template will monitor successful logouts by users specified in uids_to_monitor or, if uids_to_monitor is empty, by users not listed in uids_to_ignore.

Property: ip_filters

Contains a list of triplets {ip_address, mask, severity}.

This property filters login alerts and determines the alert's severity based on which remote host or network the login was made from. If a login's remote host IP address matches one of the triplets' IP address qualified by that triplet's network mask, then the alert severity is set to the corresponding triplet's severity. A severity level of 0 indicates that an alert for a login event with a matching remote IP address will be filtered, except for the users root and ids. If a login event's remote host IP address does not match any triplet, then a severe (severity=2) alert is generated for the root and ids users and a moderate (severity=3) alert for all other users. The value of the mask must be set to 255.255.255.255 if the ip_address is a host address; otherwise, the mask must be set to the network mask that qualifies the value in ip_address as a network address.

Host address filtering is only applied to those login events that are not filtered out by the uids_to_ignore and uids_to_monitor template properties.
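The following is an added worked example, not HP HIDS code, that models the evaluation order the properties above describe: the monitor_*_flag gate, uids_to_monitor taking precedence over uids_to_ignore, and ip_filters applied only to login events that survive the uid lists. The template values, user names and addresses are constructed; the "first matching triplet wins" order and the severe level for root/ids on a severity-0 match are assumptions, since the manual does not state them.

```python
import ipaddress

# Constructed model of the Login/Logout template rules described above.
# Not HP HIDS code; the dict keys mirror the manual's property names.
ALWAYS_ALERT_USERS = {"root", "ids"}   # never suppressed by a severity-0 ip_filter
SEVERE, MODERATE = 2, 3                # severity values quoted in the manual

def uid_selected(template, uid):
    """uids_to_monitor takes precedence; only when it is empty does uids_to_ignore apply."""
    monitor = template.get("uids_to_monitor", [])
    if monitor:
        return uid in monitor
    return uid not in template.get("uids_to_ignore", [])

def login_severity(template, user, remote_ip):
    """Apply the ip_filters triplets {ip_address, mask, severity}; first match wins (assumed)."""
    addr = ipaddress.ip_address(remote_ip)
    for ip_address, mask, severity in template.get("ip_filters", []):
        if addr in ipaddress.ip_network(f"{ip_address}/{mask}", strict=False):
            if severity == 0:
                # Severity 0 filters the alert except for root and ids; the manual does
                # not state their severity in that case, so SEVERE is assumed here.
                return SEVERE if user in ALWAYS_ALERT_USERS else None
            return severity
    # No triplet matched: severe for root and ids, moderate for everyone else.
    return SEVERE if user in ALWAYS_ALERT_USERS else MODERATE

def evaluate(template, event):
    """Return (alert_generated, severity). event has type ('login', 'logout' or 'su'),
    uid, user and, for logins, remote_ip. Severity is only defined here for logins."""
    if template.get(f"monitor_{event['type']}_flag", 0) != 1:
        return (False, None)
    if not uid_selected(template, event["uid"]):
        return (False, None)          # filtered by the uid lists before ip_filters run
    if event["type"] != "login":
        return (True, None)
    severity = login_severity(template, event["user"], event["remote_ip"])
    return (severity is not None, severity)

# Constructed template: logins from the console host 10.0.0.5 are filtered,
# logins from 10.0.1.0/24 are moderate for everyone, uid 1000 is ignored entirely.
TEMPLATE = {
    "uids_to_ignore": [1000], "uids_to_monitor": [],
    "monitor_su_flag": 1, "monitor_login_flag": 1, "monitor_logout_flag": 0,
    "ip_filters": [("10.0.0.5", "255.255.255.255", 0), ("10.0.1.0", "255.255.255.0", MODERATE)],
}
```

Setting uids_to_monitor to [1000] on the same template shows the precedence rule: uid 1000 then alerts even though it is also in uids_to_ignore, and every other uid stops alerting.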

Alerts generated by this template

• “Login/Logout” on page 169
• “Successful su Detected” on page 170

168

Appendix A