Troubleshooting

Determine whether any changes have been made to the detection templates, which may filter out the alerts (such as ignoring whole directories or users).

If no login/logout alerts are seen, /var/adm/wtmp might be corrupted. To check, run the last command and see whether it prints an error or exits with a segmentation fault. If it does, recreate the file as root:

    # rm /var/adm/wtmp
    # touch /var/adm/wtmp
    # chown adm:adm /var/adm/wtmp

Is the communication to the agent timing out? Check the agent’s /var/opt/ids/error.log for timeout messages. If timeout messages appear, try increasing the timeout values in the agent’s /etc/opt/ids/ids.cf configuration file; see “Remote Communication Configuration” on page 209.

If /var/opt/ids/error.log contains "out of memory" errors, the maximum data segment size may need to be increased or more swap space might need to be added. Run kmtune -l -q maxdsiz (kctune on HP-UX 11i v2) and /usr/sbin/swapinfo to determine your current tunable setting and swap usage, respectively.
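The wtmp probe and the error.log checks above, as an added shell example that is not from the HP HIDS manual: the wtmp probe takes the command to run as an argument (last on a real HP-UX host), the recreate step is parameterised so it can be rehearsed on a scratch file, and the sample log lines and the time(d )out pattern are constructed assumptions.

```shell
#!/bin/sh
# Added example, not HP HIDS code: the checks from this section as functions.

# wtmp_ok CMD...: run CMD (e.g. "last") and report whether it finished cleanly.
# A signal death such as a segmentation fault gives a status above 128, an
# ordinary error any other non-zero status; both mean wtmp is suspect.
wtmp_ok() {
    "$@" >/dev/null 2>&1
    status=$?
    [ "$status" -eq 0 ]
}

# recreate_wtmp PATH OWNER: the rm/touch/chown sequence from the manual,
# parameterised so it can be tried on a scratch file before /var/adm/wtmp
# (where OWNER is adm:adm and root privileges are required).
recreate_wtmp() {
    rm -f "$1" && touch "$1" && chown "$2" "$1"
}

# error_log_summary LOG: count the two error.log symptoms the manual names
# (timeouts and out-of-memory). Prints "timeouts=N oom=M". grep -c prints 0
# but exits 1 when nothing matches, so "|| true" keeps it usable under set -e.
error_log_summary() {
    t=$(grep -icE 'time(d )?out' "$1" || true)
    m=$(grep -ic 'out of memory' "$1" || true)
    echo "timeouts=$t oom=$m"
}

# Constructed sample error.log; the line format is an assumption, not HIDS's own.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2024-01-01 10:00:01 idsagent: connection to 10.0.0.5 timed out after 30s
2024-01-01 10:00:02 idsagent: template load ok
2024-01-01 10:00:03 idsagent: malloc failed: out of memory
2024-01-01 10:00:04 idsagent: Timeout waiting for idsadmin reply
EOF

# Expected on the sample: timeouts=2 oom=1
error_log_summary "$SAMPLE_LOG"
```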

Buffer overflow triggers false positives

Because Buffer Overflow uses a heuristic, it may trigger false positives. If it does, please document what actions were performed that generated the alert, and contact HP support so we can improve the heuristic.

For more information on buffer overflow, see “Some Template Configuration Guidelines” on page 74.

Duplicate alerts appear in System Manager

If you see duplicate alerts, you might have multiple instances of the same template configured in your schedule within different surveillance groups with overlapping time tables.

Idsadmin needs installed agent certificates

You must run the idsadmin program on an administration host where agent certificates are installed. You can use IDS_genAgentCerts to generate a local agent certificate on the administration host. If the agent filesets, which include IDS_genAgentCerts, are not installed, you can copy the directory /etc/opt/ids/ids/certs/agent (and its contents) from a remote agent host to the administration host.

Idsadmin notifies of bad certificate when pinging a remote agent

Idsadmin may report a bad certificate if the certificate created on the admin host for the agent is not yet valid on the agent host because of the system time difference between the admin host and the remote agent host. For example:

    ./idsadmin -a hostname -i 1.2.3.4 -l /tmp/fooooo
    Successfully opened /tmp/fooooo

Appendix G

HP Host Intrusion Detection System (HIDS) manual