expiration time of INTRUDER
09-04-2005 12:23 PM
who can explain this phenomenon?
thanks!
TERMINAL INTRUDER 8 16:17:13
TERMINAL INTRUDER 12 16:16:55
TERMINAL INTRUDER 13 16:18:11
09-04-2005 03:37 PM
Re: expiration time of INTRUDER
Each time a new suspect event occurs, the expiration time for that source is incremented by a random time period (between 0.5 and 1.5 times LGI_BRK_TMO). It's a sliding window, with older events being dropped. So, depending on the sequence of increments, the expiration time can go up and down with the count as events are added and dropped.
OpenVMS deliberately makes this chaotic so that even people who know the algorithm cannot predict when the effect of an intrusion detection will expire. The best they can do is assume worst case.
09-05-2005 12:29 PM
Re: expiration time of INTRUDER
09-05-2005 02:25 PM
Re: expiration time of INTRUDER
It's funny, hehe~
But I find something confusing, so I reopened this topic.
You said that the expiration time is 0.5 - 1.5 times the TMO,
but in this example the TMO is about 40 mins
(sh time = 15:49:21)
so, 0.5 * 40 = 20 mins (min); 1.5 * 40 = 60 mins (max)
Why does it go up and down by only some seconds?
TERMINAL INTRUDER 8 16:17:13
TERMINAL INTRUDER 12 16:16:55
TERMINAL INTRUDER 13 16:18:11
Could you help explain it for me?
09-05-2005 05:53 PM
Re: expiration time of INTRUDER
Just to make it a bit more clear.
LGI_BRK_TMO
LGI_BRK_TMO specifies the length of the failure monitoring
period. This time increment is added to the suspect's expiration
time each time a login failure occurs. Once the expiration period
passes, prior failures are discarded, and the suspect is given a
clean slate.
LGI_BRK_TMO is a DYNAMIC parameter.
LGI_BRK_LIM
LGI_BRK_LIM specifies the number of failures that can occur at
login time before the system takes action against a possible
break-in. The count of failures applies independently to login
attempts by each user name, terminal, and node. Whenever login
attempts from any of these sources reach the break-in limit
specified by LGI_BRK_LIM, the system assumes it is under attack
and initiates evasive action as specified by the LGI_HID_TIM
parameter.
The minimum value is 1. The default value is usually adequate.
LGI_BRK_LIM is a DYNAMIC parameter.
Mike
09-05-2005 05:58 PM
Re: expiration time of INTRUDER
LGI_HID_TIM
LGI_HID_TIM specifies the number of seconds that evasive action
persists following the detection of a possible break-in attempt.
The system refuses to allow any logins during this period, even
if a valid user name and password are specified.
LGI_HID_TIM is a DYNAMIC parameter.
You can find all of that help in
$ mc sysman help Sys_Parameters
Mike
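A simplified model of the three LGI_* parameters as the help text quoted above describes them, with the 0.5-1.5 randomisation from the earlier reply; this is an added illustration, not OpenVMS code and not any poster's. The class and method names are hypothetical, times are assumed to be in seconds, and the sliding window of dropped events is not modelled, so it does not reproduce the decreasing expiration asked about.

```python
import random


class BreakInTracker:
    """Toy model of the quoted LGI_* help text; hypothetical, not OpenVMS code."""

    def __init__(self, brk_lim, brk_tmo, hid_tim, rng=None):
        self.brk_lim = brk_lim    # failures that trigger evasive action
        self.brk_tmo = brk_tmo    # base of each expiration increment (seconds)
        self.hid_tim = hid_tim    # how long evasive action persists (seconds)
        self.rng = rng or random.Random()
        self.records = {}         # source -> count / expires / hidden_until

    def _live_record(self, source, now):
        rec = self.records.get(source)
        if rec and now >= rec["expires"] and now >= rec["hidden_until"]:
            # Expiration passed: prior failures are discarded (clean slate).
            del self.records[source]
            rec = None
        return rec

    def login_failure(self, source, now):
        rec = self._live_record(source, now)
        if rec is None:
            rec = {"count": 0, "expires": now, "hidden_until": 0.0}
            self.records[source] = rec
        rec["count"] += 1
        # Each failure adds a randomised 0.5-1.5 x LGI_BRK_TMO, so the
        # expiry cannot be computed from the failure times alone.
        rec["expires"] += self.rng.uniform(0.5, 1.5) * self.brk_tmo
        if rec["count"] >= self.brk_lim:
            # Limit reached: refuse logins from this source for LGI_HID_TIM.
            rec["hidden_until"] = max(rec["hidden_until"], now + self.hid_tim)
        return self.status(source, now)

    def status(self, source, now):
        rec = self._live_record(source, now)
        if rec is None:
            return "CLEAN"
        return "INTRUDER" if now < rec["hidden_until"] else "SUSPECT"

    def login_allowed(self, source, now):
        # During evasive action even a valid user name and password fail.
        return self.status(source, now) != "INTRUDER"
```

Passing a seeded `random.Random` as `rng` makes a run repeatable; with the default generator the expiry after each failure differs from run to run.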
09-05-2005 06:18 PM
Re: expiration time of INTRUDER
But I still cannot make it out.
Please let me state my question more clearly.
I know that there are 3 parameters:
LGI_BRK_LIM is for break-in count (here = 6)
LGI_BRK_TMO is for SUSPECT status (here = 30 mins)
LGI_HID_TIM is for INTRUDER status (this is where I found the question)
the following is my testing data:
$sh time
15:49:21
$(try failure login for 8 times)
Count:8 Expiration: 16:17:13
$(keep trying)
Count:12 Expiration: 16:16:55
Count:13 Expiration: 16:18:11
My question is why the expiration time decreased when the count increased from 8 to 12...
Michal said, "LGI_HID_TIM is a DYNAMIC parameter."
But if that's true, what's the exact scope of this "dynamic"?
Thanks! :)
09-05-2005 07:52 PM
Re: expiration time of INTRUDER
Purely Personal Opinion
09-05-2005 08:25 PM
Re: expiration time of INTRUDER
I think there should be a rule in it...
I'm trying to find it :)
09-05-2005 10:11 PM
Re: expiration time of INTRUDER
I think John G's explanation covers how this can happen.
Purely Personal Opinion