Operating System - OpenVMS

expiration time of INTRUDER

 
Davor_7
Regular Advisor

When you become an intruder, and your trial count keeps going up, the expiration time goes up and down. That's strange.
Who can explain this phenomenon?
thanks!


TERMINAL INTRUDER   Count: 8    Expiration: 16:17:13
TERMINAL INTRUDER   Count: 12   Expiration: 16:16:55
TERMINAL INTRUDER   Count: 13   Expiration: 16:18:11


John Gillings
Honored Contributor

Re: expiration time of INTRUDER

Davor,

Each time a new suspect event occurs, the expiration time for that source is incremented by a random time period (between 0.5 and 1.5 times LGI_BRK_TMO). It's a sliding window, with older events being dropped. So, depending on the sequence of increments, the expiration time can go up and down with the count as events are added and dropped.

OpenVMS deliberately makes this chaotic so that even people who know the algorithm cannot predict when the effect of an intrusion detection will expire. The best they can do is assume worst case.
A crucible of informative mistakes
John Gillings
Honored Contributor

Re: expiration time of INTRUDER

Curious... this thread is marked with a magic rabbit, but there are no points assigned.
A crucible of informative mistakes
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

John,
it's funny, hehe~

But I find something confusing, so I'm reopening this topic.

You said that the expiration time is 0.5 - 1.5 times the TMO,
but in this example the TMO is about 40 mins
(sh time = 15:49:21),
so 0.5 * 40 = 20 mins (min); 1.5 * 40 = 60 mins (max).
Why does it go up and down by only some seconds?

TERMINAL INTRUDER   Count: 8    Expiration: 16:17:13
TERMINAL INTRUDER   Count: 12   Expiration: 16:16:55
TERMINAL INTRUDER   Count: 13   Expiration: 16:18:11

Could you help explain it for me?
Mike Reznak
Trusted Contributor

Re: expiration time of INTRUDER

Hi
Just to make it a bit more clear.

LGI_BRK_TMO

LGI_BRK_TMO specifies the length of the failure monitoring
period. This time increment is added to the suspect's expiration
time each time a login failure occurs. Once the expiration period
passes, prior failures are discarded, and the suspect is given a
clean slate.

LGI_BRK_TMO is a DYNAMIC parameter.


LGI_BRK_LIM

LGI_BRK_LIM specifies the number of failures that can occur at
login time before the system takes action against a possible
break-in. The count of failures applies independently to login
attempts by each user name, terminal, and node. Whenever login
attempts from any of these sources reach the break-in limit
specified by LGI_BRK_LIM, the system assumes it is under attack
and initiates evasive action as specified by the LGI_HID_TIM
parameter.

The minimum value is 1. The default value is usually adequate.

LGI_BRK_LIM is a DYNAMIC parameter.

Mike
...and I think to myself, what a wonderful world ;o)
Mike Reznak
Trusted Contributor

Re: expiration time of INTRUDER

I forgot to insert the third one...

LGI_HID_TIM

LGI_HID_TIM specifies the number of seconds that evasive action
persists following the detection of a possible break-in attempt.
The system refuses to allow any logins during this period, even
if a valid user name and password are specified.

LGI_HID_TIM is a DYNAMIC parameter.

All that help you can find in

$ mc sysman help Sys_Parameters

Mike
...and I think to myself, what a wonderful world ;o)
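The sliding-window behaviour John Gillings describes above, together with the three parameters Mike quotes, as a small simulation. This is an added illustration, not code from the thread and not OpenVMS source: it is one reading of John's description (every failure adds a random increment of 0.5 to 1.5 times LGI_BRK_TMO, increments older than LGI_BRK_TMO fall out of the window, the expiration is the newest failure time plus the increments still in the window, and the count is cumulative since the record was created). The LGI_HID_TIM value is assumed, and the model does not try to reproduce the exact times in the original post; its point is that the count can rise while the expiration falls, and that only the worst case is predictable.

```python
"""Toy model of the break-in record behaviour discussed in this thread.

Added illustration, not OpenVMS source. Assumptions: increments are drawn
from [0.5, 1.5] * LGI_BRK_TMO, events older than LGI_BRK_TMO leave a sliding
window, expiration = newest failure time + live increments, and the count is
cumulative for the life of the record.
"""
import random
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Optional, Tuple

# Values the original poster reported (in seconds); LGI_HID_TIM is assumed.
LGI_BRK_LIM = 6
LGI_BRK_TMO = 30 * 60
LGI_HID_TIM = 5 * 60


@dataclass
class Suspect:
    """Break-in record for one source (user name, terminal or node)."""
    events: Deque[Tuple[int, int]] = field(default_factory=deque)  # (time, increment)
    count: int = 0                     # failures since the record was created
    expiration: int = 0                # record is discarded after this time
    intruder_until: Optional[int] = None

    def reset(self) -> None:
        self.events.clear()
        self.count = 0
        self.expiration = 0
        self.intruder_until = None


def is_intruder(rec: Suspect, now: int) -> bool:
    """True while evasive action (LGI_HID_TIM) is in force for this source."""
    return rec.intruder_until is not None and now < rec.intruder_until


def record_failure(rec: Suspect, now: int, increment: int,
                   tmo: int = LGI_BRK_TMO, lim: int = LGI_BRK_LIM,
                   hid: int = LGI_HID_TIM) -> Tuple[int, int]:
    """Apply one login failure at time `now`; return (count, expiration)."""
    if rec.events and now > rec.expiration and not is_intruder(rec, now):
        rec.reset()                          # expired: clean slate
    while rec.events and now - rec.events[0][0] > tmo:
        rec.events.popleft()                 # slide the window forward
    rec.events.append((now, increment))
    rec.count += 1
    rec.expiration = now + sum(inc for _, inc in rec.events)
    if rec.count >= lim and rec.intruder_until is None:
        rec.intruder_until = now + hid       # break-in detected: start hiding
    return rec.count, rec.expiration


def worst_case_expiration(rec: Suspect, tmo: int = LGI_BRK_TMO) -> int:
    """Bound an attacker can rely on: every live increment at 1.5 * TMO."""
    if not rec.events:
        return 0
    newest = rec.events[-1][0]
    return newest + int(1.5 * tmo) * len(rec.events)


def random_increment(rng: random.Random, tmo: int = LGI_BRK_TMO) -> int:
    """Random increment between 0.5 and 1.5 times LGI_BRK_TMO (inclusive)."""
    return rng.randint(tmo // 2, tmo + tmo // 2)


def demo(seed: int = 1) -> None:
    """Replay a burst of failures and print count/expiration as the thread does."""
    rng = random.Random(seed)
    base = datetime(2000, 1, 1, 15, 49, 21)  # clock value shown in the thread
    rec = Suspect()
    now = 0
    for _ in range(13):
        now += rng.randint(5, 400)           # constructed failure timings
        count, exp = record_failure(rec, now, random_increment(rng))
        print(f"TERMINAL INTRUDER  Count: {count:2d}  "
              f"Expiration: {(base + timedelta(seconds=exp)).time()}  "
              f"hiding: {is_intruder(rec, now)}")


if __name__ == "__main__":
    demo()
```

Run it a few times with different seeds and watch the expiration column: it moves in both directions while the count only climbs, because each new failure adds its own increment but also pushes older, possibly larger, increments out of the window. The only quantity that does not move is what `worst_case_expiration` returns, which is why John's advice is to plan for the worst case rather than the displayed time.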
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

Hi all, thanks for your replies.
But I still cannot make it out.
Please let me show my question more clearly.

I know that there are 3 parameters:
LGI_BRK_LIM is for the break-in count (here = 6)
LGI_BRK_TMO is for SUSPECT status (here = 30 mins)
LGI_HID_TIM is for INTRUDER status (this is where I found the question)

The following is my testing data:
$ sh time
15:49:21
$ (try failed logins 8 times)
Count: 8   Expiration: 16:17:13
$ (keep trying)
Count: 12  Expiration: 16:16:55
Count: 13  Expiration: 16:18:11


My question is why the expiration time decreased when the count increased from 8 to 12...
As Mike said, "LGI_HID_TIM is a DYNAMIC parameter."
But if that's true, what's the exact scope of this "dynamic"?

thanks ! :)
Ian Miller.
Honored Contributor

Re: expiration time of INTRUDER

Dynamic means that the system parameter can be changed and the updated value becomes effective without rebooting the system.
____________________
Purely Personal Opinion
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

But how does it change?
I think there should be a rule to it...

I'm looking for it :)
Ian Miller.
Honored Contributor

Re: expiration time of INTRUDER

"why the expiration time decreased when the count increased from 8 to 12..."

I think John G's explanation covers how this can happen.

____________________
Purely Personal Opinion