HIDS 9000 v2.2

David_711
Frequent Advisor

Can somebody help me with information about the specific role of the idscor and idssysdsp processes and the idsagent.pid file?

Thanks a lot.

David
Olivier Decorse
Respected Contributor

Re: HIDS 9000 v2.2

Hi David,

idscor stands for IDS Correlation Engine (subprocess): HP-UX HIDS uses a correlation process that takes data from system data sources and determines whether an alert should be issued.

idssysdsp: DSP (Data Source Process): HP-UX HIDS provides a way of observing what people are doing on your systems and networks. This is accomplished through a set of data gathering modules that gather and format information from data sources at various points within the system.

idsagent.pid certainly contains the PID (process identifier) of the idsagent.

Olivier.

PS : Don't forget to assign points, if any response helps you !
They say "install windows 2k, xp or better", so I install unix!
David_711
Frequent Advisor

Re: HIDS 9000 v2.2

And the idskerndsp?

Thanks
David
Pierre Pasturel
Respected Contributor

Re: HIDS 9000 v2.2

The idssysdsp monitors btmp(s)/wtmp(s) for failed and successful logins, and monitors sulog for failed and successful su attempts.

The idskerndsp gathers system call audit records from the kernel to monitor for file system modifications, race conditions, buffer overflows, etc.

Both dsps send their events/records to idscor to correlate them and produce alerts according to each detection template's heuristics.

A general discussion of the major components of HIDS is in the Admin Guide (Chapter 1) available on docs.hp.com.

We will be coming out with HIDS v3.0 in the near future. V3.0 will have greatly improved performance and scalability as well as more powerful alert filtering capabilities.

Pierre
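To make the division of labour in the two answers above concrete (a data source process normalises raw records, idscor correlates them against template heuristics), here is an added toy model in Python. It is not HIDS code and the class and function names (parse_sulog, login_events, Correlator, run_demo) are illustrative only. It assumes the HP-UX sulog text format "SU MM/DD HH:MM +|- tty from-to"; since btmp/wtmp are binary utmp files, login records are fed in as already-decoded tuples. All sample log lines and records are constructed.

```python
"""Toy model of the HIDS pipeline: two data-source stages feed one correlator.

Constructed example; the names here are illustrative and are not HIDS APIs.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str    # which DSP produced the event (here always the sysdsp stand-in)
    kind: str      # "login" or "su"
    user: str      # originating user
    target: str    # target account for su, tty for login
    success: bool


# Assumed sulog line layout: "SU MM/DD HH:MM +|- tty fromuser-touser"
SULOG_RE = re.compile(r"^SU (\d\d)/(\d\d) (\d\d):(\d\d) ([+-]) (\S+) (\S+)-(\S+)$")


def parse_sulog(lines, year=2003):
    """Stand-in for the sulog part of idssysdsp: text lines -> Event objects."""
    events = []
    for line in lines:
        m = SULOG_RE.match(line.strip())
        if not m:
            continue  # a malformed line must not stop the data source process
        mo, d, h, mi, flag, tty, src, dst = m.groups()
        ts = datetime(year, int(mo), int(d), int(h), int(mi))
        events.append(Event(ts, "idssysdsp", "su", src, dst, flag == "+"))
    return events


def login_events(records):
    """Stand-in for the btmp/wtmp part of idssysdsp.

    btmp holds failed logins and wtmp successful ones; both are binary utmp
    files, so this takes already-decoded (timestamp, user, tty, success) tuples.
    """
    return [Event(ts, "idssysdsp", "login", user, tty, ok) for ts, user, tty, ok in records]


class Correlator:
    """Stand-in for idscor: two small detection-template heuristics."""

    def __init__(self, fail_threshold=3, window=timedelta(minutes=5)):
        self.fail_threshold = fail_threshold
        self.window = window

    def correlate(self, events):
        alerts = []
        failures = defaultdict(deque)  # user -> timestamps of recent failures
        for ev in sorted(events, key=lambda e: e.ts):
            if not ev.success:
                q = failures[ev.user]
                q.append(ev.ts)
                while q and ev.ts - q[0] > self.window:
                    q.popleft()  # drop failures that fell out of the window
                if len(q) >= self.fail_threshold:
                    alerts.append((ev.ts, "repeated-failures", ev.user, len(q)))
                    q.clear()  # re-arm the template for this user
            elif ev.kind == "su" and ev.target == "root" and failures.get(ev.user):
                # Template: successful su to root after recent failures by the same user
                alerts.append((ev.ts, "su-root-after-failures", ev.user, len(failures[ev.user])))
        return alerts


# Constructed sample data (not from any real system)
SAMPLE_SULOG = [
    "SU 03/15 10:01 - ttyp1 david-root",
    "SU 03/15 10:02 - ttyp1 david-root",
    "SU 03/15 10:03 + ttyp1 david-root",
    "SU 03/15 11:30 + ttyp2 olivier-root",
    "this line is deliberately malformed",
]
SAMPLE_LOGINS = [
    (datetime(2003, 3, 15, 9, 0), "guest", "ttyp3", False),
    (datetime(2003, 3, 15, 9, 1), "guest", "ttyp3", False),
    (datetime(2003, 3, 15, 9, 2), "guest", "ttyp3", False),
    (datetime(2003, 3, 15, 9, 10), "olivier", "ttyp2", True),
]


def run_demo():
    """Feed both data sources into the correlator and return its alerts."""
    events = parse_sulog(SAMPLE_SULOG) + login_events(SAMPLE_LOGINS)
    return Correlator().correlate(events)


if __name__ == "__main__":
    for ts, template, user, count in run_demo():
        print(f"{ts:%m/%d %H:%M} ALERT {template} user={user} failures={count}")
```

The two sources never decide anything themselves; they only emit normalised events, and every alert is produced by the correlator's templates, which is the split between idssysdsp/idskerndsp and idscor described above.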