
HIDS enhancements

Michael Tully
Honored Contributor

HIDS enhancements

Hi,

We are currently evaluating the HIDS product. I am a little concerned about system performance and the time it takes to have things reported.
In the posting below, Pierre Pasturel (HP) mentioned that version 3 of the product will be available before the end of the year.
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=727910

I was wondering what list of enhancements and fixes are in the new version.
Anyone for a Mutiny ?
Rainer von Bongartz
Honored Contributor

Re: HIDS enhancements

Michael,

Here is a statement from Pierre from another post:

Here are the major improvements/enhancements in v3.0:

- Significant performance (throughput and CPU utilization) and scalability improvements.
- New template property syntax, full support of Unix regular expressions, and almost complete reduction of "Unknown" program alerts for better alert filtering capabilities.
- Support of idsadmin command line tool that now supports a new option to automate the pushing of schedules to remote agents.
- A toolkit of conversion utilities to migrate customized v2.x surveillance schedules to the new v3.0 schedule format in order to preserve existing deployment efforts.

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Michael Tully
Honored Contributor

Re: HIDS enhancements

Excellent thanks Rainer!

I was also wanting to know what server requirements are needed to run this beast. I've browsed the release notes and there's not really anything in there that gives this info.

- amount of RAM
- server level (A class? L class?)

From what I've been shown by my colleague, I'll wait for V3.
There seem to be too many problems in its current form to place this beast into production.
Anyone for a Mutiny ?
Steven E. Protter
Exalted Contributor

Re: HIDS enhancements

Michael,

At Internet Security Class we did a full series of tests using D220 machines. I recall there was 512 MB of RAM. This was v2.1.

Fully configured to collect all data, the CPU was over 50% busy on the workstations that were configured as servers. We teamed up, one set up the client, the other set up the server.

What they recommended was that instead of trashing older hardware, take a workstation (maybe) or older server class box and make it a dedicated HIDS server.

While the response on the dedicated server was not great, the client boxes were able to function more or less normally. The overhead was not so bad.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Michael Tully
Honored Contributor

Re: HIDS enhancements

Hi SEP,

From the performance I see (A400, 1 GB RAM) the system is running 100% CPU ALL the time.

Mind you I did not set this up, but it certainly does not give me any warm and fuzzy feelings about rolling it out. There is nothing else on this system except for HIDS. At the moment I could not possibly approach my manager with a rollout plan until some of these performance issues are sorted.

In my previous posting, I should have included a question about how much grunt is required to run a client as well. Anyone got any ideas? I am looking at running somewhere in the vicinity of 30 clients.

Regards
Michael
Anyone for a Mutiny ?
Steven E. Protter
Exalted Contributor

Re: HIDS enhancements

I'm assuming that the level of data collection on the server is not under your control. I've played with this on L2000 boxes at work with 2 GB of RAM (now they have 8).

Both there and in class the performance of the server was substantially changed by what level of monitoring you set up.

Setting this up with 30 clients and maximum monitoring is going to eat up a lot of CPU and bandwidth.

If you can get a review of what is being monitored and make some intelligent choices as to what matters to your organization, it can be done. Back in 2002 I sat in class with a few Admins from larger shops. They had dozens of HP-UX HIDS (I think it was called IDS then) connected to a K class server being the HIDS monitor box.

It was 100% CPU but it did keep up. I talked with them after class and they fine tuned the monitoring.

If you throw enough CPU and memory at the problem, that will work too. I've been told by sources at HP, maybe Pierre, that v3 does solve some of the performance problems of earlier versions.

You're in for some fun. Please zero point this. I seem to like the way my words look when posted tonight. Hope I helped a bit.

Good Luck,

Steve
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Michael Tully
Honored Contributor

Re: HIDS enhancements

Hi SEP,

What I found out was that every single possible monitor was actually turned on ....

So I did the next best thing, turned everything off and selectively started turning things on. I now have a server that is running at less than 5% CPU. Now that I have it running in the manner that I should have expected in the first place, I'm going to turn on a few more monitors and deploy to a few more servers to see how it goes.

What was happening as well (before I turned the monitors off) was that many of the 'mock' alerts from me trying things were not getting logged at all.

Regards
Michael
(who looks like I'm learning HIDS whether I like it or not ;^)
Anyone for a Mutiny ?
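The tuning approach Michael ends up with (turn every monitor off, re-enable them one at a time, and watch what the agent costs in CPU) is easier to repeat across 30 clients if the measurement is scripted rather than eyeballed from top. The script below is an added example, not something from this thread or from HP's HIDS product: it samples the CPU share of all processes with a given name, then reports the average, the peak, and how many samples exceeded a threshold, so the same numbers can be compared before and after each monitor is switched on. The process name to watch, the sample count, the interval, and the 50% threshold are all assumptions passed in as arguments; it assumes a ps that understands -o pcpu and -o comm (on HP-UX that syntax needs UNIX95 set, which the script does).

```shell
#!/bin/sh
# Added example (not part of the original thread): measure the CPU cost of a
# monitored process before and after enabling a HIDS monitor.
# Usage: ./hids_cpu.sh PROCESS_NAME [SAMPLES] [INTERVAL_SECONDS] [THRESHOLD_PCT]
# The process name is an assumption: use whatever ps shows for the agent on
# your system.

# cpu_samples NAME COUNT INTERVAL
# Prints one line per sample: the summed %CPU of every process named NAME.
# UNIX95 is set so that HP-UX ps accepts the POSIX -o format syntax.
cpu_samples() {
    name=$1; count=$2; interval=$3
    i=0
    while [ "$i" -lt "$count" ]; do
        UNIX95=1 ps -e -o pcpu= -o comm= |
            awk -v n="$name" '$2 == n { s += $1 } END { printf "%.1f\n", s + 0 }'
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then
            sleep "$interval"
        fi
    done
}

# summarize THRESHOLD
# Reads one %CPU value per line on stdin and prints "AVG MAX OVER", where OVER
# is the number of samples strictly above THRESHOLD. Prints "0.0 0.0 0" for
# empty input so a missing process does not produce a divide-by-zero.
summarize() {
    threshold=$1
    awk -v t="$threshold" '
        { s += $1; n++; if ($1 > m) m = $1; if ($1 > t) o++ }
        END {
            if (n == 0) { print "0.0 0.0 0"; exit }
            printf "%.1f %.1f %d\n", s / n, m, o + 0
        }'
}

# verdict THRESHOLD SUMMARY_LINE
# Turns a summary line into a one-word result: "ok" when the average stays at
# or below THRESHOLD, "hot" otherwise. Useful as a pass/fail gate when
# re-running the measurement after each monitor is enabled.
verdict() {
    threshold=$1
    set -- $2
    awk -v a="$1" -v t="$threshold" 'BEGIN { print (a > t) ? "hot" : "ok" }'
}

# Only take live samples when a process name was given on the command line,
# so the functions above can be sourced and reused without side effects.
if [ $# -ge 1 ]; then
    summary=$(cpu_samples "$1" "${2:-10}" "${3:-5}" | summarize "${4:-50}")
    echo "avg/max/over-threshold: $summary"
    echo "verdict: $(verdict "${4:-50}" "$summary")"
fi
```

Run it once with the agent idle as a baseline, enable one monitor, run it again, and keep the pair of summary lines with the name of the monitor; the "over" count tells you whether a high average is a constant load or a few spikes, which is what decides whether a client box can still do its day job alongside the agent.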