HPE Community
Operating System - HP-UX
1833780 Members
2315 Online
110063 Solutions
New Discussion

HIDS (Intrusion Detection) 4.0

 
Alzhy
Honored Contributor

‎02-23-2006 04:23 AM

‎02-23-2006 04:23 AM

HIDS (Intrusion Detection) 4.0

Okay.. I am impresed with the improvements (specially resource use and speed) with HIDS 4.0. In fact we might be adopting this as a standard very soon - as it is really efficient in tracking security related changes. I particularly like its abiiy to monitor filesystems and files for changes, etc..

Are there best practices documents out there for using HIDS 4.0? Also, those that have already used this (even older versions) - what experiences so far and practices have you implemented?

As we want to monitor the entire OS partitions - is their a best practice for managing HIDS whenever say patches are applied?

Thanks!
Hakuna Matata.
0 Kudos
Reply
2 REPLIES 2
John Payne_2
Honored Contributor

‎02-23-2006 05:45 AM

‎02-23-2006 05:45 AM

Re: HIDS (Intrusion Detection) 4.0

Nelson,

I am planning to look into adopting this in a couple of months when I get time. :) We also like what they are saying about the things they have added in version 4.

Please let me know your experiences rolling this out. (I would be also interested in any gotchas...)

Thanks

John
Spoon!!!!
0 Kudos
Reply
Pierre Pasturel
Respected Contributor

‎02-23-2006 08:00 PM

‎02-23-2006 08:00 PM

Re: HIDS (Intrusion Detection) 4.0

Nelson -

Thanks for the initial feedback. The resource and speed improvements were actually introduced with V3.0 back in December 2004.

The V4.0 Admin Guide on docs.hp.com (http://docs.hp.com/en/5991-5199/admin-guide.pdf) contains a Security Best Practices section in Chapter 5 starting on page 101.

V4.0 introduced Alert Aggregation to reduce alert volume and you will find some guidelines in Chapter 5 starting on page 112. Be sure, though, to read about Alert Aggregation starting on page 108. The large number of individual alerts that HIDS generated pre-V4.0 during a swinstall or swremove was a major complaint (and understandably so), and V4.0 addresses this with alert aggregation (see p.108). Alert Aggregation is not specific to alerts triggered by SD; it is a general and configurable method of aggregating all alerts triggered by the same process and/or related processes.

And if you are new to HIDS, I encourage you to read even more of the Admin Guide :)

We certainly welcome any feedback, whether it be the need for a more thorough best practice document, enhancements to current features, or suggestions for new features. We are currently considering several new features for the next few releases and we do take customer feedback into consideration.

Pierre

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.