HPE Community
Operating System - HP-UX
1834480 Members
3418 Online
110067 Solutions
New Discussion

HIDS problem

 
Rene Mendez_4
Super Advisor

‎10-27-2004 04:09 AM

‎10-27-2004 04:09 AM

HIDS problem

Hi have many problems with IDS 9000 version 2.2 when download new version the HIDS.

Problem with:
Message KernelDSP:idskerndsp
Now no audit login (this is configured)
Problem with performance the idscor.

Regards.
Rene
0 Kudos
Reply
5 REPLIES 5
Pierre Pasturel
Respected Contributor

‎10-27-2004 06:44 AM

‎10-27-2004 06:44 AM

Re: HIDS problem

Rene -

I will need more details about the problem
with the kernel dsp and with no "audit login." Please provide any error messages you are observing, details about your schedule, expected vs actual behavior, etc....

As far as performance, this is being addressed in the upcoming V3.0 release due out before the end of the year.

Pierre
0 Kudos
Reply
Rene Mendez_4
Super Advisor

‎10-28-2004 07:47 AM

‎10-28-2004 07:47 AM

Re: HIDS problem

Hello thanks for you response

I send top in this show idsagent use all processor.

In manager present error:
1%Tue Oct 19 10:22:51 2004%10002%KernelDSP:idskerndsp: Dropping audit records due to heavy load. First notice.
1%Tue Oct 19 10:23:03 2004%10002%KernelDSP:idskerndsp: No longer dropping audit records.

I send the configurations.

Regards
Rene
0 Kudos
Reply
Gratien D'haese_2
Advisor

‎10-29-2004 01:11 AM

‎10-29-2004 01:11 AM

Re: HIDS problem

Did you activate the templates "race condition attacks" and "buffer overflow attacks"? If yes, then try to de-activate those and watch how the CPU behaves?

Another reason could be the use of "blocking mode" (IDDS_MODE 2 set by default). If the problem persists set IDDS_MODE to 3 in the /etc/opt/ids/ids.cf file.

Gratien

PS: HIDS A.03 will address this problem according HP (cfr. Pierre Pasturel who follows this forum for HIDS & HP).
0 Kudos
Reply
Dennis E. James
Advisor

‎10-29-2004 02:22 AM

‎10-29-2004 02:22 AM

Re: HIDS problem

Just curious any idea when HIDS A3.0 will be available.
0 Kudos
Reply
Pierre Pasturel
Respected Contributor

‎11-03-2004 07:13 AM

‎11-03-2004 07:13 AM

Re: HIDS problem

Rene-

These issues are addressed by V3.0, although under heavy load conditions, running the Race Condition template might still result in audit records being dropped by the idskerndsp.

V3.0 is due out before the end of the calendar year. I will post a notice on this forum when it is available on software.hp.com.

Pierre
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.