HPE Community
Operating System - HP-UX
1830226 Members
1562 Online
109999 Solutions
New Discussion

Host Intrustion Detection (HIDS) memory usage.

 
SOLVED
Go to solution
Stephen Tanner
Occasional Advisor

‎02-16-2005 06:12 AM

‎02-16-2005 06:12 AM

Host Intrustion Detection (HIDS) memory usage.

I've noticed that the memory used by idscor gradually increases over time. I had scaled back the schedule to not include race detection or buffer overflow detection, which decreased memory utilization, but over two days I've seen a 40mb increase in memory utilization. Anyone have an idea of what may cause this?
0 Kudos
Reply
6 REPLIES 6
melvyn burnard
Honored Contributor

‎02-16-2005 07:12 AM

‎02-16-2005 07:12 AM

Solution

Re: Host Intrustion Detection (HIDS) memory usage.

Well you do not specify which version of HIDs or OS you are using, but this may be of interest:
PHKL_30588:

( SR:8606353439 CR:JAGaf14233 )
High kernel memory usage is sometimes observed when using HIDS.
This is an 11.11 patch
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
Reply
Stephen Tanner
Occasional Advisor

‎02-16-2005 07:33 AM

‎02-16-2005 07:33 AM

Re: Host Intrustion Detection (HIDS) memory usage.

HP-UX version is 11.11
Host IDS version is B.03.00.00
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎02-16-2005 07:44 AM

‎02-16-2005 07:44 AM

Re: Host Intrustion Detection (HIDS) memory usage.

There are patches to the OS that help with HIDS I believe.

This product has never been very low profile on memory usage. How much it uses depends on what you ask it to do.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
melvyn burnard
Honored Contributor

‎02-16-2005 07:45 AM

‎02-16-2005 07:45 AM

Re: Host Intrustion Detection (HIDS) memory usage.

I would suggest you investigate installing the patch if not already installed.
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
0 Kudos
Reply
Stephen Tanner
Occasional Advisor

‎02-16-2005 07:46 AM

‎02-16-2005 07:46 AM

Re: Host Intrustion Detection (HIDS) memory usage.

Thanks guys, I will do that.
0 Kudos
Reply
Pierre Pasturel
Respected Contributor

‎02-17-2005 08:51 AM

‎02-17-2005 08:51 AM

Re: Host Intrustion Detection (HIDS) memory usage.

Stephen -

The 11.11 patch will not impact idscor's memory usage (although I encourage you to install the patch to avoid the memory leak in the kernel). idscor will dynamically allocate more memory in order to handle a higher throughput of system call activity to monitor for intrusions.

idscor memory size starts at around 60Meg and can grow to around 200Meg. I would be concerned if idscor continues to chew up memory beyond 200Meg over a couple of weeks, in which case there might be a memory leak.

For performance reasons, we process all activity in memory (vs temporarily storing activity on disk) to monitor the system.

We can consider making the max memory usage of idscor configurable, with the understanding that this could hurt performance or result in missed intrusions.

Not running the race condition template will improve the memory usage, but the buffer overflow (BO) template is no longer CPU or memory resource intensive as it was prior to V3.0, so you can consider still running the BO template.

Pierre

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.