
Re: IDS/9000 idscor, idsagent, idssysdsp performance

Dave van Nierop
Advisor

IDS/9000 idscor, idsagent, idssysdsp performance

I have implemented IDS/9000 v2.1 (B.02.01.32) on several 11i systems. When the idsagent startup script is launched, I noticed in top that the idscore (especially), idsagent and idssysdsp processes occupy a high CPU load average (see snip below).

I checked the security forum for previous posts on performance and can only find Pierre's mention of checking executable files located in /opt/ids/response. The only executables in that directory are:
-r-x------ 1 ids ids 16384 Mar 22 2002 ids_alertResponse
-r-x------ 1 ids ids 573 Aug 23 2001 send_alert_to_vpo.sh

Anybody have any ideas?
Rainer von Bongartz
Honored Contributor

Re: IDS/9000 idscor, idsagent, idssysdsp performance

You mean something like this ???

3 ? 22555 ids 241 20 27680K 14000K run 87:05 95.14 94.98 idscor
1 ? 23806 root 154 20 11548K 6044K sleep 11830:32 14.15 14.12 oninit
1 ? 22556 ids 168 20 13044K 208K sleep 5:15 4.52 4.51 idssysdsp
2 ? 22397 ids 152 20 14168K 10716K run 4:40 3.87 3.86 idsagent

The files in /opt/ids/response have nothing to do with performance. These are just executables that are triggered in case of level 1 alerts.

Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Joanne Keegan
Regular Advisor

Re: IDS/9000 idscor, idsagent, idssysdsp performance

Hi,

There are some notes within the documentation supplied with IDS/9000 concerning performance-related issues. If my memory serves me right, turning off security options within the templates will help the situation.

I did turn the suggested options off, but found that inherently the idsagent continues to use a lot of resources. If I find the notes that I'm talking about, I'll post another reply.

Regards,

Joanne
Chris Wong
Trusted Contributor

Re: IDS/9000 idscor, idsagent, idssysdsp performance

Checking for buffer overflows seems to use a lot of resources. Instead of monitoring for this, use the executable_stack setting in the kernel to not allow them (after setting it to warn first to make sure none of your needed apps will fail). The other advanced feature, searching for race conditions, also uses more resources. This isn't as easily protected against, but making sure that SUID programs are properly patched and users can't create their own (use mount option -nosuid) will help.

- Chris
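The two kernel-side controls Chris describes, executable_stack and the nosuid mount option, are things an administrator can audit before trusting them as a substitute for IDS/9000 template checks. The script below is an added example, not code from the thread or from HP's IDS/9000 product. It assumes HP-UX 11i reports the tunable through `kmtune -q executable_stack` (output format assumed as the parameter name followed by its value, with 0 = allow, 1 = deny, 2 = warn) and lists filesystems in /etc/fstab with options in the fourth field. Both inputs are constructed sample text here so the audit logic runs anywhere; on a real host you would feed it the actual command output and fstab.

```shell
#!/bin/sh
# Added example: audit executable_stack and nosuid coverage (not from the thread).
# Constructed sample of `kmtune -q executable_stack` output (assumed format).
SAMPLE_KMTUNE='executable_stack             2'

# Constructed /etc/fstab sample: /home and /var are user-writable but lack nosuid.
SAMPLE_FSTAB='/dev/vg00/lvol3 / vxfs delaylog 0 1
/dev/vg00/lvol4 /home vxfs delaylog 0 2
/dev/vg00/lvol5 /tmp vxfs delaylog,nosuid 0 2
/dev/vg00/lvol6 /var vxfs delaylog 0 2'

# Map the executable_stack value to a mode word.
# 0 = stack execution allowed (no protection), 1 = deny, 2 = warn-only (log and allow).
exec_stack_mode() {
    val=$(printf '%s\n' "$1" | awk '$1 == "executable_stack" { print $2 }')
    case "$val" in
        1) echo deny ;;
        2) echo warn ;;
        *) echo allow ;;
    esac
}

# Print each mount point (from the list given after the fstab text) whose
# fstab options field does not contain nosuid, one per line.
suid_gaps() {
    fstab=$1
    shift
    printf '%s\n' "$fstab" | awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) check[w[i]] = 1 }
        $2 in check {
            m = split($4, o, ",")
            has = 0
            for (i = 1; i <= m; i++) if (o[i] == "nosuid") has = 1
            if (!has) print $2
        }'
}

# Stand-alone report over the constructed samples. Directories where
# ordinary users can write are the ones that matter for -nosuid.
report() {
    mode=$(exec_stack_mode "$SAMPLE_KMTUNE")
    echo "executable_stack mode: $mode"
    if [ "$mode" != deny ]; then
        echo "  -> stack execution not denied; set to 1 once warn mode shows no app breakage"
    fi
    gaps=$(suid_gaps "$SAMPLE_FSTAB" /home /tmp /var)
    if [ -n "$gaps" ]; then
        echo "user-writable filesystems mounted without nosuid:"
        printf '  %s\n' $gaps
    else
        echo "all user-writable filesystems carry nosuid"
    fi
}

report
```

With the constructed input the report flags warn mode (value 2) and the two filesystems missing nosuid; swapping the two sample variables for the real `kmtune -q executable_stack` output and the contents of /etc/fstab turns it into a host check.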