Administrator's Guide
Templates and Alerts
Buffer Overflow Template
Appendix A
Table A-3 Execute on Stack Alert Properties (Continued)

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[3] | Severity | Integer | 1 | Critical Severity
argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when execute-on-stack was detected.
argv[5] | Attacker | String | “uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>” | The user ID, group ID, process ID, and parent process ID of the process that attempted to execute on its stack.
argv[6] | Target of Attack | String | “program=<full pathname>, mode=<mode>,uid=<uid>,gid=<gid>, inode=<inode>,device=<device>” | The full pathname of the program the attacker was running when attempting to execute off the stack, and the program’s mode, uid, gid, inode, and device number.
argv[7] | Summary | String | “Buffer overflow detected” | Alert summary
argv[8] | Details | String | “Buffer overflow detected by kernel for process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked with <args>” | Detailed alert description
argv[9] | Local Time | Integer | <secs> | Local time in number of seconds since epoch when execute-on-stack was detected.

NOTE Refer to Table B-1 in Appendix B for the definition of argv[10] through argv[32], which can be used to access specific alert information (i.e., pid, ppid) without having to parse the string alert fields above.
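A response program that parses the argv[3] through argv[9] fields described in Table A-3, added here as an example and not taken from the HP-UX HIDS documentation. The sample argument vector, the response program path and the alert values are constructed; argv[0] through argv[2] are placeholders because this page does not define them.

```python
import re
import sys
from datetime import datetime, timezone


def parse_kv_field(field):
    """Split a HIDS "key=value, key=value" alert field into a dict.

    The split happens only at commas followed by another "key=" token, so a
    program pathname in argv[6] that itself contains a comma stays intact.
    """
    field = field.strip().strip('"').strip('\u201c\u201d')
    out = {}
    for pair in re.split(r',\s*(?=\w+=)', field):
        key, _, value = pair.partition('=')
        out[key.strip()] = value.strip()
    return out


def parse_execute_on_stack_alert(argv):
    """argv is the response program's full argument vector (Table A-3 layout)."""
    if len(argv) < 10:
        raise ValueError("expected at least argv[0] through argv[9]")
    severity = int(argv[3])
    return {
        "severity": severity,
        "critical": severity == 1,          # Table A-3: severity 1 is Critical
        "utc_time": datetime.fromtimestamp(int(argv[4]), tz=timezone.utc),
        "attacker": {k: int(v) for k, v in parse_kv_field(argv[5]).items()},
        "target": parse_kv_field(argv[6]),  # program, mode, uid, gid, inode, device
        "summary": argv[7],
        "details": argv[8],
        "local_time": int(argv[9]),
    }


# Constructed sample alert (not a captured HIDS alert); argv[0..2] are placeholders.
SAMPLE_ARGV = [
    "/opt/ids/response/log_alert.py", "placeholder-1", "placeholder-2",
    "1", "1000000000",
    "uid=1001, gid=20, pid=4242, ppid=4100",
    "program=/usr/local/bin/demo,v2, mode=100755,uid=0,gid=3,inode=12345,device=64000",
    "Buffer overflow detected",
    "Buffer overflow detected by kernel for process with pid 4242 and ppid 4100 "
    "when executing /usr/local/bin/demo,v2 (type=file, inode=12345, device=64000), "
    "invoked with demo,v2 -f input",
    "999982000",
]

if __name__ == "__main__":
    alert = parse_execute_on_stack_alert(sys.argv if len(sys.argv) >= 10 else SAMPLE_ARGV)
    print(alert["utc_time"].isoformat(), alert["attacker"], alert["target"]["program"])
```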