Host Intrusion Detection System Administrator's Guide Release 3.0
Appendix A  Templates and Alerts

Alert Summary
For each alert, Table A-1 lists the attack detected, the alert text, the alert severity, and the detection template that generates the alert.
Table A-1 Detection Templates

Attack detected: A process attempted to execute on its stack, perhaps as part of a stack buffer overflow attack
Alert: Buffer overflow detected
Alert severity: 1
Detection template: Buffer Overflow Template

Attack detected: Potential buffer overflow of a privileged program using an unusually long program argument and/or using an argument that contains a non-printable character
Alert: Potential buffer overflow detected
Alert severity: 1
Detection template: Buffer Overflow Template

Attack detected: A file reference for a privileged program was changed
Alert: File reference change
Alert severity: 1
Detection template: Race Condition Template

Attack detected: A privileged setuid script was executed via a symbolic link
Alert: Race condition attack
Alert severity: 1
Detection template: Race Condition Template

Attack detected: A privileged setuid script was executed, but not necessarily via a symbolic link
Alert: Potential Race Condition attack
Alert severity: 2
Detection template: Race Condition Template

Attack detected: A read-only file was truncated, deleted, or renamed
Alert: Filesystem modification or potential modification
Alert severity: 2
Detection template: Modification of Files/Directories Template

Attack detected: A read-only file's mode or ownership was modified, the file was created, or the file was opened for writing or appending
Alert: Filesystem modification or potential modification
Alert severity: 3
Detection template: Modification of Files/Directories Template

Attack detected: An append-only file was truncated, potentially truncated, deleted, renamed, or opened with write permission in non-append mode
Alert: Append-only file modified or potentially modified
Alert severity: 2
Detection template: Changes to Log File Template

Attack detected: A privileged setuid file was or was potentially created, or the setuid bit was turned on for a regular file owned by a privileged user, or the owner of a setuid file was changed from a non-privileged user to a privileged user
Alert: Setuid file created
Alert severity: 1
Detection template: Creation of Setuid File Template
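The three file-oriented template families in Table A-1 (Modification of Files/Directories, Changes to Log File, and Creation of Setuid File) reduce to checks on open(2) flags, permission bits and ownership transitions. The following Python is an added example written for this guide's readers; it is not HIDS code and does not read HIDS audit data. It assumes a constructed event format (a dict per system call), constructed read-only and append-only watch lists, and that uid 0 is the only privileged user. Alert text, severity numbers and template names are taken from the table as printed; the setuid rules are evaluated first so that a severity-1 condition is never masked by a lower-severity file-modification rule.

```python
import os
import stat

# Constructed watch lists; HIDS keeps these in its own template
# configuration, so this layout is an assumption for the example.
READ_ONLY_FILES = {"/etc/passwd", "/etc/inetd.conf"}
APPEND_ONLY_FILES = {"/var/adm/syslog/syslog.log"}
PRIVILEGED_UIDS = {0}          # assumption: root is the only privileged user

# Alert text, severity and template names as printed in Table A-1.
MOD_ALERT = "Filesystem modification or potential modification"
MOD_TEMPLATE = "Modification of Files/Directories Template"
LOG_ALERT = "Append-only file modified or potentially modified"
LOG_TEMPLATE = "Changes to Log File Template"
SETUID_ALERT = "Setuid file created"
SETUID_TEMPLATE = "Creation of Setuid File Template"


def opened_for_write(flags):
    """True when the open(2) access mode is O_WRONLY or O_RDWR."""
    return (flags & os.O_ACCMODE) in (os.O_WRONLY, os.O_RDWR)


def classify_event(ev):
    """Map one audit-style event to (alert, severity, template), or None.

    ev is a dict in a constructed format (not HIDS audit output) with keys:
      syscall   : "open" | "unlink" | "rename" | "chmod" | "chown"
      path      : target file
      uid       : calling user
      owner     : file owner before the call
      flags     : open(2) flags (open only)
      mode      : permission bits (open with O_CREAT, chmod, chown)
      new_owner : new owner (chown only)
      is_regular: True for a regular file (default True)
    """
    sc, path = ev["syscall"], ev["path"]
    flags, mode, owner = ev.get("flags", 0), ev.get("mode", 0), ev.get("owner")
    setuid = bool(mode & stat.S_ISUID)

    # Creation of Setuid File Template (severity 1) is checked first so it
    # is not masked by the lower-severity file-modification rules.
    if sc == "open" and flags & os.O_CREAT and setuid and ev.get("uid") in PRIVILEGED_UIDS:
        return (SETUID_ALERT, 1, SETUID_TEMPLATE)   # setuid file (potentially) created
    if sc == "chmod" and setuid and ev.get("is_regular", True) and owner in PRIVILEGED_UIDS:
        return (SETUID_ALERT, 1, SETUID_TEMPLATE)   # setuid bit turned on for a privileged owner's file
    if (sc == "chown" and setuid and owner not in PRIVILEGED_UIDS
            and ev.get("new_owner") in PRIVILEGED_UIDS):
        return (SETUID_ALERT, 1, SETUID_TEMPLATE)   # owner of a setuid file became privileged

    # Changes to Log File Template: append-only files (severity 2).
    if path in APPEND_ONLY_FILES:
        if sc in ("unlink", "rename"):
            return (LOG_ALERT, 2, LOG_TEMPLATE)
        if sc == "open" and (flags & os.O_TRUNC
                             or (opened_for_write(flags) and not flags & os.O_APPEND)):
            return (LOG_ALERT, 2, LOG_TEMPLATE)     # truncated, or write without O_APPEND
        return None                                  # append-mode writes are the normal case

    # Modification of Files/Directories Template: read-only files.
    if path in READ_ONLY_FILES:
        if sc in ("unlink", "rename") or (sc == "open" and flags & os.O_TRUNC):
            return (MOD_ALERT, 2, MOD_TEMPLATE)      # truncated, deleted or renamed
        if sc in ("chmod", "chown") or (sc == "open"
                                         and (flags & os.O_CREAT or opened_for_write(flags))):
            return (MOD_ALERT, 3, MOD_TEMPLATE)      # mode/owner changed, created, or opened for writing
    return None


# Constructed sample events, one per rule family (not captured audit data).
SAMPLE_EVENTS = [
    {"syscall": "open", "path": "/etc/passwd", "uid": 1001, "owner": 0,
     "flags": os.O_WRONLY | os.O_TRUNC},
    {"syscall": "open", "path": "/var/adm/syslog/syslog.log", "uid": 0, "owner": 0,
     "flags": os.O_WRONLY},
    {"syscall": "open", "path": "/var/adm/syslog/syslog.log", "uid": 0, "owner": 0,
     "flags": os.O_WRONLY | os.O_APPEND},
    {"syscall": "chmod", "path": "/tmp/sh", "uid": 0, "owner": 0, "mode": 0o4755},
    {"syscall": "chown", "path": "/home/bob/tool", "uid": 0, "owner": 1001,
     "new_owner": 0, "mode": 0o4755},
    {"syscall": "chmod", "path": "/etc/inetd.conf", "uid": 0, "owner": 0, "mode": 0o666},
]


def severities(events):
    """Severity of each event's alert, None where no template fires."""
    return [r[1] if r else None for r in (classify_event(e) for e in events)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["syscall"], ev["path"], "->", classify_event(ev))
```

Two points are worth noting when reading the output. An append-only log opened with O_WRONLY but without O_APPEND raises the severity-2 log alert even though nothing has been overwritten yet, which is why the table calls the alert "modified or potentially modified"; and the setuid rules fire on the ownership transition or the mode bit itself, not on the path, so a file outside both watch lists can still produce a severity-1 alert.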