Host Intrusion Detection System Administrator's Guide Release 3.0
Templates and Alerts
Template Property Types
Appendix A
130
Type II: Pathnames/Programs Pairs
These properties allow users to specify combinations of file pathnames and program
pathnames, such that alerts normally generated for files (i.e., regular files, directories,
etc.) specified in the "Pathnames to be monitored" property are suppressed when the
file(s) are modified by selected program(s).
Note that pathnames and programs are specified as regular expressions just as
pathnames_to_[not]_watch are specified. See the default property settings for the
kernel templates for examples of pathnames/programs pair specifications.
Pathnames/programs properties come in pairs. There can be n > 0 such pairs in a
configuration file. For each member of a pair, its property values consist of a set of m > 0
lists. For the pathname member of a pair, each property value consists of a list of p > 0
regular expressions separated by ampersand (&) characters, whereas for its matching
program member, each property value is a list of q > 0 regular expressions.
In general, p ≠ q. An example of a valid property pair would be as follows:
pathnames_1 | f1 & f2 | f3 & f4 & f5 | f6
programs_1 | p1 & p2 & p3 | p3 & p4 | p5
With these two lines, an alert is not generated for file f1 if the event was triggered by any
of the p1, p2 or p3 programs; likewise, f2 is not monitored if the event was triggered by
any of p1, p2 or p3. Analogously, an alert is suppressed for f3, f4, and f5 if the alert is
triggered by program p3 or p4.
NOTE The pair pathnames_0/programs_0 is a special case where alerts for files specified in
pathnames_0 will not be generated when the corresponding programs in programs_0 or
any of the program’s child processes or grandchild processes triggers the alert. For
example, for the Modification of Files/Directories template, if pathnames_0 contains
^/opt/ to specify the /opt directory and programs_0 contains /usr/sbin/swinstall,
then alerts normally generated for modifications to files under /opt are suppressed when
the files are modified by either swinstall or any of its child processes (e.g., control
scripts) or grandchild processes (e.g., commands invoked in a control script).
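The following is an added example, not code from the guide or the HIDS product: it parses pathnames_n/programs_n pairs written in the format above and evaluates the suppression rule described for ordinary pairs and for the special pair 0 (which also honours child and grandchild processes). The configuration lines and regular expressions are constructed for illustration, not the product's shipped defaults.

```python
import re

# Constructed sample in the guide's "property | list | list" format; the regexes
# are illustrative assumptions, not the product's shipped defaults.
SAMPLE_CONFIG = """
pathnames_0 | ^/opt/
programs_0 | ^/usr/sbin/swinstall$
pathnames_1 | ^/etc/passwd$ & ^/etc/group$ | ^/var/log/
programs_1 | ^/usr/sbin/useradd$ & ^/usr/sbin/groupadd$ | ^/usr/sbin/syslogd$
"""

def parse_pairs(text):
    """Map pair index n -> list of (path_regexes, program_regexes) tuples."""
    props = {}
    for line in text.strip().splitlines():
        name, _, rest = line.partition("|")
        # '|' separates the m lists, '&' separates the regexes inside one list
        props[name.strip()] = [[r.strip() for r in lst.split("&")] for lst in rest.split("|")]
    pairs = {}
    for name, path_lists in props.items():
        m = re.fullmatch(r"pathnames_(\d+)", name)
        if not m:
            continue
        n = int(m.group(1))
        prog_lists = props.get(f"programs_{n}")
        if prog_lists is None or len(prog_lists) != len(path_lists):
            raise ValueError(f"pair {n}: pathnames/programs lists do not line up")
        pairs[n] = list(zip(path_lists, prog_lists))
    return pairs

def _any_match(regexes, value):
    return any(re.search(r, value) for r in regexes)

def alert_suppressed(pairs, path, program, ancestors=()):
    """True when an alert for `path` modified by `program` is suppressed.

    `ancestors` is (parent, grandparent, ...) of the modifying process; only
    pair 0 honours it, per the NOTE on pathnames_0/programs_0, and only two
    levels deep (child and grandchild of the listed program).
    """
    for n, lists in pairs.items():
        candidates = (program,) + (tuple(ancestors[:2]) if n == 0 else ())
        for path_res, prog_res in lists:
            if _any_match(path_res, path) and any(_any_match(prog_res, c) for c in candidates):
                return True
    return False

PAIRS = parse_pairs(SAMPLE_CONFIG)
```

A modification of /etc/passwd by useradd is suppressed, but the same file touched by syslogd (listed only against /var/log/) still alerts; under pair 0, a file in /opt written by a command two levels below swinstall is suppressed, while three levels below is not.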
• A set of two lines like:
1. pathnames_1 | f1 & f2
   programs_1 | p1 & p2 & p3
is equivalent to the set of four lines:
2. pathnames_1 | f1
   programs_1 | p1 & p2 & p3
   pathnames_2 | f2
   programs_2 | p1 & p2 & p3
or to the set of six lines:
3.