Host Intrusion Detection System Administrator's Guide Release 3.0
Templates and Alerts
Buffer Overflow Template
Appendix A
135
How this template is configured
This template supports the following properties:
• Property: priv_uid_list
A list of system-level user IDs.
This list should contain those users that are considered to have elevated access to
the system. Only programs that run with an effective user ID equal to one of the
listed integers will be monitored for the use of unusually long arguments or
arguments with non-printable characters. In general, the user IDs of other
privileged accounts (e.g., Webmaster, News Administrator, etc.) should be added and
none of the default UIDs should be removed.
• Property: unusual_arg_len
An integer value giving the argument length that is considered unusually long.
Set this property to the argument length that is considered unusually long for
privileged setuid executables run on the system; an argument longer than this might
indicate a buffer overflow attack.
• Property: pathnames_to_not_watch
Pathnames of programs that can be safely ignored.
Any buffer overflow alert for a program whose pathname is matched by a regular
expression in this property will be filtered out and not reported.
Table A-2 Template Properties
Name                    Type   Default Value
priv_uid_list           III    0|1|2|3|4|5|9|11
unusual_arg_len         VIII   500
pathnames_to_not_watch  I      <empty>
Alerts generated by this template
• “Execute on Stack” on page 135
• “Unusual Argument Length” on page 137
• “Argument with Non-printable Character” on page 138
Execute on Stack
This template generates and forwards the following alert to a response program when an
execute-on-stack condition is detected by the HP-UX 11i kernel:
Table A-3 Execute on Stack Alert Properties
Response Program Argument  Alert Field    Alert Field Type  Alert Value/Format  Description
argv[1]                    Template code  Integer           0                   Unique code assigned to the template
argv[2]                    Version        Integer           2                   Version of the template
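The monitoring rules described for this template, as an added example that is not code from the HIDS product: a small Python model of the two argument-based checks (privileged-UID gating via priv_uid_list, pathnames_to_not_watch filtering, the unusual_arg_len threshold and non-printable detection) using the Table A-2 defaults, plus the two response-program arguments listed in Table A-3. The Execute on Stack alert is raised by the kernel and is not modelled; the exclusion regex, the event record shape and the 7-bit ASCII definition of "printable" are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Defaults from Table A-2 (priv_uid_list and unusual_arg_len). The exclusion
# regex for pathnames_to_not_watch is a constructed value, not a product default.
PRIV_UID_LIST = {0, 1, 2, 3, 4, 5, 9, 11}
UNUSUAL_ARG_LEN = 500
PATHNAMES_TO_NOT_WATCH = [re.compile(r"^/opt/example/bin/bulk_loader$")]

# From Table A-3: argv[1] is the template code (0) and argv[2] the template
# version (2); the remaining response-program arguments are not on this page.
RESPONSE_ARGV_PREFIX = ["0", "2"]


@dataclass
class ExecEvent:
    """One program execution as the template would see it (assumed shape)."""
    pathname: str
    euid: int
    args: List[str]  # arguments passed to the program, excluding argv[0]


def has_non_printable(arg: str) -> bool:
    # Assumption: "printable" means 7-bit ASCII 0x20..0x7E.
    return any(not (0x20 <= ord(ch) <= 0x7E) for ch in arg)


def evaluate(event: ExecEvent) -> List[str]:
    """Return the names of the argument-based alerts this event would raise."""
    # Only programs running with a privileged effective UID are monitored.
    if event.euid not in PRIV_UID_LIST:
        return []
    # Alerts for excluded pathnames are filtered out and never reported.
    if any(rx.search(event.pathname) for rx in PATHNAMES_TO_NOT_WATCH):
        return []
    alerts = []
    if any(len(a) > UNUSUAL_ARG_LEN for a in event.args):
        alerts.append("Unusual Argument Length")
    if any(has_non_printable(a) for a in event.args):
        alerts.append("Argument with Non-printable Character")
    return alerts


if __name__ == "__main__":
    # Constructed sample event: a privileged program given a 600-byte argument.
    sample = ExecEvent("/usr/bin/passwd", 0, ["-r", "A" * 600])
    print(RESPONSE_ARGV_PREFIX, evaluate(sample))
```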