Host Intrusion Detection System Administrator's Guide Release 3.0
Templates and Alerts
Buffer Overflow Template
Appendix A
137
Unusual Argument Length
This template generates and forwards the following alert to a response program when a privileged setuid program was invoked with an argument whose length is equal to or greater than the unusual_arg_len property value:
Table A-4 Unusual Argument Length Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 0 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |
| argv[3] | Severity | Integer | 1 | Critical severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when a privileged setuid program was run with an unusual argument length |
| argv[5] | Attacker | String | "uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>" | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an unusually long argument length |
| argv[6] | Target of Attack | String | "file=<full pathname>, mode=<mode>,uid=<uid>,gid=<gid>, inode=<inode>,device=<device>" | The full pathname of the setuid program the attacker executed with an unusually long argument length and the program's mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | "Potential Buffer overflow detected." | Alert summary |
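As an added example (not part of this guide or of the HIDS product), here is a response program that parses the argv vector of this alert into a structured record, assuming the seven fields arrive as the plain strings shown in Table A-4 without the surrounding quotation marks. It splits the Attacker and Target fields only at commas that introduce a known key, so a pathname that contains a comma is not cut apart.

```python
import re
import sys
from datetime import datetime, timezone

TEMPLATE_CODE, TEMPLATE_VERSION = 0, 2   # fixed values from Table A-4

# Split "k=v, k=v,k=v" only at commas that introduce a known key, so a
# pathname that itself contains a comma is not cut in half (a pathname
# containing the text ",uid=" would still confuse this; see the usage note).
_KEYS = ("mode", "uid", "gid", "inode", "device", "pid", "ppid")
_SPLIT = re.compile(r",\s*(?=(?:%s)=)" % "|".join(_KEYS))

def parse_fields(text):
    """'uid=0, gid=3' -> {'uid': 0, 'gid': 3}; file and mode stay strings."""
    fields = {}
    for part in _SPLIT.split(text.strip()):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed field: %r" % part)
        key = key.strip()
        fields[key] = int(value) if key not in ("file", "mode") and value.isdigit() else value
    return fields

def parse_alert(argv):
    """argv[1..7] are the alert fields of Table A-4; argv[0] is the response program."""
    if len(argv) < 8:
        raise ValueError("expected 7 alert arguments, got %d" % (len(argv) - 1))
    code, version, severity = int(argv[1]), int(argv[2]), int(argv[3])
    if (code, version) != (TEMPLATE_CODE, TEMPLATE_VERSION):
        raise ValueError("not an Unusual Argument Length alert: code=%d version=%d" % (code, version))
    return {
        "severity": severity,
        "time": datetime.fromtimestamp(int(argv[4]), tz=timezone.utc),
        "attacker": parse_fields(argv[5]),   # uid, gid, pid, ppid
        "target": parse_fields(argv[6]),     # file, mode, uid, gid, inode, device
        "summary": argv[7],
    }

# Constructed sample alert (hypothetical values); the pathname deliberately contains a comma.
SAMPLE_ARGV = [
    "/opt/hids/respond.py", "0", "2", "1", "1000000000",
    "uid=501, gid=20, pid=4242, ppid=4100",
    "file=/usr/local/bin/x,y, mode=4755,uid=0,gid=0, inode=12345,device=64768",
    "Potential Buffer overflow detected.",
]

if __name__ == "__main__":
    # Invoked by HIDS with the alert in argv, or run stand-alone on the sample.
    print(parse_alert(sys.argv if len(sys.argv) > 1 else SAMPLE_ARGV))
```

Because the Target field is a flat comma-separated string, a pathname chosen to look like a key=value pair can still mislead the split; treat the parsed file name as untrusted input and cross-check it against the inode and device fields before acting on it.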