Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Buffer Overflow Template
Appendix A
Table A-4 Unusual Argument Length Alert Properties (Continued)

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[8] | Details | String | "Potential buffer overflow attack by process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: "<argv[0]> <argv[1]>..." Length of the longest argument is <value> which surpasses the longest expected argument length of <unusual_arg_len>. Total length of argument is <value>." | Detailed alert description |
| argv[9] | Local Time | Integer | <secs> | Local time in number of seconds since epoch when a privileged setuid program was run with an unusually long program length |

NOTE Refer to Table B-1 in Appendix B for the definition of argv[10] through argv[32], which can be used to access specific alert information (e.g., pid, ppid) without having to parse the string alert fields above.

Argument with Non-printable Character

This template generates and forwards the following alert to a response program when a privileged setuid program is invoked with an argument that contains a non-printable character:
Table A-5 Argument with Non-printable Character Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 0 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |
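As an added example (not code from the guide or the product), a small Python helper for a response program that parses the Table A-4 Details string in argv[8] and the epoch time in argv[9]. The sample argument vector is constructed; the exact spacing of the real alert string and the values type=file and device=8 are assumptions.

```python
"""Added example: parse the Table A-4 alert fields a response program receives."""
import re
from datetime import datetime
# Mirrors the argv[8] Details format from Table A-4; the exact spacing the
# HIDS emits is assumed, so the pattern is lenient around <program>.
DETAILS_RE = re.compile(
    r"Potential buffer overflow attack by process with pid (?P<pid>\d+) and "
    r"ppid (?P<ppid>\d+) when executing\s*(?P<program>[^\s(]+)\s*"
    r"\(type=(?P<type>[^,]+), inode=(?P<inode>\d+), device=(?P<device>[^)]+)\), "
    r"invoked as follows: \"(?P<cmdline>.*?)\"\s*"
    r"Length of the longest argument is (?P<longest>\d+) which surpasses the "
    r"longest expected argument length of (?P<threshold>\d+)\.\s*"
    r"Total length of argument is (?P<total>\d+)\.",
    re.S,
)

def parse_details(details):
    """Fields embedded in the argv[8] Details string, or None if it does not match."""
    m = DETAILS_RE.search(details)
    if m is None:
        return None
    d = m.groupdict()
    for key in ("pid", "ppid", "inode", "longest", "threshold", "total"):
        d[key] = int(d[key])
    d["argv"] = d.pop("cmdline").split()          # "<argv[0]> <argv[1]>..."
    d["exceeds_threshold"] = d["longest"] > d["threshold"]
    return d

def summarize(args):
    """args is the response program's own argv (args[0] is the script itself);
    argv[1] template code, argv[2] version, argv[8] Details, argv[9] local time."""
    fields = parse_details(args[8])
    if fields is None:
        return None
    secs = int(args[9])
    return {"template_code": int(args[1]), "version": int(args[2]),
            "epoch_secs": secs, "local_time": datetime.fromtimestamp(secs),
            **fields}

# Constructed sample argv (argv[3]..argv[7] are on other pages; placeholders here).
SAMPLE_ARGS = [
    "respond.py", "0", "2", "-", "-", "-", "-", "-",
    "Potential buffer overflow attack by process with pid 4321 and ppid 1200 "
    "when executing /usr/bin/setuidtool (type=file, inode=98765, device=8), "
    'invoked as follows: "/usr/bin/setuidtool -f ' + "A" * 1200 + '" '
    "Length of the longest argument is 1200 which surpasses the longest "
    "expected argument length of 1024. Total length of argument is 1221.",
    "1700000000",
]
```

Where the alert also supplies argv[10] through argv[32] (Table B-1), read pid and ppid from those fields rather than re-parsing the string; this parser is only for the string fields.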