Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Buffer Overflow Template
Appendix A
139
Table A-5 Argument with Non-printable Character Alert Properties (Continued)

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[3] | Severity | Integer | 1 | Critical severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when a privileged setuid program was run with an argument that contains a non-printable character |
| argv[5] | Attacker | String | "uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>" | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an argument that contains a non-printable character |
| argv[6] | Target of Attack | String | "file=<full pathname>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device>" | The full pathname of the setuid program the attacker executed with an argument that contains a non-printable character, and the program's mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | "Potential Buffer overflow detected" | Alert summary |
| argv[8] | Details | String | "Potential buffer overflow attack by process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: "<argv[0]> <argv[1]>..." contains non-printable character(s)." | Detailed alert description |
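A response program receives the fields above as positional arguments. The following is an added example (not from the guide) of a Python response program that parses argv[3] through argv[8] according to Table A-5 into a structured record; the sample argument vector is constructed, argv[0] through argv[2] are placeholders for fields documented elsewhere, and extracting the quoted command line from Details assumes the template wording is used literally.

```python
import re
from datetime import datetime, timezone

# Column positions from Table A-5. argv[0]..argv[2] are documented on the
# preceding page and are not interpreted here.
SEVERITY, UTC_TIME, ATTACKER, TARGET, SUMMARY, DETAILS = range(3, 9)

def parse_kv(text):
    """Split 'uid=<uid>, gid=<gid>, ...' into a dict. Splitting only on a comma
    that is followed by 'key=' keeps a pathname containing commas intact."""
    fields = {}
    for pair in re.split(r",\s*(?=\w+=)", text.strip().strip('"“”')):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def nonprintable_chars(invocation):
    """Return the non-printable characters of the quoted invocation, escaped."""
    return ["\\x%02x" % ord(c) for c in invocation if not c.isprintable()]

def parse_alert(argv):
    """Turn the response-program argument vector into a structured record."""
    if len(argv) <= DETAILS:
        raise ValueError("expected %d arguments, got %d" % (DETAILS + 1, len(argv)))
    details = argv[DETAILS]
    # Details quotes the offending command line; pull it out so the record
    # states which bytes were non-printable (assumes the literal template text).
    quoted = re.search(r'invoked as follows: ["“](.*)["”] contains', details, re.S)
    invocation = quoted.group(1) if quoted else ""
    return {
        "severity": int(argv[SEVERITY]),
        "time": datetime.fromtimestamp(int(argv[UTC_TIME]), tz=timezone.utc).isoformat(),
        "attacker": {k: int(v) for k, v in parse_kv(argv[ATTACKER]).items()},
        "target": parse_kv(argv[TARGET]),
        "summary": argv[SUMMARY],
        "details": details,
        "nonprintable": nonprintable_chars(invocation),
    }

# Constructed sample argument vector (not from the guide); \x01 and \x7f stand
# in for the non-printable bytes the template flags.
SAMPLE_ARGV = [
    "/path/to/response-program", "ARGV1-NOT-ON-THIS-PAGE", "ARGV2-NOT-ON-THIS-PAGE",
    "1", "1700000000",
    "uid=0, gid=0, pid=4242, ppid=4100",
    "file=/usr/bin/passwd, mode=4755,uid=0,gid=0,inode=131072,device=2049",
    "Potential Buffer overflow detected",
    "Potential buffer overflow attack by process with pid 4242 and ppid 4100 "
    "when executing /usr/bin/passwd (type=file, inode=131072, device=2049), "
    'invoked as follows: "/usr/bin/passwd \x01\x7f" contains non-printable character(s).',
]
```

Calling `parse_alert(SAMPLE_ARGV)` yields a record suitable for forwarding to a SIEM, with the attacker identifiers as integers and the offending bytes listed as `\x01` and `\x7f`.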