Host Intrusion Detection System Administrator's Guide Release 3.0
Templates and Alerts
Buffer Overflow Template
Appendix A
Table A-5 Argument with Non-printable Character Alert Properties (Continued)

Response Program Argument: argv[9]
Alert Field: Local Time
Alert Field Type: Integer
Alert Value/Format: <secs>
Description: Local time in number of seconds since epoch when a privileged setuid program was run with an argument that contains a non-printable character.

NOTE Refer to Table B-1 in Appendix B for the definitions of argv[10] through argv[32], which can be used to access specific alert information (e.g., pid, ppid) without having to parse the string alert fields above.

Limitations
• The template does not detect whether a buffer overflow attack actually succeeded; it only detects that one may have been attempted.
• The template only reports exec-on-stack buffer overflow attacks on HP-UX 11i when exec-on-stack protection is enabled.