Host Intrusion Detection System Administrator's Guide Release 3.0
Templates and Alerts
Modification of Files/Directories Template
Appendix A
File Being Modified
This template generates and forwards the following alert to a response program when a
file is modified:
Table A-10 File Being Modified Alert Properties
| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 2 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |
| argv[3] | Severity | Integer | 2 if file is truncated, potentially truncated, deleted, or renamed. 3 if file’s mode or ownership is modified, or file is created, or file is opened for writing or appending. | Severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when file is modified. |
| argv[5] | Attacker | String | “uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>” | The user ID, group ID, process ID, and parent process ID of the process that modified the file. |
| argv[6] | Target of Attack | String | “file=<full pathname>, mode=<mode>,uid=<uid>,gid=<gid>, inode=<inode>,device=<device>” | The full pathname of the file that was modified and the file’s mode, uid, gid, inode, and device number. |
| argv[7] | Summary | String | “Filesystem modification or potential modification” | Alert summary |
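
The following is an added example, not code from this guide: a Python sketch of how a response program could parse the arguments listed in Table A-10. It assumes the quotation marks shown in the table are not part of the argument and that the pathname is passed unescaped, so the target string is split from the right to keep a comma inside a filename from shifting the mode, uid, gid, inode, and device fields. The names parse_kv and parse_alert are hypothetical.

```python
import sys
from datetime import datetime, timezone

# Severity meanings as listed in Table A-10 for this template.
SEVERITY = {
    2: "truncated, potentially truncated, deleted, or renamed",
    3: "mode/ownership modified, created, or opened for writing/appending",
}

def parse_kv(text, keys):
    """Parse 'k1=v1, k2=v2,...' where only the first value may contain commas.

    The trailing len(keys)-1 fields are split from the right, so a comma
    inside the first value (a pathname) cannot shift the later fields.
    """
    parts = text.rsplit(",", len(keys) - 1)
    if len(parts) != len(keys):
        raise ValueError("expected %d fields in %r" % (len(keys), text))
    out = {}
    for key, part in zip(keys, parts):
        name, sep, value = part.strip().partition("=")
        if sep != "=" or name != key:
            raise ValueError("expected %s=..., got %r" % (key, part))
        out[key] = value
    return out

def parse_alert(argv):
    """Map argv[1]..argv[7] of a File Being Modified alert to a dict."""
    if len(argv) < 8:
        raise ValueError("alert needs argv[1] through argv[7]")
    severity = int(argv[3])
    return {
        "template_code": int(argv[1]),
        "version": int(argv[2]),
        "severity": severity,
        "severity_meaning": SEVERITY.get(severity, "not listed in Table A-10"),
        "time": datetime.fromtimestamp(int(argv[4]), tz=timezone.utc),
        "attacker": parse_kv(argv[5], ["uid", "gid", "pid", "ppid"]),
        "target": parse_kv(
            argv[6], ["file", "mode", "uid", "gid", "inode", "device"]),
        "summary": argv[7],
    }

if __name__ == "__main__":
    print(parse_alert(sys.argv))
```

Field values are returned as strings because the table does not state the numeric base used for mode or device.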