Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts

Appendix A

172

• Because the login name (ut_user in a utmp structure) is not available for a logout

event, the template retrieves the login name from the wtmp[s] log. If the log has

been cleared, the template will create a logout alert that does not contain the user

name, only the device on which the logout occurred.

• The template will generate alerts for ftp logins without the remote host IP address

on 11i version 1.0 unless the wu-ftp 2.6.1 patch is installed.

• The host address ﬁltering provided by this template is subject to IP spooﬁng.