Host Intrusion Detection System Administrator's Guide Release 3.0
Templates and Alerts
Repeated Failed Logins Template
Appendix A
Failed Login Attempts
This template generates and forwards the following alerts to a response program when
repeated failed logins are detected.
Table A-23 Failed Login Attempts Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 8 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |
| argv[3] | Severity | Integer | 2 for user root or ids and 3 for all other users | Severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when <max_failed_login> number of failed logins are detected for a particular target login account. |
| argv[5] | <empty> | n/a | n/a | This field is empty |
| argv[6] | <empty> | n/a | n/a | This field is empty |
| argv[7] | Summary | String | “Failed login attempts” | Alert summary |
| argv[8] | Details | String | “More than <max_failed_login> failed logins by user <username> (REMOTE: <fully qualified host name> <IP address>)” | Detailed alert description |
| argv[9] | Local Time | Integer | <secs> | Local time in number of seconds since epoch when <max_failed_login> number of failed logins are detected for a particular target login account. |
| argv[10] | Flag | Integer | 1 | Indicates a failed login alert versus a failed su alert. |
| argv[11] | User | String | <username> | Name of target login name that a user was attempting to login as. |
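
An added example, not taken from the guide or the product: a response program in Python that validates argv[1] through argv[11] against Table A-23 and treats the login name and remote host as untrusted input before they are logged. It assumes the Details string arrives without the surrounding quotation marks and with host name and IP address separated by one space; `FailedLoginAlert`, `parse_alert`, `printable` and the `SAMPLE` values are constructed for illustration.

```python
import re
import sys
from dataclasses import dataclass

# Shape of argv[8] as given in Table A-23 (assumed: no surrounding quotes).
DETAILS_RE = re.compile(
    r"More than (?P<max>\d+) failed logins by user (?P<user>\S+) "
    r"\(REMOTE: (?P<host>\S*) ?(?P<ip>\S*)\)"
)

@dataclass
class FailedLoginAlert:
    severity: int
    utc_secs: int
    local_secs: int
    user: str
    max_failed_login: int
    remote_host: str
    remote_ip: str

def printable(value):
    """Replace control characters so an attempted login name cannot forge log lines."""
    return "".join(c if c.isprintable() else "?" for c in value)

def parse_alert(argv):
    """Validate argv[1]..argv[11] against Table A-23 and return typed fields."""
    if len(argv) < 12:
        raise ValueError("expected argv[1]..argv[11]")
    if int(argv[1]) != 8 or int(argv[10]) != 1:
        raise ValueError("not a failed-login alert (template code 8, flag 1)")
    severity = int(argv[3])
    if severity not in (2, 3):
        raise ValueError("severity outside the documented values 2 and 3")
    m = DETAILS_RE.fullmatch(argv[8])
    if m is None:
        raise ValueError("argv[8] does not match the documented Details format")
    return FailedLoginAlert(
        severity=severity, utc_secs=int(argv[4]), local_secs=int(argv[9]),
        user=printable(argv[11]), max_failed_login=int(m["max"]),
        remote_host=printable(m["host"]), remote_ip=printable(m["ip"]),
    )

# Constructed sample arguments (not captured from a real system).
SAMPLE = ["response", "8", "2", "2", "1700000000", "", "",
          "Failed login attempts",
          "More than 3 failed logins by user root (REMOTE: host.example.com 192.0.2.10)",
          "1700003600", "1", "root"]

if __name__ == "__main__":
    print(parse_alert(sys.argv if len(sys.argv) > 1 else SAMPLE))
```

The login name in argv[8] and argv[11] is whatever the remote party typed at the login prompt, so it should not be passed to a shell or written to a log without the kind of filtering `printable` applies.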