Host Intrusion Detection System Administrator's Guide Release 3.0

Automated Response
Sample Response Programs
Appendix B
199
Disable remote networking
If you have determined that an intrusion is originating from a remote location, this
script stops inetd so that the system refuses all new inbound service connections.
IMPORTANT This script requires privilege and should not be installed as a setuid privileged script.
This script is for illustration purposes only. Please refer to “Writing Privileged Response
Programs” on page 190 for help on how to safely write a privileged response program.
NOTE The agent will be unable to make new connections to the HP-UX HIDS System Manager
and you will have to log in to the system at the console. Any existing connections will
remain open, but new connections handled by inetd will be refused.
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
# Disable networking on the system as an extreme response to
# a remote-launched intrusion. The agent passes the alert fields as
# positional parameters; this script uses $1 (alert type), $7 (alert
# summary, used as the mail subject), $8 (alert details) and ${17}
# (the file the alert refers to).
RECIPIENT="root"
# If we have a file modification alert (alert type 2)
if [ "$1" = "2" ]
then
    # and if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]; then
        echo "Critical intrusion: halting networking\n$8" \
            | /usr/bin/mailx -s "$7" "${RECIPIENT}"
        /sbin/init.d/inetd stop
    fi
fi
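The sample above shows the trigger condition but none of the defensive habits a privileged response program needs. The following is an added example, not code from the HP-UX HIDS guide: a hardened rewrite of the same response that pins its environment, treats every alert field as attacker-influenced data, logs before it acts, and can be exercised without touching inetd. The alert field positions it reads ($1 alert type, $7 summary, $8 details, ${17} target path) are the ones the sample uses; the helper names, the CRITICAL_FILES list, the DRY_RUN switch and the log file path are assumptions made for this example. On HP-UX the interpreter line would be /usr/bin/sh.

```shell
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): hardened "disable remote
# networking" response. Field positions follow the guide's sample; helper
# names, CRITICAL_FILES, LOGFILE and DRY_RUN are assumptions for this example.

PATH=/usr/bin:/usr/sbin:/sbin; export PATH   # never inherit PATH from the caller
umask 077                                     # anything we create is readable by root only
unset IFS                                     # default field splitting, not the caller's
RECIPIENT="root"
CRITICAL_FILES="/etc/passwd /etc/group"       # assumption: targets that justify the response
LOGFILE="/var/adm/hids-response.log"          # assumption: local record of what was done
DRY_RUN="${DRY_RUN:-0}"                       # DRY_RUN=1: decide and report, change nothing

# is_critical_file PATH: succeeds only if PATH exactly equals one of CRITICAL_FILES.
# Exact string comparison, so "/etc/passwd.bak" or a path with an embedded
# space never matches, and the attacker-chosen path is never expanded or executed.
is_critical_file() {
    for f in $CRITICAL_FILES; do
        [ "$1" = "$f" ] && return 0
    done
    return 1
}

# should_respond ALERT_TYPE TARGET: the sample's trigger, a file modification
# alert (type 2) whose target is a critical file.
should_respond() {
    case "$1" in
        2) is_critical_file "$2" ;;
        *) return 1 ;;
    esac
}

# respond SUMMARY DETAILS: log, notify root, then stop inetd. Every expansion
# is quoted; the summary is only ever the argument of -s and the recipient is
# fixed, so alert text cannot turn into extra mailx options or recipients.
respond() {
    summary="$1"; details="$2"
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    if [ "$DRY_RUN" = "1" ]; then
        echo "$stamp DRY_RUN: would mail $RECIPIENT and run: /sbin/init.d/inetd stop"
        return 0
    fi
    # Write the local record first: once inetd is down the mail may never leave
    # the box, and the console operator needs to know why networking stopped.
    printf '%s critical intrusion (%s); stopping inetd\n' "$stamp" "$summary" >>"$LOGFILE"
    printf 'Critical intrusion: halting inetd\n%s\n' "$details" \
        | /usr/bin/mailx -s "$summary" "$RECIPIENT"
    /sbin/init.d/inetd stop
}

# main ALERT_FIELDS...: refuse anything that does not look like a full alert,
# then apply the trigger condition to the type and target fields only.
main() {
    if [ "$#" -lt 17 ]; then
        echo "usage: $0 <17 or more HIDS alert fields>" >&2
        return 2
    fi
    if should_respond "$1" "${17}"; then
        respond "$7" "$8"
    fi
}

# Run only when the agent actually passes alert fields.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Install it root-owned and mode 0700 rather than setuid, and rehearse it with DRY_RUN=1 and a hand-built 17-field argument list before enabling it on a production host; the dry-run path exercises the whole decision without stopping inetd.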