Host Intrusion Detection System Administrator's Guide Release 3.0

Automated Response
Sample Response Programs
Appendix B
200
Preservation of evidence
NOTE Consult your local legal counsel to determine what steps must be taken to preserve
evidence for use in court. The example scripts presented below do not meet the legal
requirements for preservation of evidence.
Putting a process to sleep
It may be necessary to preserve the evidence of an intrusion for later analysis. In this
example, a process which has caused an alert will be stopped. Any activity by the process
will be halted; the process's memory image can be analyzed at a later time.
IMPORTANT This script requires privilege and should not be installed as a setuid privileged script.
This script is for illustration purposes only. Please refer to “Writing Privileged Response
Programs” on page 190 for help on how to safely write a privileged response program.
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
## Stop a process which has performed an intrusive activity.
## The alert fields arrive as positional parameters; the ones used here are
## $1 (alert type code), $7 (used as the mail subject), ${11} (process id),
## ${17} (target file) and ${24} (program run by the process).
RECIPIENT="root"
# If we have a file modification alert
if [ "$1" = "2" ]
then
    # and if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]; then
        # obtain the process id from the alert
        pid="${11}"
        # a privileged script must not pass an empty or non-numeric id to kill
        case "${pid}" in
            ''|*[!0-9]*) exit 1 ;;
        esac
        echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" \
            | /usr/bin/mailx -s "$7" "${RECIPIENT}"
        kill -STOP "${pid}"
    fi
fi
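As an added illustration (not a script from the guide), the same SIGSTOP step extended to record a snapshot of the halted process for later analysis: the alert fields, a ps listing, the capture time and a cksum manifest. It assumes a POSIX sh with ps, kill and cksum; the EVIDENCE_DIR default and the field layout are constructed for this example, not taken from the HIDS alert format.

```shell
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): freeze a process named in an
# alert and record a snapshot of it for later analysis. Assumes POSIX sh, ps,
# kill, cksum and a writable EVIDENCE_DIR (constructed default below); the
# pid and alert fields come from the response program's arguments, as above.

EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/hids-evidence}"

# Accept only a plain positive integer, and never init (pid 1) or this script.
valid_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1 ] && [ "$1" -ne "$$" ]
}

# freeze_and_snapshot PID [ALERT-FIELD ...]
# Stops PID with SIGSTOP, then writes a timestamped evidence directory holding
# the alert fields (one per line), a ps snapshot and the capture time, plus a
# cksum manifest of those files next to the directory. Prints the directory.
freeze_and_snapshot() {
    pid="$1"
    valid_pid "$pid" || return 1
    kill -0 "$pid" 2>/dev/null || return 1     # the process must still exist
    kill -STOP "$pid" || return 1              # halt it before collecting state
    shift
    dir="${EVIDENCE_DIR}/${pid}-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"                           # owner only (root when privileged)
    date -u > "$dir/captured_at"
    printf '%s\n' "$@" > "$dir/alert_fields.txt"
    # POSIX ps -o keys; tolerated if this ps lacks -p (the rest is still kept)
    ps -p "$pid" -o pid= -o ppid= -o user= -o args= > "$dir/ps.txt" 2>/dev/null || :
    cksum "$dir"/* > "${dir}.manifest"         # integrity record for the files
    printf '%s\n' "$dir"
}
```

The stopped process is left in place so that its memory image can still be examined; resume or terminate it with kill -CONT or kill once the analysis is done.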