Host Intrusion Detection System Administrator's Guide Release 3.0
Automated Response
Sample Response Programs
Appendix B
Snapshot of critical system state

Extending the previous example, this script takes a snapshot of critical system state information that can be used for later analysis:
• currently executing process list
• who is logged into the system
• a record of login/logout attempts
• a list of active network connections
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Take a snapshot of the important system state information when
# the intrusion occurred.
# State information is stored in a snapshot file with the UTC time of
# the intrusion alert appended to it.
#
# HIDS passes the alert fields to the response script as positional
# parameters; this script uses $4 (the UTC time of the alert) and $8
# (written as the title line of the snapshot).
# The section separators below rely on the HP-UX /usr/bin/sh echo,
# which interprets \n escapes.
RECIPIENT="root"    # carried over from the previous example; not used below
# Setting the umask to a "sane" value: the snapshot is created mode 600,
# readable only by the account the agent runs this script as
umask 077
file="/var/opt/ids/tmp/snapshot.$4"
# title line
echo "System state after potential intrusion:\n$8" > ${file}
# ps output
echo "\n----------\nList of currently executing processes:\n" >> ${file}
ps -ef >> ${file}
# who is logged in
echo "\n----------\nList of currently logged in users:\n" >> ${file}
/usr/bin/who >> ${file}
# record of login/logout
echo "\n----------\nLast login/logout activity:" >> ${file}
/usr/bin/last >> ${file}
# active network connections
echo "\n----------\nActive network connections (netstat -a):\n" >> ${file}
/usr/bin/netstat -a >> ${file}
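The script above stops at the first command that is missing or fails, writes the alert text through echo (which interprets backslash sequences in attacker-influenced data), and uses the alert timestamp in a filename without checking it. The following hardened variant is an added example, not part of the HP-UX HIDS guide: it is plain POSIX sh rather than HP-UX /usr/bin/sh, and for the sake of being testable it takes the snapshot directory, UTC time and alert text as explicit arguments ($1, $2, $3) instead of reading the agent's $4 and $8. The function names take_snapshot and collect, the .cksum sidecar file and the timestamp character set are all this example's own choices. Each collector is run independently so a missing tool (for instance no netstat on a minimal host) is recorded in the snapshot instead of aborting it, and a checksum is written beside the snapshot so later tampering can be spotted. Remember that ps, who, last and netstat run on the suspect host and can be subverted by a rootkit, so the snapshot records what the host claims; copy it off-host promptly.

```sh
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): hardened snapshot script.
# Assumed interface: $1 = snapshot directory, $2 = UTC time of the alert,
# $3 = alert summary text (the guide's script reads these from $4 and $8).

# collect FILE TITLE CMD [ARGS...]
# Append one section to FILE. A missing or failing collector is noted in
# the snapshot rather than aborting the rest of the evidence gathering.
collect() {
    out=$1; title=$2; shift 2
    printf '\n----------\n%s\n\n' "$title" >> "$out"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >> "$out" 2>&1 || \
            printf '[collector "%s" exited with status %s]\n' "$1" "$?" >> "$out"
    else
        printf '[collector "%s" not found on this host]\n' "$1" >> "$out"
    fi
}

# take_snapshot DIR UTC_TIME SUMMARY
# Writes DIR/snapshot.UTC_TIME (mode 600) plus a checksum sidecar and
# prints the snapshot path. Returns 1 if the timestamp is unsafe to use
# as part of a filename.
take_snapshot() {
    dir=$1; when=$2; summary=$3
    # Only allow characters that cannot escape the directory or confuse
    # later tooling: letters, digits, '.', ':', '_' and '-'.
    case $when in
        ''|*[!A-Za-z0-9.:_-]*)
            echo "take_snapshot: refusing unsafe timestamp" >&2
            return 1 ;;
    esac
    umask 077
    file="$dir/snapshot.$when"
    # printf rather than echo: the alert text is attacker-influenced and
    # echo would interpret any backslash sequences it contains.
    printf 'System state after potential intrusion:\n%s\n' "$summary" > "$file" || return 1
    collect "$file" "List of currently executing processes:" ps -ef
    collect "$file" "List of currently logged in users:" who
    collect "$file" "Last login/logout activity:" last
    collect "$file" "Active network connections (netstat -a):" netstat -a
    # Checksum sidecar for later tamper detection. cksum is POSIX; use
    # sha256sum where it exists.
    cksum "$file" > "$file.cksum"
    printf '%s\n' "$file"
}

# Stand-alone use from a HIDS response hook:
#   snapshot.sh /var/opt/ids/tmp "$4" "$8"
if [ $# -ge 3 ]; then
    take_snapshot "$1" "$2" "$3"
fi
```

Because collect never lets one tool's failure stop the others, a snapshot taken on a host where, say, last has been removed still contains the process list and connection table, and the bracketed marker in the file tells the analyst which section is missing and why.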