Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Template Property Types
Appendix A
pathnames_1 | f1 & f2
programs_1 | p1
pathnames_2 | f1 & f2
programs_2 | p2
pathnames_3 | f1 & f2
programs_3 | p3
• However, it is not equal to the following:
4.
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p3
The rationale here is to provide a finer granularity for users to specify their file-monitoring dependencies. That is, in (4) an alert for f2 is generated if the event was triggered by p2, in contrast to what happens when any of (1), (2) or (3) are used.
WARNING
Specifying a program's relative path name to ignore alerts is unsafe whether the path name refers to a script or an executable program. An attacker can construct an attack script or program with the same relative path name, and alerts would be filtered if the relative path name is specified as the value in a pathnames/programs pair.
Type III: UIDs
The values for this property type consist of lists of UIDs that the template is to explicitly take into account (type IIIa) or explicitly ignore (type IIIb) when determining whether or not to issue an alarm. The following template property specifies three UIDs, which will be explicitly taken into account when the template generates an alert:
priv_uid_list | 22|1|43
The following template property specifies that alerts concerning the three UIDs will not
be generated:
uids_to_ignore | 21|3|53
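As an added worked example (not code from the guide), the following Python evaluates template properties written in the notation above: it shows why forms (3) and (4) are not equivalent for an event on f2 triggered by p2, applies a uids_to_ignore list, and flags relative program names in a pathnames/programs pair as the unsafe configuration the WARNING describes. The filtering semantics are assumed from this section's description, and the templates it parses are constructed.

```python
def parse_template(text):
    """Parse 'key | value' lines. pathnames_N/programs_N values are
    '&'-separated; UID list values are '|'-separated."""
    props = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("|")
        key = key.strip()
        sep = "&" if key.startswith(("pathnames_", "programs_")) else "|"
        props[key] = [v.strip() for v in value.split(sep) if v.strip()]
    return props

def ignore_pairs(props):
    """Yield (files, programs) for each pathnames_N / programs_N pair."""
    for key, files in props.items():
        if key.startswith("pathnames_"):
            yield files, props.get("programs_" + key.split("_", 1)[1], [])

def alert_generated(props, path, program, uid=None):
    """Return True if an event on `path` by `program` raises an alert.
    Assumed semantics (from the guide's description): the alert is filtered
    when `program` is in the programs list paired with a pathnames list that
    contains `path`, or when `uid` is listed in uids_to_ignore."""
    if uid is not None and str(uid) in props.get("uids_to_ignore", []):
        return False
    return not any(path in files and program in programs
                   for files, programs in ignore_pairs(props))

def unsafe_relative_programs(props):
    """Programs in pathnames/programs pairs given as relative names: the
    unsafe configuration the WARNING describes, since any program with the
    same relative name would also have its alerts filtered."""
    return sorted({p for _, programs in ignore_pairs(props)
                   for p in programs if not p.startswith("/")})

# Constructed templates: forms (3) and (4) from the text, plus one that mixes
# an absolute and a relative program name.
TEMPLATE_3 = """pathnames_1 | f1 & f2
programs_1 | p1
pathnames_2 | f1 & f2
programs_2 | p2
pathnames_3 | f1 & f2
programs_3 | p3
uids_to_ignore | 21|3|53"""
TEMPLATE_4 = """pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p3"""
TEMPLATE_REL = """pathnames_1 | /etc/passwd
programs_1 | /usr/bin/passwd & vipw"""
```

Under (3) the f2/p2 event is filtered by the pathnames_2/programs_2 pair, while under (4) it raises an alert because p2 is absent from the list paired with f2.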
Type IV: UID Pairs
The values for this property type consist of pairs of UIDs. This template type is currently used only in the Modification of Another User's File template. In each pair, the two members are separated by a comma. When an event is received for a file that is being monitored, the following criteria are applied for every pair in the list: