Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Template Property Types
Appendix A
134
• The effective UID of the process modifying this file is the same as the first member of
the pair.
• The owner of the file has the same UID as the second member of the pair.
If both these conditions are true, no alert is issued.
Following is an example of this type of property value:
uid_pairs_to_ignore | 2, 16 | 4, 3
In this example, if the file’s owner’s UID is 16, and the effective UID of the modifying
process is 2 then no alarm is triggered.
Type V: Network Triplets
The values for this property type consist of network information triplets. The members
of a triplet are as follows:
• IP address: An IP address. For IPv4, the address must be in standard dot notation;
for IPv6, in colon notation.
• Network mask: The network mask value qualifies the value in the IP address field
to an individual host address or a network address. A value of 255.255.255.255
means the value in the IP address field is an individual host address; otherwise, it is
a network address. The network mask follows the notational requirements for IP
addresses.
• Severity code: An integer representing a severity level (0=no alert, 1=critical,
2=severe, 3=moderate), where a severity level of 0 specifies that no alert should be
generated for a matching {IP address, Network Mask, 0} triplet.
The following template configuration command line gives an example for this type of
property value:
ip_filters | 192.168.0.2, 255.255.255.255,1|\
192.168.20.0, 255.255.255.0, 0
Type VI: Time Strings
Time strings are strings that represent time intervals. Each time string has the
following syntax:
integer [units]
The integer component is a positive integer, representing a time interval. The units
component, when present, indicates the time units that integer is expressed in. The
following units are supported:
• s:Seconds
• m: Minutes
• h: Hours
• d: Days
• w: Weeks