Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Buffer Overflow Template
Appendix A
How this template is configured
Table A-2 lists the configurable properties that this template supports.
• Property: priv_uid_list
A list of system-level user IDs (integers).
This list should contain the users who are considered to have elevated access to
the system. Only programs that run with an effective user ID equal to one of the
listed integers are monitored for unusually long arguments or for arguments that
contain nonprintable characters; executions under any other effective UID are not
examined by this template. In general, the user IDs of other privileged accounts
(for example, the webmaster or news administrator) should be added, and none of the
default UIDs should be removed.
• Property: unusual_arg_len
An integer giving the argument length that is considered unusually long.
Set this to the length beyond which an argument passed to a privileged (setuid)
executable on the system is considered unusual. An argument of that size is a
common sign of a buffer overflow attack against the program's argument handling.
Lowering the value catches shorter payloads but raises the false-positive rate for
programs that legitimately receive long arguments.
• Property: pathnames_to_not_watch
Pathnames of programs that can be safely ignored.
Each entry is a regular expression. Any buffer overflow alert for a program whose
pathname is matched by one of these expressions is filtered out and not reported.
Because the match is a regular-expression match rather than an exact string
comparison, anchor the expressions (for example, ^/usr/local/bin/) so that an entry
does not silently exclude more programs than intended.
Alerts generated by this template
• “Execute on Stack” on page 137
• “Unusual Argument Length” on page 139
• “Argument with Nonprintable Character” on page 140
Execute on Stack
Table A-3 lists the alerts that this template generates and forwards to a response
program when an execute-on-stack condition is detected by the HP-UX 11i kernel.
Table A-2 Buffer Overflow Template Properties

Name                    Type   Default Value
priv_uid_list           III    0|1|2|3|4|5|9|11
unusual_arg_len         VIII   500
pathnames_to_not_watch  I      <empty>
Table A-3 Execute on Stack Alert Properties

Response Program Argument  Alert Field    Alert Field Type  Alert Value/Format  Description
argv[1]                    Template code  Integer           0                   Unique code assigned to the template
argv[2]                    Version        Integer           2                   Version of the template