Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Buffer Overflow Template
Appendix A
Table A-3 Execute on Stack Alert Properties (Continued)

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[3] | Severity | Integer | 1 | Alert severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when execute-on-stack was detected |
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that attempted to execute on its stack |
| argv[6] | Target of Attack | String | program=<full pathname>,type=<type>,mode=<mode>,uid=<uid>,gid=<gid>,inode=<inode>,device=<device> | The full pathname of the program the attacker was running when attempting to execute off the stack and the program's type, mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | Buffer overflow detected | Alert summary |
| argv[8] | Details | String | Buffer overflow detected by kernel for process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked with <args> | Detailed alert description |
| argv[9] | Local Time | Integer | <secs> | Local time in number of seconds since epoch when execute-on-stack was detected |

NOTE See Table B-1 in Appendix B for the definition of argv[10] through argv[32], which you can use to access specific alert information (for example, pid and ppid) without having to parse the string alert fields.
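A response program that consumes the argv positions in Table A-3, as an added example written for this guide page (not code shipped with the product): it splits the key=value alert strings in argv[5] and argv[6] into typed fields and converts the epoch times. The meaning of argv[0] through argv[2] is not given on this page, so the constructed sample leaves them as placeholders; the program path, type and mode values in the sample are made up.

```python
import sys
from datetime import datetime, timezone


def parse_kv_field(text):
    """Split a 'key=value,key=value' alert field (spaces after commas
    tolerated, as in argv[5]) into a dict of string values."""
    fields = {}
    for item in text.split(","):
        key, sep, value = item.strip().partition("=")
        if sep:  # ignore anything that is not key=value
            fields[key.strip()] = value.strip()
    return fields


def parse_execute_on_stack_alert(argv):
    """Return the Table A-3 fields (argv[3] through argv[9]) as a dict.
    argv is the response program's full argument vector."""
    if len(argv) < 10:
        raise ValueError("expected at least argv[0] through argv[9]")
    attacker = parse_kv_field(argv[5])
    return {
        "severity": int(argv[3]),
        "utc_time": datetime.fromtimestamp(int(argv[4]), tz=timezone.utc),
        # uid, gid, pid and ppid are numeric IDs, so convert them
        "attacker": {k: int(v) for k, v in attacker.items()},
        # target values stay strings: program is a path, type is a label
        "target": parse_kv_field(argv[6]),
        "summary": argv[7],
        "details": argv[8],  # free text, deliberately left unparsed
        "local_time": int(argv[9]),
    }


# Constructed sample argument vector, not a captured alert. argv[0..2] are
# placeholders because their meaning is not shown in this part of the table.
SAMPLE_ARGV = [
    "respond.sh", "", "",
    "1",
    "1041379200",
    "uid=1001, gid=20, pid=4242, ppid=4100",
    "program=/opt/example/app,type=file,mode=0755,uid=0,gid=3,"
    "inode=12345,device=64",
    "Buffer overflow detected",
    "Buffer overflow detected by kernel for process with pid 4242 and "
    "ppid 4100 when executing /opt/example/app (type=file, inode=12345, "
    "device=64), invoked with app AAAA",
    "1041350400",
]

if __name__ == "__main__":
    args = sys.argv if len(sys.argv) >= 10 else SAMPLE_ARGV
    alert = parse_execute_on_stack_alert(args)
    print(alert["attacker"]["pid"], alert["target"]["program"])
```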