Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Buffer Overflow Template
Appendix A
Unusual Argument Length
Table A-4 lists the properties of the alert that this template generates and forwards to a response program when a privileged setuid program is invoked with an argument whose length is equal to or greater than the unusual_arg_len property value.
Table A-4 Unusual Argument Length Alert Properties

Columns: Response Program Argument; Alert Field; Alert Field Type; Alert Value/Format; Description

argv[1]  Template code    Integer  0
         Unique code assigned to the template.

argv[2]  Version          Integer  2
         Version of the template.

argv[3]  Severity         Integer  1
         Alert severity.

argv[4]  UTC Time         Integer  <secs>
         UTC time, in seconds since the epoch, at which a privileged setuid program was run with an unusually long argument.

argv[5]  Attacker         String   uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>
         The user ID, group ID, process ID, and parent process ID of the process that executed the privileged setuid program with an unusually long argument.

argv[6]  Target of Attack String   file=<full pathname>,type=<type>,mode=<mode>,uid=<uid>,gid=<gid>,inode=<inode>,device=<device>
         The full pathname of the setuid program that the attacker executed with an unusually long argument, and the program's type, mode, uid, gid, inode, and device number.

argv[7]  Summary          String   Potential Buffer overflow detected.
         Alert summary.
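The following is an added example, not code from the Administrator's Guide or from the product: a minimal response program that consumes the alert exactly as Table A-4 lays it out in argv[1] through argv[7], checks that the template code is the one this table documents, and parses the Attacker and Target of Attack fields into dictionaries. It also encodes the trigger condition from the text (an argument whose length is equal to or greater than unusual_arg_len). The sample alert values, the program name respond.py, and the assumption that a pathname may itself contain a comma (the guide does not say how such names are escaped, so the Target field is parsed from the right) are all constructed for illustration.

```python
"""Minimal response program for the Buffer Overflow template's
"Unusual Argument Length" alert (fields per Table A-4).

Added example, not code from the Administrator's Guide or the product.
It assumes only that the HIDS invokes the response program with the
alert in argv[1]..argv[7]; sample values below are constructed.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List

TEMPLATE_CODE = 0      # Table A-4: Template code for this alert
TEMPLATE_VERSION = 2   # Table A-4: Version of the template
# Target of Attack keys that follow file=<full pathname>, in table order
TARGET_KEYS = ("type", "mode", "uid", "gid", "inode", "device")


@dataclass
class UnusualArgLenAlert:
    template_code: int
    version: int
    severity: int
    utc_time: int              # seconds since the epoch (UTC)
    attacker: Dict[str, str]   # uid, gid, pid, ppid
    target: Dict[str, str]     # file, type, mode, uid, gid, inode, device
    summary: str


def is_unusual_invocation(args: List[str], unusual_arg_len: int) -> bool:
    """Trigger condition from the text: any argument to the setuid
    program whose length is equal to or greater than unusual_arg_len."""
    return any(len(a) >= unusual_arg_len for a in args)


def parse_attacker(text: str) -> Dict[str, str]:
    """Parse 'uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>'."""
    out: Dict[str, str] = {}
    for item in text.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed attacker element: {item!r}")
        out[key] = value
    missing = {"uid", "gid", "pid", "ppid"} - out.keys()
    if missing:
        raise ValueError(f"attacker field missing {sorted(missing)}")
    return out


def parse_target(text: str) -> Dict[str, str]:
    """Parse 'file=<full pathname>,type=...,device=<device>'.

    Parsed from the right: the six trailing keys are fixed, so a comma
    inside the pathname (assumed possible) cannot shift them."""
    parts = text.split(",")
    if len(parts) < 1 + len(TARGET_KEYS):
        raise ValueError("target field has too few elements")
    head = ",".join(parts[:-len(TARGET_KEYS)])
    if not head.startswith("file="):
        raise ValueError("target field must begin with file=")
    out = {"file": head[len("file="):]}
    for key, item in zip(TARGET_KEYS, parts[-len(TARGET_KEYS):]):
        k, sep, v = item.strip().partition("=")
        if not sep or k != key:
            raise ValueError(f"expected {key}=..., got {item!r}")
        out[key] = v
    return out


def parse_alert(argv: List[str]) -> UnusualArgLenAlert:
    """argv is the response program's own sys.argv (argv[0] = program)."""
    if len(argv) < 8:
        raise ValueError(f"expected 7 alert arguments, got {len(argv) - 1}")
    code = int(argv[1])
    if code != TEMPLATE_CODE:
        raise ValueError(f"template code {code} is not the Buffer Overflow template")
    return UnusualArgLenAlert(
        template_code=code,
        version=int(argv[2]),
        severity=int(argv[3]),
        utc_time=int(argv[4]),
        attacker=parse_attacker(argv[5]),
        target=parse_target(argv[6]),
        summary=argv[7],
    )


# Constructed sample alert; values are illustrative, not captured output.
SAMPLE_ARGV = [
    "respond.py", "0", "2", "1", "1700000000",
    "uid=1001, gid=100, pid=4242, ppid=4100",
    "file=/usr/bin/passwd,type=file,mode=4755,uid=0,gid=0,inode=12345,device=2049",
    "Potential Buffer overflow detected.",
]

if __name__ == "__main__":
    # Use the real argv when the HIDS invokes us, else the sample.
    print(parse_alert(sys.argv if len(sys.argv) >= 8 else SAMPLE_ARGV))
```

A real response program would go on to act on the parsed fields (for example, record the attacker pid and ppid and the target inode and device before the process exits), but the parsing above is the part that must agree with Table A-4; rejecting an unexpected template code keeps a script written for this alert from misreading another template's argv layout.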