Host Intrusion Detection System Administrator's Guide Release 3.1

Templates and Alerts
Buffer Overflow Template
Appendix A
140
Table A-4 Unusual Argument Length Alert Properties (Continued)

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | Potential buffer overflow attack by process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]> ... Length of the longest argument is <value>, which surpasses the longest expected argument length of <unusual_arg_len>. Total length of argument is <value>. | Detailed alert description
argv[9] | Local Time | Integer | <secs> | Local time in number of seconds since epoch when a privileged setuid program was run with an unusually long argument length

NOTE See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields.

Argument with Nonprintable Character

Table A-5 lists the alerts that this template generates and forwards to a response program when a privileged setuid program was invoked with an argument that contains a nonprintable character.

Table A-5 Argument with Non-printable Character Alert Properties

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[1] | Template code | Integer | 0 | Unique code assigned to template
argv[2] | Version | Integer | 2 | Version of the template
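A minimal response program that consumes the Unusual Argument Length alert of Table A-4, parsing the argv[8] Details string with a regular expression built from the layout shown there and converting argv[9] to a timestamp. This is an added example, not code shipped with the product; it assumes the HIDS passes the alert fields as positional command-line arguments exactly as the table numbers them, and the sample alert values are constructed.

```python
import re
import sys
from datetime import datetime, timezone

# Regex derived from the argv[8] Details layout in Table A-4 (assumed exact).
DETAILS_RE = re.compile(
    r"Potential buffer overflow attack by process with pid (?P<pid>\d+) "
    r"and ppid (?P<ppid>\d+) when executing (?P<program>\S+) ?"
    r"\(type=(?P<type>[^,]*), inode=(?P<inode>\d+), device=(?P<device>[^)]*)\), "
    r"invoked as follows: (?P<cmdline>.*?) ?Length of the longest argument is "
    r"(?P<longest>\d+), which surpasses the longest expected argument length of "
    r"(?P<expected>\d+)\. Total length of argument is (?P<total>\d+)\.",
    re.DOTALL,
)

def parse_details(details):
    """Extract the fields embedded in the argv[8] Details string, or None if it does not match."""
    m = DETAILS_RE.search(details)
    if not m:
        return None
    d = m.groupdict()
    for k in ("pid", "ppid", "inode", "longest", "expected", "total"):
        d[k] = int(d[k])
    return d

def handle_alert(argv):
    """argv is the sys.argv-style list the HIDS hands to the response program.
    Only argv[8] (Details) and argv[9] (Local Time) from Table A-4 are used."""
    if len(argv) < 10:
        raise ValueError("expected at least 9 alert arguments, got %d" % (len(argv) - 1))
    fields = parse_details(argv[8])
    if fields is None:
        raise ValueError("Details string does not match the Unusual Argument Length layout")
    fields["time"] = datetime.fromtimestamp(int(argv[9]), tz=timezone.utc).isoformat()
    fields["excess"] = fields["longest"] - fields["expected"]  # how far past the limit
    return fields

# Constructed sample alert; every value is made up for illustration.
SAMPLE_ARGV = ["respond.py"] + ["<unused>"] * 7 + [
    "Potential buffer overflow attack by process with pid 4321 and ppid 1200 "
    "when executing /usr/bin/passwd (type=file, inode=12345, device=2049), "
    "invoked as follows: passwd " + "x" * 300 + " "
    "Length of the longest argument is 300, which surpasses the longest "
    "expected argument length of 256. Total length of argument is 307.",
    "1700000000",
]

if __name__ == "__main__":
    print(handle_alert(sys.argv if len(sys.argv) >= 10 else SAMPLE_ARGV))
```

In a real deployment the pid and ppid should be taken from the dedicated arguments described in Table B-1 rather than re-parsed from the string, as the NOTE above advises; the regex is a fallback for logging the full context.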