Host Intrusion Detection System Administrator's Guide Release 3.1

Templates and Alerts
Buffer Overflow Template
Appendix A
Table A-5 Argument with Non-printable Character Alert Properties (Continued)

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | Potential buffer overflow attack by process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]><argv[1]>... contains non-printable character(s). | Detailed alert description
argv[9] | Local Time | Integer | <secs> | Local time, in seconds since the epoch, at which a privileged setuid program was run with an argument that contains a non-printable character

NOTE See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields above.

Limitations

This template has the following limitations:

• The template does not detect that an actual buffer overflow attack was successful. It only detects that one might have been attempted.
• The template only reports exec-on-stack buffer overflow attacks on HP-UX 11i when exec-on-stack protection is enabled.
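As an added example, not taken from the HP-UX HIDS guide or from the product itself, the following minimal POSIX shell response program consumes argv[8] (Details) and argv[9] (Local Time) as Table A-5 defines them, pulling the pid, ppid, program path, inode and device out of the Details string. It assumes HIDS passes the alert fields as positional parameters in table order (argv[8] arrives in $8 and argv[9] in $9); the sample Details string, including its inode, device and type values and the embedded control characters, is constructed for illustration, and the helper function names are the example's own.

```shell
#!/bin/sh
# Added example response program for the "Argument with Non-printable
# Character" alert (not the guide's or product's code). Assumes the alert
# fields arrive as positional parameters in Table A-5 order: Details in $8,
# Local Time (seconds since epoch) in $9. All other positions are ignored.

# Constructed sample Details string in the Table A-5 format. The argv
# listing carries three 0x01 bytes, which is what triggers this alert.
SAMPLE_DETAILS=$(printf 'Potential buffer overflow attack by process with pid 4211 and ppid 4198 when executing /usr/bin/passwd (type=file, inode=12345, device=64x0x2), invoked as follows: /usr/bin/passwd\001\001\001AAAA contains non-printable character(s).')

# Each helper anchors on the fixed wording of the Details field so the
# non-printable bytes in the argv listing never need to be interpreted.
details_pid() {
    printf '%s\n' "$1" | sed -n 's/.*process with pid \([0-9][0-9]*\) and ppid.*/\1/p'
}

details_ppid() {
    printf '%s\n' "$1" | sed -n 's/.*and ppid \([0-9][0-9]*\) when executing.*/\1/p'
}

# Program path: everything between "executing" and "(type=", spaces trimmed.
details_program() {
    printf '%s\n' "$1" | sed -n 's/.*when executing *\([^( ]*\) *(type=.*/\1/p'
}

details_inode() {
    printf '%s\n' "$1" | sed -n 's/.*inode=\([0-9][0-9]*\), device=.*/\1/p'
}

details_device() {
    printf '%s\n' "$1" | sed -n 's/.*device=\([^)]*\)).*/\1/p'
}

# One-line, printable summary suitable for syslog or a ticketing system.
# $1 is the Details string (argv[8]); $2 is Local Time (argv[9]).
alert_summary() {
    details=$1
    secs=$2
    pid=$(details_pid "$details")
    parent=$(details_ppid "$details")
    prog=$(details_program "$details")
    inode=$(details_inode "$details")
    dev=$(details_device "$details")
    printf 'pid=%s ppid=%s program=%s inode=%s device=%s secs=%s\n' \
        "$pid" "$parent" "$prog" "$inode" "$dev" "$secs"
}

# When HIDS invokes this script with the full argument list, emit the
# summary on stderr; a deployment would forward it to syslog or a pager.
if [ "$#" -ge 9 ]; then
    alert_summary "$8" "$9" >&2
fi
```

Because the template only reports that an overflow may have been attempted, the summary is an investigation lead rather than a confirmed compromise; the inode and device fields identify the exact setuid binary to examine, and Table B-1's additional arguments can replace the pid and ppid parsing shown here.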