Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Modification of files/directories Template
Appendix A
152
File Being Modified
Table A-10 lists the alerts that this template generates and forwards to a response
program when a file is modified.
Table A-10 File Being Modified Alert Properties
Response
Program
Argument
Alert
Field
Alert
Field
Type
Alert Value/Format Description
argv[1] Template
code
Integer 2 Unique code
assigned to
template
argv[2] Version Integer 2 Version of the
template
argv[3] Severity Integer 2 if file is truncated, potentially truncated,
deleted, or renamed.
3 if file’s mode or ownership is modified, if
file is created, or if file is opened for writing
or appending.
Alert Severity
argv[4] UTC Time Integer <secs> UTC time in
number of seconds
since epoch when
file was modified
argv[5] Attacker String uid=<uid>, gid=<gid>, pid=<pid>,
ppid=<ppid>
The user ID, group
ID, process ID,
and parent
process ID of the
process that
modified the file
argv[6] Target of
Attack
String file=<full pathname>,
type=<type>,mode=<mode>,uid=<uid>,
gid=<gid>,inode=<inode>,device=<de
vice>
The full pathname
of the file that was
modified and the
file’s type, mode,
uid, gid,
inode, and
device number
argv[7] Summary String Filesystem modification or potential
modification.
Alert summary