Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Changes to Log File Template
Appendix A
156
Use these properties to filter out alerts generated when a particular program
modifies a particular file other than appending to it. See “Type II: Path Names/Programs
Pairs” on page 132 for a detailed description of these property pairs.
Alerts generated by this template
See Table A-12 for information about the alerts that this template generates.
Append-Only File Being Modified
Table A-12 lists the alerts that this template generates and forwards to a response
program when a file is modified in a way other than being appended to.
Table A-12 Append-Only File Being Modified Alert Properties

Response Program Argument | Alert Field      | Alert Field Type | Alert Value/Format                                                                                              | Description
--------------------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------
argv[1]                   | Template code    | Integer          | 3                                                                                                               | Unique code assigned to template
argv[2]                   | Version          | Integer          | 2                                                                                                               | Version of the template
argv[3]                   | Severity         | Integer          | 2                                                                                                               | Alert severity
argv[4]                   | UTC Time         | Integer          | <secs>                                                                                                          | UTC time in number of seconds since epoch when file was modified
argv[5]                   | Attacker         | String           | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>                                                                    | The user ID, group ID, process ID, and parent process ID of the process that modified the file
argv[6]                   | Target of Attack | String           | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device>            | The full pathname of the file that was modified and the file's type, mode, uid, gid, inode, and device number
argv[7]                   | Summary          | String           | Append-only file modified or potentially modified                                                               | Alert summary
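The following is an added example, not a response program shipped with HIDS or taken from this guide: a minimal POSIX sh response program that accepts the seven positional arguments laid out in Table A-12, checks that it was invoked for template code 3, pulls the uid and pid out of the argv[5] Attacker string and the file and inode out of the argv[6] Target of Attack string, and renders them as a single log line suitable for syslog or a SIEM collector. The helper names (check_args, kv_get, format_alert) and the sample argument values in the comments are assumptions made for this example; the field layout is the one the table specifies.

```shell
#!/bin/sh
# Hypothetical response program for the "Append-Only File Being Modified"
# template (template code 3). HIDS invokes a response program as:
#   response.sh <code> <version> <severity> <utc> <attacker> <target> <summary>
# Names and sample values here are constructed for this example.

# check_args: succeed only when called with the seven fields of Table A-12
# and argv[1] is template code 3; any other template is not ours to handle.
check_args() {
    [ "$#" -eq 7 ] && [ "$1" = "3" ]
}

# kv_get KEY STRING: print the value of KEY from a comma-separated list of
# key=value pairs such as "uid=0, gid=0, pid=4242, ppid=1". Prints nothing
# when KEY is absent. Splitting on commas means a pathname that itself
# contains a comma would be truncated at that comma (see usage note).
kv_get() {
    _key=$1
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^[[:space:]]*${_key}=//p" | head -n 1
}

# format_alert CODE VERSION SEVERITY UTC ATTACKER TARGET SUMMARY:
# render the alert as one syslog-style line on stdout.
format_alert() {
    code=$1; version=$2; severity=$3; utc=$4; attacker=$5; target=$6; summary=$7
    uid=$(kv_get uid "$attacker")      # uid of the process that modified the file
    pid=$(kv_get pid "$attacker")      # pid of that process
    file=$(kv_get file "$target")      # full pathname of the modified file
    inode=$(kv_get inode "$target")    # inode of the modified file
    printf 'hids template=%s v%s sev=%s t=%s uid=%s pid=%s file=%s inode=%s msg="%s"\n' \
        "$code" "$version" "$severity" "$utc" "$uid" "$pid" "$file" "$inode" "$summary"
}

# Entry point when HIDS runs this script directly; with the wrong argument
# count or a different template code, exit non-zero and emit nothing.
if [ "$#" -gt 0 ]; then
    check_args "$@" || exit 2
    format_alert "$@"
fi
```

Invoked with constructed arguments such as `response.sh 3 2 2 1700000000 "uid=0, gid=0, pid=4242, ppid=1" "file=/var/adm/wtmp, type=regular, mode=0644, uid=0, gid=3, inode=12345, device=64768" "Append-only file modified or potentially modified"`, the script prints `hids template=3 v2 sev=2 t=1700000000 uid=0 pid=4242 file=/var/adm/wtmp inode=12345 msg="Append-only file modified or potentially modified"`. Because argv[6] is a comma-separated list, a pathname containing a comma cannot be recovered unambiguously from this format; treating the first match as the file name is a deliberate choice here, and a production response program should log the raw argv[6] string alongside the parsed value so nothing is lost.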