Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Login/Logout Template
Appendix A
• Because the login name (ut_user in a utmp structure) is not available for a logout
event, the template retrieves the login name from the wtmp log. If the log has been
cleared, the template creates a logout alert that does not contain the user name, only
the device on which the logout occurred.
• The template generates alerts for ftp logins without the remote host IP address on
11i V1 unless the wu-ftp 2.6.1 patch is installed.
• The host address filtering provided by this template is vulnerable to IP spoofing.
• On IPv6-configured machines, alerts do not display the IP address.
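
The logout behaviour in the first item above can be illustrated with a short added example; it is not code from the guide or from the product. The struct rec type, the record-type constants, the function names and the sample records are hypothetical simplified stand-ins for utmp/wtmp data, and matching a logout to the most recent login on the same device is an assumed correlation rule.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a utmp/wtmp record (assumption: only these fields). */
enum { REC_LOGIN = 1, REC_LOGOUT = 2 };
struct rec { short type; char user[9]; char line[13]; };

/* Constructed sample wtmp contents, oldest record first. */
static const struct rec sample_wtmp[] = {
    { REC_LOGIN,  "alice", "pts/0" },
    { REC_LOGIN,  "bob",   "pts/1" },
    { REC_LOGOUT, "",      "pts/0" },   /* logout records carry no user name */
    { REC_LOGIN,  "carol", "pts/0" },
    { REC_LOGOUT, "",      "pts/0" },
};
#define SAMPLE_N (sizeof sample_wtmp / sizeof sample_wtmp[0])

/* Resolve the user for the logout record log[idx] by scanning backwards for
 * the most recent login on the same device. Returns NULL when the log holds
 * no such login (for example after it was cleared) or when an earlier logout
 * on that device is reached first. */
const char *logout_user(const struct rec *log, size_t n, size_t idx)
{
    if (idx >= n || log[idx].type != REC_LOGOUT) return NULL;
    for (size_t i = idx; i-- > 0; ) {
        if (strcmp(log[i].line, log[idx].line) != 0) continue;
        if (log[i].type == REC_LOGIN && log[i].user[0] != '\0') return log[i].user;
        if (log[i].type == REC_LOGOUT) return NULL;  /* session already closed */
    }
    return NULL;
}

/* Build the alert text; falls back to the device alone when no user is found. */
int format_logout_alert(char *out, size_t sz, const struct rec *log, size_t n, size_t idx)
{
    const char *user = logout_user(log, n, idx);
    if (user)
        return snprintf(out, sz, "logout user=%s device=%s", user, log[idx].line);
    return snprintf(out, sz, "logout device=%s", log[idx].line);
}

int main(void)
{
    char buf[64];
    for (size_t i = 0; i < SAMPLE_N; i++) {
        if (sample_wtmp[i].type != REC_LOGOUT) continue;
        format_logout_alert(buf, sizeof buf, sample_wtmp, SAMPLE_N, i);
        puts(buf);
    }
    return 0;
}
```

Passing a log that contains only the logout record, as after the wtmp log has been cleared, produces an alert with the device and no user name.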