Host Intrusion Detection System Administrator's Guide Release 3.1

Templates and Alerts
Login/Logout Template
Appendix A
Because the login name (ut_user in a utmp structure) is not available for a logout
event, the template retrieves the login name from the wtmp log. If the log has been
cleared, the template creates a logout alert that does not contain the user name, only
the device on which the logout occurred.

The template generates alerts for ftp logins without the remote host IP address on
11i V1 unless the wu-ftp 2.6.1 patch is installed.

The host address filtering provided by this template is vulnerable to IP spoofing.

On IPv6-configured machines, alerts do not display the IP address
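
The wtmp lookup described above for logout events, as an added example that is not code from the guide or from the product: it recovers the login name for a logout record by scanning earlier records for the same device, and returns an empty name when the login record is gone. Matching on ut_line, the helper names and the sample records ("alice", "pts/1") are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>

/* Build one constructed record (sample data, not read from a real wtmp). */
static struct utmp mk(short type, const char *line, const char *user)
{
    struct utmp u;
    memset(&u, 0, sizeof u);
    u.ut_type = type;
    strncpy(u.ut_line, line, sizeof u.ut_line - 1);
    strncpy(u.ut_user, user, sizeof u.ut_user - 1);
    return u;
}

/* Scan backward from the logout at idx for the latest USER_PROCESS on the same
   line (assumed match key). Returns 1 and fills out, or 0 if none survives. */
int resolve_logout_user(const struct utmp *log, int idx, char *out, size_t outlen)
{
    out[0] = '\0';
    for (int i = idx - 1; i >= 0; i--) {
        if (strncmp(log[i].ut_line, log[idx].ut_line, sizeof log[i].ut_line))
            continue;                 /* record for a different device */
        if (log[i].ut_type == DEAD_PROCESS)
            return 0;                 /* previous session already ended */
        if (log[i].ut_type == USER_PROCESS) {
            snprintf(out, outlen, "%.*s", (int)sizeof log[i].ut_user, log[i].ut_user);
            return 1;
        }
    }
    return 0;
}

/* Constructed case: alice logs in on pts/1, then out. cleared != 0 simulates
   a wtmp that was emptied between the login and the logout. */
const char *demo_logout_user(int cleared)
{
    static char name[64];
    struct utmp log[2];
    log[0] = mk(USER_PROCESS, "pts/1", "alice");
    log[1] = mk(DEAD_PROCESS, "pts/1", "");
    resolve_logout_user(cleared ? &log[1] : log, cleared ? 0 : 1, name, sizeof name);
    return name;
}

int main(void)
{
    printf("intact wtmp : user='%s' device=pts/1\n", demo_logout_user(0));
    printf("cleared wtmp: user='%s' device=pts/1\n", demo_logout_user(1));
    return 0;
}
```

A logout alert with an empty user name is therefore itself worth correlating with evidence that wtmp was truncated or replaced.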