HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
A Templates and Alerts
This appendix describes the detection templates that constitute the surveillance groups.
It also describes the alerts that are passed to the System Manager and to the response
programs by the HIDS agent. This appendix addresses the following topics:
• “Alert Summary” (page 135)
• “Limitations” (page 139)
• “Template Property Types” (page 140)
• “Buffer Overflow Template” (page 146)
• “Race Condition Template” (page 152)
• “Modification of files/directories Template” (page 157)
• “Changes to Log File Template” (page 163)
• “Creation and Modification of setuid/setgid File Template” (page 166)
• “Creation of World-Writable File Template” (page 170)
• “Modification of Another User’s File Template” (page 175)
• “Login/Logout Template” (page 179)
• “Repeated Failed Logins Template” (page 185)
• “Repeated Failed su Commands Template” (page 188)
Alert Summary
For each alert, Table A-1 lists the detection template that generates it, the alert severity, and the attack detected.
Table A-1 Detection Templates
| Detection Template | Alert Severity | Attack | Alert |
|---|---|---|---|
| Buffer Overflow Template | 1 | A process attempted to execute on its stack, perhaps as part of a stack buffer overflow attack. | Buffer overflow detected |
| Buffer Overflow Template | 1 | Potential buffer overflow of a privileged program using an unusually long program argument, or using an argument that contains a non-printable character. | Potential buffer overflow detected |
| Race Condition Template | 1 | A file reference for a privileged program was modified. | File reference change |
| Race Condition Template | 1 | A privileged setuid script was executed using a symbolic link. | Race condition attack |
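As an added illustration of the heuristic behind the "Potential buffer overflow detected" alert of the Buffer Overflow Template (example code written for this appendix, not HIDS code or HP's implementation), the following Python checks exec events of privileged programs for an unusually long argument or an argument containing a non-printable character. The event fields, the length threshold and the privilege test are assumptions, not the template's documented properties.

```python
from typing import Optional

# Assumed threshold for "unusually long"; the real template's properties
# are documented later in this appendix and may differ.
MAX_ARG_LEN = 512


def is_privileged(uid: int, euid: int) -> bool:
    """Assumed definition: the process runs as root, or has gained
    privileges through a setuid program (effective uid differs from uid)."""
    return euid == 0 or euid != uid


def suspicious_arg(arg: bytes, max_len: int = MAX_ARG_LEN) -> Optional[str]:
    """Return a reason string if the argument looks like overflow input,
    otherwise None. Non-printable means outside the ASCII range 0x20-0x7e."""
    if len(arg) > max_len:
        return f"argument length {len(arg)} exceeds {max_len}"
    for b in arg:
        if b < 0x20 or b > 0x7E:
            return f"argument contains non-printable byte 0x{b:02x}"
    return None


def check_exec(event: dict) -> Optional[dict]:
    """Evaluate one exec event (assumed fields: path, uid, euid, argv).
    Returns a severity-1 alert dict, or None. Only privileged programs are
    examined, matching the template's scope."""
    if not is_privileged(event["uid"], event["euid"]):
        return None
    for arg in event["argv"]:
        reason = suspicious_arg(arg)
        if reason:
            return {"alert": "Potential buffer overflow detected",
                    "severity": 1, "program": event["path"], "reason": reason}
    return None


# Constructed sample exec events (not real HP-UX audit records).
SAMPLE_EVENTS = [
    {"path": "/usr/bin/passwd", "uid": 1001, "euid": 0, "argv": [b"passwd", b"alice"]},
    {"path": "/usr/bin/passwd", "uid": 1001, "euid": 0, "argv": [b"passwd", b"A" * 4096]},
    {"path": "/usr/bin/passwd", "uid": 1001, "euid": 0, "argv": [b"passwd", b"al\x90ice"]},
    {"path": "/usr/bin/cat", "uid": 1001, "euid": 1001, "argv": [b"cat", b"B" * 4096]},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the alerts raised for a list of events (two for the samples)."""
    return [a for a in (check_exec(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The unprivileged `cat` event with a long argument raises nothing, which is the point of restricting the template to privileged programs.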
Alert Summary 135