HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Table A-1 Detection Templates (continued)

Detection Template                    Alert Severity   Attack                                                     Alert
Repeated Failed su Commands Template  2                Repeated attempts to switch to a user specified as         Failed su attempts
                                                       privileged
Repeated Failed su Commands Template  3                Repeated attempts to switch to a user not specified as     Failed su attempts
                                                       privileged
a. Higher severity if specified by an ip_filter property. For more information about the ip_filter property, see "Login/Logout Template" (page 179).
UNIX Regular Expressions

UNIX regular expressions are supported to specify template directory and file properties. Template properties that specify path names (for example, pathnames_to_watch, pathnames_to_not_watch, pathnames_X, programs_X) are interpreted as UNIX regular expressions. For a description of regular expressions and pattern matching notations, see regexp(5). To match a specific file, use the anchor characters ^ and $ (for example, ^/etc/passwd$). To match any file in a particular directory, use the ^ anchor character and a trailing slash (for example, ^/stand/).
NOTE: You must correctly specify path names using regular expressions. For instance, if the regular expression /var/t.* is changed to /var/t*, then the new regular expression matches any path name that contains the substring /var/, because the * operator matches 0 or more occurrences of the t character. Similarly, if the regular expression ^/opt/ is changed to /opt, the new regular expression is significantly different and much more encompassing. The regular expression /opt matches any path name that contains the /opt substring, including those path names that do not start with /opt, such as /dir1/opt2/file1.
The following examples illustrate UNIX regular expressions:
• The regular expression /home matches any file that contains /home in its path name, such as /dir1/home, /dir1/hometown, /dir1/home2, and /home2/file1.
• The regular expression ^/home matches any file with a path name that starts with /home, such as /hometown, /home/file1, and /home2/file2.
• The regular expression ^/home/ matches any file under the /home directory, such as /home/file1 and /home/dir1/file2.
• The regular expression ^/home$ exactly matches the /home directory or file.
• The regular expression /.rhosts matches any file on the system that contains a slash followed by any character that is then followed by rhosts, such as /dir1/arhosts, /1rhosts, /.rhosts, and /home/<user>/.rhosts.
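The following added example (not from the guide or the HIDS product) models the unanchored, match-anywhere semantics described above with Python's re module and runs the guide's patterns over a constructed list of path names; it also goes one step beyond the text by showing the escaped, anchored form /\.rhosts$ that selects only genuine .rhosts files. Python's regular expression engine is assumed to agree with regexp(5) for these simple patterns.

```python
import re

# Constructed sample path names (not taken from the guide) used to exercise the patterns.
SAMPLE_PATHS = [
    "/home", "/hometown", "/home/file1", "/home/dir1/file2", "/home2/file2",
    "/dir1/home", "/dir1/hometown", "/var/tmp/x", "/var/log/syslog",
    "/opt/app/bin", "/dir1/opt2/file1", "/dir1/arhosts", "/1rhosts",
    "/.rhosts", "/home/alice/.rhosts", "/etc/passwd", "/etc/passwd.bak",
]


def matching_paths(pattern, paths=SAMPLE_PATHS):
    """Return the path names a template path property would select.

    Template path properties are matched as unanchored regular expressions,
    so re.search (match anywhere in the string) models them, not re.fullmatch.
    Only ^ and $ in the pattern itself restrict where the match may occur.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def over_matches(loose, strict, paths=SAMPLE_PATHS):
    """Path names selected by a loose pattern but not by its anchored/escaped form.

    A non-empty result means the loose pattern will watch (or exclude) files
    the administrator did not intend, which is the mistake the NOTE warns about.
    """
    return sorted(set(matching_paths(loose, paths)) - set(matching_paths(strict, paths)))


if __name__ == "__main__":
    for pat in ["/home", "^/home", "^/home/", "^/home$", "/var/t.*", "/var/t*",
                "/opt", "^/opt/", r"/.rhosts", r"/\.rhosts$", "^/etc/passwd$"]:
        print(f"{pat:14} -> {matching_paths(pat)}")
    # Each pair is (what was written, what was meant); extra selections are reported.
    for loose, strict in [("/var/t*", "/var/t.*"), ("/opt", "^/opt/"), (r"/.rhosts", r"/\.rhosts$")]:
        print(f"{loose!r} also selects {over_matches(loose, strict)}")
```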
138 Templates and Alerts