HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Alerts generated by this template
The following alerts are generated by the Buffer Overflow template:
• “Execute on Stack” (page 148)
• “Unusual Argument Length” (page 149)
• “Argument with Nonprintable Character” (page 150)
Execute on Stack
Table A-3 lists the properties of the alert that this template generates and forwards to a response program
when the HP-UX 11i kernel detects an execute-on-stack condition.
Table A-3 Execute on Stack Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 0 | Unique code assigned to the template |
| argv[2] | Version | Integer | 2 | Version of the template |
| argv[3] | Severity | Integer | 1 | Alert severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when execute-on-stack was detected |
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that attempted to execute on its stack |
| argv[6] | Target of Attack | String | program=<full pathname>, type=<type>, mode=<mode>, uid=<uid>,gid=<gid>, inode=<inode>,device=<device> | The full pathname of the program the attacker was running when attempting to execute off the stack and the program’s type, mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | Buffer overflow detected | Alert summary |
| argv[8] | Details | String | Buffer overflow detected by kernel for process with pid <pid> and ppid <ppid> when executing <program>(type= <type>, inode=<inode>, device=<device), invoked with <args> | Detailed alert description |
| argv[9] | Event | String | null | The event that triggered the alert. |
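
The argument layout in Table A-3, shown as an added example that is not part of the HP guide: a POSIX shell response program that validates the nine arguments and prints one sanitized log line. The function names, the output layout, and the assumption that the IDs are decimal numbers are this example's own.

```shell
#!/bin/sh
# Added example (not HP's code): response program for the Execute on Stack
# alert. Argument positions follow Table A-3; function names and the output
# line layout are assumptions of this example.

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# clean STRING: replace every non-printable byte with '?', so a hostile
# pathname cannot inject newlines or terminal escapes into the log line.
clean() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?'
}

# kv_get KEY STRING: print KEY's value from the "k=v, k=v" list in argv[5].
kv_get() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^ *$1=//p" | head -n 1
}

# target_program STRING: print the pathname from argv[6]. A pathname may
# contain commas, so cut at the last ", type=" instead of splitting on ','.
target_program() {
    printf '%s\n' "$1" | sed -n 's/^program=\(.*\), *type=.*$/\1/p'
}

# format_alert ARGV1..ARGV9: validate the fields and print one log line.
format_alert() {
    [ "$#" -eq 9 ] || return 2
    [ "$1" = 0 ] || return 3        # template code 0 per Table A-3
    is_uint "$3" && is_uint "$4" || return 2   # Severity, UTC Time
    attacker=$(clean "$5")
    target=$(clean "$6")
    uid=$(kv_get uid "$attacker")
    pid=$(kv_get pid "$attacker")
    ppid=$(kv_get ppid "$attacker")
    prog=$(target_program "$target")
    # Assumption: the IDs are decimal; anything else is rejected.
    is_uint "$uid" && is_uint "$pid" && is_uint "$ppid" && [ -n "$prog" ] || return 2
    # The free-form pathname goes last so it cannot shadow another field.
    printf 'hids template=%s severity=%s utc=%s uid=%s pid=%s ppid=%s program=%s\n' \
        "$1" "$3" "$4" "$uid" "$pid" "$ppid" "$prog"
}

# When started with the nine arguments of Table A-3, emit the line on stdout.
if [ "$#" -eq 9 ]; then
    format_alert "$@" || echo "hids: unexpected alert arguments" >&2
fi
```

The pathname in argv[6] is chosen by whoever ran the program, so the script never evaluates it and only prints it after the control characters have been replaced.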