HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
NOTE: See Table B-1 (page 194) in Appendix B for the definition of additional
arguments that can be used to access specific alert information (for example, pid and
ppid) without parsing the string alert fields.
Unusual Argument Length
Table A-4 lists the alert properties that the Buffer Overflow template generates and
forwards to a response program when a privileged setuid program is invoked with an
argument whose length is equal to or greater than the unusual_arg_len property value.
Table A-4 Unusual Argument Length Alert Properties

Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument
Unique code assigned to template | 0 | Integer | Template code | argv[1]
Version of the template | 3 | Integer | Version | argv[2]
Alert severity | 1 | Integer | Severity | argv[3]
UTC time in number of seconds since the epoch when a privileged setuid program was run with an unusual argument length | <secs> | Integer | UTC Time | argv[4]
The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an unusually long argument length | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | String | Attacker | argv[5]
The full path name of the setuid program the attacker executed with an unusually long argument length and the program's type, mode, uid, gid, inode, and device number | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | String | Target of Attack | argv[6]
Alert summary | Potential Buffer overflow detected | String | Summary | argv[7]
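A response program receives the seven properties above as argv[1] through argv[7]. The following POSIX shell script is an added example, not part of the HP-UX HIDS distribution: it checks the template code and version, parses the Attacker and Target of Attack string fields into their key=value parts, and writes one audit line. The function names and the sample alert values are constructed for this example; the additional arguments defined in Table B-1 are the alternative to parsing the string fields.

```shell
#!/bin/sh
# Response-program skeleton for the Unusual Argument Length alert (Table A-4).
# Added example, not HP-UX HIDS code. Helper names are assumptions of this example.
# HIDS passes the seven alert properties as argv[1]..argv[7].

# field_value <key> <string field>: extract the value of key=value from a
# comma-separated alert field such as "uid=0, gid=3, pid=4212, ppid=4210".
# The pattern is anchored, so "pid" does not match inside "ppid".
field_value() {
    key=$1
    field=$2
    printf '%s\n' "$field" | tr ',' '\n' | sed -n "s/^[[:space:]]*$key=//p" | head -n 1
}

# summarize_unusual_arg_alert <code> <version> <severity> <secs> <attacker> <target> <summary>
# Accepts only template code 0, version 3 (the values in Table A-4) and prints
# one line suitable for a syslog or audit record; returns 1 for anything else.
summarize_unusual_arg_alert() {
    code=$1; version=$2; severity=$3; secs=$4; attacker=$5; target=$6; summary=$7
    if [ "$code" != "0" ] || [ "$version" != "3" ]; then
        printf 'unexpected template code/version %s/%s\n' "$code" "$version" >&2
        return 1
    fi
    uid=$(field_value uid "$attacker")
    pid=$(field_value pid "$attacker")
    ppid=$(field_value ppid "$attacker")
    file=$(field_value file "$target")
    mode=$(field_value mode "$target")
    printf 'sev=%s time=%s file=%s mode=%s uid=%s pid=%s ppid=%s msg=%s\n' \
        "$severity" "$secs" "$file" "$mode" "$uid" "$pid" "$ppid" "$summary"
}

# As a response program, HIDS supplies the arguments. Run with no arguments,
# the script uses constructed sample values so it can be tried offline.
if [ $# -eq 0 ]; then
    summarize_unusual_arg_alert 0 3 1 1096300800 \
        "uid=1002, gid=20, pid=4212, ppid=4210" \
        "file=/usr/bin/passwd, type=file, mode=4555, uid=0, gid=2, inode=1234, device=64000" \
        "Potential Buffer overflow detected"
else
    summarize_unusual_arg_alert "$@"
fi
```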
Buffer Overflow Template 149