HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Table A-4 Unusual Argument Length Alert Properties (continued)

Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument
Detailed alert description | Potential buffer overflow attack by process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]>. Length of the longest argument is <value>, which surpasses the longest expected argument length of <unusual_arg_len>. Total length of arguments is <value>. | String | Details | argv[8]
The event that triggered the alert | null | String | Event | argv[9]
NOTE: See Table B-1 (page 194) for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.
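The Details field in Table A-4 is a single free-text string, so a response program that only receives the positional arguments has to recover pid, ppid and the program path from the documented phrasing. The following POSIX sh response program is an added example, not HP-UX HIDS product code: it assumes the argument layout of Tables A-4 and A-5 (argv[1] template code, argv[2] version, argv[3] severity, argv[4] UTC seconds, argv[8] Details, argv[9] Event), assumes a single space between "executing" and <program> in the Details text, and uses a constructed sample alert string (SAMPLE_DETAILS) whose pid, inode and device values are invented for the demonstration. Where the Table B-1 arguments are available they are the preferred source; this parse is the fallback and returns nothing when the string does not match the documented format.

```shell
#!/bin/sh
# Hypothetical HIDS response program for Buffer Overflow template alerts.
# Example code added to this page, not HP-UX HIDS product code.
# Assumed positional layout (from Tables A-4 and A-5):
#   $1 template code   $2 template version   $3 severity
#   $4 UTC seconds     $8 Details string     $9 Event (null for this alert)
# Positions 5-7 carry other alert fields and are not used here.

# Each details_* function recovers one value by matching the fixed phrasing
# documented for the Details string. Empty output means no match.
details_pid() {
  printf '%s\n' "$1" | sed -n 's/.*process with pid \([0-9][0-9]*\) and ppid .*/\1/p'
}
details_ppid() {
  printf '%s\n' "$1" | sed -n 's/.*and ppid \([0-9][0-9]*\) when executing .*/\1/p'
}
details_program() {
  # Assumes one space between "executing" and the program path.
  printf '%s\n' "$1" | sed -n 's/.*when executing \(.*\) (type=.*/\1/p'
}
details_longest_len() {
  printf '%s\n' "$1" | sed -n 's/.*longest argument is \([0-9][0-9]*\), which .*/\1/p'
}
details_expected_len() {
  printf '%s\n' "$1" | sed -n 's/.*expected argument length of \([0-9][0-9]*\)\..*/\1/p'
}

# Build one tab-separated record for a log or SIEM pipe so the free-text
# Details never has to be re-parsed downstream. Returns 1 (no output) when
# the Details string is not in the documented format.
format_record() {
  code=$1
  version=$2
  severity=$3
  utc=$4
  details=$8
  pid=$(details_pid "$details")
  ppid=$(details_ppid "$details")
  prog=$(details_program "$details")
  longest=$(details_longest_len "$details")
  expected=$(details_expected_len "$details")
  [ -n "$pid" ] && [ -n "$prog" ] || return 1
  printf 'template=%s\tversion=%s\tseverity=%s\tutc=%s\tpid=%s\tppid=%s\tprogram=%s\tlongest=%s\texpected=%s\n' \
    "$code" "$version" "$severity" "$utc" "$pid" "$ppid" "$prog" "$longest" "$expected"
}

# Constructed sample Details string in the Table A-4 format; values invented.
SAMPLE_DETAILS='Potential buffer overflow attack by process with pid 4242 and ppid 4100 when executing /usr/bin/passwd (type=f, inode=1234, device=0x40000003), invoked as follows: passwd AAAAAAAA. Length of the longest argument is 600, which surpasses the longest expected argument length of 512. Total length of arguments is 607.'

# When HIDS invokes this script it passes the alert fields as arguments;
# fall back to the raw Details text if the parse fails.
if [ $# -ge 9 ]; then
  format_record "$@" || printf 'unparsed alert: %s\n' "$8" >&2
fi
```

Run it by hand as `sh respond.sh 0 3 1 1700000000 a b c "$SAMPLE_DETAILS" ""` to see one record per alert; the sed patterns are anchored on the surrounding words rather than on field position, so a program path containing spaces or parentheses still parses as long as it is followed by " (type=".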
Argument with Nonprintable Character
Table A-5 lists the alert properties the Buffer Overflow template generates and forwards to a response program when a privileged setuid program is invoked with an argument that contains a nonprintable character.
Table A-5 Argument with Nonprintable Character Alert Properties

Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument
Unique code assigned to template | 0 | Integer | Template code | argv[1]
Template version | 3 | Integer | Version | argv[2]
Alert severity | 1 | Integer | Severity | argv[3]
UTC time in number of seconds since the epoch when a privileged setuid program was run with an argument that contains a nonprintable character | <secs> | Integer | UTC time | argv[4]
150 Templates and Alerts