HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Table A-5 Argument with Nonprintable Character Alert Properties (continued)

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
--------------------------|-------------|------------------|--------------------|------------
argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an argument that contains a nonprintable character
argv[6] | Target of attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | The full path name of the setuid program the attacker executed with an argument that contains a nonprintable character, and the program's type, mode, uid, gid, inode, and device number
argv[7] | Summary | String | Potential buffer overflow detected | Alert summary
argv[8] | Details | String | Potential buffer overflow attack by process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]> contains non-printable characters. | Detailed alert description
argv[9] | Event | String | null | The event that triggered the alert
NOTE: See Table B-1 (page 194) in Appendix B for the definitions of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields above.
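The following POSIX shell fragment is an added example, not code from the HP-UX HIDS product or this guide. It shows how a response program would parse the "key=value, key=value" Attacker (argv[5]) and Target of attack (argv[6]) fields from Table A-5 when it does not use the Appendix B convenience arguments. The sample field values are constructed; the assumption that HIDS passes the fields as positional arguments in the positions the table lists (argv[5] and argv[6]) is taken from the table, and the output format of the summary line is the example's own choice.

```sh
#!/bin/sh
# Added example (not part of the HP-UX HIDS Administrator's Guide): parsing the
# Buffer Overflow template alert fields that a response program receives.
# Sample values below are constructed for illustration.

# alert_field_value FIELD KEY
# Print the value of KEY from a "key=value, key=value" alert field string,
# or print nothing if KEY is absent. Splitting on ',' and anchoring the
# match at the start of each piece keeps "pid=" from matching "ppid=".
alert_field_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# summarize_bo_alert ATTACKER_FIELD TARGET_FIELD
# Reduce the two string fields to a single log record. Note that "uid" and
# "gid" appear in both fields with different meanings: in argv[5] they are
# the credentials of the process that ran the setuid program, in argv[6]
# they are the owner and group of the setuid program file itself.
summarize_bo_alert() {
    attacker=$1
    target=$2
    pid=$(alert_field_value "$attacker" pid)
    ppid=$(alert_field_value "$attacker" ppid)
    uid=$(alert_field_value "$attacker" uid)
    file=$(alert_field_value "$target" file)
    mode=$(alert_field_value "$target" mode)
    owner=$(alert_field_value "$target" uid)
    printf 'bo_alert pid=%s ppid=%s uid=%s file=%s mode=%s owner=%s\n' \
        "$pid" "$ppid" "$uid" "$file" "$mode" "$owner"
}

# Constructed sample alert fields in the argv[5] / argv[6] formats of Table A-5.
SAMPLE_ATTACKER='uid=1001, gid=20, pid=4242, ppid=4100'
SAMPLE_TARGET='file=/usr/bin/passwd, type=f, mode=4555, uid=0, gid=3, inode=1234, device=64'

# demo_summary: run the parser over the constructed sample and return the record.
demo_summary() {
    summarize_bo_alert "$SAMPLE_ATTACKER" "$SAMPLE_TARGET"
}

# When invoked by HIDS as a response program, the alert fields arrive as
# positional arguments; argv[5] is the Attacker field and argv[6] the Target
# field (Table A-5). The lower positions are not covered by this excerpt.
if [ "$#" -ge 9 ]; then
    summarize_bo_alert "$5" "$6"
else
    demo_summary
fi
```

Because the Details field (argv[8]) embeds the same pid, ppid and program path in free text, a response program should take them from argv[5] and argv[6] (or from the Appendix B arguments) rather than from the Details string, which is formatted for people, not parsers.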
Limitations

The Buffer Overflow template has the following limitations:

• The template does not detect whether a buffer overflow attack was successful. It only detects that one might have been attempted.

• The template only reports exec-on-stack buffer overflow attacks on HP-UX 11i when exec-on-stack protection is enabled.
Buffer Overflow Template 151