HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
File Reference Modification
Table A-7 lists the alert properties that the File Reference Modification template
generates and forwards to a response program when the file reference in a privileged
program is modified unexpectedly.
Table A-7 File Reference Modification Alert Properties
DescriptionAlert Value/FormatAlert
Field
Type
Alert FieldResponse
Program
Argument
Unique code assigned to
template.
1IntegerTemplate codeargv[1]
Version of the template.3IntegerVersionargv[2]
Alert severity.1IntegerSeverityargv[3]
UTC time in number of
seconds since epoch
when an unexpected file
reference was detected.
<secs>IntegerUTC Timeargv[4]
The user ID, group ID,
process ID, and parent
process ID of the process,
if known, that modified
a privileged program’s
file reference. All values
are set to -1 if the
attacker is not known.
uid=<uid>, gid=<gid>, pid=<pid>,
ppid=<ppid>
StringAttackerargv[5]
The full path name of the
file whose reference was
modified, and the file’s
type, mode, uid, gid,
inode, and device
number
file=<full pathname>,
type=<type>, mode=<mode>,
uid=<uid>, gid=<gid>,
inode=<inode>, device=<device>
StringTarget of Attackargv[6]
Alert summaryFile reference changeStringSummaryargv[7]
154 Templates and Alerts