HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

pathnames_to_not_watch
    Path names of files whose modification can safely be ignored, regardless of which program modifies them.

pathnames_X, programs_X
    Use these property pairs to suppress the alerts generated when a particular program modifies a particular file in a way other than appending to it (for example, a log rotation tool that truncates a log it is allowed to manage). See “Type II: Path Names/Programs Pairs” (page 141) for a detailed description of these property pairs.
Alerts generated by this template
Append-Only File Being Modified
Table A-12 lists the alert properties this template generates and forwards to a response
program when a file is modified in a way other than being appended to.
Table A-12 Append-Only File Being Modified Alert Properties

Description                          Alert Value/Format                Alert Field Type  Alert Field       Response Program Argument
-----------------------------------  --------------------------------  ----------------  ----------------  -------------------------
Unique code assigned to template     3                                 Integer           Template code     argv[1]
Template version                     3                                 Integer           Version           argv[2]
Alert severity                       2                                 Integer           Severity          argv[3]
UTC time, in seconds since the       <secs>                            Integer           UTC time          argv[4]
  epoch, when the file was modified
User ID, group ID, process ID, and   uid=<uid>, gid=<gid>,             String            Attacker          argv[5]
  parent process ID of the process     pid=<pid>, ppid=<ppid>
  that modified the file
Full path name of the file that was  file=<full pathname>,             String            Target of attack  argv[6]
  modified, and the file’s type,       type=<type>, mode=<mode>,
  mode, uid, gid, inode, and device    uid=<uid>, gid=<gid>,
  number                               inode=<inode>, device=<device>
Alert summary                        Append-only file modified or      String            Summary           argv[7]
                                       potentially modified
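The following response program is an added example and is not part of the HP-UX HIDS guide or product. It shows how a script can consume the seven arguments of Table A-12: it checks that the alert really came from template code 3, version 3, before acting, pulls individual values out of the key=value lists in argv[5] and argv[6], and appends one log record per alert. The log file location (HIDS_RESPONSE_LOG, defaulting to /var/tmp/append_only_alerts.log) and the sample argument values are assumptions; only the argument positions and field formats come from the table.

```shell
#!/bin/sh
# Added example, not code from the HP-UX HIDS guide. HIDS passes the seven
# alert fields of Table A-12 as argv[1]..argv[7]; everything below is
# derived from those positions. The log path is an assumption.

LOG=${HIDS_RESPONSE_LOG:-/var/tmp/append_only_alerts.log}   # assumed path

# Value of KEY ($1) in a "key=value, key=value" list ($2), i.e. argv[5] or
# argv[6]. Splitting on commas is safe for every key except the file path,
# which may itself contain commas; that case is handled by target_path.
kv() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# The path in argv[6] runs from "file=" up to the ", type=" that follows it,
# so take that whole span instead of splitting on commas.
target_path() {
    printf '%s\n' "$1" | sed -n 's/^file=\(.*\), type=.*$/\1/p'
}

# Accept only the template code and version this handler was written for,
# so a different template wired to the same script is refused, not mishandled.
is_append_only_alert() {
    [ "$1" = "3" ] && [ "$2" = "3" ]
}

# Turn the seven arguments into a single log record.
format_alert() {
    printf 'utc=%s sev=%s uid=%s pid=%s ppid=%s file=%s inode=%s summary="%s"\n' \
        "$4" "$3" "$(kv uid "$5")" "$(kv pid "$5")" "$(kv ppid "$5")" \
        "$(target_path "$6")" "$(kv inode "$6")" "$7"
}

# Entry point when HIDS invokes the script with the seven alert arguments.
if [ $# -eq 7 ]; then
    if is_append_only_alert "$1" "$2"; then
        format_alert "$@" >> "$LOG"
    else
        printf 'unexpected template code=%s version=%s\n' "$1" "$2" >&2
        exit 1
    fi
fi
```

Because uid and gid appear in both argv[5] (the attacking process) and argv[6] (the target file), always look each key up in the argument it belongs to; kv above is given the argument explicitly for that reason. The version check matters because a later template version could reorder or add fields, and a script that silently parsed the wrong layout would log misleading attacker or target data.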
164 Templates and Alerts