HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

to be generated, and duplicate alerts that occur within 30
seconds are not reported. It is not an uncommon occurrence
for a user to mistype a password when attempting to log in.
By modifying the values, you can customize this template to
local user behavior.
priv_user_list
A high severity alert is generated when a user with a user
ID or user name in this list fails to log in.
Alerts generated by this template
Failed Login Attempts
Table A-23 lists the alert properties this template generates and forwards to a response
program when repeated failed logins are detected.
Table A-23 Failed Login Attempts Alert Properties
| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 8 | Unique code assigned to template |
| argv[2] | Version | Integer | 3 | Template version |
| argv[3] | Severity | Integer | 2 for users listed in the priv_user_list property; 3 for all other users. | Alert severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since the epoch when <max_failed_login> number of failed logins were detected for a particular target login account |
| argv[5] | Attacker | String | <fully qualified host name> <IP Address> | Name or IP address of the host from which the user logged in or out. |
| argv[6] | Target | String | <username> | Name of the user who logged in or out. |
| argv[7] | Summary | String | Failed login attempts | Alert summary |
| argv[8] | Details | String | More than <max_failed_login> failed logins by user <username> (REMOTE: <fully qualified host name> <IP address>) | Detailed alert description |
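The following response-program sketch consumes the eight arguments in Table A-23. It is an added example, not code from this guide or from the product. The function names, the log line format and the LOGFILE path are assumptions. It validates the integer fields, checks for template code 8, and strips control characters and double quotes from the host and user strings, which come from the login attempt itself, before writing a single log line.

```shell
#!/bin/sh
# Added example (not from the HP guide): response-program logic for the
# Failed Login Attempts alert, using the argv layout of Table A-23.

# Remove control characters and double quotes so strings taken from the
# login attempt (host, user name) cannot inject extra lines or fields.
sanitize() {
    printf '%s' "$1" | tr -d '\000-\037\177"'
}

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# format_failed_login_alert ARGV1..ARGV8
# Prints one log line; returns 1 for malformed input, 2 for another template.
format_failed_login_alert() {
    [ "$#" -ge 8 ] || return 1
    for n in "$1" "$2" "$3" "$4"; do
        is_uint "$n" || return 1
    done
    [ "$1" -eq 8 ] || return 2          # template code 8 = this template

    case "$3" in
        2) level="PRIVILEGED" ;;        # user is in priv_user_list
        3) level="STANDARD" ;;          # any other user
        *) level="SEV$3" ;;
    esac

    printf 'hids failed-login class=%s severity=%s utc=%s target="%s" source="%s" details="%s"\n' \
        "$level" "$3" "$4" "$(sanitize "$6")" "$(sanitize "$5")" "$(sanitize "$8")"
}

# Hypothetical wiring: when run as the response program, log the alert.
# LOGFILE is an assumed path, not one defined by the product.
if [ "$#" -ge 8 ]; then
    LOGFILE=${LOGFILE:-/tmp/hids_failed_login.log}
    format_failed_login_alert "$@" >> "$LOGFILE"
fi
```
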