Manualshelf

HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software
141142143144145146147148149150
ip_filters Contains a list of triplets {ip_address, mask,severity}.Filters
login alerts and determines the alert’s severity based on which
remote host or network the login was made from. If a login’s
remote host IP address matches one of the triplet’s IP addresses
qualified by the triplet’s network mask, then the alert severity is
set to the corresponding triplet’s severity. A severity level of 0
indicates that an alert for a login event with a matching remote IP
address is filtered except for root and ids users. If a login event’s
remote host IP address does not match any triplet, then a severe
alert (severity=2) is generated for users in priv_user_listand
a moderate alert (severity=3) is generated for all other users. If the
ip_address is a host IPv4 address, the value of the mask must be
set to 255.255.255.255. If the ip_address is a host IPv6 address, the
value of the mask should be set to /128. Host address filtering is
only applied to those login events that are not filtered out by the
users_to_ignore and users_to_monitor template
properties.
priv_user_list
A high severity alert is generated when a user with a user ID or
user name in this list logs in or logs out.
Alerts generated by this template
See “Login/Logout” (page 149) and “Successful su Detected” (page 150) for more information
about the alerts generated by the Login/Logout template.
Login/Logout
Table A-23 lists the alert properties the Login/Logout template generates and forwards to a
response program when a successful login or logout occurs.
Table A-23 Login/Logout Alert Properties
DescriptionAlert Value/FormatAlert Field TypeAlert FieldResponse
Program
Argument
Unique code assigned to
template
7IntegerTemplate
code
argv[1]
Template version<version>IntegerVersionargv[2]
Alert severity2 for users listed in the
priv_user_list property, and 1 if
specified by an ip filter property.
IntegerSeverityargv[3]
UTC time in number of
seconds since the epoch
when a successful login,
logout, or su event
occured.
<secs>
IntegerUTC Timeargv[4]
Name or IP address of the
host from which the user
attempted to log in.
<fully qualified host name>
<IP address>
StringAttackerargv[5]
Login name that the user
attempted to log in as.
<username>
StringTargetargv[6]
Alert summaryStart of a successful login session or
end of a login session
StringSummaryargv[7]
Login/Logout Template 149