HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
Disable Remote Networking
If you have determined that an intrusion is originating from a remote location, the following
script disables networking on the system.
IMPORTANT: This script requires privileges and must not be installed as a setuid privileged
script. This script is for illustration purposes only. For instructions on safely writing a privileged
response program, see “Writing Privileged Response Programs” (page 167).
NOTE: After this script runs, the agent cannot make new connections to the HP-UX HIDS System
Manager, and you must log in to the system at the console. Any existing connection remains open,
but new connections handled by inetd are refused.
Example B-5 Disabling Remote Networking
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Disable networking on the system as an extreme response
# to a remotely launched intrusion.

RECIPIENT="root"

# If there is a file modification alert
if [ "$1" = "2" ]
then
    # And if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]
    then
        echo "Critical intrusion: halting networking \n$8" \
            | /usr/bin/mailx -s "$7" "${RECIPIENT}"
        /sbin/init.d/inetd stop
    fi
fi
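A dry-run variant of the check in Example B-5, added here as an example and not part of the HP guide, so the decision can be tested with constructed alerts before the script is allowed to stop inetd. The DRY_RUN switch and the function names are hypothetical; only argument positions 1, 7, 8 and 17 are used, as in the script above.

```sh
#!/bin/sh
# Added example, not HP's code. Positions 1, 7, 8 and 17 are used as in
# Example B-5; DRY_RUN and the function names are hypothetical.

RECIPIENT="root"
DRY_RUN="${DRY_RUN:-1}"   # 1 = report the decision only, 0 = act on it

# Exit status: 0 = file modification alert on /etc/passwd,
#              1 = any other alert, 2 = too few arguments to decide.
is_critical_alert() {
    [ "$#" -ge 17 ] || return 2
    [ "$1" = "2" ] || return 1
    [ "${17}" = "/etc/passwd" ] || return 1
    return 0
}

# Prints the decision: malformed, ignore, would-stop or stopped.
respond() {
    rc=0
    is_critical_alert "$@" || rc=$?
    case "$rc" in
        0) ;;
        2) echo "malformed"; return 0 ;;
        *) echo "ignore"; return 0 ;;
    esac
    if [ "$DRY_RUN" = "1" ]; then
        echo "would-stop"
        return 0
    fi
    printf 'Critical intrusion: halting networking\n%s\n' "$8" \
        | /usr/bin/mailx -s "$7" "$RECIPIENT"
    /sbin/init.d/inetd stop >/dev/null
    echo "stopped"
}

# Constructed alert: $1 = alert code, $2 = target path, the rest is filler.
sample_respond() {
    respond "$1" f2 f3 f4 f5 f6 "constructed summary" "constructed details" \
        f9 f10 f11 f12 f13 f14 f15 f16 "$2"
}

sample_respond 2 /etc/passwd   # would-stop
sample_respond 2 /etc/hosts    # ignore
respond 2                      # malformed
```

Set DRY_RUN=0 only after the dry run reports the decisions you expect for each constructed alert.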