HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

101

102

103

104

105

106

107

108

109

110

A Templates and Alerts

This appendix describes the detection templates that constitute the surveillance groups. It also

describes the alerts that are passed to the System Manager and to the response programs by the

HIDS agent. This appendix addresses the following topics:

• “Alert Summary” (page 103)

• “Limitations” (page 107)

• “Template Property Types” (page 107)

• “Buffer Overflow Template” (page 113)

• “Race Condition Template” (page 117)

• “Modification of files/directories Template” (page 121)

• “Changes to Log File Template” (page 126)

• “Creation and Modification of setuid/setgid File Template” (page 130)

• “Creation of World-Writable File Template” (page 133)

• “Modification of Another User’s File Template” (page 136)

• “Login/Logout Template” (page 139)

• “Repeated Failed Logins Template” (page 143)

• “Repeated Failed su Commands Template” (page 146)

• “Log File Monitoring Template” (page 147)

Alert Summary

Table 11 lists the attack detected, the alert severity, and the detection template that generates the

alert, for each alert.

Table 11 Detection Templates

Detection TemplateAlert SeverityAttackAlert

Buffer Overflow Template1A process attempted to execute on

its stack, perhaps as part of a

stack buffer overflow attack.

Buffer overflow detected

Buffer Overflow Template1Potential buffer overflow of a

privileged program using an

unusually long program argument,

or using an argument that contains

a non-printable character.

Potential buffer overflow

detected

Race Condition Template1A file reference for a privileged

program was modified.

File reference change

Race Condition Template1A privileged setuid script was

executed using a symbolic link.

Race condition attack

Race Condition Template2A privileged setuid script was

executed, but not necessarily using

a symbolic link.

Potential race condition

attack

Modification of

files/directories Template

2The following operations were

either unsuccessfully or successfully

performed on a read-only file:

• Truncation

• Deletion

• Renaming

File system modification or

potential modification

Alert Summary 103