HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

Table 13 Execute on Stack Alert Properties

| Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument |
|---|---|---|---|---|
| Unique code assigned to the template | 0 | Integer | Template code | argv[1] |
| Version of the template | <version> | Integer | Version | argv[2] |
| Alert severity | 1 | Integer | Severity | argv[3] |
| UTC time in number of seconds since epoch when execute-on-stack was detected | <secs> | Integer | UTC Time | argv[4] |
| The user ID, group ID, process ID, and parent process ID of the process that attempted to execute on its stack | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | String | Attacker | argv[5] |
| The full pathname of the program the attacker was running when attempting to execute off the stack and the program's type, mode, uid, gid, inode, and device number | program=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | String | Target of Attack | argv[6] |
| Alert summary | Buffer overflow detected | String | Summary | argv[7] |
| Detailed alert description | Buffer overflow detected by kernel for process with pid <pid> and ppid <ppid> when executing <program>(type=<type>, inode=<inode>, device=<device>), invoked with <args> | String | Details | argv[8] |
| The event that triggered the alert | null | String | Event | argv[9] |

NOTE: See Table 41 (page 152) in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.
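The following response program is an added example, not code shipped with HP-UX HIDS: it takes the nine arguments laid out in Table 13 and reduces them to one log record, parsing pid, ppid and uid out of the Attacker field and program and inode out of the Target of Attack field. The function names (field_value, eos_record) and every sample value are constructed for illustration; in production the dedicated arguments from Appendix B are the supported way to obtain pid and ppid without string parsing.

```shell
#!/bin/sh
# Added example response program for Execute on Stack alerts (argv layout
# from Table 13). field_value/eos_record and all sample values are
# constructed for illustration; they are not part of the HIDS product.

# Pull one key's value out of a "key=value, key=value" alert field
# (the Attacker and Target of Attack formats). Prints an empty line
# when the key is absent. Assumes the values themselves contain no comma.
field_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# Turn the nine response-program arguments into one key=value record
# suitable for a log collector. Returns 1 when the argument count is
# wrong, so a misconfigured invocation is not silently logged as an alert.
eos_record() {
    [ $# -eq 9 ] || return 1
    tcode=$1 tver=$2 sev=$3 secs=$4 attacker=$5 target=$6
    pid=$(field_value "$attacker" pid)     # "pid=" does not match "ppid="
    ppid=$(field_value "$attacker" ppid)
    uid=$(field_value "$attacker" uid)
    prog=$(field_value "$target" program)
    inode=$(field_value "$target" inode)
    printf 'template=%s version=%s severity=%s time=%s uid=%s pid=%s ppid=%s program=%s inode=%s\n' \
        "$tcode" "$tver" "$sev" "$secs" "$uid" "$pid" "$ppid" "$prog" "$inode"
}

# When invoked by HIDS, argv[1]..argv[9] arrive as "$@"; emit the record.
if [ $# -eq 9 ]; then
    eos_record "$@"
fi
```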
Unusual Argument Length
Table A-4 lists the alert properties that the Buffer Overflow template generates and forwards to a response program when a privileged setuid program is invoked with an argument equal to or greater than the unusual_arg_len property value.
Table 14 Unusual Argument Length Alert Properties

| Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument |
|---|---|---|---|---|
| Unique code assigned to template | 0 | Integer | Template code | argv[1] |
| Version of the template | <version> | Integer | Version | argv[2] |
| Alert severity | 1 | Integer | Severity | argv[3] |
| UTC time in number of seconds since the epoch when a privileged setuid program was run with an unusual program length | <secs> | Integer | UTC Time | argv[4] |
Buffer Overflow Template 115