HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
Table 14 Unusual Argument Length Alert Properties (continued)

Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument
The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an unusually long argument length | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | String | Attacker | argv[5]
The full path name of the setuid program the attacker executed with an unusually long argument length, and the program's type, mode, uid, gid, inode, and device number | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | String | Target of Attack | argv[6]
Alert summary | Potential Buffer overflow detected | String | Summary | argv[7]
Detailed alert description | Potential buffer overflow attack by process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]>. Length of the longest argument is <value>, which surpasses the longest expected argument length of <unusual_arg_len>. Total length of argument is <value>. | String | Details | argv[8]
The event that triggered the alert | null | String | Event | argv[9]
NOTE: See Table 41 (page 152) for the definition of additional arguments that can be used to
access specific alert information (for example, pid and ppid) without parsing the string alert fields.
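The following response program is an added example, not code shipped with HP-UX HIDS, showing how a script invoked with the nine positional arguments of Table 14 can recover the pid and target path from the string-valued Attacker (argv[5]) and Target of Attack (argv[6]) fields. The argument layout is the one the table documents; the "kill on severity 1, otherwise log" policy, the hids_field and hids_plan helper names, and the syslog tag are assumptions made for the example. The sample field strings in the comments are constructed.

```sh
#!/bin/sh
# Example HIDS response program (added illustration, not HP's code).
# HIDS passes the alert as positional arguments, per Table 14:
#   $1 template code   $2 template version   $3 severity   $4 UTC seconds
#   $5 Attacker  "uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>"
#   $6 Target    "file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>,
#                 gid=<gid>, inode=<inode>, device=<device>"
#   $7 Summary   $8 Details   $9 Event

# hids_field KEY FIELD
# Print the value of "KEY=<value>" from a comma-separated "key=value" alert
# field, or print nothing when KEY is absent. Keys are matched whole, so
# asking for "pid" does not return the "ppid" value.
hids_field() {
    key=$1
    field=$2
    printf '%s\n' "$field" \
        | tr ',' '\n' \
        | sed -n "s/^[[:space:]]*${key}=\(.*\)$/\1/p" \
        | head -n 1
}

# hids_plan SEVERITY ATTACKER_FIELD TARGET_FIELD
# Decide the response and print it as one line: "KILL <pid> <path>" or
# "LOG <pid> <path>". Policy (an assumption for this example): severity 1
# alerts terminate the offending process, anything else is only logged.
# Never acts on a missing, non-numeric, or init (1) pid.
hids_plan() {
    severity=$1
    pid=$(hids_field pid "$2")
    path=$(hids_field file "$3")
    case $pid in
        ''|*[!0-9]*|1) echo "LOG ${pid:-unknown} ${path:-unknown}"; return 0 ;;
    esac
    case $severity in
        1) echo "KILL $pid ${path:-unknown}" ;;
        *) echo "LOG $pid ${path:-unknown}" ;;
    esac
}

# Entry point: only runs when HIDS supplies all nine arguments, so the
# helpers above can also be sourced or tested on their own.
if [ "$#" -ge 9 ]; then
    plan=$(hids_plan "$3" "$5" "$6")
    action=${plan%% *}
    rest=${plan#* }
    target_pid=${rest%% *}
    # Record every alert with the constructed tag "hids-response" (assumed).
    logger -t hids-response "$7: $plan (template=$1 version=$2 utc=$4)" \
        2>/dev/null || true
    # kill -0 confirms the pid still exists before sending SIGTERM.
    if [ "$action" = KILL ] && kill -0 "$target_pid" 2>/dev/null; then
        kill -TERM "$target_pid"
    fi
fi
```

Two caveats a practitioner should keep in mind: the comma split in hids_field truncates a pathname that itself contains a comma, which is one reason the NOTE above points to the additional arguments of Table 41 for reading pid, ppid and similar values without parsing the string fields; and a pid can be recycled between the alert and the response, so kill -0 only shows that some process has that pid, not that it is the one that triggered the alert.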
Argument with Nonprintable Character
Table 15 lists the alert properties the Buffer Overflow template generates, and forwards to a
response program, when a privileged setuid program was invoked with an argument that contains
a nonprintable character.
Table 15 Argument with Nonprintable Character Alert Properties

Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument
Unique code assigned to template | 0 | Integer | Template code | argv[1]
Template version | <version> | Integer | Version | argv[2]
Alert severity | 1 | Integer | Severity | argv[3]
UTC time in number of seconds since the epoch when a privileged setuid program was run with an argument that contains a nonprintable character | <secs> | Integer | UTC time | argv[4]
116 Templates and Alerts