HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

A Templates and Alerts
This appendix describes the detection templates that constitute the surveillance groups. It also
describes the alerts that are passed to the System Manager and to the response programs by the
HIDS agent. This appendix addresses the following topics:
“Alert Summary” (page 102)
“Limitations” (page 105)
“Template Property Types” (page 106)
“Buffer Overflow Template” (page 111)
“Race Condition Template” (page 115)
“Modification of files/directories Template” (page 119)
“Changes to Log File Template” (page 124)
“Creation and Modification of setuid/setgid File Template” (page 128)
“Creation of World-Writable File Template” (page 131)
“Modification of Another User’s File Template” (page 133)
“Login/Logout Template” (page 137)
“Repeated Failed Logins Template” (page 141)
“Repeated Failed su Commands Template” (page 143)
“Log File Monitoring Template” (page 145)
Alert Summary
Table 11 lists, for each alert, the attack detected, the alert severity, and the detection template
that generates the alert.
Table 11 Detection Templates

Alert: Buffer overflow detected
Attack: A process attempted to execute on its stack, perhaps as part of a stack buffer overflow attack.
Alert Severity: 1
Detection Template: Buffer Overflow Template

Alert: Potential buffer overflow detected
Attack: Potential buffer overflow of a privileged program using an unusually long program argument,
or using an argument that contains a non-printable character.
Alert Severity: 1
Detection Template: Buffer Overflow Template

Alert: File reference change
Attack: A file reference for a privileged program was modified.
Alert Severity: 1
Detection Template: Race Condition Template

Alert: Race condition attack
Attack: A privileged setuid script was executed using a symbolic link.
Alert Severity: 1
Detection Template: Race Condition Template

Alert: Potential race condition attack
Attack: A privileged setuid script was executed, but not necessarily using a symbolic link.
Alert Severity: 2
Detection Template: Race Condition Template

Alert: File system modification or potential modification
Attack: The following operations were either unsuccessfully or successfully performed on a read-only
file:
  Truncation
  Deletion
  Renaming
Alert Severity: 2
Detection Template: (table continues on the next page)
102 Templates and Alerts