HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Table 14 Unusual Argument Length Alert Properties (continued)

| Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument |
|---|---|---|---|---|
| (row continued from the previous page) ... was run with an unusual program length | | | | |
| The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an unusually long argument length | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | String | Attacker | argv[5] |
| The full path name of the setuid program the attacker executed with an unusually long argument length and the program’s type, mode, uid, gid, inode, and device number | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | String | Target of Attack | argv[6] |
| Alert summary | Potential Buffer overflow detected | String | Summary | argv[7] |
| Detailed alert description | Potential buffer overflow attack by process with pid <pid> and ppid <ppid> when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]>. Length of the longest argument is <value>, which surpasses the longest expected argument length of <unusual_arg_len>. Total length of argument is <value>. | String | Details | argv[8] |
| The event that triggered the alert | null | String | Event | argv[9] |
NOTE: See Table 41 (page 150) for the definition of additional arguments that can be used to
access specific alert information (for example, pid and ppid) without parsing the string alert fields.
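The following is an added example of a response program for this alert, not code from the HP-UX HIDS product or its documentation. It assumes the Table 14 positions (argv[3] severity, argv[5] attacker, argv[6] target of attack), that the comma-separated key=<value> fields contain no commas inside values, and a constructed escalation rule; the alert values in the comments are constructed.

```sh
#!/bin/sh
# Constructed example response program for the Buffer Overflow template's
# "Unusual Argument Length" alert (Table 14). HIDS passes the alert fields as
# positional arguments: $1 template code, $2 version, $3 severity, $4 UTC
# seconds, $5 attacker, $6 target of attack, $7 summary, $8 details, $9 event.

# Print the value of KEY ($2) from a "key=<value>, key=<value>" string ($1)
# such as the Attacker and Target of Attack fields. Assumption: values contain
# no commas. The ^ anchor keeps "pid" from matching inside "ppid".
field() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^[ ]*$2=//p" | head -n 1
}

# Build one log record from the attacker and target fields and decide whether
# to escalate. Prints "ESCALATE <record>" or "LOG <record>".
# Escalation rule (constructed for this example, not from the guide): a
# root-owned setuid target (target uid=0) run by a non-root attacker uid.
handle_alert() {
    severity=$3
    a_uid=$(field "$5" uid);   a_pid=$(field "$5" pid);   a_ppid=$(field "$5" ppid)
    t_file=$(field "$6" file); t_mode=$(field "$6" mode); t_uid=$(field "$6" uid)
    t_inode=$(field "$6" inode)
    record="sev=$severity uid=$a_uid pid=$a_pid ppid=$a_ppid file=$t_file mode=$t_mode inode=$t_inode"
    if [ "$t_uid" = 0 ] && [ -n "$a_uid" ] && [ "$a_uid" != 0 ]; then
        printf 'ESCALATE %s\n' "$record"
    else
        printf 'LOG %s\n' "$record"
    fi
}

# When invoked by HIDS with the full argument list, handle the real alert.
# Example invocation with constructed values:
#   ./respond.sh 0 4.7 1 1394000000 "uid=105, gid=20, pid=4711, ppid=4700" \
#     "file=/usr/bin/passwd, type=regular, mode=4555, uid=0, gid=2, inode=8193, device=64000" \
#     "Potential Buffer overflow detected" "Potential buffer overflow attack ..." null
if [ $# -ge 9 ]; then
    handle_alert "$@"
fi
```

In production the record would typically be handed to logger(1) or a SIEM forwarder; the additional per-value arguments defined in Table 41 avoid parsing these string fields at all.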
Argument with Nonprintable Character
Table A-5 lists the alert properties the Buffer Overflow template generates, and forwards to a response program when a privileged setuid program was invoked with an argument that contains a nonprintable character.
Table 15 Argument with Nonprintable Character Alert Properties

| Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument |
|---|---|---|---|---|
| Unique code assigned to template | 0 | Integer | Template code | argv[1] |
| Template Version | <version> | Integer | Version | argv[2] |
| Alert severity | 1 | Integer | Severity | argv[3] |
| UTC time in number of seconds since the epoch when a privileged setuid program was run with an argument that contains a nonprintable character | <secs> | Integer | UTC time | argv[4] |
114 Templates and Alerts