HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Table 41 Additional Arguments Passed to Response Programs for Kernel Template Alerts (continued)

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[27] | Attack Program Owner | Integer | <uid> | Owner of the attack program (uid) |
| argv[28] | Attack Program Group | Integer | <gid> | Group of the attack program (gid) |
| argv[29] | Attack Program Inode | Integer | <inode> | Inode number of the attack program |
| argv[30] | Attack Program Device | Integer | <device> | Device number of the attack program |
| argv[31] | Attack Program Argument Count | Integer | <argc> | Number of arguments passed to the attack program (for example, argc) |
| argv[32] | Attack Program Arguments | String | <argv[0]> <argv[1]> ... | Program arguments of the attack program (first 1024 characters) |
| argv[33] | Attacker pseudo-tty | String | <pty> | Name of the pty on which the attacker is connected to (for example, pts/ta). Set to an empty string if it is not known. |
| argv[34] | Attacker hostname | String | <hostname> | Full host name of remote host from which the attacker has logged in. Set to localhost name or to an empty string if the local host is not known. |
| argv[35] | Attacker IP address | String | <A.B.C.D> (IPv4) or <X:X:X:....> (IPv6) | IP address (in IPv4 or IPv6 string notation) of the remote host from which the attacker logged in. Set to an empty string if the address is not known. |

Table 42 lists the additional arguments that are passed to response programs for suppressed
alerts.
Table 42 Additional Arguments Passed to Response Programs for Suppressed Alerts

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[36] | Number of suppressed alerts | Integer | <number of suppressed alerts> | Number of duplicate alerts that were suppressed. |
| argv[37] | Unit of time (can be seconds, minutes, hours, or days). The default is seconds. | Integer | <time unit> | Time elapsed when duplicate alerts were suppressed |

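Several of these fields (the attack program's arguments, the pty, the remote host name) are set by the process or session that triggered the alert, so a response program should validate them before logging or acting on them. The following POSIX shell sketch is an added example, not code from the HP guide; the function names `is_int`, `sanitize` and `summarize_alert` and the `key=value` output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not HP's code. Positional parameter ${N} is argv[N] from
# Tables 41 and 42; argv[1]..argv[26] are not described on this page and
# are ignored here.

# Integer fields: digits with an optional leading minus sign.
is_int() {
    case "${1#-}" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# String fields come from the offending process or the login session, so
# replace every non-printable byte (newlines included) and every double
# quote before the value is written to a log line.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?' | tr '"' "'"
}

# Print one key=value line for a kernel template alert; return 1 if the
# argument vector is too short or an Integer field is not numeric.
summarize_alert() {
    [ "$#" -ge 35 ] || { echo "error=short_argv count=$#"; return 1; }
    for n in "${27}" "${28}" "${29}" "${30}" "${31}"; do
        is_int "$n" || { echo "error=bad_integer"; return 1; }
    done
    pty=$(sanitize "${33}"); host=$(sanitize "${34}"); ip=$(sanitize "${35}")
    line="uid=${27} gid=${28} inode=${29} dev=${30} argc=${31}"
    # Empty strings mean "not known" (Table 41).
    line="$line pty=${pty:-unknown} host=${host:-unknown} ip=${ip:-unknown}"
    line="$line args=\"$(sanitize "${32}")\""
    # argv[36] and argv[37] are the suppressed-alert fields (Table 42).
    if [ "$#" -ge 37 ] && is_int "${36}"; then
        line="$line suppressed=${36} suppress_time=$(sanitize "${37}")"
    fi
    echo "$line"
}

# Run only when invoked with arguments, as a response program would be.
if [ "$#" -gt 0 ]; then
    summarize_alert "$@"
fi
```
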
Table 43 lists the additional arguments that are passed to response programs while attempting
the modification of files that belong to Modification of files/directories template,
Changes to Log File template, and Modification of Another Users File
template.