Templates and Alerts

Template Property Types

if the file’s owner’s UID is 16, and the effective UID of the modifying process is 2 then no alarm is triggered.

Type V: Network Triplets

The values for this property type consist of network information triplets. The members of a triplet are as follows:

IP address: An IP address. For IPv4 the address must be in standard dot notation; for IPv6, in colon notation.

Network mask: The network mask value qualifies the value in the IP address field to an individual host address or a network address. A value of 255.255.255.255 means the value in the IP address field is an individual host address; otherwise, it is a network address. The network mask follows the notational requirements for IP addresses.

Severity code: An integer representing a severity level (0=No Alert, 1=critical, 2=severe, 3=moderate), where a severity level of 0 specifies that no alert should be generated for a matching {IP address, Network Mask, 0} triplet.

The following template configuration command line gives an example for this type of property value:

ip_filters 192.168.0.2, 255.255.255.255, 1 \
192.168.20.0, 255.255.255.0, 0
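As an added example (not code from the HP HIDS manual), the following Python parses an ip_filters line of the kind shown above, including the backslash line continuation, and evaluates which severity a given address would receive. The sample template text is constructed from the manual's own example. Two points are assumptions of this example rather than statements of the manual: triplets are separated by whitespace while members of a triplet are separated by commas (as the example's layout suggests), and when several triplets match an address the first one listed wins. The mask check rejects non-contiguous masks, which the manual does not discuss but which a defender would want caught before a typo silently widens a filter.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# Severity codes exactly as the manual defines them.
SEVERITY_NAMES = {0: "No Alert", 1: "critical", 2: "severe", 3: "moderate"}

# Constructed sample template text: the manual's ip_filters example, written
# with the backslash line continuation the template configuration syntax uses.
SAMPLE_IP_FILTERS = """\
ip_filters 192.168.0.2, 255.255.255.255, 1 \\
           192.168.20.0, 255.255.255.0, 0
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Filter = Tuple[Network, int]  # (network, severity code)


def join_continuations(text: str) -> List[str]:
    """Join lines that end in a backslash with the line that follows them."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def mask_to_prefixlen(mask: str) -> int:
    """Convert a dotted (IPv4) or colon (IPv6) network mask to a prefix length.

    Only a run of one bits followed by zero bits is accepted, so a mask such as
    255.0.255.0 is rejected instead of producing an unexpected match set.
    """
    addr = ipaddress.ip_address(mask)
    value = int(addr)
    ones = bin(value).count("1")
    width = addr.max_prefixlen
    expected = ((1 << width) - 1) ^ ((1 << (width - ones)) - 1)
    if value != expected:
        raise ValueError(f"non-contiguous network mask: {mask}")
    return ones


def parse_triplets(value: str) -> List[Filter]:
    """Parse 'ip, mask, severity' triplets; triplets are whitespace-separated (assumption)."""
    tokens = value.replace(",", " ").split()
    if len(tokens) % 3 != 0:
        raise ValueError("ip_filters value is not a list of complete triplets")
    filters: List[Filter] = []
    for i in range(0, len(tokens), 3):
        ip, mask, sev = tokens[i:i + 3]
        severity = int(sev)
        if severity not in SEVERITY_NAMES:
            raise ValueError(f"unknown severity code {severity}")
        if ipaddress.ip_address(ip).version != ipaddress.ip_address(mask).version:
            raise ValueError(f"address {ip} and mask {mask} are different IP versions")
        # A 255.255.255.255 mask becomes /32 (a single host); a shorter mask
        # becomes the network it describes. strict=False tolerates host bits.
        network = ipaddress.ip_network(f"{ip}/{mask_to_prefixlen(mask)}", strict=False)
        filters.append((network, severity))
    return filters


def load_ip_filters(template_text: str) -> List[Filter]:
    """Collect the triplets from every ip_filters line in a template."""
    filters: List[Filter] = []
    for line in join_continuations(template_text):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "ip_filters":
            filters.extend(parse_triplets(parts[1]))
    return filters


def severity_for(filters: List[Filter], ip: str) -> Optional[int]:
    """Severity code of the first matching triplet, or None when nothing matches (first-match is an assumption)."""
    address = ipaddress.ip_address(ip)
    for network, severity in filters:
        if address.version == network.version and address in network:
            return severity
    return None


def should_alert(filters: List[Filter], ip: str) -> bool:
    """True when ip matches a triplet whose severity is not 0 (No Alert).

    Treating an unmatched address as 'no alert' is an assumption of this example.
    """
    severity = severity_for(filters, ip)
    return severity is not None and severity != 0


if __name__ == "__main__":
    loaded = load_ip_filters(SAMPLE_IP_FILTERS)
    for network, severity in loaded:
        print(f"{str(network):22} -> {severity} ({SEVERITY_NAMES[severity]})")
    for probe in ("192.168.0.2", "192.168.0.3", "192.168.20.77", "10.0.0.1"):
        print(f"{probe:15} alert={should_alert(loaded, probe)}")
```

Running the script shows the host triplet matching only 192.168.0.2 (severity 1), the 192.168.20.0/24 triplet suppressing alerts for that whole network (severity 0), and addresses outside both triplets left unmatched.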

Type VI: Time Strings

Time strings are strings that represent time intervals. Each time string has the following syntax:

integer [units]

The integer component is a positive integer representing a time interval. The units component, when present, indicates the units in which the integer is expressed. The following units are supported:

s: Seconds

m: Minutes

h: Hours

d: Days

w: Weeks

When the units component is not present, the integer component is assumed to be in units of seconds. For example, the following lines in the template configuration file:

fail_interval 23
warning_interval 10m
fail_interval 1h
warning_interval 23s

contain time strings representing values of 23 seconds, 10 minutes, 1 hour, and 23 seconds respectively; the s component in the last line is redundant, but can be used for clarity.
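As an added example (not code from the HP HIDS manual), the following Python implements the integer [units] syntax described above, converts each interval to seconds, and renders seconds back to the most compact time string. The sample template lines are the four from the manual. Two choices are assumptions of this example: whitespace between the integer and the unit is tolerated, and only the lowercase unit letters the manual lists are accepted, so a typo such as 10x or 10M is rejected rather than silently treated as seconds.

```python
import re
from typing import List, Tuple

# Units and their length in seconds, as the manual lists them. When no unit is
# given, the integer is in seconds.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Optional whitespace between integer and unit is an assumption of this example.
_TIME_STRING = re.compile(r"^(\d+)\s*([smhdw])?$")

# Constructed sample: the four interval lines from the manual.
SAMPLE_INTERVALS = """\
fail_interval 23
warning_interval 10m
fail_interval 1h
warning_interval 23s
"""


def parse_time_string(value: str) -> int:
    """Return the interval in seconds; raise ValueError for a malformed string."""
    match = _TIME_STRING.match(value.strip())
    if match is None:
        raise ValueError(f"malformed time string: {value!r}")
    count = int(match.group(1))
    if count <= 0:
        raise ValueError("the integer component must be positive")
    unit = match.group(2) or "s"
    return count * UNIT_SECONDS[unit]


def is_valid_time_string(value: str) -> bool:
    """True when value parses under the integer [units] syntax."""
    try:
        parse_time_string(value)
    except ValueError:
        return False
    return True


def format_time_string(seconds: int) -> str:
    """Render seconds using the largest unit that divides it exactly."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    for unit in ("w", "d", "h", "m"):
        if seconds % UNIT_SECONDS[unit] == 0:
            return f"{seconds // UNIT_SECONDS[unit]}{unit}"
    return f"{seconds}s"


def parse_intervals(template_text: str,
                    keys: Tuple[str, ...] = ("fail_interval", "warning_interval")
                    ) -> List[Tuple[str, int]]:
    """Return (keyword, seconds) for each interval line, in file order."""
    result: List[Tuple[str, int]] = []
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] in keys:
            if len(parts) != 2:
                raise ValueError(f"{parts[0]} requires a time string")
            result.append((parts[0], parse_time_string(parts[1])))
    return result


if __name__ == "__main__":
    for key, seconds in parse_intervals(SAMPLE_INTERVALS):
        print(f"{key:17} {seconds:>7} s  ({format_time_string(seconds)})")
```

The parser returns every interval line in order rather than collapsing duplicates, because the manual's example repeats fail_interval and warning_interval and does not state which occurrence takes effect.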

Appendix A

HP Host Intrusion Detection System (HIDS) manual: Type V Network Triplets, Type VI Time Strings