Templates and Alerts
Buffer Overflow Template
Unusual Argument Length
This template generates the following alert and forwards it to a response program when a privileged setuid program was invoked with an argument whose length is equal to or greater than the unusual_arg_len property value:
Table: Unusual Argument Length Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 0 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |
| argv[3] | Severity | Integer | 1 | Critical severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when a privileged setuid program was run with an unusual argument length. |
| argv[5] | Attacker | String | "uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>" | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an unusually long argument length |
| argv[6] | Target of Attack | String | "file=<full pathname>, mode=<mode>,uid=<uid>,gid=<gid>, inode=<inode>,device=<device>" | The full pathname of the setuid program the attacker executed with an unusually long argument length and the program's mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | "Potential Buffer overflow detected." | Alert summary |
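The table fixes the command-line interface that a response program sees: seven positional arguments, two of which pack several fields into one key=value string. The following is an added example, not code from the original documentation or the product it describes: a minimal response program that validates the template code, version and severity, parses argv[5] and argv[6] into dictionaries using the field names the table lists, and renders one log line for an audit file. The sample argv at the bottom is constructed; the documented format defines no escaping, so the parser rejects values that would contain a comma.

```python
# Added example (not from the original documentation): a response program
# that receives the Unusual Argument Length alert in the argv[1]..argv[7]
# layout the table above describes and turns it into a structured record.
import sys
from datetime import datetime, timezone

TEMPLATE_CODE = 0       # argv[1]: unique code assigned to this template
TEMPLATE_VERSION = 2    # argv[2]: template version this parser understands
SEVERITY_CRITICAL = 1   # argv[3]: the only severity the template emits

ATTACKER_KEYS = ("uid", "gid", "pid", "ppid")
TARGET_KEYS = ("file", "mode", "uid", "gid", "inode", "device")


def parse_kv(field, required):
    """Split 'k=v, k2=v2' into a dict. Whitespace after commas is optional
    (the table shows both 'gid=<gid>, pid=' and 'mode=<mode>,uid=').
    Values must not contain commas: the documented format defines no
    escaping, so a pathname containing a comma is rejected as malformed."""
    out = {}
    for item in field.split(","):
        item = item.strip()
        if "=" not in item:
            raise ValueError(f"malformed key=value item: {item!r}")
        key, value = item.split("=", 1)
        out[key.strip()] = value.strip()
    missing = [k for k in required if k not in out]
    if missing:
        raise ValueError(f"missing fields {missing} in {field!r}")
    return out


def parse_alert(argv):
    """argv is a sys.argv-style list; argv[0] is the response program name."""
    if len(argv) != 8:
        raise ValueError(f"expected 7 alert arguments, got {len(argv) - 1}")
    template, version, severity = (int(argv[i]) for i in (1, 2, 3))
    if template != TEMPLATE_CODE:
        raise ValueError(f"not a Buffer Overflow template alert (code {template})")
    if version != TEMPLATE_VERSION:
        raise ValueError(f"unsupported template version {version}")
    if severity != SEVERITY_CRITICAL:
        raise ValueError(f"unexpected severity {severity}")

    attacker = parse_kv(argv[5], ATTACKER_KEYS)
    target = parse_kv(argv[6], TARGET_KEYS)
    # Numeric identifiers arrive as text; convert them so downstream checks
    # (for example "was the caller uid 0?") compare integers. The mode is
    # kept as the string delivered, since its radix is not documented.
    for key in ATTACKER_KEYS:
        attacker[key] = int(attacker[key])
    for key in ("uid", "gid", "inode", "device"):
        target[key] = int(target[key])

    return {
        "template": template,
        "version": version,
        "severity": severity,
        "time": datetime.fromtimestamp(int(argv[4]), tz=timezone.utc),
        "attacker": attacker,
        "target": target,
        "summary": argv[7],
    }


def format_log_line(alert):
    """One-line rendering suitable for syslog or a flat audit file."""
    a, t = alert["attacker"], alert["target"]
    return (f"{alert['time'].isoformat()} sev={alert['severity']} "
            f"{alert['summary']} caller uid={a['uid']} gid={a['gid']} "
            f"pid={a['pid']} ppid={a['ppid']} target={t['file']} "
            f"mode={t['mode']} owner={t['uid']}:{t['gid']} "
            f"inode={t['inode']} dev={t['device']}")


# Constructed sample invocation (values are made up, not from the page).
SAMPLE_ARGV = [
    "respond", "0", "2", "1", "1700000000",
    "uid=1001, gid=10, pid=4242, ppid=4000",
    "file=/usr/bin/passwd, mode=4555,uid=0,gid=1, inode=12345,device=8388614",
    "Potential Buffer overflow detected.",
]

if __name__ == "__main__":
    # Use the real command line when invoked by the alert framework,
    # otherwise fall back to the constructed sample for a local run.
    argv = sys.argv if len(sys.argv) == 8 else SAMPLE_ARGV
    print(format_log_line(parse_alert(argv)))
```

Rejecting an unknown template code or version up front is the check that matters most in practice: a response program that silently accepts a different template would mis-attribute fields, since argv[5] and argv[6] have no self-describing header beyond their key names.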
Appendix A 137