Templates and Alerts

Buffer Overflow Template

Unusual Argument Length

This template generates the following alert and forwards it to a response program when a privileged setuid program was invoked with an argument whose length is equal to or greater than the unusual_arg_len property value:

Table A-4  Unusual Argument Length Alert Properties

Response Program Argument | Alert Field      | Alert Field Type | Alert Value/Format                                                                            | Description
argv[1]                   | Template code    | Integer          | 0                                                                                             | Unique code assigned to template
argv[2]                   | Version          | Integer          | 2                                                                                             | Version of the template
argv[3]                   | Severity         | Integer          | 1                                                                                             | Critical severity
argv[4]                   | UTC Time         | Integer          | <secs>                                                                                        | UTC time in number of seconds since epoch when a privileged setuid program was run with an unusual argument length.
argv[5]                   | Attacker         | String           | "uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>"                                                | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an unusually long argument length
argv[6]                   | Target of Attack | String           | "file=<full pathname>, mode=<mode>,uid=<uid>,gid=<gid>, inode=<inode>,device=<device>"        | The full pathname of the setuid program the attacker executed with an unusually long argument length and the program's mode, uid, gid, inode, and device number
argv[7]                   | Summary          | String           | "Potential Buffer overflow detected."                                                          | Alert summary
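The following is an added example of a response program that consumes the seven positional arguments described in Table A-4; it is not HP's code and the output format, the function names (format_alert, kv_get) and the sample values are assumptions. It checks that the alert is the template code and version it understands, pulls the individual uid/gid/pid/ppid and file/mode/inode/device values out of the comma-separated Attacker and Target of Attack strings, and prints one normalised line suitable for a syslog or SIEM pipeline.

```sh
#!/bin/sh
# Hypothetical HIDS response program for the Unusual Argument Length alert.
# Added example (not HP's own code). The argument layout follows Table A-4;
# the output format and helper names are this example's own choices.

# Template code and version this responder handles (from Table A-4).
EXPECTED_TEMPLATE=0
EXPECTED_VERSION=2

# kv_get KEY "k1=v1, k2=v2, ..." -> prints the value of KEY.
# Splits on commas, so it assumes values themselves contain no commas
# (a pathname containing a comma would be truncated here).
kv_get() {
    key=$1
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^[[:space:]]*${key}=//p" | head -n 1
}

# format_alert TEMPLATE VERSION SEVERITY SECS ATTACKER TARGET SUMMARY
# Prints one normalised log line. Returns 1 on malformed input and 2 when
# the template code/version is not the one this responder understands.
format_alert() {
    [ $# -eq 7 ] || return 1
    template=$1 version=$2 severity=$3 secs=$4 attacker=$5 target=$6 summary=$7

    # Refuse alerts from a different template or version rather than
    # misinterpreting their argv layout.
    [ "$template" = "$EXPECTED_TEMPLATE" ] || return 2
    [ "$version" = "$EXPECTED_VERSION" ] || return 2

    # UTC time must be a plain integer (seconds since epoch).
    case $secs in
        ''|*[!0-9]*) return 1 ;;
    esac

    # Table A-4 only defines severity 1 as Critical; pass others through.
    case $severity in
        1) sev=critical ;;
        *) sev="level$severity" ;;
    esac

    # "uid=" appears in both the Attacker and Target strings, so each key
    # is looked up in its own field.
    a_uid=$(kv_get uid "$attacker")
    a_gid=$(kv_get gid "$attacker")
    a_pid=$(kv_get pid "$attacker")
    a_ppid=$(kv_get ppid "$attacker")
    t_file=$(kv_get file "$target")
    t_mode=$(kv_get mode "$target")
    t_inode=$(kv_get inode "$target")
    t_device=$(kv_get device "$target")

    printf 'hids_alert template=%s version=%s severity=%s utc=%s uid=%s gid=%s pid=%s ppid=%s file=%s mode=%s inode=%s device=%s summary="%s"\n' \
        "$template" "$version" "$sev" "$secs" \
        "$a_uid" "$a_gid" "$a_pid" "$a_ppid" \
        "$t_file" "$t_mode" "$t_inode" "$t_device" "$summary"
}

# When HIDS invokes the responder, the seven alert fields arrive as the
# positional parameters; with any other argument count nothing is run.
if [ $# -eq 7 ]; then
    format_alert "$@"
    exit $?
fi
```

Invoked as `./respond.sh 0 2 1 1700000000 "uid=501, gid=20, pid=4242, ppid=1" "file=/usr/bin/passwd, mode=4555,uid=0,gid=2, inode=1234,device=64768" "Potential Buffer overflow detected."` (constructed sample values), the script prints a single `hids_alert ...` line; a non-zero exit marks an alert the responder declined to process, which is worth logging separately so a template version change does not silently drop alerts.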

Source: HP Host Intrusion Detection System (HIDS) manual, Appendix A, Table A-4 Unusual Argument Length Alert Properties.