Templates and Alerts

Login/Logout Template

Because the login name (ut_user in a utmp structure) is not available for a logout event, the template retrieves the login name from the wtmp[s] log. If the log has been cleared, the template will create a logout alert that does not contain the user name, only the device on which the logout occurred.
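The following is an added example, not code from the HIDS product: it shows one way a logout record can be matched to its login name by device, with the device-only fallback when the log has been cleared. The `struct rec` layout, function names, and sample records are constructed for illustration and are not the HP-UX utmp format.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a wtmp entry (assumption, not the real layout). */
enum rec_type { REC_LOGIN, REC_LOGOUT };
struct rec {
    enum rec_type type;
    const char *user;   /* empty on logout, like ut_user */
    const char *line;   /* device, like ut_line */
};

/* Walk backwards from the logout at idx to the most recent record on the
 * same device. Returns the login name, or NULL when no open login survives
 * in the log (cleared log, or the prior session was already closed). */
const char *resolve_logout_user(const struct rec *log, size_t idx)
{
    if (log[idx].type != REC_LOGOUT) return NULL;
    for (size_t i = idx; i-- > 0; ) {
        if (strcmp(log[i].line, log[idx].line) != 0) continue;
        return log[i].type == REC_LOGIN ? log[i].user : NULL;
    }
    return NULL;
}

/* Build the alert text; omits the user field when it cannot be resolved. */
int format_logout_alert(const struct rec *log, size_t idx, char *out, size_t n)
{
    const char *user = resolve_logout_user(log, idx);
    if (user)
        return snprintf(out, n, "logout user=%s device=%s", user, log[idx].line);
    return snprintf(out, n, "logout device=%s", log[idx].line);
}

/* Constructed sample data. */
static const struct rec sample_log[] = {
    { REC_LOGIN,  "alice", "pts/0" }, { REC_LOGIN,  "bob", "pts/1" },
    { REC_LOGOUT, "",      "pts/1" }, { REC_LOGOUT, "",    "pts/0" },
    { REC_LOGOUT, "",      "pts/1" },  /* no open login on pts/1 */
};
static const struct rec cleared_log[] = { { REC_LOGOUT, "", "pts/1" } };

int main(void)
{
    char buf[64];
    for (size_t i = 2; i < 5; i++) {
        format_logout_alert(sample_log, i, buf, sizeof buf);
        puts(buf);
    }
    format_logout_alert(cleared_log, 0, buf, sizeof buf);
    puts(buf);
    return 0;
}
```

A logout alert that carries only a device is therefore worth checking against the state of the wtmp[s] log itself.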

On 11i version 1.0, the alerts that the template generates for ftp logins will not include the remote host IP address unless the wu-ftp 2.6.1 patch is installed.

The host address filtering provided by this template is subject to IP spoofing.

Appendix A

HP Host Intrusion Detection System (HIDS) manual