SigmaHQ/rules/linux/lnx_shell_susp_log_entries.yml

title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
status: experimental
description: Detects suspicious log entries in Linux log files
author: Florian Roth
date: 2017/03/25
logsource:
    product: linux
detection:
    keywords:
        - entered promiscuous mode
        - Deactivating service
        - Oversized packet received from
        - imuxsock begins to drop messages
    condition: keywords
falsepositives:
    - Unknown
level: medium
tags:
    - attack.impact
Rules: Linux commands and log entries of interest 2017-03-25 18:59:45 +00:00			`title: Suspicious Log Entries`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`status: experimental`
Rules: Linux commands and log entries of interest 2017-03-25 18:59:45 +00:00			`description: Detects suspicious log entries in Linux log files`
			`author: Florian Roth`
fix: fixed missing date fields in other files 2020-01-30 14:32:39 +00:00			`date: 2017/03/25`
Rules: Linux commands and log entries of interest 2017-03-25 18:59:45 +00:00			`logsource:`
			`product: linux`
			`detection:`
			`keywords:`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`- entered promiscuous mode`
			`- Deactivating service`
			`- Oversized packet received from`
			`- imuxsock begins to drop messages`
Rules: Linux commands and log entries of interest 2017-03-25 18:59:45 +00:00			`condition: keywords`
			`falsepositives:`
			`- Unknown`
Linux Generic Rules 2017-05-02 18:32:38 +00:00			`level: medium`
$frack113$ add missing tags 2021-09-07 16:16:46 +00:00			`tags:`
			`- attack.impact`