title: Suspicious Log Entries
description: Detects suspicious log entries in Linux log files
author: Florian Roth
logsource:
    product: linux
detection:
    keywords:
        # Generic suspicious log lines
        - 'entered promiscuous mode'
        # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
        - 'Deactivating service'
        - 'Oversized packet received from'  
        - 'imuxsock begins to drop messages'      
    condition: keywords
falsepositives:
    - Unknown
level: medium