SigmaHQ/rules/linux/lnx_buffer_overflows.yml
2018-08-25 00:20:34 +02:00

17 lines
505 B
YAML

title: Buffer Overflow Attempts
description: Detects buffer overflow attempts in Unix system log files
references:
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
logsource:
product: unix
detection:
keywords:
- 'attempt to execute code on stack by'
- 'FTP LOGIN FROM .* 0bin0sh'
- 'rpc.statd[\d+]: gethostbyname error for'
- 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
condition: keywords
falsepositives:
- Unkown
level: high