Detectionhightest
Buffer Overflow Attempts
Detects buffer overflow attempts in Unix system log files
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Wed Mar 01Updated Mon Mar 1718b042f0-2ecd-4b6e-9f8d-aa7a7e7de781linux
Log Source
Linux
ProductLinux← raw: linux
Detection Logic
Detection Logic1 selector
detection:
keywords:
- 'attempt to execute code on stack by'
- '0bin0sh1'
# - 'rpc.statd[\d+]: gethostbyname error for' # it's an expensive regex and produces questionable results
- 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' # this can cause false positives in Base64 encoded data
- 'stack smashing detected'
condition: keywordsFalse Positives
Base64 encoded data in log entries
MITRE ATT&CK
Rule Metadata
Rule ID
18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
Status
test
Level
high
Type
Detection
Created
Wed Mar 01
Modified
Mon Mar 17
Path
rules/linux/builtin/lnx_buffer_overflows.yml
Raw Tags
attack.t1068attack.privilege-escalation