Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Suspicious VSFTPD Error Messages

Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Wed Jul 05Updated Sat Nov 27377f33a1-4b36-4ee1-acee-1dbe4b43cfbelinux
Log Source
Linuxvsftpd
ProductLinux← raw: linux
Servicevsftpd← raw: vsftpd
Detection Logic
Detection Logic1 selector
detection:
    keywords:
        - 'Connection refused: too many sessions for this address.'
        - 'Connection refused: tcp_wrappers denial.'
        - 'Bad HTTP verb.'
        - 'port and pasv both active'
        - 'pasv and port both active'
        - 'Transfer done (but failed to open directory).'
        - 'Could not set file modification time.'
        - 'bug: pid active in ptrace_sandbox_free'
        - 'PTRACE_SETOPTIONS failure'
        - 'weird status:'
        - 'couldn''t handle sandbox event'
        - 'syscall * out of bounds'
        - 'syscall not permitted:'
        - 'syscall validate failed:'
        - 'Input line too long.'
        - 'poor buffer accounting in str_netfd_alloc'
        - 'vsf_sysutil_read_loop'
    condition: keywords
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
Status
test
Level
medium
Type
Detection
Created
Wed Jul 05
Modified
Sat Nov 27
Author
Florian Roth (Nextron Systems)
Path
rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
Raw Tags
attack.initial-accessattack.t1190
View on GitHub