
Nginx Core Dump

Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.

Florian Roth (Nextron Systems) | Created Mon May 31 | Updated Mon May 08 | 59ec40bb-322e-40ab-808d-84fa690d7e56 | web
Log Source
nginx
Service: nginx
Detection Logic
detection:
    keywords:
        - 'exited on signal 6 (core dumped)'
    condition: keywords
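The keyword match above, applied to nginx error log lines, as an added example that is not part of the Sigma rule or its project. It assumes the standard nginx error_log line layout, uses constructed sample lines, and uses hypothetical function and field names; it also reports worker exits that the keyword does not cover (other signals, or signal 6 without a core dump).

```python
import re

# The rule's single keyword. Sigma keywords are case-insensitive substring matches.
KEYWORD = "exited on signal 6 (core dumped)"

# Assumed nginx error_log layout: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] \d+#\d+: (?P<msg>.*)$")
# Process-exit message as written by the nginx master process.
EXIT_RE = re.compile(r"process (?P<pid>\d+) exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?")

# Constructed sample input (not taken from a real system).
SAMPLE_LOG = """\
2024/01/15 10:15:30 [notice] 1200#0: signal 17 (SIGCHLD) received from 4311
2024/01/15 10:15:30 [alert] 1200#0: worker process 4311 exited on signal 6 (core dumped)
2024/01/15 10:15:31 [alert] 1200#0: worker process 4312 exited on signal 11 (core dumped)
2024/01/15 10:15:35 [alert] 1200#0: worker process 4313 exited on signal 6
2024/01/15 10:16:02 [alert] 1200#0: worker process 4320 exited on signal 6 (core dumped)
2024/01/15 10:16:40 [error] 4321#0: *17 open() "/var/www/html/favicon.ico" failed (2: No such file or directory)
"""

def rule_matches(line):
    """True when the line satisfies the rule's 'keywords' condition."""
    return KEYWORD.lower() in line.lower()

def scan(log_text):
    """Return (hits, uncovered): rule matches, and worker exits the keyword misses."""
    hits, uncovered = [], []
    for line in log_text.splitlines():
        parsed = LINE_RE.match(line)
        exit_m = EXIT_RE.search(parsed.group("msg")) if parsed else None
        record = {
            "ts": parsed.group("ts") if parsed else None,
            "pid": int(exit_m.group("pid")) if exit_m else None,
            "signal": int(exit_m.group("sig")) if exit_m else None,
            "core_dumped": bool(exit_m and exit_m.group("core")),
            "line": line,
        }
        if rule_matches(line):
            hits.append(record)
        elif exit_m:
            uncovered.append(record)  # abnormal exit, but outside the rule's keyword
    return hits, uncovered

if __name__ == "__main__":
    hits, uncovered = scan(SAMPLE_LOG)
    for h in hits:
        print(f"ALERT   {h['ts']} worker {h['pid']} signal {h['signal']} (core dumped)")
    for u in uncovered:
        print(f"REVIEW  {u['ts']} worker {u['pid']} signal {u['signal']} core_dumped={u['core_dumped']}")
```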
False Positives

Serious issues with a configuration or plugin

Rule Metadata
Rule ID: 59ec40bb-322e-40ab-808d-84fa690d7e56
Status: test
Level: high
Type: Detection
Created: Mon May 31
Modified: Mon May 08
Path: rules/web/product/nginx/web_nginx_core_dump.yml
Raw Tags: attack.impact, attack.t1499.004