Detectionhightest

Suspicious Named Error

Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Tue Feb 20Updated Wed Oct 05c8e35e96-19ce-4f16-aeb6-fd5588dc5365linux

Log Source

Linuxsyslog

ProductLinux← raw: linux

Servicesyslog← raw: syslog

Detection Logic

detection:
    keywords:
        - ' dropping source port zero packet from '
        - ' denied AXFR from '
        - ' exiting (due to fatal error)'
    condition: keywords

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Rule Metadata

Rule ID

c8e35e96-19ce-4f16-aeb6-fd5588dc5365

Status

test

Level

high

Type

Detection

Created

Tue Feb 20

Modified

Wed Oct 05

Author

Florian Roth (Nextron Systems)

Path

rules/linux/builtin/syslog/lnx_syslog_susp_named.yml

Raw Tags

attack.initial-accessattack.t1190

View on GitHub