rules/linux/builtin/lnx_buffer_overflows.yml

title: Buffer Overflow Attempts
id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
status: test
description: Detects buffer overflow attempts in Unix system log files
references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml  # OSSEC attack detection rules&#8203;:contentReference[oaicite:6]{index=6}&#8203;:contentReference[oaicite:7]{index=7}
    - https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html  # Exec stack syslog message (noexec_user_stack)&#8203;:contentReference[oaicite:8]{index=8}
    - https://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802  # WU-FTPD exploit "0bin0sh" analysis&#8203;:contentReference[oaicite:9]{index=9}
    - https://blu.org/mhonarc/discuss/2001/04/msg00285.php  # RPC.statd exploit attempt log example&#8203;:contentReference[oaicite:10]{index=10}
    - https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/  # Stack smashing protector alert example&#8203;:contentReference[oaicite:11]{index=11}
author: Florian Roth (Nextron Systems)
date: 2017-03-01
modified: 2025-03-17
tags:
    - attack.t1068
    - attack.privilege-escalation
logsource:
    product: linux
detection:
    keywords:
        - 'attempt to execute code on stack by'
        - '0bin0sh1'
        # - 'rpc.statd[\d+]: gethostbyname error for'  # it's an expensive regex and produces questionable results
        - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'  # this can cause false positives in Base64 encoded data
        - 'stack smashing detected'
    condition: keywords
falsepositives:
    - Base64 encoded data in log entries
level: high
Rule: Linux: buffer overflows 2017-03-01 08:38:33 +01:00			`title: Buffer Overflow Attempts`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781`
Merge PR #5237 from @Neo23x0 - Update `Buffer Overflow Attempts` 2025-04-07 11:08:55 +02:00			`status: test`
Update lnx_buffer_overflows.yml 2018-08-25 00:20:34 +02:00			`description: Detects buffer overflow attempts in Unix system log files`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
$frack113$ Merge PR #5451 from @frack113 - chore: cleanup metadata 2025-06-04 13:33:36 +02:00			`- https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml # OSSEC attack detection rules:contentReference[oaicite:6]{index=6}:contentReference[oaicite:7]{index=7}`
Merge PR #5237 from @Neo23x0 - Update `Buffer Overflow Attempts` 2025-04-07 11:08:55 +02:00			`- https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html # Exec stack syslog message (noexec_user_stack):contentReference[oaicite:8]{index=8}`
			`- https://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802 # WU-FTPD exploit "0bin0sh" analysis:contentReference[oaicite:9]{index=9}`
			`- https://blu.org/mhonarc/discuss/2001/04/msg00285.php # RPC.statd exploit attempt log example:contentReference[oaicite:10]{index=10}`
			`- https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/ # Stack smashing protector alert example:contentReference[oaicite:11]{index=11}`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: Florian Roth (Nextron Systems)`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2017-03-01`
Merge PR #5237 from @Neo23x0 - Update `Buffer Overflow Attempts` 2025-04-07 11:08:55 +02:00			`modified: 2025-03-17`
$frack113$ Order yaml field 2022-10-25 08:53:44 +02:00			`tags:`
			`- attack.t1068`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.privilege-escalation`
Rule: Linux: buffer overflows 2017-03-01 08:38:33 +01:00			`logsource:`
fix: product unix > linux 2022-03-24 11:40:51 +01:00			`product: linux`
Rule: Linux: buffer overflows 2017-03-01 08:38:33 +01:00			`detection:`
			`keywords:`
			`- 'attempt to execute code on stack by'`
Merge PR #5237 from @Neo23x0 - Update `Buffer Overflow Attempts` 2025-04-07 11:08:55 +02:00			`- '0bin0sh1'`
			`# - 'rpc.statd[\d+]: gethostbyname error for' # it's an expensive regex and produces questionable results`
			`- 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' # this can cause false positives in Base64 encoded data`
			`- 'stack smashing detected'`
Rule: Linux: buffer overflows 2017-03-01 08:38:33 +01:00			`condition: keywords`
			`falsepositives:`
Merge PR #5237 from @Neo23x0 - Update `Buffer Overflow Attempts` 2025-04-07 11:08:55 +02:00			`- Base64 encoded data in log entries`
Rule: Linux: buffer overflows 2017-03-01 08:38:33 +01:00			`level: high`