frack113
74fc1c74ec
chore: 🧹 Remove redundant modified field chore: 🧹 Use Mitre tags instead of url chore: 🧹 Use permalink for github file reference chore: 🧹 Order emerging-threats Exploits rules
30 lines
1.7 KiB
YAML
30 lines
1.7 KiB
YAML
title: Buffer Overflow Attempts
|
|
id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
|
|
status: test
|
|
description: Detects buffer overflow attempts in Unix system log files
|
|
references:
|
|
- https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml # OSSEC attack detection rules​:contentReference[oaicite:6]{index=6}​:contentReference[oaicite:7]{index=7}
|
|
- https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html # Exec stack syslog message (noexec_user_stack)​:contentReference[oaicite:8]{index=8}
|
|
- https://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802 # WU-FTPD exploit "0bin0sh" analysis​:contentReference[oaicite:9]{index=9}
|
|
- https://blu.org/mhonarc/discuss/2001/04/msg00285.php # RPC.statd exploit attempt log example​:contentReference[oaicite:10]{index=10}
|
|
- https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/ # Stack smashing protector alert example​:contentReference[oaicite:11]{index=11}
|
|
author: Florian Roth (Nextron Systems)
|
|
date: 2017-03-01
|
|
modified: 2025-03-17
|
|
tags:
|
|
- attack.t1068
|
|
- attack.privilege-escalation
|
|
logsource:
|
|
product: linux
|
|
detection:
|
|
keywords:
|
|
- 'attempt to execute code on stack by'
|
|
- '0bin0sh1'
|
|
# - 'rpc.statd[\d+]: gethostbyname error for' # it's an expensive regex and produces questionable results
|
|
- 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' # this can cause false positives in Base64 encoded data
|
|
- 'stack smashing detected'
|
|
condition: keywords
|
|
falsepositives:
|
|
- Base64 encoded data in log entries
|
|
level: high
|