Anomaly detection for Nginx

Detects suspicious Nginx error log events that may lead to potential security threats

Sigma rule

```yaml
title: Anomaly detection for Nginx
id: e95462df-c49a-4598-b789-b3953a9f29d7
status: experimental
description: Detecting suspicious error log events which lead to potential security threats
author: Loginsoft Research Unit
references:
    - Internal Research
date: 2020/07/24
logsource:
  product: nginx
  category: webserver
  service: error
detection:
    keywords:
      # Double quotes need no escaping inside YAML single-quoted strings; an
      # escaping backslash would become a literal part of the search term and
      # the keyword would never match the nginx message. '*' is the Sigma wildcard.
      - 'http alloc large header buffer'
      - 'the "*" size must be equal to or greater than "*"'
      - 'http large header free:'
      - 'http large header alloc:'
      - 'http large header copy:'
      - 'client sent too long URI'
      - 'unsafe URI "*" was detected'
      - 'client sent invalid "Destination" header:'
      - 'SSL renegotiation *'
      - '"*" mp4 atom too large:*'
      - 'client sent invalid chunked body'
      - 'state buffer overflow: * bytes required'
      - 'buffer overflow'
    condition: keywords
falsepositives:
  - Unknown
level: critical
```
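As an added example (not part of the rule or of the Loginsoft page), the following Python script applies the rule's keyword list to nginx error_log lines the way a Sigma backend would: each `*` becomes a regex wildcard, everything else matches literally and case-insensitively. The log lines are constructed samples, not real captures.

```python
import re
# Keyword list copied from the Sigma rule above (quotes unescaped, since YAML
# single-quoted strings hold them literally). '*' is Sigma's wildcard.
SIGMA_KEYWORDS = [
    'http alloc large header buffer',
    'the "*" size must be equal to or greater than "*"',
    'http large header free:',
    'http large header alloc:',
    'http large header copy:',
    'client sent too long URI',
    'unsafe URI "*" was detected',
    'client sent invalid "Destination" header:',
    'SSL renegotiation *',
    '"*" mp4 atom too large:*',
    'client sent invalid chunked body',
    'state buffer overflow: * bytes required',
    'buffer overflow',
]

def sigma_keyword_to_regex(keyword):
    """Sigma keyword -> regex: '*' becomes '.*', the rest is literal; case-insensitive."""
    return re.compile('.*'.join(re.escape(p) for p in keyword.split('*')),
                      re.IGNORECASE)

PATTERNS = [(kw, sigma_keyword_to_regex(kw)) for kw in SIGMA_KEYWORDS]

def match_line(line):
    """Return the first rule keyword that fires on an error_log line, else None."""
    for keyword, pattern in PATTERNS:
        if pattern.search(line):
            return keyword
    return None

def scan(lines):
    """Return (line, keyword) pairs for every line the rule would alert on."""
    return [(ln, match_line(ln)) for ln in lines if match_line(ln)]

# Constructed sample lines in nginx error_log format (not real captures).
SAMPLE_LOG = [
    '2020/07/24 10:15:01 [info] 1234#0: *17 client sent too long URI while reading client request line, client: 203.0.113.5, server: example.test',
    '2020/07/24 10:14:55 [emerg] 1234#0: the "large_client_header_buffers" size must be equal to or greater than "client_header_buffer_size" in /etc/nginx/nginx.conf:12',
    '2020/07/24 10:15:04 [notice] 1234#0: signal process started',
    '2020/07/24 10:15:09 [info] 1234#0: *20 SSL renegotiation disabled while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443',
    '2020/07/24 10:15:15 [info] 1234#0: *22 client sent invalid chunked body while reading client request body, client: 203.0.113.5',
]

if __name__ == '__main__':
    for line, keyword in scan(SAMPLE_LOG):
        print(f'ALERT [{keyword}]: {line}')
```

Note that the final keyword `buffer overflow` is a bare substring and will also fire on the `state buffer overflow:` message and on any unrelated line containing those words, which is where the rule's "Unknown" false-positive rate will come from in practice.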
