Anomaly detection for Nginx

Detecting suspicious nginx error log events (malformed, oversized or protocol-violating client and upstream input) that may indicate an attack in progress

Sigma rule (View on GitHub)

```yaml
title: Anomaly detection for Nginx
id: d5fb7b2c-fbd9-4398-97c0-c2be507cbe5a
status: experimental
description: Detecting suspicious error log events which lead to potential security threats
author: Loginsoft Research Unit
references:
    - Internal Research
date: 2020/07/24
logsource:
  product: nginx
  category: webserver
  service: error
detection:
    keywords:
      - 'http invalid header:'
      - 'client sent invalid header:'
      - 'client sent invalid userid cookie \"*\"'
      - 'client * sent invalid \"Host\" header \"*\", URL: \"*\"'
      - 'zero size buf'
      - 'zero size buf in writer'
      - '\"*\" must be less than the size of all \"*\" minus one buffer'
      - 'client sent invalid \"Host\" header'
      - 'client sent invalid \"Content-Length\" header'
      - 'rt signal queue overflow recovered'
      - 'auth http server sent invalid response'
      - 'memcached sent invalid key in response \"*\" for key \"*\"'
      - 'memcached sent invalid trailer'
      - 'http charset invalid utf'
      - 'client sent invalid \"Overwrite\" header:'
      - 'client sent invalid header line: \"*\"'
      - 'client sent too large request'
      - 'upstream sent invalid header'
      - '\"*\" mp4 * atom too large'
      - 'escaped URI: \"*\"'
      - 'spdy state buffer overflow: * bytes required'
      - 'client intended to send body data larger than declared'
      - 'receive buffer overrun'
      - 'no * for ssl_client_verify'
      - 'request reference counter overflow while processing'
      - 'http2 preread buffer overflow'
      - 'client SSL certificate verify error: (*:*)'
      - 'client violated connection flow control: received DATA frame length *, available window'
      - 'client violated flow control for stream *: received DATA frame length *, available window'
      - 'client sent invalid :path header: \"*\"'
      - 'upstream sent too large http2 frame:'
      - 'upstream sent headers frame with invalid length:'
      - 'upstream sent invalid http2 table index:'
      - 'upstream sent invalid http2 dynamic table size update:'
      - 'upstream sent too large http2 header name length'
      - 'upstream sent too large http2 header value length'
      - 'header is too large'
      - 'client sent invalid :scheme header: \"*\"'
      - 'client sent invalid host in request line'
      - 'negative size buf in output t:* r:* f:* * *-* * *-*'
      - 'negative size buf in chain writer t:* r:* f:* * *-* * *-*'
      - 'negative size buf in writer t:* r:* f:* * *-* * *-*'
      - 'unexpected \"-\" symbol after \"*\" parameter in \"*\" SSI command'
      - 'too large mp4 * samples size in \"*\"'
      - 'too large chunk offset in \"*\"'
      - 'no OCSP responder URL in certificate'
      - 'empty host in OCSP responder in certificate'
    condition: keywords
falsepositives:
  - Unknown
level: high
```
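To see what this keyword list actually matches, the following is an added example (editor's code, not part of the rule, the Loginsoft repository or the Sigma project). It implements the Sigma string escaping rules (`*`, `?`, `\*`, `\?`, `\\`, and a backslash before any other character kept as a plain backslash) as an unanchored, case-insensitive regex, parses the default nginx `error_log` line layout, and runs a subset of the rule's keywords, copied byte for byte, over constructed sample lines. One thing the run makes visible: the entries written with `\"` (they look like C string-literal escapes carried over from the source strings) only match a log line that literally contains a backslash before the quote, which nginx does not emit, so those entries are silent on the plain-quote form; the example also tries the bare-quote spelling for comparison.

```python
"""Evaluate Sigma keywords against nginx error_log lines.

Added example for this page; not code from the rule, from Loginsoft or from
the Sigma project. The log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# nginx error_log layout: "YYYY/MM/DD HH:MM:SS [level] pid#tid: *cid message",
# where "*cid" is absent for non-request events and the message carries
# ", client: ..., server: ..., request: ..., host: ..." context (assumed default format).
ERROR_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?:\*(?P<cid>\d+) )?(?P<msg>.*)$"
)

# A subset of the rule's keywords, copied exactly (raw strings keep the
# backslashes as they appear in the YAML single-quoted scalars).
RULE_KEYWORDS = [
    r'client sent too large request',
    r'client intended to send body data larger than declared',
    r'client SSL certificate verify error: (*:*)',
    r'client sent invalid \"Host\" header',
    r'http2 preread buffer overflow',
]


def sigma_to_regex(pattern: str) -> str:
    r"""Translate a Sigma string into an unanchored regular expression.

    Sigma escaping: '*' is any run of characters, '?' is one character;
    '\*', '\?' and '\\' are the literal characters; a backslash before any
    other character stays a plain backslash. That last rule is why the
    keyword 'client sent invalid \"Host\" header' only fires on a log line
    that literally contains \"Host\" (backslash included).
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(re.escape(pattern[i + 1]))  # escaped wildcard or backslash
            i += 2
        elif c == "*":
            out.append(".*")
            i += 1
        elif c == "?":
            out.append(".")
            i += 1
        else:
            out.append(re.escape(c))  # a lone backslash lands here, literally
            i += 1
    return "".join(out)


def match_keywords(message: str, keywords: List[str]) -> List[str]:
    """Keywords whose pattern occurs anywhere in message (case-insensitive, as Sigma matching is)."""
    return [k for k in keywords if re.search(sigma_to_regex(k), message, re.IGNORECASE)]


@dataclass
class Hit:
    level: str
    client: str  # "-" when the event carries no client context
    message: str
    keywords: List[str] = field(default_factory=list)


def scan_error_log(lines: List[str], keywords: List[str]) -> List[Hit]:
    """Apply the keyword list to every parseable error_log line."""
    hits = []
    for line in lines:
        m = ERROR_LINE.match(line)
        if not m:
            continue  # not an nginx error_log line; a real pipeline would count these
        msg = m.group("msg")
        matched = match_keywords(msg, keywords)
        if not matched:
            continue
        client = re.search(r"client: ([^,]+)", msg)
        hits.append(Hit(m.group("level"), client.group(1) if client else "-",
                        msg.split(", client:")[0], matched))
    return hits


# Constructed sample lines in nginx error_log format (not real captures).
SAMPLE_ERROR_LOG = [
    '2020/07/24 10:15:01 [info] 1234#1234: *7 client sent too large request while reading client request headers, client: 203.0.113.5, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"',
    '2020/07/24 10:15:02 [error] 1234#1234: *8 client intended to send body data larger than declared while reading client request body, client: 203.0.113.5, server: www.example.com, request: "POST /upload HTTP/1.1", host: "www.example.com"',
    '2020/07/24 10:15:03 [info] 1234#1234: *9 client SSL certificate verify error: (18:self signed certificate) while reading client request headers, client: 198.51.100.7, server: www.example.com, request: "GET /admin HTTP/1.1", host: "www.example.com"',
    '2020/07/24 10:15:04 [info] 1234#1234: *10 client sent invalid "Host" header "www.example.com:abc", client: 198.51.100.7, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com:abc"',
    '2020/07/24 10:15:05 [notice] 1234#1234: signal process started',
]

if __name__ == "__main__":
    for h in scan_error_log(SAMPLE_ERROR_LOG, RULE_KEYWORDS):
        print(f"[{h.level}] client={h.client} keywords={h.keywords}")
    # The "Host" line produced no hit above; the same line with the keyword
    # spelled with a bare quote instead of \" does match:
    print(match_keywords(SAMPLE_ERROR_LOG[3], ['client sent invalid "Host" header']))
```

Two practical notes follow from the run. First, when converting this rule for a backend, check how the backend renders the `\"` entries; if the intent is a bare double quote, the keyword should be written as `'client sent invalid "Host" header'`. Second, with `falsepositives: Unknown` and `level: high`, keep in mind that several entries (the client certificate verify error, a rejected `Host` header, an oversized request) also fire on misconfigured clients and routine internet scanning, so the list works better as a triage feed correlated by client address than as a stand-alone high-severity alert.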
