Buffer Overflow Attempts

calendar Apr 7, 2025 · attack.t1068 attack.privilege-escalation  ·
Share on: linkedin copy

Detects buffer overflow attempts in Unix system log files

Sigma rule (View on GitHub)

 1title: Buffer Overflow Attempts
 2id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
 3status: test
 4description: Detects buffer overflow attempts in Unix system log files
 5references:
 6    - https://github.com/ossec/ossec-hids/blob/1ecffb1b88/etc/rules/attack_rules.xml  # OSSEC attack detection rules​:contentReference[oaicite:6]{index=6}​:contentReference[oaicite:7]{index=7}
 7    - https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html  # Exec stack syslog message (noexec_user_stack)​:contentReference[oaicite:8]{index=8}
 8    - https://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802  # WU-FTPD exploit "0bin0sh" analysis​:contentReference[oaicite:9]{index=9}
 9    - https://blu.org/mhonarc/discuss/2001/04/msg00285.php  # RPC.statd exploit attempt log example​:contentReference[oaicite:10]{index=10}
10    - https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/  # Stack smashing protector alert example​:contentReference[oaicite:11]{index=11}
11author: Florian Roth (Nextron Systems)
12date: 2017-03-01
13modified: 2025-03-17
14tags:
15    - attack.t1068
16    - attack.privilege-escalation
17logsource:
18    product: linux
19detection:
20    keywords:
21        - 'attempt to execute code on stack by'
22        - '0bin0sh1'
23        # - 'rpc.statd[\d+]: gethostbyname error for'  # it's an expensive regex and produces questionable results
24        - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'  # this can cause false positives in Base64 encoded data
25        - 'stack smashing detected'
26    condition: keywords
27falsepositives:
28    - Base64 encoded data in log entries
29level: high
yaml

References

Related rules

to-top