Suspicious Log Entries
Detects suspicious log entries in Linux log files
Sigma rule
title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
status: test
description: Detects suspicious log entries in Linux log files
references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017/03/25
modified: 2021/11/27
tags:
    - attack.impact
logsource:
    product: linux
detection:
    keywords:
        # Generic suspicious log lines
        - 'entered promiscuous mode'
        # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
        - 'Deactivating service'
        - 'Oversized packet received from'
        - 'imuxsock begins to drop messages'
    condition: keywords
falsepositives:
    - Unknown
level: medium
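The rule has no field selectors: a `keywords` list with `condition: keywords` fires when any of the four strings appears anywhere in a Linux log line. The matcher below is an added example, not part of this rule or of the Sigma project, and it assumes what the common Sigma backends produce for an unmodified keyword list: a case-insensitive substring match over the whole message. The keyword list is copied from the rule above; the syslog lines are constructed for the demonstration, not captured from a real host.

```python
"""
Added example: apply the `keywords` detection of the "Suspicious Log Entries"
Sigma rule to a few constructed Linux syslog lines.

Assumption (not stated on the page): an unmodified Sigma keyword is compiled
to a case-insensitive "contains" match on the full log line.
"""
from typing import Dict, List, Optional

# Keyword list copied from the rule's `detection.keywords` section.
RULE_KEYWORDS = [
    "entered promiscuous mode",
    "Deactivating service",
    "Oversized packet received from",
    "imuxsock begins to drop messages",
]

# Constructed sample input in syslog format (not real captures).
SAMPLE_LOG = """\
Mar 25 10:01:02 host1 kernel: [12345.678] device eth0 entered promiscuous mode
Mar 25 10:01:03 host1 systemd[1]: Started Daily apt download activities.
Mar 25 10:02:10 host1 rsyslogd: imuxsock begins to drop messages from pid 4242 due to rate-limiting
Mar 25 10:03:00 host1 sshd[900]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar 25 10:04:00 host1 ossec: Oversized packet received from 203.0.113.7
Mar 25 10:05:00 host1 kernel: device eth0 left promiscuous mode
"""


def match_keywords(line: str, keywords: List[str] = RULE_KEYWORDS) -> Optional[str]:
    """Return the first rule keyword contained in `line`, ignoring case, else None."""
    lowered = line.lower()
    for keyword in keywords:
        if keyword.lower() in lowered:
            return keyword
    return None


def scan(log_text: str, keywords: List[str] = RULE_KEYWORDS) -> List[Dict[str, object]]:
    """Run the rule over every line of `log_text`; one alert per matching line."""
    alerts: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        keyword = match_keywords(line, keywords)
        if keyword is not None:
            alerts.append({"line": lineno, "keyword": keyword, "message": line})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[medium] line {alert['line']}: matched {alert['keyword']!r}")
        print(f"         {alert['message']}")
```

Three of the six sample lines fire (lines 1, 3 and 5); "left promiscuous mode" does not, because only the "entered" string is in the rule. When tuning this rule, note that the kernel logs "entered promiscuous mode" for any interface put into that mode, which includes bridge and container virtual interfaces as well as a packet sniffer on a physical NIC, and that rsyslog prints "imuxsock begins to drop messages" whenever its own rate limiting engages. Both are worth whitelisting per host rather than globally, since log flooding that triggers rate limiting can also be an attempt to hide activity.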
References
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
Related rules
- Application Uninstalled
- Deletion of Volume Shadow Copies via WMI with PowerShell
- Important Scheduled Task Deleted
- Locked Workstation
- Sensitive File Access Via Volume Shadow Copy Backup