Suspicious Log Entries
Detects suspicious log entries in Linux log files
Sigma rule
```yaml
title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
status: test
description: Detects suspicious log entries in Linux log files
references:
    - https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-03-25
modified: 2021-11-27
tags:
    - attack.impact
logsource:
    product: linux
detection:
    keywords:
        # Generic suspicious log lines
        - 'entered promiscuous mode'
        # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
        - 'Deactivating service'
        - 'Oversized packet received from'
        - 'imuxsock begins to drop messages'
    condition: keywords
falsepositives:
    - Unknown
level: medium
```
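The rule's `keywords` list is a set of unbound values: each one is matched as a case-insensitive substring anywhere in the raw log message, and the condition fires when any keyword hits. The following Python is an added illustration of that evaluation over constructed syslog lines (it is not part of the Sigma rule or of any Sigma backend), so a defender can see which lines the rule would flag and which near-misses, such as a device leaving promiscuous mode, it would not.

```python
"""Evaluate the rule's keyword list against sample syslog lines."""
from dataclasses import dataclass

# Keyword list copied from the rule above.
RULE_KEYWORDS = (
    "entered promiscuous mode",
    "Deactivating service",
    "Oversized packet received from",
    "imuxsock begins to drop messages",
)

# Constructed sample lines in syslog format (not real captures).
SAMPLE_LOG = """\
Mar 25 10:01:02 host1 kernel: [12345.678] device eth0 entered promiscuous mode
Mar 25 10:01:05 host1 sshd[2211]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2
Mar 25 10:02:11 host1 rsyslogd: imuxsock begins to drop messages from pid 4242 due to rate-limiting
Mar 25 10:03:40 host1 systemd[1]: Deactivating service auditd.service
Mar 25 10:04:00 host1 kernel: device eth0 left promiscuous mode
"""


@dataclass(frozen=True)
class Match:
    line_no: int
    keyword: str
    message: str


def matched_keywords(message: str, keywords=RULE_KEYWORDS) -> list[str]:
    """Return every rule keyword found in the message (case-insensitive substring)."""
    lowered = message.casefold()
    return [kw for kw in keywords if kw.casefold() in lowered]


def scan(log_text: str, keywords=RULE_KEYWORDS) -> list[Match]:
    """Apply the 'keywords' condition line by line; any hit means the rule fires."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for kw in matched_keywords(line, keywords):
            hits.append(Match(n, kw, line))
    return hits


if __name__ == "__main__":
    for m in scan(SAMPLE_LOG):
        print(f"line {m.line_no}: matched '{m.keyword}': {m.message}")
```

Because the match is a bare substring, a broad keyword like `Deactivating service` will also fire on routine service stops, which is why the rule lists its false positives as unknown and sits at medium level.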