Suspicious Log Entries

Detects suspicious log entries in Linux log files

Sigma rule

title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
status: test
description: Detects suspicious log entries in Linux log files
references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017/03/25
modified: 2021/11/27
tags:
    - attack.impact
logsource:
    product: linux
detection:
    keywords:
        # Generic suspicious log lines
        - 'entered promiscuous mode'
        # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
        - 'Deactivating service'
        - 'Oversized packet received from'
        - 'imuxsock begins to drop messages'
    condition: keywords
falsepositives:
    - Unknown
level: medium
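The rule is a plain keyword list with `condition: keywords`, so a backend turns it into a free-text search over the whole log message. The following is an added example, not part of the rule or the Sigma project: it implements that matching in Python and runs it over a handful of constructed syslog lines so you can see which lines fire and why. It assumes the usual backend behaviour for an unmodified `keywords` list (case-insensitive substring match against the full line); the log lines and host names are invented for the demonstration.

```python
import re

# Keywords copied from the rule's `keywords` list. Sigma backends generally compile
# an unmodified keyword list into case-insensitive substring searches over the
# entire log message (assumption stated in the lead-in).
SUSPICIOUS_KEYWORDS = [
    "entered promiscuous mode",
    "Deactivating service",
    "Oversized packet received from",
    "imuxsock begins to drop messages",
]

# Escape each keyword so characters like '.' are matched literally.
_PATTERNS = [re.compile(re.escape(k), re.IGNORECASE) for k in SUSPICIOUS_KEYWORDS]


def matched_keywords(line: str) -> list[str]:
    """Return the rule keywords found in one log line (empty list means no match)."""
    return [k for k, p in zip(SUSPICIOUS_KEYWORDS, _PATTERNS) if p.search(line)]


def scan(lines):
    """Yield (line_number, line, keywords) for every line the rule would fire on."""
    for n, line in enumerate(lines, start=1):
        hits = matched_keywords(line)
        if hits:
            yield n, line.rstrip("\n"), hits


# Constructed sample syslog lines (not real captures): two hosts, four lines that
# should match, and two benign lines for contrast.
SAMPLE_LOG = """\
Mar 25 10:01:12 web01 kernel: [12345.678901] device eth0 entered promiscuous mode
Mar 25 10:01:13 web01 systemd[1]: Started Session 42 of user deploy.
Mar 25 10:02:40 web01 rsyslogd: imuxsock begins to drop messages from pid 4242 due to rate-limiting
Mar 25 10:03:05 db01 kernel: Oversized packet received from 10.0.0.9
Mar 25 10:03:50 db01 xinetd[1234]: Deactivating service telnet due to excessive incoming connections
Mar 25 10:04:00 db01 sshd[999]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
"""


def scan_sample():
    """Convenience wrapper: run the rule over the constructed sample log."""
    return list(scan(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for n, line, hits in scan_sample():
        print(f"line {n}: {hits} <- {line}")
```

When triaging hits, keep in mind that these strings are not exploit indicators on their own: `entered promiscuous mode` is logged whenever a capture tool such as tcpdump opens an interface, and `imuxsock begins to drop messages` is rsyslog's rate limiter reporting that a process is logging faster than it is willing to accept. Both are worth a look because a sniffer on a production host or a sudden log flood can be attacker activity, but expect benign matches from monitoring agents and chatty daemons.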
