Nginx Core Dump
Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
Sigma rule
```yaml
title: Nginx Core Dump
id: 59ec40bb-322e-40ab-808d-84fa690d7e56
status: test
description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
references:
    - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
    - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
author: Florian Roth (Nextron Systems)
date: 2021-05-31
modified: 2023-05-08
tags:
    - attack.impact
    - attack.t1499.004
logsource:
    service: nginx
detection:
    keywords:
        - 'exited on signal 6 (core dumped)'
    condition: keywords
falsepositives:
    - Serious issues with a configuration or plugin
level: high
```
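The following is an added example, not part of the Sigma project or of this page's rule: it applies the rule's keyword to constructed Nginx error-log lines and separately lists worker crashes the keyword does not cover (other signals, or signal 6 without a core dump). It assumes the usual Nginx error-log line layout and Sigma's default case-insensitive substring matching; the function names and the sample log are hypothetical.

```python
import re
from collections import Counter

# The rule's only keyword; matched as a case-insensitive substring (assumed Sigma default).
KEYWORD = "exited on signal 6 (core dumped)"

# Extracts timestamp, worker PID and signal from an Nginx worker-exit line.
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
    r"(?P<core> \(core dumped\))?"
)

# Constructed sample lines in Nginx error-log format (not from a real host).
SAMPLE_LOG = """\
2021/05/31 10:15:02 [alert] 1001#1001: worker process 1002 exited on signal 6 (core dumped)
2021/05/31 10:15:03 [notice] 1001#1001: start worker process 1010
2021/05/31 10:15:09 [alert] 1001#1001: worker process 1010 exited on signal 6 (core dumped)
2021/05/31 10:16:40 [alert] 1001#1001: worker process 1003 exited on signal 11 (core dumped)
2021/05/31 10:17:00 [alert] 1001#1001: worker process 1004 exited on signal 6
2021/05/31 10:18:11 [error] 1005#1005: *7 open() "/var/www/html/favicon.ico" failed (2: No such file or directory)
"""

def rule_matches(line):
    """True when the line would satisfy the rule's `keywords` condition."""
    return KEYWORD.lower() in line.lower()

def triage(log_text):
    """Split worker-exit lines into rule hits and crashes the rule does not match."""
    hits, uncovered = [], []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if rule_matches(line):
            hits.append({"ts": m["ts"], "pid": int(m["pid"])} if m else {"raw": line})
        elif m:
            uncovered.append({"ts": m["ts"], "pid": int(m["pid"]),
                              "signal": int(m["sig"]), "core": bool(m["core"])})
    return hits, uncovered

def crashes_per_minute(hits):
    """Count rule hits per minute; repeated crashes suggest a reproducible trigger."""
    return Counter(h["ts"][:16] for h in hits if "ts" in h)

if __name__ == "__main__":
    hits, uncovered = triage(SAMPLE_LOG)
    print("rule hits:", hits)
    print("worker crashes outside the keyword:", uncovered)
    print("hits per minute:", dict(crashes_per_minute(hits)))
```

A hit only appears in the log when core dumps are enabled on the host, as described in the first reference of the rule.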
Related rules
- Apache Segmentation Fault
- Audit CVE Event
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption