Nginx Core Dump

Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.

Sigma rule

title: Nginx Core Dump
id: 59ec40bb-322e-40ab-808d-84fa690d7e56
status: test
description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
references:
    - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
    - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
author: Florian Roth (Nextron Systems)
date: 2021/05/31
modified: 2023/05/08
tags:
    - attack.impact
    - attack.t1499.004
logsource:
    service: nginx
detection:
    keywords:
        - 'exited on signal 6 (core dumped)'
    condition: keywords
falsepositives:
    - Serious issues with a configuration or plugin
level: high
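As an added illustration (not part of the Sigma rule or of any project's code), the following Python applies the rule's keyword to constructed nginx error-log lines and pulls the crashed worker's PID out of the master process message; the log line layout and the sample lines are assumptions.

```python
import re

# nginx error-log layout assumed here:
#   YYYY/MM/DD HH:MM:SS [level] pid#tid: message
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?P<msg>.*)$'
)
# Keyword taken from the Sigma rule above.
KEYWORD = 'exited on signal 6 (core dumped)'
# Master process message that names the crashed worker (assumed wording).
WORKER_RE = re.compile(r'worker process (?P<worker>\d+) ' + re.escape(KEYWORD),
                       re.IGNORECASE)

def match_core_dump(line):
    """Return alert fields if the line matches the rule, else None."""
    # Sigma 'keywords' is a case-insensitive substring match.
    if KEYWORD.lower() not in line.lower():
        return None
    m = LINE_RE.match(line)
    if not m:
        # Keyword present but layout differs: still an alert per the rule.
        return {'raw': line}
    w = WORKER_RE.search(m['msg'])
    return {
        'timestamp': m['ts'],
        'level': m['level'],
        'master_pid': int(m['pid']),
        'worker_pid': int(w['worker']) if w else None,
        'raw': line,
    }

def scan(lines):
    """Run the rule over an iterable of log lines; return the alerts."""
    alerts = []
    for line in lines:
        hit = match_core_dump(line.rstrip('\n'))
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample lines (not real logs).
SAMPLE_LOG = [
    '2021/05/31 10:00:01 [notice] 1000#1000: using the "epoll" event method',
    '2021/05/31 10:00:02 [alert] 1000#1000: worker process 1001 exited on signal 6 (core dumped)',
    '2021/05/31 10:00:03 [notice] 1000#1000: start worker process 1002',
    '2021/05/31 10:00:04 [notice] 1000#1000: signal 15 (SIGTERM) received, exiting',
]

if __name__ == '__main__':
    for a in scan(SAMPLE_LOG):
        print(f"{a['timestamp']} core dump: worker {a['worker_pid']} of master {a['master_pid']}")
```

Note that the keyword covers SIGABRT (signal 6) only; a worker killed by a segmentation fault logs "exited on signal 11 (core dumped)" and is not matched by this rule as written.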
