Rule: Linux: buffer overflows

Author: Florian Roth

rules/linux/lnx_buffer_overflows.yml

@@ -0,0 +1,15 @@
+title: Buffer Overflow Attempts
+description: Detects buffer overflow attempts in Linux system log files
+reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+logsource:
+    product: linux
+detection:
+    keywords:
+        - 'attempt to execute code on stack by'
+        - 'FTP LOGIN FROM .* 0bin0sh'
+        - 'rpc.statd[\d+]: gethostbyname error for'
+        - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
+    condition: keywords
+falsepositives:
+    - Unkown
+level: high

rules/web/web_webshell_keyword.yml

@@ -13,3 +13,4 @@ falsepositives:
     - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
     - User searches in search boxes of the respective website
 level: high
+