sigmamediumHunting

Suspicious Log Entries

Detects suspicious log entries in Linux log files

Detection Query

keywords:
  - entered promiscuous mode
  - Deactivating service
  - Oversized packet received from
  - imuxsock begins to drop messages
condition: keywords

Author

Florian Roth (Nextron Systems)

Created

2017-03-25

Data Sources

linux

Platforms

linux

References

https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml

Tags

attack.impact

Raw Content

title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
status: test
description: Detects suspicious log entries in Linux log files
references:
    - https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-03-25
modified: 2021-11-27
tags:
    - attack.impact
logsource:
    product: linux
detection:
    keywords:
        # Generic suspicious log lines
        - 'entered promiscuous mode'
        # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
        - 'Deactivating service'
        - 'Oversized packet received from'
        - 'imuxsock begins to drop messages'
    condition: keywords
falsepositives:
    - Unknown
level: medium