[New Rule] Potential Buffer Overflow Attack Detected #3312
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Aegrah
requested review from
w0rk3r,
DefSecSentinel,
imays11 and
eric-forte-elastic
imays11
approved these changes
Dec 19, 2023
w0rk3r
reviewed
Jan 4, 2024
| reference = "https://attack.mitre.org/tactics/TA0001/" | ||
|
|
||
| [rule.threshold] | ||
| field = ["event.kind"] |
There was a problem hiding this comment.
We may want to limit this somehow, by host.id maybe? If not, this would be triggered by unrelated activities in different systems on the same env
There was a problem hiding this comment.
@w0rk3r I added the host.id field to the threshold, making it match on similar event.kind and host.id values.
| For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). | ||
| - Click "Save and Continue". | ||
| - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. | ||
| For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). |
There was a problem hiding this comment.
May require a few line additions post review from @approksiu
https://docs.google.com/document/d/1J4ClwoAkhcP4BDTw94Bwb3nC_6kXsl5pu99Um8Ddt58/edit?pli=1
We need to mention the dependent Detection rule that needs to be enabled for this threshold rule to fire.
|
@approksiu would you mind giving this setup guide a double check? |
w0rk3r
approved these changes
Jan 22, 2024
Aegrah
commented
Jan 22, 2024
rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
Outdated
Show resolved
Hide resolved
Aegrah
commented
Jan 22, 2024
rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
Outdated
Show resolved
Hide resolved
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rule] Potential Buffer Overflow Attack * Added timestamp_override * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 48d8b65)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rule] Potential Buffer Overflow Attack * Added timestamp_override * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 48d8b65)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rule] Potential Buffer Overflow Attack * Added timestamp_override * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 48d8b65)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rule] Potential Buffer Overflow Attack * Added timestamp_override * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 48d8b65)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rule] Potential Buffer Overflow Attack * Added timestamp_override * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 48d8b65)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rule] Potential Buffer Overflow Attack * Added timestamp_override * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 48d8b65)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rule] Potential Buffer Overflow Attack * Added timestamp_override * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 48d8b65)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rule] Potential Buffer Overflow Attack * Added timestamp_override * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 48d8b65)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rule] Potential Buffer Overflow Attack * Added timestamp_override * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 48d8b65)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rule] Potential Buffer Overflow Attack * Added timestamp_override * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml * Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 48d8b65)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a
threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short
time interval could indicate application exploitation attempts.
Detection
This rule leverages the alert data from the "Segfault Detected" pre-built rule (https://github.com/elastic/detection-rules/blob/main/rules_building_block/execution_linux_segfault.toml).