Potential Buffer Overflow Attack Detected


Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index through a threshold rule that fires on a minimum of 100 segfault alerts in a short timespan. A large number of segfaults in a short time interval could indicate application exploitation attempts.

Rule type: threshold

Rule indices:

  • .alerts-security.*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Tactic: Initial Access
  • Use Case: Vulnerability
  • Rule Type: Higher-Order Rule

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup

This rule leverages alert data from other prebuilt detection rules to function correctly.

Dependent Elastic Detection Rule Enablement

As a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:

  • Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)

Rule query

kibana.alert.rule.rule_id:"5c81fc9d-1eae-437f-ba07-268472967013" and host.os.type:linux and event.kind:signal
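To make the threshold semantics concrete, the following added Python example (not Elastic's code) applies the same three-term filter and the now-9m window with the threshold of 100 to constructed alert documents; the field names, rule id, window and threshold come from the page, while the sample alerts, the placeholder "other rule" id and the helper names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the rule page: the prerequisite rule id, the look-back
# window (now-9m) and the threshold (100 signals per window).
SEGFAULT_RULE_ID = "5c81fc9d-1eae-437f-ba07-268472967013"
LOOKBACK = timedelta(minutes=9)
THRESHOLD = 100


def matches_query(alert: dict) -> bool:
    """Mirror the KQL: rule_id:"…" and host.os.type:linux and event.kind:signal."""
    return (
        alert.get("kibana.alert.rule.rule_id") == SEGFAULT_RULE_ID
        and alert.get("host.os.type") == "linux"
        and alert.get("event.kind") == "signal"
    )


def evaluate_threshold(alerts: list, now: datetime) -> dict:
    """Count matching signals with @timestamp in [now-9m, now] and report
    whether the threshold rule would fire on this execution."""
    start = now - LOOKBACK
    count = sum(1 for a in alerts
                if matches_query(a) and start <= a["@timestamp"] <= now)
    return {"count": count, "fires": count >= THRESHOLD}


def make_alert(ts: datetime, rule_id: str = SEGFAULT_RULE_ID,
               os_type: str = "linux", kind: str = "signal") -> dict:
    """Constructed sample alert document using the flattened field names of the query."""
    return {"@timestamp": ts, "kibana.alert.rule.rule_id": rule_id,
            "host.os.type": os_type, "event.kind": kind}


def sample_scenarios() -> dict:
    """Constructed data: a burst of 120 segfault signals inside the window plus
    documents that must be ignored (outside the window, other OS, other rule, raw event)."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    burst = [make_alert(now - timedelta(seconds=i)) for i in range(120)]
    noise = [
        make_alert(now - timedelta(minutes=10)),           # older than now-9m
        make_alert(now, os_type="windows"),                # not a Linux host
        make_alert(now, rule_id="00000000-0000-0000-0000-000000000000"),  # placeholder other rule
        make_alert(now, kind="event"),                     # raw event, not a signal
    ]
    return {
        "burst": evaluate_threshold(burst + noise, now),   # 120 matches -> fires
        "quiet": evaluate_threshold(burst[:50] + noise, now),  # 50 matches -> silent
    }
```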

Framework: MITRE ATT&CK™