
FILELESS ATTACKS

 

BUFFER ERROR

  1. Code: 35

  2. Brief Description: Buffer Error

  3. Sample log messages:

    1. CEF format 

       

      Jul 17 16:28:42 10.16.8.144 CEF: 1|Virsec Security Platform|Virsec|1.3.0|35|Buffer Error|10|EventId=VS-BFER-071720-A00006|Application_Name=DivByZeroException 1.0 Server_Name=redhat7 Incident_Level=ATTACK Incident_Category=FILE_LESS Incident_Type=Buffer Error Incident_Timestamp=17 Jul 2020 08:29:11 PM UTC Destination Module Start Address=0x00007f4b70c96000 Source Module Start Address=0x00007f4b70c96000 Destination Memory Address=0x00007f4b70c97b51 Process ID=8352 Source Memory Address=0x00007f4b70ca0fee Destination Module Name=ld-linux-x86-64.so.2 Thread ID=8352 Source Module Name=ld-linux-x86-64.so.2 pid=8352 description=Buffer Error category=Fileless Attack eventTime=2020-07-17 16:28:32 tid=8352

    2. CEF - Fixed Key Definition format  

       

      Sep  8 22:29:05 10.16.8.184 CEF: 1|Virsec Security Platform|Virsec|1.4.0|35|Buffer Error|10|EventId=VS-BFER-090920-A00007|Application_Name=RHEL67_Nginx_gitlab_187 1.4.0 Server_Name=rhel6 Incident_Level=ATTACK Incident_Category=FILE_LESS Incident_Type=Buffer Error Incident_Timestamp=09 Sep 2020 02:30:21 AM UTC Source Module Start Address=0x0000000000400000 Destination Module Name=libpthread.so.0 Destination Memory Address=0x0000003b1b80f790 Source Memory Address=0x000000000041c522 Action=/opt/virsec/ArmasProbe//iae-bin2.0/scripts/restart.sh /opt/virsec/ArmasProbe/iae-bin2.0/state/app_nginx.cmd root Source Module Name=nginx Destination Module Start Address=0x0000003b1b800000 Thread ID=674 Process ID=674 pid=674 description=Buffer Error category=Fileless Attack eventTime=2020-09-09T02:29:35.423+05:00 tid=674
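The two samples above are not stock CEF: the header is written `CEF: 1`, the `EventId` rides as an eighth pipe-delimited field in front of the extension, and several extension keys contain spaces (`Destination Module Start Address`), which a generic CEF parser that treats a key as one token would split apart. The parser below, an added example and not code from Virsec or its documentation, lexes the extension by a list of known key names taken from these two samples (an assumption about the product's full schema), then turns the raw addresses into module-relative offsets so an analyst can see at a glance where the bad control transfer came from and where it landed, and whether the probe already ran its restart `Action`.

```python
"""Parse the Virsec "Buffer Error" (code 35) CEF events shown above and pull out
what an analyst wants first: where control flow came from, where it landed, and
whether the probe already ran a response action.

Added example; it is not part of the Virsec Security Platform or its docs. The
sample lines are the two from this page; the key list is taken from those
samples and is an assumption about the product's full field schema.
"""
import re

# Sample 1 (CEF format) and sample 2 (CEF - Fixed Key Definition format), from the page.
SAMPLE_1 = ("Jul 17 16:28:42 10.16.8.144 CEF: 1|Virsec Security Platform|Virsec|1.3.0|35|Buffer Error|10|"
            "EventId=VS-BFER-071720-A00006|Application_Name=DivByZeroException 1.0 Server_Name=redhat7 "
            "Incident_Level=ATTACK Incident_Category=FILE_LESS Incident_Type=Buffer Error "
            "Incident_Timestamp=17 Jul 2020 08:29:11 PM UTC Destination Module Start Address=0x00007f4b70c96000 "
            "Source Module Start Address=0x00007f4b70c96000 Destination Memory Address=0x00007f4b70c97b51 "
            "Process ID=8352 Source Memory Address=0x00007f4b70ca0fee Destination Module Name=ld-linux-x86-64.so.2 "
            "Thread ID=8352 Source Module Name=ld-linux-x86-64.so.2 pid=8352 description=Buffer Error "
            "category=Fileless Attack eventTime=2020-07-17 16:28:32 tid=8352")
SAMPLE_2 = ("Sep  8 22:29:05 10.16.8.184 CEF: 1|Virsec Security Platform|Virsec|1.4.0|35|Buffer Error|10|"
            "EventId=VS-BFER-090920-A00007|Application_Name=RHEL67_Nginx_gitlab_187 1.4.0 Server_Name=rhel6 "
            "Incident_Level=ATTACK Incident_Category=FILE_LESS Incident_Type=Buffer Error "
            "Incident_Timestamp=09 Sep 2020 02:30:21 AM UTC Source Module Start Address=0x0000000000400000 "
            "Destination Module Name=libpthread.so.0 Destination Memory Address=0x0000003b1b80f790 "
            "Source Memory Address=0x000000000041c522 Action=/opt/virsec/ArmasProbe//iae-bin2.0/scripts/restart.sh "
            "/opt/virsec/ArmasProbe/iae-bin2.0/state/app_nginx.cmd root Source Module Name=nginx "
            "Destination Module Start Address=0x0000003b1b800000 Thread ID=674 Process ID=674 pid=674 "
            "description=Buffer Error category=Fileless Attack eventTime=2020-09-09T02:29:35.423+05:00 tid=674")

# Extension keys observed in the samples (assumed list). Multi-word keys must be
# matched whole, so the alternation is ordered longest first.
KNOWN_KEYS = sorted([
    "EventId", "Application_Name", "Server_Name", "Incident_Level", "Incident_Category",
    "Incident_Type", "Incident_Timestamp", "Source Module Start Address",
    "Destination Module Start Address", "Source Memory Address", "Destination Memory Address",
    "Source Module Name", "Destination Module Name", "Process ID", "Thread ID", "Action",
    "pid", "tid", "description", "category", "eventTime",
], key=len, reverse=True)

# A key starts at the beginning of the extension or after whitespace; Virsec also
# emits EventId as an eighth pipe-delimited header field, so '|' is a boundary too.
_KEY_RE = re.compile(r"(?:^|(?<=[\s|]))(" + "|".join(re.escape(k) for k in KNOWN_KEYS) + r")=")
_ANY_KEY_RE = re.compile(r"(?:^|(?<=[\s|]))([A-Za-z_][A-Za-z0-9_]*)=")  # fallback: unknown single-token keys
_PIPE_RE = re.compile(r"(?<!\\)\|")  # CEF header separator; an escaped '\|' is literal
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")


def parse_extension(ext):
    """Return the extension as a dict; a value runs until the next recognised key."""
    matches = list(_KEY_RE.finditer(ext))
    spans = [(m.start(), m.end()) for m in matches]
    for m in _ANY_KEY_RE.finditer(ext):
        # keep unknown keys unless the token sits inside a known multi-word key ("...Address=")
        if not any(s <= m.start() < e for s, e in spans):
            matches.append(m)
    matches.sort(key=lambda m: m.start())
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().rstrip("|").rstrip()
    return fields


def parse_cef(line):
    """Split a syslog-wrapped CEF line into its seven header fields plus the extension dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    parts = _PIPE_RE.split(line[idx + 4:], maxsplit=7)   # pipes inside the extension survive
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = {"syslog_prefix": line[:idx].rstrip()}
    record.update(zip(HEADER_FIELDS, (p.strip() for p in parts[:7])))
    record["extension"] = parse_extension(parts[7].strip())
    return record


def triage(line):
    """Summarise one Buffer Error event the way a SOC correlation rule would."""
    rec = parse_cef(line)
    ext = rec["extension"]
    addr = lambda key: int(ext[key], 16)
    src_mod, dst_mod = ext["Source Module Name"], ext["Destination Module Name"]
    src_off = addr("Source Memory Address") - addr("Source Module Start Address")
    dst_off = addr("Destination Memory Address") - addr("Destination Module Start Address")
    return {
        "event_id": ext["EventId"],
        "host": ext["Server_Name"],
        "app": ext["Application_Name"],
        "pid": int(ext["Process ID"]),
        "tid": int(ext["Thread ID"]),
        "severity": int(rec["severity"]),
        # code 35 at Incident_Level=ATTACK / FILE_LESS is a confirmed attack, not a notice
        "is_attack": rec["signature_id"] == "35" and ext.get("Incident_Level") == "ATTACK"
                     and ext.get("Incident_Category") == "FILE_LESS",
        # module-relative offsets survive ASLR and can be looked up in the binary
        "transfer": f"{src_mod}+{src_off:#x} -> {dst_mod}+{dst_off:#x}",
        "cross_module": src_mod != dst_mod,
        "responded": "Action" in ext,   # probe already ran the restart script
    }


if __name__ == "__main__":
    for line in (SAMPLE_1, SAMPLE_2):
        print(triage(line))
```

Lexing by known key names is the only way to disambiguate a space-containing key from a space-containing value such as `Incident_Timestamp=17 Jul 2020 08:29:11 PM UTC`, so the list has to be extended with any further multi-word keys other Virsec event codes emit, and a value that itself contains `<known key>=` would be cut short. Note also that each line carries three timestamps (the syslog prefix, `eventTime` and `Incident_Timestamp`) which do not agree with each other in the samples; pick one consistently when correlating.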
