Can OSSEC detect buffer overflow attacks?

Question

I am trying to detect buffer overflow by using OSSEC (a HIDS software) as mentioned in OSSEC rules example and OSSEC book.

How can I configure OSSEC for detect a simple buffer overflow example as the following:

#include <string.h>
#include <stdio.h>
void main(int argc, char *argv[]) {
    char buffer[100];
    strcpy(buffer, argv[1]);
    printf("Done!\n");
}

I think default settings include alerting on bofs and program crashes — Soufiane Tahiri
– Soufiane Tahiri, Commented May 22, 2017 at 11:52

schroeder · Accepted Answer · 2020-10-01 10:50:56Z

2

Bear in mind that OSSEC is a log-based HIDS. Knowing that, it is clear that OSSEC will be able to react only if someone (eg.: a daemon) adds a log that matches some Buffer Overflow rule.

See the official code example that you've mentioned.

edited Oct 1, 2020 at 10:50

schroeder♦

134k55 gold badges309 silver badges357 bronze badges

answered Jul 13, 2017 at 17:10

alacerda

1256 bronze badges

Add a comment |

atdre · Accepted Answer · 2017-08-12 19:01:45Z

1

If you are looking for detection of stage-one attacks (shellcode in a process) there is EMET, WDEG aka EMET II (for Windows) and Lotan (cross-platform).

Leviathan Security has posted on Lotan at least twice here:

EMET has been capable of similar through the 3.0 Notifier or the 5.5 Event-Log mechanisms.

answered Aug 12, 2017 at 19:01

atdre

19.2k6 gold badges63 silver badges111 bronze badges

youtube.com/watch?v=YLgycMCPo4c

atdre
– atdre

2017-09-27 00:23:55 +00:00
Commented Sep 27, 2017 at 0:23

Add a comment |

Stack Exchange Network

Can OSSEC detect buffer overflow attacks?

2 Answers 2

You must log in to answer this question.

Linked

Hot Network Questions

Can OSSEC detect buffer overflow attacks?

2 Answers 2

You must log in to answer this question.

Linked

Related

Hot Network Questions