
I am trying to detect a buffer overflow by using OSSEC (a HIDS), as mentioned in the OSSEC rules example and the OSSEC book.

How can I configure OSSEC to detect a simple buffer overflow example like the following:

#include <string.h>
#include <stdio.h>

/* Deliberately vulnerable: strcpy() has no length check, so an argument
   longer than 99 bytes overwrites whatever follows buffer on the stack. */
int main(int argc, char *argv[]) {
    char buffer[100];
    if (argc < 2)
        return 1;               /* no argument: nothing to copy */
    strcpy(buffer, argv[1]);    /* the overflow happens here */
    printf("Done!\n");
    return 0;
}
khant


Bear in mind that OSSEC is a log-based HIDS. Knowing that, it is clear that OSSEC will only be able to react if someone (e.g. a daemon) writes a log entry that matches some buffer overflow rule.

See the official code example that you've mentioned.

schroeder
alacerda
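To make the point in this answer concrete: OSSEC never sees the overflow itself, only whatever lands in a log afterwards. When the program in the question is run with a long argument it crashes, and on Linux the kernel writes a "segfault at ... ip ... sp ... error ..." line to the kernel log, which an OSSEC agent can collect from /var/log/kern.log or syslog. The Python script below is an added example, not part of the original answer or of OSSEC: it models OSSEC's rule chaining (a parent rule selected with <if_sid>, the most specific matching rule winning, level 0 meaning "never alert") and runs it over a few constructed log lines. The rule IDs 100100-100102 are hypothetical numbers in OSSEC's local-rule range, the segfault line is a constructed sample rather than a captured one, and Python's re module stands in for OSSEC's own regex dialect. The equivalent real rules would be written with <match>/<regex> and <if_sid> elements in /var/ossec/rules/local_rules.xml.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log lines (not captured from a real host). Line 0 is the
# kind of message the Linux kernel writes when the overflowed program crashes
# with its return address overwritten by 0x41 bytes; the rest is benign noise,
# including the program's own "Done!" output, which nobody logged.
SAMPLE_LOGS = [
    "Jan  5 10:12:01 host kernel: vuln[4321]: segfault at 41414141 ip 41414141 "
    "sp bffff5a0 error 4 in vuln[8048000+1000]",
    "Jan  5 10:12:02 host kernel: eth0: link becomes ready",
    "Jan  5 10:12:03 host sshd[999]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2",
    "Jan  5 10:12:04 host vuln: Done!",
]


@dataclass
class Rule:
    id: int
    level: int
    description: str
    pattern: str
    if_sid: Optional[int] = None  # parent rule that must match first (OSSEC <if_sid>)

    def matches(self, line: str) -> bool:
        return re.search(self.pattern, line) is not None


# Hypothetical local rules (IDs in OSSEC's 100000+ local range). Level 0 means
# "never alert", which is how OSSEC uses a parent rule purely for grouping.
RULES = [
    Rule(100100, 0, "Kernel message", r"\bkernel: "),
    Rule(100101, 12, "Process segfault: possible buffer overflow",
         r"segfault at \S+ ip \S+ sp \S+ error \d+", if_sid=100100),
    Rule(100102, 13, "Segfault at a repeated-byte address: classic overflow fill",
         r"segfault at ([0-9a-f]{2})(?:\1)+ ", if_sid=100101),
]


def evaluate(line: str, rules: List[Rule]) -> Optional[Rule]:
    """Return the most specific rule matching the line, or None.

    Mirrors OSSEC's tree walk: a child rule is only tried once its if_sid
    parent has matched, and the last (deepest) match wins.
    """
    matched_ids = set()
    best = None
    for rule in rules:
        if rule.if_sid is not None and rule.if_sid not in matched_ids:
            continue
        if rule.matches(line):
            matched_ids.add(rule.id)
            best = rule
    return best


def run_detection(lines: List[str], rules: List[Rule],
                  min_level: int = 1) -> List[Tuple[int, int, str]]:
    """Feed log lines through the rules and collect (id, level, description)
    for every line whose winning rule is at or above min_level."""
    alerts = []
    for line in lines:
        rule = evaluate(line, rules)
        if rule is not None and rule.level >= min_level:
            alerts.append((rule.id, rule.level, rule.description))
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOGS, RULES):
        print("ALERT rule %d level %d: %s" % alert)
```

Only the kernel segfault line produces an alert; the benign kernel line stops at the level-0 parent, and the program's "Done!" never reaches a log at all, which is exactly why a log-based HIDS cannot see an overflow that does not crash or otherwise leave a trace. If the exploit succeeds cleanly and the process keeps running, there is no log line and therefore nothing for OSSEC to match.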

If you are looking for detection of stage-one attacks (shellcode in a process), there are EMET and WDEG, aka EMET II (for Windows), and Lotan (cross-platform).

Leviathan Security has posted on Lotan at least twice here:

EMET has been capable of something similar through the 3.0 Notifier or the 5.5 Event-Log mechanisms.

atdre