HIDS Open-Source Rule List

| Alert ID | Alert name | Description | Alert type | Data type | Level |
|---|---|---|---|---|---|
| hidden_module_detect | Hidden kernel module | Hidden kernel module detected | Backdoor persistence | Hooks | critical |
| bruteforce_single_source_detect | Bruteforce from single source | Brute force from a single source address | Brute force | Log Monitor | medium |
| bruteforce_multi_source_detect | Bruteforce from multi-sources | Brute force from multiple source addresses | Brute force | Log Monitor | medium |
| bruteforce_success_detect | Bruteforce success | Brute-force login attempts ended with a successful password login | Brute force | Log Monitor | critical |
| binary_file_hijack_detect1 | Binary file hijack | Common binary file hijacking, file creation detection | Trojan variant | execve | medium |
| binary_file_hijack_detect2 | Binary file hijack | Common binary file hijacking, file renaming detection | Trojan variant | execve | critical |
| binary_file_hijack_detect3 | Binary file hijack | Common binary file hijacking, file linking detection | Trojan variant | execve | critical |
| user_credential_escalation_detect | User credential escalation | Non-root user escalates to root privilege | Privilege escalation | Log Monitor | medium |
| privilege_escalation_suid_sgid_detect_1 | User credential escalation | Non-root user escalates privilege with suid/sgid | Privilege escalation | Log Monitor | medium |
| privilege_escalation_suid_sgid_detect_2 | User credential escalation | Non-root user escalates privilege with suid/sgid | Privilege escalation | execve | medium |
| reverse_shell_detect_basic | Reverse shell | Reverse shell with connection (shell whose stdio is a socket) | Code execution | execve | critical |
| reverse_shell_detect_argv | Reverse shell | Reverse-shell-like argv during execution | Code execution | execve | high |
| reverse_shell_detect_exec | Reverse shell | Reverse shell with exec | Code execution | execve | high |
| reverse_shell_detect_pipe | Reverse shell | Reverse shell with pipe | Code execution | execve | high |
| reverse_shell_detect_perl | Reverse shell | Reverse shell with Perl | Code execution | execve | high |
| reverse_shell_detect_python | Reverse shell | Reverse shell with Python | Code execution | execve | high |
| bind_shell_awk_detect | Bind shell with awk | Suspicious bind shell with awk | Code execution | execve | high |
| pipe_shell_detect | Double-piped reverse shell | Double-piped reverse shell | Code execution | execve | high |
| suspicious_rce_from_consul_service_detect | Suspicious RCE-like behavior | Suspicious RCE-like behavior from the Consul service | Intrusion probing | execve | high |
| suspicious_rce_from_mysql_service_detect | Suspicious RCE-like behavior | Suspicious RCE-like behavior from the mysql service | Intrusion probing | execve | high |
| dnslog_detect1 | Suspicious query to dnslog | Suspicious dnslog-like query on hosts | Intrusion probing | execve | high |
| dnslog_detect2 | Suspicious query to dnslog | Suspicious dnslog-like query on hosts | Intrusion probing | execve | high |
| container_escape_mount_drive_detect | Container escape with mounted drive | Unnecessary behavior inside container: mounting a drive | Privilege escalation | execve | high |
| container_escape_usermode_helper_detect | Container escape with usermodehelper | Suspicious container escape via usermode helper | Privilege escalation | execve | high |
| signature_scan_maliciou_files_detect | Malicious files | Abnormal files detected with a malicious signature | Static scan | execve | high |

"Data type" is the data source a rule consumes: Hooks (kernel hook data), Log Monitor (collected log lines such as authentication logs), or execve (process execution events with their argv and file descriptors).
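The three brute-force rules above are Log Monitor rules, so the natural way to see what they do is to run sliding-window logic over authentication log lines. The block below is an added example written for this page, not code from the project whose rule list this is: the sshd lines are constructed, and the window length and thresholds are assumptions chosen for illustration (the table does not state the real values). It fires `bruteforce_single_source_detect` when one IP accumulates enough failures in the window, `bruteforce_multi_source_detect` when enough distinct IPs fail in the window, and `bruteforce_success_detect` when a password login succeeds from an IP that was just failing.

```python
"""Added example: sliding-window implementation of the three brute-force
Log Monitor rules in the table. Log lines are constructed; thresholds and
the window are assumptions, not the project's values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (the table gives none).
WINDOW = timedelta(seconds=60)
SINGLE_SOURCE_FAILS = 5   # failures from one IP within WINDOW
MULTI_SOURCE_IPS = 5      # distinct failing IPs within WINDOW
FAILS_BEFORE_SUCCESS = 3  # recent failures from an IP before its password login succeeds

# Constructed sshd auth lines (not real data); syslog format, no year.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:02 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 10 10:00:03 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jan 10 10:00:04 host sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 10:00:05 host sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 10:00:09 host sshd[1006]: Accepted password for root from 203.0.113.5 port 40006 ssh2
Jan 10 10:05:00 host sshd[1007]: Failed password for deploy from 198.51.100.1 port 5001 ssh2
Jan 10 10:05:01 host sshd[1008]: Failed password for deploy from 198.51.100.2 port 5002 ssh2
Jan 10 10:05:02 host sshd[1009]: Failed password for deploy from 198.51.100.3 port 5003 ssh2
Jan 10 10:05:03 host sshd[1010]: Failed password for deploy from 198.51.100.4 port 5004 ssh2
Jan 10 10:05:04 host sshd[1011]: Failed password for deploy from 198.51.100.5 port 5005 ssh2
Jan 10 10:05:05 host sshd[1012]: Failed password for deploy from 198.51.100.6 port 5006 ssh2
Jan 10 10:30:00 host sshd[1013]: Accepted publickey for deploy from 192.0.2.9 port 6000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Parse sshd lines into (ts, result, method, user, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect(text):
    """Return [(rule_id, detail)] in the order the rules fire."""
    alerts = []
    fails_by_ip = defaultdict(list)   # ip -> failure timestamps still inside WINDOW
    recent_fails = []                 # (ts, ip) host-wide, still inside WINDOW
    fired_single = set()              # IPs already reported (one alert per IP)
    multi_active = False              # suppress repeats while the burst continues
    for ts, result, method, user, ip in parse_events(text):
        cutoff = ts - WINDOW
        recent_fails = [(t, i) for t, i in recent_fails if t > cutoff]
        for k in list(fails_by_ip):
            fails_by_ip[k] = [t for t in fails_by_ip[k] if t > cutoff]
        if result == "Failed":
            fails_by_ip[ip].append(ts)
            recent_fails.append((ts, ip))
            if len(fails_by_ip[ip]) >= SINGLE_SOURCE_FAILS and ip not in fired_single:
                fired_single.add(ip)
                alerts.append(("bruteforce_single_source_detect", ip))
            sources = sorted({i for _, i in recent_fails})
            if len(sources) >= MULTI_SOURCE_IPS:
                if not multi_active:
                    multi_active = True
                    alerts.append(("bruteforce_multi_source_detect", ",".join(sources)))
            else:
                multi_active = False
        elif result == "Accepted" and method == "password":
            # Only password successes count: a key login cannot be guessed.
            if len(fails_by_ip[ip]) >= FAILS_BEFORE_SUCCESS:
                alerts.append(("bruteforce_success_detect", f"{user}@{ip}"))
    return alerts


if __name__ == "__main__":
    for rule_id, detail in detect(SAMPLE_LOG):
        print(rule_id, detail)
```

The success rule is the one worth tuning carefully: it is rated critical in the table because a password success right after a failure burst from the same address is almost never benign, while the two volume rules are only medium since scanners trip them all day. Counting only password successes, and ignoring the later publickey login in the sample, keeps key-based automation from raising it.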