Exploit Detection

Endpoints have a wide array of built-in tools that can be used to detect possibly malicious, suspicious or erroneous traffic. These tools are off by default, but can be enabled for an endpoint via the exploit_detection field.

The configurable fields for ED (exploit detection) include:

  • hashes: set one or more hash types to match against. A complete list can be found here. If ED is enabled but this field is unset, then the default list is used.
  • error_text: set one or more error text matchers to match against. A complete list can be found here. If ED is enabled but this field is unset, then the default list is used.
  • measure_entropy: set whether the Shannon entropy of the payload should be calculated. Boolean, enabled by default when ED is enabled.
  • detect_non_ascii: set whether LeakSignal should check for non-ASCII bytes in the payload. Boolean, enabled by default when ED is enabled.
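
As an added illustration (not LeakSignal's own code), the two default payload checks above, Shannon entropy measurement and non-ASCII byte detection, can be reproduced as follows; the 5.5 bits-per-byte threshold and the sample payloads are assumptions made for this example.

```python
import math
from collections import Counter

# Assumed tuning value for this example; not a LeakSignal default.
ENTROPY_THRESHOLD = 5.5  # bits per byte (plain text ~3-4.5, random/encoded data ~6-8)


def shannon_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())


def non_ascii_bytes(payload: bytes) -> int:
    """Number of bytes outside the 7-bit ASCII range."""
    return sum(1 for b in payload if b > 0x7F)


def inspect_payload(payload: bytes, entropy_threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Run both checks and report which ones fired, in a fixed order."""
    entropy = shannon_entropy(payload)
    non_ascii = non_ascii_bytes(payload)
    checks = (("high_entropy", entropy > entropy_threshold), ("non_ascii", non_ascii > 0))
    return {
        "entropy": round(entropy, 3),
        "non_ascii": non_ascii,
        "flags": [name for name, hit in checks if hit],
    }


# Constructed sample payloads: an ordinary JSON body, a body made of every
# printable ASCII byte once (high entropy, still pure ASCII), and a body
# carrying raw non-ASCII bytes.
SAMPLES = {
    "normal_json": b'{"status":"ok","user":"alice"}',
    "high_entropy_ascii": bytes(range(0x21, 0x7F)),
    "binary_bytes": b"hello \xff\xfe world",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_payload(body))
```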

Example policy that uses the default ED features:

categories: {}
endpoints:
- exploit_detection: {}

For fields like hashes and error_text, ED internally generates categories and endpoint configurations for the corresponding matchers. The generated categories can't be overridden, but the endpoint configurations can.

In this example, we override the default behavior of the GrubPbkdf2Sha512 and Mysql141 hash matchers used in ED by supplying endpoint configuration entries under their generated ls_hash:<matcher> keys:

categories: {}
endpoints:
- config:
    ls_hash:GrubPbkdf2Sha512:
      action: !redact "REDACTED"
    ls_hash:Mysql141:
      content_types: text
  exploit_detection: {}