Add Sigma rule for CVE-2024-38063 IPv6 memory corruption detection

[zenzue]

add rule for contribute

Summary of the Pull Request

This pull request introduces a new Sigma rule designed to detect exploitation attempts associated with CVE-2024-38063. The rule identifies specific network traffic patterns that may indicate an attempt to exploit memory corruption vulnerabilities in systems using IPv6.

Changelog

new: CVE-2024-38063_ipv6_memory_corruption_detection.yml - Adds a rule for detecting suspicious IPv6 packet patterns that may indicate exploitation of CVE-2024-38063.

Example Log Event

{
    "protocol": "IPv6",
    "events": {
        "FragmentationEvent": true,
        "AnomalousIPv6OptionHeaderEvent": true
    },
    "packet_length": "1337",
    "src_ip": "2001:db8::1",
    "dst_ip": "2001:db8::2",
    "info": "Detected packet with potentially malicious fragmentation and option headers"
}

Fixed Issues

https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/cve-2024-38063-disabling-ipv6-binding-fix-or-not/td-p/4220374

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[github-actions]

Welcome @zenzue 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

[nasbench]

Which product is this?

[zenzue]

ah sorry 4 my bad
i got it from trend_micro_xdr
but can work with other network monitoring products
that why i do not add as

logsource:
    category: network_traffic
    product: trend_micro_xdr

[nasbench]

Can you give me another example from another product. Else this would be a specific rule to trend micro XDR with its own specific field.

Because for this rule to be used, the fields needs to be mapped based on the logsource and then converted using a backend.

Aren't the name of the events unique to TrendMicro convention

I need at least 1 other product that has this coverage for this rule to make sense for "everybody else".

[nasbench]

@zenzue ping

[zenzue]

Sorry, in this station i am working as a volunteer for rescue in our country about Flooding places. I will update it soon ... best.

…

On Mon, Sep 23, 2024 at 12:00 AM Nasreddine Bencherchali < ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In rules-emerging-threats/2024/Exploits/CVE-2024-38063/CVE-2024-38063_ipv6_memory_corruption_detection.yml <#4988 (comment)>: > + category: network_traffic + product: network_monitoring @zenzue <https://github.com/zenzue> ping — Reply to this email directly, view it on GitHub <#4988 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AETA5LFEDHKJAWWXIE5E3Z3ZX35DPAVCNFSM6AAAAABNH3O6KKVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDGMRQHA4TGNJTHE> . You are receiving this because you were mentioned.Message ID: ***@***.***>