alert http any any -> $HOME_NET 2375 (msg:"ATTACK Docker create body binds host root filesystem"; \
flow:to_server,established; \
http.method; content:"POST"; \
http.uri; content:"/containers/create"; \
http.request_body; content:"\"Binds\""; content:"\"/:/"; distance:0; within:30; \
classtype:attempted-admin; sid:1000231003; rev:2; \
metadata:created_at 2026-05-28;)

Ingress · TCP/2375 · SID 1000231003
Detects the classic `Binds: ["/:/host"]` or `Binds: ["/:/mnt"]` root-filesystem bind in a container-create body - the escape primitive behind most hostile create traffic.
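
A JSON-aware companion check for the same condition, suitable for a log pipeline or an API proxy that already has the request body. This is an added example, not part of the original rule set; the function name `root_binds` and the sample bodies are constructed for illustration, and it assumes the bind list sits at `HostConfig.Binds` as in the Docker Engine API.

```python
import json
import posixpath


def root_binds(body: bytes) -> list[str]:
    """Return the Binds entries of a container-create body whose host source is /."""
    try:
        doc = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return []
    host_config = doc.get("HostConfig") if isinstance(doc, dict) else None
    binds = host_config.get("Binds") if isinstance(host_config, dict) else None
    hits = []
    # Inspect every list entry, wherever it sits in the array.
    for entry in binds if isinstance(binds, list) else []:
        if not isinstance(entry, str) or ":" not in entry:
            continue
        source = entry.split(":", 1)[0]  # "host-src:container-dest[:options]"
        if not source.startswith("/"):
            continue  # named volume, not a host path
        # Collapse the source to one canonical absolute path before comparing.
        normalized = "/" + posixpath.normpath(source).lstrip("/")
        if normalized == "/":
            hits.append(entry)
    return hits


# Constructed request bodies for POST /containers/create.
SAMPLES = {
    "root_to_host": b'{"Image":"alpine","HostConfig":{"Binds":["/:/host"]}}',
    "root_to_mnt": b'{"Image": "alpine", "HostConfig": {"Binds": ["/data:/data:ro", "/:/mnt"]}}',
    "benign": b'{"Image":"nginx","HostConfig":{"Binds":["/srv/www:/usr/share/nginx/html:ro"]}}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        hits = root_binds(body)
        print(f"{name}: {'ALERT ' + repr(hits) if hits else 'ok'}")
```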