detection rulesuricata

ATTACK Docker create body uses chroot for host-namespace escape

First seen: 2026-06-16
Last seen: 2026-06-16
Used in: 1 post

SuricataATTACK Docker create body uses chroot for host-namespace escape

alert http any any -> $HOME_NET 2375 (msg:"ATTACK Docker create body uses chroot for host-namespace escape"; \
  flow:to_server,established; \
  http.method; content:"POST"; \
  http.uri; content:"/containers/create"; \
  http.request_body; content:"\"chroot\""; content:"\"/host\""; distance:0; within:40; \
  classtype:attempted-admin; sid:1000231004; rev:2; \
  metadata:created_at 2026-05-28;)

Posts using this rule

highSelf-Blocking Docker API Abuse Delivers the VoidLink DDoS-for-Hire Botnet
Ingress · TCP/2375 · SID 1000231004
Detects `Cmd: ["chroot","/host",...]` or `Cmd: ["chroot","/mnt",...]` host-escape command shapes in the create body.
2026-06-10