Techniques
Sample rules
Linux PF_ALG Registration Outside of Boot Window
- source: splunk
- techniques:
Description
The following analytic detects the AF_ALG kernel crypto socket interface (PF_ALG) being registered more than 300 seconds after system boot, which is a primary kernel-level indicator of Copy Fail (CVE-2026-31431) exploitation activity on Debian and Ubuntu family systems. The AF_ALG interface is required by the exploit to reach the vulnerable authencesn crypto code path, and on systems where it is not auto-loaded at boot, its on-demand registration triggered by an unprivileged process is a strong indicator of exploitation in progress. The kernel message itself carries no PID or user, so attributing the registration to a specific process needs other telemetry from the same host around the same time (for example an auditd rule on the socket syscall with domain AF_ALG). Any legitimate first use of an AF_ALG socket after boot produces the same message, so known consumers should be tuned out through the filter macro. The uptime is parsed from the bracketed printk timestamp after "kernel:"; events from hosts that log without printk timestamps get no uptime_seconds value and are silently dropped by the where clause rather than alerted on.
Detection logic
sourcetype="linux_messages_syslog" "NET: Registered PF_ALG protocol family"
| rex field=_raw "kernel: \[\s*(?<uptime_seconds>[\d\.]+)\]"
| eval uptime_seconds=tonumber(uptime_seconds)
| where uptime_seconds > 300
| eval uptime_readable=tostring(round(uptime_seconds/60,1)) . " minutes after boot"
| rename host as dest
| table _time dest uptime_seconds uptime_readable _raw
| sort -uptime_seconds
| `linux_pf_alg_registration_outside_of_boot_window_filter`
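The same logic as the SPL above, run over a handful of constructed syslog lines, as an added example (this is not Splunk's code or part of the original rule). The hostnames, dates and uptimes are made up; the regex mirrors the rule's rex, the threshold mirrors its where clause, and the one line without a printk timestamp shows the case the rule drops silently, which the function returns separately so an analyst can see hosts logging without timestamps.

```python
import re
from typing import NamedTuple

# Constructed syslog lines shaped like the linux_messages_syslog events the
# rule reads (made-up hosts, dates and uptimes). The db02 line deliberately
# lacks the bracketed printk uptime to show what the rex/where pair does with it.
SAMPLE_SYSLOG = [
    "Mar  3 09:12:01 web01 kernel: [    4.812345] NET: Registered PF_ALG protocol family",
    "Mar  3 14:47:55 web02 kernel: [19742.330101] NET: Registered PF_ALG protocol family",
    "Mar  3 10:05:10 db01 kernel: [  612.004410] NET: Registered PF_ALG protocol family",
    "Mar  3 10:05:11 db02 kernel: NET: Registered PF_ALG protocol family",
    "Mar  3 11:00:00 web01 kernel: [ 1200.500000] NET: Registered PF_INET protocol family",
]

MESSAGE = "NET: Registered PF_ALG protocol family"
# Same pattern as the rule's rex: the bracketed printk uptime after "kernel:".
UPTIME_RE = re.compile(r"kernel: \[\s*(?P<uptime_seconds>[\d.]+)\]")
# Classic syslog header: timestamp, host, then the "kernel:" tag.
HEADER_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel:")


class Hit(NamedTuple):
    time: str            # _time
    dest: str            # host renamed to dest
    uptime_seconds: float
    uptime_readable: str
    raw: str             # _raw


def find_late_pf_alg_registrations(lines, threshold=300.0):
    """Return (hits, untimed).

    hits:    PF_ALG registrations more than `threshold` seconds after boot,
             sorted by uptime descending (the rule's `sort -uptime_seconds`).
    untimed: lines carrying the message but no bracketed uptime. The SPL rule
             drops these silently (a null uptime_seconds never passes `> 300`);
             returning them lets an analyst spot hosts logging without printk timestamps.
    """
    hits, untimed = [], []
    for raw in lines:
        if MESSAGE not in raw:
            continue  # the base search only returns lines containing this string
        header = HEADER_RE.match(raw)
        dest = header.group("host") if header else "unknown"
        ts = header.group("ts") if header else ""
        m = UPTIME_RE.search(raw)
        if m is None:
            untimed.append(raw)
            continue
        uptime = float(m.group("uptime_seconds"))  # tonumber(uptime_seconds)
        if uptime > threshold:                     # where uptime_seconds > 300
            readable = f"{round(uptime / 60, 1)} minutes after boot"
            hits.append(Hit(ts, dest, uptime, readable, raw))
    hits.sort(key=lambda h: h.uptime_seconds, reverse=True)
    return hits, untimed


if __name__ == "__main__":
    hits, untimed = find_late_pf_alg_registrations(SAMPLE_SYSLOG)
    for h in hits:
        print(f"{h.time}  {h.dest}  {h.uptime_seconds:.1f}s  ({h.uptime_readable})")
    for raw in untimed:
        print("no printk timestamp, dropped by the rule:", raw)
```

Running it flags web02 (329.0 minutes after boot) and db01 (10.2 minutes), ignores the web01 registration at 4.8 seconds and the unrelated PF_INET line, and reports the db02 line as untimed. The threshold is a parameter so the 300 second window can be tested against a host's real boot profile before deploying the rule.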