LoFP

af_alg can be legitimately loaded after boot by on-demand LUKS volume mounts, IPsec VPN clients establishing tunnels, or OpenSSL deployments with the afalg engine enabled, making this signal most reliable on dedicated server infrastructure where these operations are handled at boot time.

Techniques

Sample rules

Linux PF_ALG Registration Outside of Boot Window

Description

The following analytic detects the AF_ALG kernel crypto socket interface being loaded more than 300 seconds after system boot, which is a primary kernel-level indicator of Copy Fail (CVE-2026-31431) exploitation activity on Debian and Ubuntu family systems. The exploit requires the AF_ALG interface to reach the vulnerable authencesn crypto code path, and on systems where it is not auto-loaded at boot, its on-demand registration by an unprivileged process is a strong indicator of exploitation in progress.

Detection logic

sourcetype="linux_messages_syslog" "NET: Registered PF_ALG protocol family"
| rex field=_raw "kernel: \[\s*(?<uptime_seconds>[\d\.]+)\]"
| eval uptime_seconds=tonumber(uptime_seconds)
| where uptime_seconds > 300
| eval uptime_readable=tostring(round(uptime_seconds/60,1)) . " minutes after boot"
| rename host as dest
| table _time dest uptime_seconds uptime_readable _raw
| sort -uptime_seconds
| `linux_pf_alg_registration_outside_of_boot_window_filter`
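As an added example (not from the LoFP page or the rule's authors), the same detection logic implemented in Python over constructed syslog lines, so the uptime regex, the 300-second threshold, and the readable-uptime field can be checked offline; the hostnames, dates, and uptimes are made up, and a line with no kernel uptime bracket is dropped the way the SPL's rex/where pair would drop it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines (not from the original page) in the BSD
# syslog shape that sourcetype linux_messages_syslog normally carries.
SAMPLE_SYSLOG = """\
Mar 12 08:01:02 web01 kernel: [    4.812345] NET: Registered PF_ALG protocol family
Mar 12 08:02:10 web01 kernel: [   72.100000] NET: Registered PF_INET6 protocol family
Mar 12 08:03:30 web01 kernel: [  150.000000] NET: Registered PF_ALG protocol family
Mar 12 13:41:55 db02 kernel: [20453.501234] NET: Registered PF_ALG protocol family
Mar 12 13:42:00 db02 kernel: NET: Registered PF_ALG protocol family
"""

# Mirrors the rex in the detection logic: kernel uptime in seconds sits in
# square brackets right after "kernel:".
UPTIME_RE = re.compile(r"kernel: \[\s*(?P<uptime_seconds>[\d.]+)\]")
PF_ALG_MARKER = "NET: Registered PF_ALG protocol family"
BOOT_WINDOW_SECONDS = 300  # same threshold the SPL's where clause uses


@dataclass
class PfAlgHit:
    dest: str
    uptime_seconds: float
    uptime_readable: str
    raw: str


def parse_uptime(raw: str) -> Optional[float]:
    """Return kernel uptime from a syslog line, or None if no bracket is present."""
    m = UPTIME_RE.search(raw)
    return float(m.group("uptime_seconds")) if m else None


def host_of(raw: str) -> str:
    # BSD syslog: "<Mon> <dd> <hh:mm:ss> <host> <tag>: ..." -> host is field 4
    return raw.split()[3]


def find_late_pf_alg(log_text: str, window: int = BOOT_WINDOW_SECONDS) -> List[PfAlgHit]:
    """Flag PF_ALG registrations later than `window` seconds after boot."""
    hits = []
    for raw in log_text.splitlines():
        if PF_ALG_MARKER not in raw:
            continue
        uptime = parse_uptime(raw)
        if uptime is None or uptime <= window:  # no uptime field, or within boot window
            continue
        readable = f"{round(uptime / 60, 1)} minutes after boot"
        hits.append(PfAlgHit(host_of(raw), uptime, readable, raw))
    return sorted(hits, key=lambda h: h.uptime_seconds, reverse=True)


if __name__ == "__main__":
    for hit in find_late_pf_alg(SAMPLE_SYSLOG):
        print(hit.dest, hit.uptime_seconds, hit.uptime_readable)
```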