<!-- @(#) $Id: sshd_rules.xml,v 1.22 2010/12/19 14:50:14 ddp Exp $
  - Official SSHD rules for OSSEC.
  - Copyright (C) 2009-2011 Trend Micro Inc.
  - This program is a free software; you can redistribute it
  - and/or modify it under the terms of the GNU General Public
  - License (version 2) as published by the FSF - Free Software
  - License details: http://www.ossec.net/en/licensing.html
-->
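<!-- SSHD messages -->
<!--
  Review notes on this rule set:
  - Each <rule> below is explicitly closed. The rendered copy this was taken
    from had lost its closing tags and a number of other lines (the original
    gutter numbering jumps, e.g. 20 -> 23, 23 -> 25), so compare against the
    upstream sshd_rules.xml before deploying; in particular several rules may
    originally have carried an <if_sid>5700</if_sid> that is not visible here.
  - Rules with level="0" classify noise and are not alerted on by themselves;
    some of them feed the frequency-based composite rules (if_matched_sid)
    that raise the actual brute-force / scan alerts.
  - <group> values are comma-terminated lists throughout the file; rule 5728
    was the only entry without the trailing comma and has been made consistent.
-->
<group name="syslog,sshd,">

  <!-- Parent rule: every event decoded as sshd lands here; noalert keeps it silent. -->
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>

  <!-- Garbage in the protocol banner: version probing or a malformed client. -->
  <rule id="5701" level="8">
    <match>Bad protocol version identification</match>
    <description>Possible attack on the ssh server </description>
    <description>(or version gathering).</description>
  </rule>

  <!-- Reverse-DNS mismatch for the client address. Single hits are low value;
       rule 5703 aggregates them. -->
  <rule id="5702" level="5">
    <match>^reverse mapping</match>
    <regex>failed - POSSIBLE BREAK</regex>
    <description>Reverse lookup error (bad ISP or attack).</description>
  </rule>

  <!-- Composite: 4 reverse-lookup errors within 360 s. -->
  <rule id="5703" level="10" frequency="4" timeframe="360">
    <if_matched_sid>5702</if_matched_sid>
    <description>Possible breakin attempt </description>
    <description>(high number of reverse lookup errors).</description>
  </rule>

  <!-- Client connected but never completed authentication. -->
  <rule id="5704" level="4">
    <match>fatal: Timeout before authentication for</match>
    <description>Timeout while logging in (sshd).</description>
  </rule>

  <!-- Composite: 4 authentication timeouts within 360 s. -->
  <rule id="5705" level="10" frequency="4" timeframe="360">
    <if_matched_sid>5704</if_matched_sid>
    <description>Possible scan or breakin attempt </description>
    <description>(high number of login timeouts).</description>
  </rule>

  <!-- TCP connect with no SSH banner exchange: typical of port scanners. -->
  <rule id="5706" level="6">
    <match>Did not receive identification string from</match>
    <description>SSH insecure connection attempt (scan).</description>
  </rule>

  <!-- Legacy exploit signature; level 14 because the message itself is the indicator. -->
  <rule id="5707" level="14">
    <match>fatal: buffer_get_string: bad string</match>
    <description>OpenSSH challenge-response exploit.</description>
    <group>exploit_attempt,</group>
  </rule>

  <!-- Noise: messages that carry neither a user nor a source address.
       The alternatives are split over three <match> elements. -->
  <rule id="5709" level="0">
    <match>error: Could not get shadow information for NOUSER|</match>
    <match>fatal: Read from socket failed: |error: ssh_msg_send: write|</match>
    <match>^syslogin_perform_logout: |^pam_succeed_if(sshd:auth): error retrieving information about user|can't verify hostname: getaddrinfo</match>
    <description>Useless SSHD message without an user/ip and context.</description>
  </rule>

  <!-- Login with a user name that does not exist; aggregated by 5712. -->
  <rule id="5710" level="5">
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>

  <!-- Noise: duplicates of failures already reported by other sshd/PAM lines. -->
  <rule id="5711" level="0">
    <match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
    <match>input_userauth_request: invalid user|</match>
    <match>PAM: User not known to the underlying authentication module for illegal user|</match>
    <match>error retrieving information about user</match>
    <description>Useless/Duplicated SSHD message without a user/ip.</description>
  </rule>

  <!-- Composite: 6 non-existent-user attempts within 120 s; ignore="60"
       suppresses repeat alerts for 60 s so a running brute force does not flood. -->
  <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSHD brute force trying to get access to </description>
    <description>the system.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Integrity check failure on the SSH-1 transport. -->
  <rule id="5713" level="6">
    <if_sid>5700</if_sid>
    <match>Corrupted check bytes on</match>
    <description>Corrupted bytes on SSHD.</description>
  </rule>

  <!-- A single corrupted-bytes event followed by the CRC-32 compensation
       message is treated as an exploit attempt (CVE given in <info>). -->
  <rule id="5714" level="14" timeframe="120" frequency="1">
    <if_matched_sid>5713</if_matched_sid>
    <match>Local: crc32 compensation attack</match>
    <description>SSH CRC-32 Compensation attack</description>
    <info type="cve">2001-0144</info>
    <info type="link">http://www.securityfocus.com/bid/2347/info/</info>
    <group>exploit_attempt,</group>
  </rule>

  <!-- Successful login (password or key). -->
  <rule id="5715" level="3">
    <if_sid>5700</if_sid>
    <match>^Accepted|authenticated.$</match>
    <description>SSHD authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Single authentication failure; aggregated by 5720. -->
  <rule id="5716" level="5">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Configuration problem in the DH moduli file, not an attack indicator. -->
  <rule id="5717" level="4">
    <if_sid>5700</if_sid>
    <match>error: Bad prime description in line</match>
    <description>SSHD configuration error (moduli).</description>
  </rule>

  <!-- Login by a user blocked through AllowUsers/DenyUsers or similar policy. -->
  <rule id="5718" level="5">
    <if_sid>5700</if_sid>
    <match>not allowed because</match>
    <description>Attempt to login using a denied user.</description>
    <group>invalid_login,</group>
  </rule>

  <!-- Composite: 6 denied-user attempts within 120 s. -->
  <rule id="5719" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5718</if_matched_sid>
    <description>Multiple access attempts using a denied user.</description>
    <group>invalid_login,</group>
  </rule>

  <!-- Composite: 6 authentication failures. NOTE(review): unlike 5712 and
       5719 this rule sets no timeframe or ignore, so the rule loader's default
       window applies (believed to be 360 s - confirm against the OSSEC
       version in use before tuning). -->
  <rule id="5720" level="10" frequency="6">
    <if_matched_sid>5716</if_matched_sid>
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Session teardown noise. -->
  <rule id="5721" level="0">
    <if_sid>5700</if_sid>
    <match>Received disconnect from</match>
    <description>System disconnected from sshd.</description>
  </rule>

  <rule id="5722" level="0">
    <if_sid>5700</if_sid>
    <match>Connection closed</match>
    <description>ssh connection closed.</description>
  </rule>

  <!-- Key-parsing errors; informational only. -->
  <rule id="5723" level="0">
    <if_sid>5700</if_sid>
    <match>error: buffer_get_bignum2_ret: negative numbers not supported</match>
    <info>This maybe a bad key in authorized_keys.</info>
    <description>SSHD key error.</description>
  </rule>

  <rule id="5724" level="0">
    <if_sid>5700</if_sid>
    <match>fatal: buffer_get_bignum2: buffer error</match>
    <info>This error may relate to ssh key handling.</info>
    <description>SSHD key error.</description>
  </rule>

  <rule id="5725" level="0">
    <if_sid>5700</if_sid>
    <match>fatal: Write failed: Host is down</match>
    <description>Host ungracefully disconnected.</description>
  </rule>

  <!-- PAM stack references a module that is not installed. -->
  <rule id="5726" level="5">
    <if_sid>5700</if_sid>
    <match>error: PAM: Module is unknown for</match>
    <description>Unknown PAM module, PAM misconfiguration.</description>
  </rule>

  <rule id="5727" level="0">
    <if_sid>5700</if_sid>
    <match>failed: Address already in use.</match>
    <description>Attempt to start sshd when something already bound to the port.</description>
  </rule>

  <!-- Group value given the trailing comma used by every other rule in this file. -->
  <rule id="5728" level="4">
    <if_sid>5700</if_sid>
    <match>Authentication service cannot retrieve user credentials</match>
    <info>May be related to PAM module errors.</info>
    <description>Authentication services were not able to retrieve user credentials.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Debug-level output that should not reach the alert stream. -->
  <rule id="5729" level="0">
    <if_sid>5700</if_sid>
    <match>debug1: attempt</match>
    <description>Debug message.</description>
  </rule>

  <!-- Connection refused to a forwarded/proxied target; availability signal. -->
  <rule id="5730" level="4">
    <if_sid>5700</if_sid>
    <regex>error: connect to \S+ port \d+ failed: Connection refused</regex>
    <description>SSHD is not accepting connections.</description>
  </rule>

  <!-- Known scanner identification string. -->
  <rule id="5731" level="6">
    <if_sid>5700</if_sid>
    <match>AKASSH_Version_Mapper1.</match>
    <description>SSH Scanning.</description>
    <group>recon,</group>
  </rule>

  <rule id="5732" level="0">
    <if_sid>5700</if_sid>
    <match>error: connect_to </match>
    <description>Possible port forwarding failure.</description>
  </rule>

  <!-- NOTE(review): this single-failure rule is tagged authentication_failures,
       (the name the composite rules 5712/5720 use) instead of
       authentication_failed, used by 5716/5728/5738, and at level 0 it is
       not alerted on. That looks unintended but is left as-is; adjust only
       after checking what if_group consumers expect. -->
  <rule id="5733" level="0">
    <if_sid>5700</if_sid>
    <match>Invalid credentials</match>
    <description>User entered incorrect password.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="5734" level="0">
    <if_sid>5700</if_sid>
    <match>Could not load host key</match>
    <description>sshd could not load one or more host keys.</description>
    <info>This may be related to an upgrade to OpenSSH.</info>
  </rule>

  <rule id="5735" level="0">
    <if_sid>5700</if_sid>
    <match>Write failed: Broken pipe</match>
    <description>Failed write due to one host disappearing.</description>
  </rule>

  <!-- Transport-level resets; both alternatives are anchored at start and end. -->
  <rule id="5736" level="0">
    <if_sid>5700</if_sid>
    <match>^error: setsockopt SO_KEEPALIVE: Connection reset by peer$|</match>
    <match>^error: accept: Software caused connection abort$</match>
    <description>Connection reset or aborted.</description>
  </rule>

  <!-- Daemon could not listen at all; service-availability alert. -->
  <rule id="5737" level="5">
    <if_sid>5700</if_sid>
    <match>^fatal: Cannot bind any address.$</match>
    <description>sshd cannot bind to configured address.</description>
  </rule>

  <!-- Audit subsystem (loginuid) unavailable to PAM. -->
  <rule id="5738" level="5">
    <if_sid>5700</if_sid>
    <match>set_loginuid failed opening loginuid$</match>
    <description>pam_loginuid could not open loginuid.</description>
    <group>authentication_failed,</group>
  </rule>

</group> <!-- SYSLOG, SSHD -->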