<!-- http://www.gossamer-threads.com/lists/openssh/users/47438 -->
<rule id="5747" level="6">
<if_sid>5700</if_sid>
- <match>bad client public DH value [preauth]$</match>
- <description>ssh bad client public DH value [preauth]</description>
+ <match>bad client public DH value</match>
+ <description>ssh bad client public DH value</description>
</rule>
+ <!-- log sample with context:
+ Nov 22 19:24:52 server sshd[4045]: Connection from 117.117.198.5 port 60304
+ Nov 22 19:24:55 server sshd[4046]: Corrupted MAC on input.
+ Nov 22 19:25:15 server sshd[4046]: Connection closed by 117.117.198.5
+ -->
<rule id="5748" level="6">
<if_sid>5700</if_sid>
- <match>Corrupted MAC on input. [preauth]$</match>
+ <match>Corrupted MAC on input.</match>
<description>ssh corrupted MAC on input</description>
</rule>
<description>ssh bad packet length</description>
</rule>
+ <rule id="5750" level="0">
+ <decoded_as>sshd</decoded_as>
+ <if_sid>5700</if_sid>
+ <match>Unable to negotiate with |Unable to negotiate a key</match>
+ <description>sshd could not negotiate with client.</description>
+ </rule>
+
+ <rule id="5751" level="1">
+ <decoded_as>sshd</decoded_as>
+ <if_sid>5700</if_sid>
+ <match>no hostkey alg [preauth]</match>
+ <description>No hostkey alg.</description>
+ </rule>
+
+ <rule id="5752" level="2">
+ <if_sid>5750</if_sid>
+ <match>no matching key exchange method found.|Unable to negotiate a key exchange method</match>
+ <description>Client did not offer an acceptable key exchange method.</description>
+ </rule>
+
+ <rule id="5753" level="2">
+ <if_sid>5750</if_sid>
+ <match>no matching cipher found.</match>
+ <description>sshd could not negotiate with client, no matching cipher.</description>
+ </rule>
+
+ <rule id="5754" level="1">
+ <if_sid>5700</if_sid>
+ <match>Failed to create session: </match>
+ <description>sshd failed to create a session.</description>
+ </rule>
+
+ <rule id="5755" level="2">
+ <if_sid>5700</if_sid>
+ <match>bad ownership or modes for file</match>
+ <description>Authentication refused due to owner/permissions of authorized_keys.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="5756" level="0">
+ <if_sid>5700</if_sid>
+ <match> failed, subsystem not found$</match>
+ <description>sshd subsystem request failed.</description>
+ </rule>
+
+ <rule id="5757" level="0">
+ <decoded_as>sshd</decoded_as>
+ <match>but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$</match>
+ <description>Bad DNS mapping.</description>
+ </rule>
+
+ <rule id="5758" level="8">
+ <decoded_as>sshd</decoded_as>
+ <match>^error: maximum authentication attempts exceeded </match>
+ <description>Maximum authentication attempts exceeded.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
</group> <!-- SYSLOG, SSHD -->
<!-- EOF -->