X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=contrib%2Fossec-testing%2Ftests%2Fsshd.ini;h=bde0b7d635aa125601049980bc67b87f57a1dfb2;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=e81c10c02a0f0c28c0d389d949de2c7fad53aaf7;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git diff --git a/contrib/ossec-testing/tests/sshd.ini b/contrib/ossec-testing/tests/sshd.ini index e81c10c..bde0b7d 100644 --- a/contrib/ossec-testing/tests/sshd.ini +++ b/contrib/ossec-testing/tests/sshd.ini @@ -56,6 +56,7 @@ decoder = sshd [ssh bad client public DH value] log 1 pass = Feb 4 23:05:57 someserver sshd[1234]: Disconnecting: bad client public DH value [preauth] +log 1 pass = Feb 4 23:05:57 someserver sshd[1234]: Disconnecting: bad client public DH value rule = 5747 alert = 6 @@ -63,6 +64,7 @@ decoder = sshd [ssh corrupted MAC on input] log 1 pass = Feb 14 14:34:15 someserver sshd[1234]: Corrupted MAC on input. [preauth] +log 2 pass = Nov 22 19:24:55 server sshd[4046]: Corrupted MAC on input. rule = 5748 alert = 6 
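Review bot: The case added to `[ssh bad client public DH value]` reuses the option name `log 1 pass`, which the section already uses for the `[preauth]` variant on the line above; if the test runner loads this file with an ini-style parser, a duplicate option in one section is either collapsed to the last value or rejected outright, so the original `[preauth]` sample would silently stop being exercised. The sibling hunk for `[ssh corrupted MAC on input]` numbers its new sample `log 2 pass`, which is the pattern to follow here: `log 2 pass = Feb 4 23:05:57 someserver sshd[1234]: Disconnecting: bad client public DH value`.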
@@ -70,7 +72,92 @@ decoder = sshd [ssh bad packet length] log 1 pass = Mar 4 13:34:59 someserver sshd[5396]: Bad packet length 4081586742. [preauth] +log 2 pass = Mar 4 13:34:59 someserver sshd[5396]: Bad packet length 4081586742. rule = 5749 alert = 4 decoder = sshd + +[ssh unable to negotiate] +log 1 pass = Mar 3 10:56:18 junction sshd[32065]: fatal: Unable to negotiate with 202.191.177.33 port 3579: no matching cipher found. Their offer: 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc [preauth] + +rule = 5753 +alert = 2 +decoder = sshd + +[ssh no matching key exchange] +log 1 pass = Sep 16 05:46:56 junction sshd[1961]: fatal: Unable to negotiate with 108.229.36.174: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth] +log 2 pass = Apr 18 21:27:08 web2 sshd[23484]: fatal: Unable to negotiate a key exchange method [preauth] + +rule = 5752 +alert = 2 +decoder = sshd + +[invalid user] +log 1 pass = 2013-10-30T14:51:21.901728+01:00 srv sshd[12664]: Postponed keyboard-interactive for invalid user warez from 192.241.237.101 port 54197 ssh2 [preauth] +log 2 pass = 2013-10-30T14:51:24.140565+01:00 srv sshd[12664]: Failed keyboard-interactive/pam for invalid user warez from 192.241.237.101 port 54197 ssh2 +log 3 fail = 2013-10-30T14:51:24.139258+01:00 srv sshd[12664]: error: PAM: User not known to the underlying authentication module for illegal user warez from 192.241.237.101 +log 4 pass = 2013-10-30T14:51:30.267401+01:00 srv sshd[12671]: Invalid user opcione from 192.241.237.101 +log 5 fail = 2013-10-30T14:51:30.267906+01:00 srv sshd[12671]: input_userauth_request: invalid user opcione [preauth] + +rule = 5710 +alert = 5 +decoder = sshd + +[failed to create session] +log 1 pass = May 4 17:48:43 collectd sshd[15044]: pam_systemd(sshd:session): Failed to create session: Access denied + +rule = 5754 +alert = 1 +decoder = sshd + +[bad authorized_keys] +log 1 pass = May 4 18:30:04 collectd sshd[15191]: 
Authentication refused: bad ownership or modes for file /home/ansible/.ssh/authorized_keys + +rule = 5755 +alert = 2 +decoder = sshd + +[subsystem failed] +log 1 pass = May 5 05:00:38 junction sshd[28395]: subsystem request for netconf by user checker failed, subsystem not found + +rule = 5756 +alert = 0 +decoder = sshd + +[login failed] +log 1 pass = Aug 18 07:30:25 192.168.1.5 sshd[20247]: [ID 800047 auth.notice] Failed none for root from 192.168.1.1 port 36942 ssh2 + +rule = 5716 +alert = 5 +decoder = sshd + +[bad dns] +log 1 pass = Oct 20 12:33:07 ar-agent sshd[3433]: Address 192.168.18.54 maps to nmap.18.168.192.in-addr.arpa, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! + +rule = 5757 +alert = 0 +decoder = sshd + +[max auth attempts] +log 1 pass = Dec 27 03:23:51 r1 sshd[21183]: error: maximum authentication attempts exceeded for root from 183.106.179.x port 34100 ssh2 [preauth] +log 2 fail = Aug 31 10:19:36 hostname sshd[12079]: error: maximum authentication attempts exceeded for invalid user service from 202.188.45.36 port 37313 ssh2 [preauth] + +rule = 5758 +alert = 8 +decoder = sshd + +[bad protocol] +log 1 pass = Jun 28 19:35:39 xxx sshd[30255]: Bad protocol version identification '' from 188.18.81.21 port 60787 + +rule = 5701 +alert = 8 +decoder = sshd + +[blocked by tcpwrapper] +log 1 pass = Aug 30 18:12:54 hostname sshd[25350]: refused connect from 103.79.143.159 (103.79.143.159) + +rule = 2503 +alert = 5 +decoder = sshd +
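Review bot: The `fail` entries in `[invalid user]` (log 3 and log 5) and `[max auth attempts]` (log 2) record lines that the section's rule is expected not to match, but nothing explains why; log 5 still contains the phrase `invalid user`, so a later reader cannot tell whether a miss on rule 5710 is a known decoder gap or a deliberate exclusion because another rule is meant to claim the line first. If the runner's ini parser accepts comment lines, a short `; log 5: expected miss for 5710 - <reason, confirm against the ruleset>` above each fail entry would keep that intent from being lost when the decoders change. The new samples also carry public addresses such as `202.191.177.33` and `108.229.36.174`, while `183.106.179.x` was partially masked; using RFC 5737 documentation ranges (for example `192.0.2.0/24`) consistently would keep the fixtures from pointing at real hosts.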