X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=etc%2Frules%2Fdropbear_rules.xml;fp=etc%2Frules%2Fdropbear_rules.xml;h=8609234b15982c7b705b877e368b14cab13a2f3e;hb=ff0e686ac67bbd82b60c277eb324910dbc60f65f;hp=0000000000000000000000000000000000000000;hpb=33a81e69474ae91ecec4e991debe59e26bb330fd;p=ossec-hids.git

diff --git a/etc/rules/dropbear_rules.xml b/etc/rules/dropbear_rules.xml
new file mode 100755
index 0000000..8609234
--- /dev/null
+++ b/etc/rules/dropbear_rules.xml
@@ -0,0 +1,86 @@
+  <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+  -->
+
+
+
+<!-- Modify it at your will. -->
+
+<group name="syslog,sshd,dropbear">
+
+  <rule id="51000" level="0" noalert="1">
+    <decoded_as>dropbear</decoded_as>
+    <description>Grouping for dropbear rules.</description>
+  </rule>
+
+  <rule id="51001" level="1">
+    <if_sid>51000</if_sid>
+    <match>Failed to get kex value</match>
+    <description>Failed to get key exchange value</description>
+  </rule>
+
+  <rule id="51002" level="1">
+    <if_sid>51000</if_sid>
+    <match>Premature kexdh_init message received</match>
+    <description>Premature kexdh_init message</description>
+  </rule>
+
+  <rule id="51003" level="5">
+    <if_sid>51000</if_sid>
+    <match>bad password attempt for</match>
+    <description>Bad password attempt.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="51004" level="10" frequency="6" timeframe="120" ignore="60">
+    <if_matched_sid>51003</if_matched_sid>
+    <same_source_ip />
+    <description>dropbear brute force attempt.</description>
+    <group>authentication_failures,</group>
+  </rule>
+
+  <rule id="51005" level="0">
+    <if_sid>51000</if_sid>
+    <regex>exit after auth \(\S+\): Disconnect received</regex>
+    <description>User disconnected.</description>
+  </rule>
+
+  <rule id="51006" level="2">
+    <if_sid>51000</if_sid>
+    <match>exit before auth</match>
+    <description>Client exited before authentication.</description>
+    <group>recon,</group>
+  </rule>
+
+  <rule id="51007" level="10" frequency="6" timeframe="120" ignore="60">
+    <if_matched_sid>51000</if_matched_sid>
+    <same_source_ip />
+    <description>dropbear brute force attempt.</description> 
+    <group>authentication_failures,</group>
+  </rule>
+
+
+  <rule id="51008" level="1">
+    <if_sid>51000</if_sid>
+    <match>Incompatible remote version</match>
+    <description>Incompatible remote version.</description>
+    <group>recon,</group>
+  </rule>
+ 
+  <rule id="51009" level="0">
+    <if_sid>51000</if_sid>
+    <match>password auth succeeded for</match>
+    <description>User successfully logged in using a password.</description>
+    <group>authentication_success,</group>
+  </rule>
+ 
+   
+</group> <!-- SYSLOG,LOCAL -->
+
+
+<!-- EOF -->