+++ /dev/null
- <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
- -->
-
-
-
-<!-- Modify it at your will. -->
-
-<group name="syslog,sshd,dropbear">
-
- <rule id="51000" level="0" noalert="1">
- <decoded_as>dropbear</decoded_as>
- <description>Grouping for dropbear rules.</description>
- </rule>
-
- <rule id="51001" level="1">
- <if_sid>51000</if_sid>
- <match>Failed to get kex value</match>
- <description>Failed to get key exchange value</description>
- </rule>
-
- <rule id="51002" level="1">
- <if_sid>51000</if_sid>
- <match>Premature kexdh_init message received</match>
- <description>Premature kexdh_init message</description>
- </rule>
-
- <rule id="51003" level="5">
- <if_sid>51000</if_sid>
- <match>bad password attempt for</match>
- <description>Bad password attempt.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="51093" level="5">
- <if_sid>51000</if_sid>
- <match>attempt for nonexistent user</match>
- <description>Bad password attempt for non existent user.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="51004" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_group>authentication_failed</if_matched_group>
- <same_source_ip />
- <description>dropbear brute force attempt.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="51005" level="0">
- <if_sid>51000</if_sid>
- <regex>exit after auth \(\S+\): Disconnect received</regex>
- <description>User disconnected.</description>
- </rule>
-
- <rule id="51006" level="2">
- <if_sid>51000</if_sid>
- <match>exit before auth</match>
- <description>Client exited before authentication.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="51007" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>51000</if_matched_sid>
- <same_source_ip />
- <description>dropbear brute force attempt.</description>
- <group>authentication_failures,</group>
- </rule>
-
-
- <rule id="51008" level="1">
- <if_sid>51000</if_sid>
- <match>Incompatible remote version</match>
- <description>Incompatible remote version.</description>
- <group>recon,</group>
- </rule>
-
- <rule id="51009" level="0">
- <if_sid>51000</if_sid>
- <match>password auth succeeded for</match>
- <description>User successfully logged in using a password.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="51010" level="0">
- <if_sid>51000</if_sid>
- <match>Pubkey auth succeeded</match>
- <description>User successfully logged in using a public key.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="51011" level="1">
- <decoded_as>dropbear</decoded_as>
- <if_sid>1002</if_sid>
- <match>Error listening: Address already in use</match>
- <description>Dropbear cannot listen on port.</description>
- </rule>
-
-
-</group> <!-- SYSLOG,LOCAL -->
-
-
-<!-- EOF -->