--- /dev/null
+ <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ -->
+
+
+
+<!-- Modify it at your will. -->
+
+<group name="syslog,sshd,dropbear">
+
+ <rule id="51000" level="0" noalert="1">
+ <decoded_as>dropbear</decoded_as>
+ <description>Grouping for dropbear rules.</description>
+ </rule>
+
+ <rule id="51001" level="1">
+ <if_sid>51000</if_sid>
+ <match>Failed to get kex value</match>
+ <description>Failed to get key exchange value</description>
+ </rule>
+
+ <rule id="51002" level="1">
+ <if_sid>51000</if_sid>
+ <match>Premature kexdh_init message received</match>
+ <description>Premature kexdh_init message</description>
+ </rule>
+
+ <rule id="51003" level="5">
+ <if_sid>51000</if_sid>
+ <match>bad password attempt for</match>
+ <description>Bad password attempt.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="51093" level="5">
+ <if_sid>51000</if_sid>
+ <match>attempt for nonexistent user</match>
+ <description>Bad password attempt for non existent user.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="51004" level="10" frequency="6" timeframe="120" ignore="60">
+ <if_matched_group>authentication_failed</if_matched_group>
+ <same_source_ip />
+ <description>dropbear brute force attempt.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="51005" level="0">
+ <if_sid>51000</if_sid>
+ <regex>exit after auth \(\S+\): Disconnect received</regex>
+ <description>User disconnected.</description>
+ </rule>
+
+ <rule id="51006" level="2">
+ <if_sid>51000</if_sid>
+ <match>exit before auth</match>
+ <description>Client exited before authentication.</description>
+ <group>recon,</group>
+ </rule>
+
+ <rule id="51007" level="10" frequency="6" timeframe="120" ignore="60">
+ <if_matched_sid>51000</if_matched_sid>
+ <same_source_ip />
+ <description>dropbear brute force attempt.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+
+ <rule id="51008" level="1">
+ <if_sid>51000</if_sid>
+ <match>Incompatible remote version</match>
+ <description>Incompatible remote version.</description>
+ <group>recon,</group>
+ </rule>
+
+ <rule id="51009" level="0">
+ <if_sid>51000</if_sid>
+ <match>password auth succeeded for</match>
+ <description>User successfully logged in using a password.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <rule id="51010" level="0">
+ <if_sid>51000</if_sid>
+ <match>Pubkey auth succeeded</match>
+ <description>User successfully logged in using a public key.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <rule id="51011" level="1">
+ <decoded_as>dropbear</decoded_as>
+ <if_sid>1002</if_sid>
+ <match>Error listening: Address already in use</match>
+ <description>Dropbear cannot listen on port.</description>
+ </rule>
+
+
+</group> <!-- SYSLOG,LOCAL -->
+
+
+<!-- EOF -->