projects / ossec-hids.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Imported Upstream version 2.7
[ossec-hids.git] / etc / rules / dropbear_rules.xml
diff --git a/etc/rules/dropbear_rules.xml b/etc/rules/dropbear_rules.xml
new file mode 100755 (executable)
index 0000000..8609234
--- /dev/null
+++ b/etc/rules/dropbear_rules.xml
@@ -0,0 +1,86 @@
+  <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+  -->
+
+
+
+<!-- Modify it at your will. -->
+
+<group name="syslog,sshd,dropbear">
+
+  <rule id="51000" level="0" noalert="1">
+    <decoded_as>dropbear</decoded_as>
+    <description>Grouping for dropbear rules.</description>
+  </rule>
+
+  <rule id="51001" level="1">
+    <if_sid>51000</if_sid>
+    <match>Failed to get kex value</match>
+    <description>Failed to get key exchange value</description>
+  </rule>
+
+  <rule id="51002" level="1">
+    <if_sid>51000</if_sid>
+    <match>Premature kexdh_init message received</match>
+    <description>Premature kexdh_init message</description>
+  </rule>
+
+  <rule id="51003" level="5">
+    <if_sid>51000</if_sid>
+    <match>bad password attempt for</match>
+    <description>Bad password attempt.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="51004" level="10" frequency="6" timeframe="120" ignore="60">
+    <if_matched_sid>51003</if_matched_sid>
+    <same_source_ip />
+    <description>dropbear brute force attempt.</description>
+    <group>authentication_failures,</group>
+  </rule>
+
+  <rule id="51005" level="0">
+    <if_sid>51000</if_sid>
+    <regex>exit after auth \(\S+\): Disconnect received</regex>
+    <description>User disconnected.</description>
+  </rule>
+
+  <rule id="51006" level="2">
+    <if_sid>51000</if_sid>
+    <match>exit before auth</match>
+    <description>Client exited before authentication.</description>
+    <group>recon,</group>
+  </rule>
+
+  <rule id="51007" level="10" frequency="6" timeframe="120" ignore="60">
+    <if_matched_sid>51000</if_matched_sid>
+    <same_source_ip />
+    <description>dropbear brute force attempt.</description> 
+    <group>authentication_failures,</group>
+  </rule>
+
+
+  <rule id="51008" level="1">
+    <if_sid>51000</if_sid>
+    <match>Incompatible remote version</match>
+    <description>Incompatible remote version.</description>
+    <group>recon,</group>
+  </rule>
+  <rule id="51009" level="0">
+    <if_sid>51000</if_sid>
+    <match>password auth succeeded for</match>
+    <description>User successfully logged in using a password.</description>
+    <group>authentication_success,</group>
+  </rule>
+   
+</group> <!-- SYSLOG,LOCAL -->
+
+
+<!-- EOF -->
ossec-hids