new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / etc / rules / dropbear_rules.xml
old mode 100755 (executable)
new mode 100644 (file)
index 8609234..813dfd0
     <group>authentication_failed,</group>
   </rule>
 
+  <rule id="51093" level="5">
+    <if_sid>51000</if_sid>
+    <match>attempt for nonexistent user</match>
+    <description>Bad password attempt for non existent user.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
   <rule id="51004" level="10" frequency="6" timeframe="120" ignore="60">
-    <if_matched_sid>51003</if_matched_sid>
+    <if_matched_group>authentication_failed</if_matched_group>
     <same_source_ip />
     <description>dropbear brute force attempt.</description>
     <group>authentication_failures,</group>
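Review bot: Rule 51004 now correlates on `<if_matched_group>authentication_failed</if_matched_group>`, and nothing else in the rule ties it to dropbear, so six events carrying that group from one source IP within 120 seconds could raise an alert described as "dropbear brute force attempt." The group name is generic and is presumably also set by rules for other services, which would mislabel brute-force activity against them and complicate triage. If the aim is only to count the new 51093 alongside 51003, give the dropbear failure rules a group of their own, for example `<group>authentication_failed,dropbear_auth_failed,</group>` (a constructed name), and match on that group here. The rest of rule 51004, including its closing tag, lies outside this hunk.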
     <description>User successfully logged in using a password.</description>
     <group>authentication_success,</group>
   </rule>
+
+  <rule id="51010" level="0">
+    <if_sid>51000</if_sid>
+    <match>Pubkey auth succeeded</match>
+    <description>User successfully logged in using a public key.</description>
+    <group>authentication_success,</group>
+  </rule>
+
+  <rule id="51011" level="1">
+    <decoded_as>dropbear</decoded_as>
+    <if_sid>1002</if_sid>
+    <match>Error listening: Address already in use</match>
+    <description>Dropbear cannot listen on port.</description>
+  </rule>      
  
    
 </group> <!-- SYSLOG,LOCAL -->
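Review bot: Rule 51011 chains to `<if_sid>1002</if_sid>`, a parent defined outside this file, and nothing states why it does so at level 1. A short comment above the rule would make the dependency explicit, e.g. `<!-- Child of 1002: report the dropbear bind failure at level 1 instead of the parent's level -->`, with the wording confirmed against what 1002 actually matches. The rule also has no `<group>`, unlike the other rules added here, and its `</rule>` line ends in trailing whitespace.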