-<!-- @(#) $Id$
+<!-- @(#) $Id: sshd_rules.xml,v 1.22 2010/12/19 14:50:14 ddp Exp $
- Official SSHD rules for OSSEC.
-
- - Copyright (C) 2009 Trend Micro Inc.
+ - Copyright (C) 2009-2011 Trend Micro Inc.
- All rights reserved.
-
- This program is a free software; you can redistribute it
<if_sid>5700</if_sid>
<match>error: Could not get shadow information for NOUSER|</match>
<match>fatal: Read from socket failed: |error: ssh_msg_send: write|</match>
- <match>^syslogin_perform_logout: </match>
+ <match>^syslogin_perform_logout: |^pam_succeed_if(sshd:auth): error retrieving information about user|can't verify hostname: getaddrinfo</match>
<description>Useless SSHD message without an user/ip and context.</description>
</rule>
<if_sid>5700</if_sid>
<match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
<match>input_userauth_request: invalid user|</match>
- <match>PAM: User not known to the underlying authentication module for illegal user</match>
+ <match>PAM: User not known to the underlying authentication module for illegal user|</match>
+ <match>error retrieving information about user</match>
<description>Useless/Duplicated SSHD message without a user/ip.</description>
</rule>
<rule id="5719" level="10" frequency="6" timeframe="120" ignore="60">
<if_matched_sid>5718</if_matched_sid>
<description>Multiple access attempts using a denied user.</description>
+ <group>invalid_login,</group>
</rule>
<rule id="5720" level="10" frequency="6">
<description>Multiple SSHD authentication failures.</description>
<group>authentication_failures,</group>
</rule>
+
+ <rule id="5721" level="0">
+ <if_sid>5700</if_sid>
+ <match>Received disconnect from</match>
+ <description>System disconnected from sshd.</description>
+ </rule>
+
+ <rule id="5722" level="0">
+ <if_sid>5700</if_sid>
+ <match>Connection closed</match>
+ <description>ssh connection closed.</description>
+ </rule>
+
+ <rule id="5723" level="0">
+ <if_sid>5700</if_sid>
+ <match>error: buffer_get_bignum2_ret: negative numbers not supported</match>
+ <info>This maybe a bad key in authorized_keys.</info>
+ <description>SSHD key error.</description>
+ </rule>
+
+ <rule id="5724" level="0">
+ <if_sid>5700</if_sid>
+ <match>fatal: buffer_get_bignum2: buffer error</match>
+ <info>This error may relate to ssh key handling.</info>
+ <description>SSHD key error.</description>
+ </rule>
+
+ <rule id="5725" level="0">
+ <if_sid>5700</if_sid>
+ <match>fatal: Write failed: Host is down</match>
+ <description>Host ungracefully disconnected.</description>
+ </rule>
+
+ <rule id="5726" level="5">
+ <if_sid>5700</if_sid>
+ <match>error: PAM: Module is unknown for</match>
+ <description>Unknown PAM module, PAM misconfiguration.</description>
+ </rule>
+
+ <rule id="5727" level="0">
+ <if_sid>5700</if_sid>
+ <match>failed: Address already in use.</match>
+ <description>Attempt to start sshd when something already bound to the port.</description>
+ </rule>
+
+ <rule id="5728" level="4">
+ <if_sid>5700</if_sid>
+ <match>Authentication service cannot retrieve user credentials</match>
+ <info>May be related to PAM module errors.</info>
+ <description>Authentication services were not able to retrieve user credentials.</description>
+ <group>authentication_failed</group>
+ </rule>
+
+ <rule id="5729" level="0">
+ <if_sid>5700</if_sid>
+ <match>debug1: attempt</match>
+ <description>Debug message.</description>
+ </rule>
+
+ <rule id="5730" level="4">
+ <if_sid>5700</if_sid>
+ <regex>error: connect to \S+ port \d+ failed: Connection refused</regex>
+ <description>SSHD is not accepting connections.</description>
+ </rule>
+
+ <rule id="5731" level="6">
+ <if_sid>5700</if_sid>
+ <match>AKASSH_Version_Mapper1.</match>
+ <description>SSH Scanning.</description>
+ <group>recon,</group>
+ </rule>
+
+ <rule id="5732" level="0">
+ <if_sid>5700</if_sid>
+ <match>error: connect_to </match>
+ <description>Possible port forwarding failure.</description>
+ </rule>
+
+ <rule id="5733" level="0">
+ <if_sid>5700</if_sid>
+ <match>Invalid credentials</match>
+ <description>User entered incorrect password.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="5734" level="0">
+ <if_sid>5700</if_sid>
+ <match>Could not load host key</match>
+ <description>sshd could not load one or more host keys.</description>
+ <info>This may be related to an upgrade to OpenSSH.</info>
+ </rule>
+
+ <rule id="5735" level="0">
+ <if_sid>5700</if_sid>
+ <match>Write failed: Broken pipe</match>
+ <description>Failed write due to one host disappearing.</description>
+ </rule>
+
+ <rule id="5736" level="0">
+ <if_sid>5700</if_sid>
+ <match>^error: setsockopt SO_KEEPALIVE: Connection reset by peer$|</match>
+ <match>^error: accept: Software caused connection abort$</match>
+ <description>Connection reset or aborted.</description>
+ </rule>
+
+ <rule id="5737" level="5">
+ <if_sid>5700</if_sid>
+ <match>^fatal: Cannot bind any address.$</match>
+ <description>sshd cannot bind to configured address.</description>
+ </rule>
+
+ <rule id="5738" level="5">
+ <if_sid>5700</if_sid>
+ <match>set_loginuid failed opening loginuid$</match>
+ <description>pam_loginuid could not open loginuid.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="5739" level="4">
+ <if_sid>5700</if_sid>
+ <match>^error: Could not stat AuthorizedKeysCommand</match>
+ <description>SSHD configuration error (AuthorizedKeysCommand)</description>
+ </rule>
+
+ <rule id="5740" level="4">
+ <if_sid>5700</if_sid>
+ <match>Connection reset by peer$</match>
+ <description>ssh connection reset by peer</description>
+ </rule>
+
+ <rule id="5741" level="4">
+ <if_sid>5700</if_sid>
+ <match>Connection refused$</match>
+ <description>ssh connection refused</description>
+ </rule>
+
+ <rule id="5742" level="4">
+ <if_sid>5700</if_sid>
+ <match>Connection timed out$</match>
+ <description>ssh connection timed out</description>
+ </rule>
+
+ <rule id="5743" level="4">
+ <if_sid>5700</if_sid>
+ <match>No route to host$</match>
+ <description>ssh no route to host</description>
+ </rule>
+
+ <rule id="5744" level="4">
+ <if_sid>5700</if_sid>
+ <match>failure direct-tcpip$</match>
+ <description>ssh port forwarding issue</description>
+ </rule>
+
+ <rule id="5745" level="4">
+ <if_sid>5700</if_sid>
+ <match>Transport endpoint is not connected$</match>
+ <description>ssh transport endpoint is not connected</description>
+ </rule>
+
+ <rule id="5746" level="4">
+ <if_sid>5700</if_sid>
+ <match>get_remote_port failed$</match>
+ <description>ssh get_remote_port failed</description>
+ </rule>
+
+ <!-- http://www.gossamer-threads.com/lists/openssh/users/47438 -->
+ <rule id="5747" level="6">
+ <if_sid>5700</if_sid>
+ <match>bad client public DH value</match>
+ <description>ssh bad client public DH value</description>
+ </rule>
+
+ <!-- log sample with context:
+ Nov 22 19:24:52 server sshd[4045]: Connection from 117.117.198.5 port 60304
+ Nov 22 19:24:55 server sshd[4046]: Corrupted MAC on input.
+ Nov 22 19:25:15 server sshd[4046]: Connection closed by 117.117.198.5
+ -->
+ <rule id="5748" level="6">
+ <if_sid>5700</if_sid>
+ <match>Corrupted MAC on input.</match>
+ <description>ssh corrupted MAC on input</description>
+ </rule>
+
+ <rule id="5749" level="4">
+ <if_sid>5700</if_sid>
+ <match>^Bad packet length</match>
+ <description>ssh bad packet length</description>
+ </rule>
+
+ <rule id="5750" level="0">
+ <decoded_as>sshd</decoded_as>
+ <if_sid>5700</if_sid>
+ <match>Unable to negotiate with |Unable to negotiate a key</match>
+ <description>sshd could not negotiate with client.</description>
+ </rule>
+
+ <rule id="5751" level="1">
+ <decoded_as>sshd</decoded_as>
+ <if_sid>5700</if_sid>
+ <match>no hostkey alg [preauth]</match>
+ <description>No hostkey alg.</description>
+ </rule>
+
+ <rule id="5752" level="2">
+ <if_sid>5750</if_sid>
+ <match>no matching key exchange method found.|Unable to negotiate a key exchange method</match>
+ <description>Client did not offer an acceptable key exchange method.</description>
+ </rule>
+
+ <rule id="5753" level="2">
+ <if_sid>5750</if_sid>
+ <match>no matching cipher found.</match>
+ <description>sshd could not negotiate with client, no matching cipher.</description>
+ </rule>
+
+ <rule id="5754" level="1">
+ <if_sid>5700</if_sid>
+ <match>Failed to create session: </match>
+ <description>sshd failed to create a session.</description>
+ </rule>
+
+ <rule id="5755" level="2">
+ <if_sid>5700</if_sid>
+ <match>bad ownership or modes for file</match>
+ <description>Authentication refused due to owner/permissions of authorized_keys.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="5756" level="0">
+ <if_sid>5700</if_sid>
+ <match> failed, subsystem not found$</match>
+ <description>sshd subsystem request failed.</description>
+ </rule>
+
+ <rule id="5757" level="0">
+ <decoded_as>sshd</decoded_as>
+ <match>but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$</match>
+ <description>Bad DNS mapping.</description>
+ </rule>
+
+ <rule id="5758" level="8">
+ <decoded_as>sshd</decoded_as>
+ <match>^error: maximum authentication attempts exceeded </match>
+ <description>Maximum authentication attempts exceeded.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
</group> <!-- SYSLOG, SSHD -->
<!-- EOF -->
projects / ossec-hids.git / blobdiff