projects / ossec-hids.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / etc / rules / sshd_rules.xml
diff --git a/etc/rules/sshd_rules.xml b/etc/rules/sshd_rules.xml
old mode 100755 (executable)
new mode 100644 (file)
index f64bded..06d7dc9
--- a/etc/rules/sshd_rules.xml
+++ b/etc/rules/sshd_rules.xml
@@ -321,13 +321,18 @@
   <!-- http://www.gossamer-threads.com/lists/openssh/users/47438 -->
   <rule id="5747" level="6">
     <if_sid>5700</if_sid>
-    <match>bad client public DH value [preauth]$</match>
-    <description>ssh bad client public DH value [preauth]</description>
+    <match>bad client public DH value</match>
+    <description>ssh bad client public DH value</description>
   </rule>
 
+  <!-- log sample with context:
+       Nov 22 19:24:52 server sshd[4045]: Connection from 117.117.198.5 port 60304
+       Nov 22 19:24:55 server sshd[4046]: Corrupted MAC on input.
+       Nov 22 19:25:15 server sshd[4046]: Connection closed by 117.117.198.5
+  -->
   <rule id="5748" level="6">
     <if_sid>5700</if_sid>
-    <match>Corrupted MAC on input. [preauth]$</match>
+    <match>Corrupted MAC on input.</match>
     <description>ssh corrupted MAC on input</description>
   </rule>
 
@@ -337,6 +342,64 @@
     <description>ssh bad packet length</description>
   </rule>
 
+  <rule id="5750" level="0">
+    <decoded_as>sshd</decoded_as>
+    <if_sid>5700</if_sid>
+    <match>Unable to negotiate with |Unable to negotiate a key</match>
+    <description>sshd could not negotiate with client.</description>
+  </rule>
+
+  <rule id="5751" level="1">
+    <decoded_as>sshd</decoded_as>
+    <if_sid>5700</if_sid>
+    <match>no hostkey alg [preauth]</match>
+    <description>No hostkey alg.</description>
+  </rule>
+
+  <rule id="5752" level="2">
+    <if_sid>5750</if_sid>
+    <match>no matching key exchange method found.|Unable to negotiate a key exchange method</match>
+    <description>Client did not offer an acceptable key exchange method.</description>
+  </rule>
+
+  <rule id="5753" level="2">
+    <if_sid>5750</if_sid>
+    <match>no matching cipher found.</match>
+    <description>sshd could not negotiate with client, no matching cipher.</description>
+  </rule>
+
+  <rule id="5754" level="1">
+    <if_sid>5700</if_sid>
+    <match>Failed to create session: </match>
+    <description>sshd failed to create a session.</description>
+  </rule>
+
+  <rule id="5755" level="2">
+    <if_sid>5700</if_sid>
+    <match>bad ownership or modes for file</match>
+    <description>Authentication refused due to owner/permissions of authorized_keys.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="5756" level="0">
+    <if_sid>5700</if_sid>
+    <match> failed, subsystem not found$</match>
+    <description>sshd subsystem request failed.</description>
+  </rule>
+
+  <rule id="5757" level="0">
+    <decoded_as>sshd</decoded_as>
+    <match>but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$</match>
+    <description>Bad DNS mapping.</description>
+  </rule>
+
+  <rule id="5758" level="8">
+    <decoded_as>sshd</decoded_as>
+    <match>^error: maximum authentication attempts exceeded </match>
+    <description>Maximum authentication attempts exceeded.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
 </group> <!-- SYSLOG, SSHD -->
 
 <!-- EOF -->
ossec-hids