1 <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
2 - This program is a free software; you can redistribute it
3 - and/or modify it under the terms of the GNU General Public
4 - License (version 2) as published by the FSF - Free Software
7 - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
12 <!-- Modify it at your will. -->
14 <group name="syslog,sshd,dropbear">
16 <rule id="51000" level="0" noalert="1">
17 <decoded_as>dropbear</decoded_as>
18 <description>Grouping for dropbear rules.</description>
21 <rule id="51001" level="1">
22 <if_sid>51000</if_sid>
23 <match>Failed to get kex value</match>
24 <description>Failed to get key exchange value</description>
27 <rule id="51002" level="1">
28 <if_sid>51000</if_sid>
29 <match>Premature kexdh_init message received</match>
30 <description>Premature kexdh_init message</description>
33 <rule id="51003" level="5">
34 <if_sid>51000</if_sid>
35 <match>bad password attempt for</match>
36 <description>Bad password attempt.</description>
37 <group>authentication_failed,</group>
40 <rule id="51004" level="10" frequency="6" timeframe="120" ignore="60">
41 <if_matched_sid>51003</if_matched_sid>
43 <description>dropbear brute force attempt.</description>
44 <group>authentication_failures,</group>
47 <rule id="51005" level="0">
48 <if_sid>51000</if_sid>
49 <regex>exit after auth \(\S+\): Disconnect received</regex>
50 <description>User disconnected.</description>
53 <rule id="51006" level="2">
54 <if_sid>51000</if_sid>
55 <match>exit before auth</match>
56 <description>Client exited before authentication.</description>
60 <rule id="51007" level="10" frequency="6" timeframe="120" ignore="60">
61 <if_matched_sid>51000</if_matched_sid>
63 <description>dropbear brute force attempt.</description>
64 <group>authentication_failures,</group>
68 <rule id="51008" level="1">
69 <if_sid>51000</if_sid>
70 <match>Incompatible remote version</match>
71 <description>Incompatible remote version.</description>
75 <rule id="51009" level="0">
76 <if_sid>51000</if_sid>
77 <match>password auth succeeded for</match>
78 <description>User successfully logged in using a password.</description>
79 <group>authentication_success,</group>
83 </group> <!-- SYSLOG,LOCAL -->