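<!-- @(#) $Id: sshd_rules.xml,v 1.22 2009/11/09 20:18:52 dcid Exp $
  -  Official SSHD rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 3) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->

<!-- SSHD messages.
  -
  -  Conventions used in this file:
  -  * Rule 5700 is the level-0 parent for everything the sshd decoder
  -    claims. Single-event rules hang off it with <if_sid>; threshold rules
  -    reference a single-event rule with <if_matched_sid>. No pattern below
  -    is therefore evaluated against events that were not decoded as sshd.
  -  * Consecutive <match> (and <description>) elements inside one rule are
  -    concatenated into a single string; the trailing "|" or trailing space
  -    on some of them is deliberate and must be kept.
  -  * <match> is a literal substring test that understands "^", "$" and "|";
  -    <regex> is an OS_Regex expression. When a rule has both, both must
  -    match.
  -  * frequency / timeframe: number of earlier alerts of the referenced rule
  -    within timeframe seconds; ignore: seconds during which repeats are
  -    suppressed after the rule fires. NOTE(review): OSSEC documentation
  -    describes the effective trigger count as frequency+2 in some releases;
  -    confirm against the analysisd version in use before relying on the
  -    literal thresholds below.
  -  * Group values end in a comma because OSSEC treats them as a
  -    comma-terminated list.
  -->
<group name="syslog,sshd,">

  <!-- Parent for every sshd event. Level 0 with noalert: never alerts by
     - itself, it only gives the child rules something to chain to. -->
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>

  <!-- Client sent something that is not an SSH banner. Typical of scanners
     - and version fingerprinting, but also of HTTP/TLS clients pointed at
     - port 22 by mistake; lower the level if that is common in your
     - environment. -->
  <rule id="5701" level="8">
    <if_sid>5700</if_sid>
    <match>Bad protocol version identification</match>
    <description>Possible attack on the ssh server </description>
    <description>(or version gathering).</description>
  </rule>

  <!-- Reverse DNS of the client does not map back to its address. Usually a
     - broken ISP PTR record; only the repeat count (5703) is suspicious.
     - Both the <match> prefix and the <regex> must be present in the line. -->
  <rule id="5702" level="5">
    <if_sid>5700</if_sid>
    <match>^reverse mapping</match>
    <regex>failed - POSSIBLE BREAK</regex>
    <description>Reverse lookup error (bad ISP or attack).</description>
  </rule>

  <!-- Four reverse-lookup errors within 360 s. Not restricted to one
     - source address. -->
  <rule id="5703" level="10" frequency="4" timeframe="360">
    <if_matched_sid>5702</if_matched_sid>
    <description>Possible breakin attempt </description>
    <description>(high number of reverse lookup errors).</description>
  </rule>

  <!-- Connection opened but authentication never started before sshd's
     - grace period expired. -->
  <rule id="5704" level="4">
    <if_sid>5700</if_sid>
    <match>fatal: Timeout before authentication for</match>
    <description>Timeout while logging in (sshd).</description>
  </rule>

  <!-- Four login timeouts within 360 s: a scanner holding connections open,
     - or a client-side network problem. Not restricted to one source. -->
  <rule id="5705" level="10" frequency="4" timeframe="360">
    <if_matched_sid>5704</if_matched_sid>
    <description>Possible scan or breakin attempt </description>
    <description>(high number of login timeouts).</description>
  </rule>

  <!-- TCP connection with no banner exchanged: port scans, but also load
     - balancer health checks and monitoring probes. Whitelist those sources
     - rather than lowering the level. -->
  <rule id="5706" level="6">
    <if_sid>5700</if_sid>
    <match>Did not receive identification string from</match>
    <description>SSH insecure connection attempt (scan).</description>
  </rule>

  <!-- Log line associated with the OpenSSH challenge-response exploit.
     - Level 14 because it indicates an exploit in progress, not a probe. -->
  <rule id="5707" level="14">
    <if_sid>5700</if_sid>
    <match>fatal: buffer_get_string: bad string</match>
    <description>OpenSSH challenge-response exploit.</description>
    <group>exploit_attempt,</group>
  </rule>

  <!-- Noise that carries neither a user nor a source address. Level 0 so it
     - neither alerts nor feeds the brute-force counters. The trailing "|"
     - on the first <match> joins the two elements into one alternation. -->
  <rule id="5709" level="0">
    <if_sid>5700</if_sid>
    <match>error: Could not get shadow information for NOUSER|</match>
    <match>fatal: Read from socket failed: |error: ssh_msg_send: write</match>
    <description>Useless SSHD message without an user/ip and context.</description>
  </rule>

  <!-- Login attempt for an account that does not exist. Feeds 5712. -->
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>

  <!-- PAM and input_userauth_request variants of events already alerted by
     - 5710 / 5716. Level 0 so the same attempt is not counted twice. The
     - trailing "|" on the first two <match> elements is intentional. -->
  <rule id="5711" level="0">
    <if_sid>5700</if_sid>
    <match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
    <match>input_userauth_request: invalid user|</match>
    <match>PAM: User not known to the underlying authentication module for illegal user</match>
    <description>Useless/Duplicated SSHD message without a user/ip.</description>
  </rule>

  <!-- Six non-existent-user attempts from a single source within 120 s;
     - re-fires at most once every 60 s. -->
  <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSHD brute force trying to get access to </description>
    <description>the system.</description>
    <same_source_ip />
    <group>authentication_failures,</group>
  </rule>

  <!-- Corrupted packet data on an established connection. Feeds 5714. -->
  <rule id="5713" level="6">
    <if_sid>5700</if_sid>
    <match>Corrupted check bytes on</match>
    <description>Corrupted bytes on SSHD.</description>
  </rule>

  <!-- CRC-32 compensation attack detector message seen after a 5713 event
     - in the previous 120 s. NOTE(review): frequency="1" is below the
     - minimum of 2 given in the OSSEC rule documentation; confirm how the
     - analysisd version in use handles it. -->
  <rule id="5714" level="14" timeframe="120" frequency="1">
    <if_matched_sid>5713</if_matched_sid>
    <match>Local: crc32 compensation attack</match>
    <description>SSH CRC-32 Compensation attack</description>
    <info>http://www.securityfocus.com/bid/2347/info/</info>
    <group>exploit_attempt,</group>
  </rule>

  <!-- Successful login. Level 3: recorded for audit and for correlation,
     - not paged on its own. -->
  <rule id="5715" level="3">
    <if_sid>5700</if_sid>
    <match>^Accepted|authenticated.$</match>
    <description>SSHD authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Generic authentication failure: any sshd line starting with "Failed"
     - (password, publickey, ...) or a PAM authentication error. Feeds 5720. -->
  <rule id="5716" level="5">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Server-side misconfiguration in the moduli file; not an attack, but
     - worth fixing because it weakens key exchange setup. -->
  <rule id="5717" level="4">
    <if_sid>5700</if_sid>
    <match>error: Bad prime description in line</match>
    <description>SSHD configuration error (moduli).</description>
  </rule>

  <!-- Login refused by sshd's allow/deny user or group policy. Feeds 5719. -->
  <rule id="5718" level="5">
    <if_sid>5700</if_sid>
    <match>not allowed because</match>
    <description>Attempt to login using a denied user.</description>
    <group>invalid_login,</group>
  </rule>

  <!-- Six denied-user attempts within 120 s; re-fires at most once every
     - 60 s. Not restricted to one source address. -->
  <rule id="5719" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5718</if_matched_sid>
    <description>Multiple access attempts using a denied user.</description>
  </rule>

  <!-- Six authentication failures from a single source. No explicit
     - timeframe, so OSSEC's default applies (360 s in 2.x; confirm for your
     - version), and no ignore window, unlike 5712 / 5719. -->
  <rule id="5720" level="10" frequency="6">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

</group> <!-- SYSLOG, SSHD -->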