
rules/50_sshd_rules.xml

Platforms: None

groups syslog,sshd,
rule-id-5700

SSHD messages grouped.

rule-id-5701

Possible attack on the ssh server

(or version gathering).

rule-id-5702

Reverse lookup error (bad ISP or attack).

rule-id-5703

Possible breakin attempt

(high number of reverse lookup errors).

rule-id-5704

Timeout while logging in (sshd).

rule-id-5705

Possible scan or breakin attempt

(high number of login timeouts).

rule-id-5706

SSH insecure connection attempt (scan).

rule-id-5707

OpenSSH challenge-response exploit.

rule-id-5709

Useless SSHD message without a user/ip and context.

rule-id-5710

Attempt to login using a non-existent user

rule-id-5711

Useless/Duplicated SSHD message without a user/ip.

rule-id-5712

SSHD brute force trying to get access to

the system.

rule-id-5713

Corrupted bytes on SSHD.

rule-id-5714

SSH CRC-32 Compensation attack

rule-id-5715

SSHD authentication success.

rule-id-5716

SSHD authentication failed.

rule-id-5717

SSHD configuration error (moduli).

rule-id-5718

Attempt to login using a denied user.

rule-id-5719

Multiple access attempts using a denied user.

rule-id-5720

Multiple SSHD authentication failures.

Full XML Output: rules/50_sshd_rules.xml

 <!-- @(#) $Id: sshd_rules.xml,v 1.24 2010/05/18 11:49:23 dcid Exp $
   -  Official SSHD rules for OSSEC.
   -
   -  Copyright (C) 2009 Trend Micro Inc.
   -  All rights reserved.
   -
   -  This program is a free software; you can redistribute it
   -  and/or modify it under the terms of the GNU General Public
   -  License (version 2) as published by the FSF - Free Software
   -  Foundation.
   -
   -  License details: http://www.ossec.net/en/licensing.html
   -->


 <!-- SSHD messages -->
 <group name="syslog,sshd,">
   <!-- Parent rule: anything the sshd decoder produced. level 0 plus
        noalert means it never alerts by itself; every rule below hangs
        off it through if_sid, or counts one of its children through
        if_matched_sid (the composite rules). -->
   <rule id="5700" level="0" noalert="1">
     <decoded_as>sshd</decoded_as>
     <description>SSHD messages grouped.</description>
   </rule>

   <!-- Client sent a malformed protocol banner. The description treats
        this as a probe / version-gathering attempt, hence level 8 for a
        single event. -->
   <rule id="5701" level="8">
     <if_sid>5700</if_sid>
     <match>Bad protocol version identification</match>
     <description>Possible attack on the ssh server </description>
     <description>(or version gathering).</description>
   </rule>

   <!-- Reverse DNS of the client did not check out. Both the match
        (message prefix) and the regex are given, so presumably both must
        hold; kept at level 5 because broken ISP PTR records produce the
        same message. -->
   <rule id="5702" level="5">
     <if_sid>5700</if_sid>
     <match>^reverse mapping</match>
     <regex>failed - POSSIBLE BREAK</regex>
     <description>Reverse lookup error (bad ISP or attack).</description>
   </rule>

   <!-- Composite: 4 hits of 5702 within 360s. There is no same_source_ip
        here, so the count appears to run across all clients; confirm that
        is intended rather than per source. -->
   <rule id="5703" level="10" frequency="4" timeframe="360">
     <if_matched_sid>5702</if_matched_sid>
     <description>Possible breakin attempt </description>
     <description>(high number of reverse lookup errors).</description>
   </rule>

   <!-- Client connected but never finished authenticating before sshd
        gave up. Low level on its own; counted by 5705. -->
   <rule id="5704" level="4">
     <if_sid>5700</if_sid>
     <match>fatal: Timeout before authentication for</match>
     <description>Timeout while logging in (sshd).</description>
   </rule>

   <!-- Composite: 4 login timeouts (5704) within 360s, any source
        (no same_source_ip, as in 5703). -->
   <rule id="5705" level="10" frequency="4" timeframe="360">
     <if_matched_sid>5704</if_matched_sid>
     <description>Possible scan or breakin attempt </description>
     <description>(high number of login timeouts).</description>
   </rule>

   <!-- Client closed the connection without sending a version string,
        which the rule classifies as reconnaissance (group recon). -->
   <rule id="5706" level="6">
     <if_sid>5700</if_sid>
     <match>Did not receive identification string from</match>
     <description>SSH insecure connection attempt (scan).</description>
     <group>recon,</group>
   </rule>

   <!-- sshd internal buffer error that this rule set treats as an
        exploit attempt against challenge-response authentication;
        level 14 and exploit_attempt make it one of the loudest rules
        in the group. -->
   <rule id="5707" level="14">
     <if_sid>5700</if_sid>
     <match>fatal: buffer_get_string: bad string</match>
     <description>OpenSSH challenge-response exploit.</description>
     <group>exploit_attempt,</group>
   </rule>

   <!-- Noise suppression (level 0): messages with no user/ip to act on.
        The trailing | on a match line continues the alternation on the
        next match element. NOTE(review): confirm that multi-match
        concatenation behaves this way on the OSSEC version in use. -->
   <rule id="5709" level="0">
     <if_sid>5700</if_sid>
     <match>error: Could not get shadow information for NOUSER|</match>
     <match>fatal: Read from socket failed: |error: ssh_msg_send: write|</match>
     <match>^syslogin_perform_logout: </match>
     <description>Useless SSHD message without an user/ip and context.</description>
   </rule>

   <!-- Login attempt for an account that does not exist on the host.
        Single event is level 5; the brute-force counter is 5712. -->
   <rule id="5710" level="5">
     <if_sid>5700</if_sid>
     <match>illegal user|invalid user</match>
     <description>Attempt to login using a non-existent user</description>
     <group>invalid_login,authentication_failed,</group>
   </rule>

   <!-- Secondary messages (PAM and userauth) for the same failed attempt
        that 5710/5716 already cover; level 0, presumably so one attempt
        is not counted twice by the composite rules. -->
   <rule id="5711" level="0">
     <if_sid>5700</if_sid>
     <match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
     <match>input_userauth_request: invalid user|</match>
     <match>PAM: User not known to the underlying authentication module for illegal user</match>
     <description>Useless/Duplicated SSHD message without a user/ip.</description>
   </rule>

   <!-- Composite brute force: 6 hits of 5710 from the same source IP
        within 120s. ignore="60" presumably suppresses re-firing for that
        long after an alert; verify against the engine documentation. -->
   <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
     <if_matched_sid>5710</if_matched_sid>
     <description>SSHD brute force trying to get access to </description>
     <description>the system.</description>
     <same_source_ip />
     <group>authentication_failures,</group>
   </rule>

   <!-- Corrupted check bytes from a client. Only level 6 by itself, but
        it is the event that 5714 builds on. -->
   <rule id="5713" level="6">
     <if_sid>5700</if_sid>
     <match>Corrupted check bytes on</match>
     <description>Corrupted bytes on SSHD.</description>
   </rule>

   <!-- Composite: a crc32 compensation message after a 5713 hit, tagged
        with its CVE and advisory link. NOTE(review): frequency="1" on an
        if_matched_sid rule is unusual; confirm the engine accepts a count
        this low and fires as intended. -->
   <rule id="5714" level="14" timeframe="120" frequency="1">
     <if_matched_sid>5713</if_matched_sid>
     <match>Local: crc32 compensation attack</match>
     <description>SSH CRC-32 Compensation attack</description>
     <info type="cve">2001-0144</info>
     <info type="link">http://www.securityfocus.com/bid/2347/info/</info>
     <group>exploit_attempt,</group>
   </rule>

   <!-- Successful login. Kept at a low level: successful sessions are
        what you look up after an incident, so record them without
        treating each as an alert-worthy event. -->
   <rule id="5715" level="3">
     <if_sid>5700</if_sid>
     <match>^Accepted|authenticated.$</match>
     <description>SSHD authentication success.</description>
     <group>authentication_success,</group>
   </rule>

   <!-- Single failed authentication (sshd "Failed ..." or the PAM form).
        Counted per source by 5720. -->
   <rule id="5716" level="5">
     <if_sid>5700</if_sid>
     <match>^Failed|^error: PAM: Authentication</match>
     <description>SSHD authentication failed.</description>
     <group>authentication_failed,</group>
   </rule>

   <!-- sshd could not parse an entry in its moduli file: a host-side
        configuration problem rather than client activity. -->
   <rule id="5717" level="4">
     <if_sid>5700</if_sid>
     <match>error: Bad prime description in line</match>
     <description>SSHD configuration error (moduli).</description>
   </rule>

   <!-- Login refused by sshd's own allow/deny policy ("not allowed
        because ..."). Kept separate from 5710 because the account itself
        may exist; only the policy rejected it. -->
   <rule id="5718" level="5">
     <if_sid>5700</if_sid>
     <match>not allowed because</match>
     <description>Attempt to login using a denied user.</description>
     <group>invalid_login,</group>
   </rule>

   <!-- Composite: 6 hits of 5718 within 120s. Unlike 5712 and 5720 there
        is no same_source_ip, so this appears to count across clients;
        confirm that is intended. -->
   <rule id="5719" level="10" frequency="6" timeframe="120" ignore="60">
     <if_matched_sid>5718</if_matched_sid>
     <description>Multiple access attempts using a denied user.</description>
   </rule>

   <!-- Composite: 6 failed authentications (5716) from one source IP.
        No timeframe attribute, so the engine default applies, and no
        ignore attribute as on 5712/5719, so it presumably re-alerts
        more readily; check both against the intended tuning. -->
   <rule id="5720" level="10" frequency="6">
     <if_matched_sid>5716</if_matched_sid>
     <same_source_ip />
     <description>Multiple SSHD authentication failures.</description>
     <group>authentication_failures,</group>
   </rule>
 </group> <!-- SYSLOG, SSHD -->

 <!-- EOF -->