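<!-- @(#) $Id: sshd_rules.xml,v 1.22 2010/12/19 14:50:14 ddp Exp $
  -  Official SSHD rules for OSSEC.
  -
  -  Copyright (C) 2009-2011 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
-->

<!-- How this file is organised:
  -  Rule 5700 is the parent. It only asserts that the sshd decoder
  -  claimed the event (decoded_as) and carries noalert="1", so it never
  -  alerts by itself. Every other rule chains to it with if_sid, either
  -  directly or through another rule in this file, so each pcre2 below
  -  is evaluated only against events already identified as sshd.
  -  Rules that carry if_matched_sid together with frequency/timeframe
  -  are correlation rules: they fire after the referenced rule has matched
  -  the given number of times inside the window. same_source_ip limits
  -  that count to events from a single source address.
  -  Level 0 rules are deliberate noise suppressors for messages that
  -  carry no user/ip context; level 0 does not alert.
  -  Groups are comma separated and every value ends with a trailing comma,
  -  matching the "syslog,sshd," prefix on the enclosing group element.
-->

<!-- SSHD messages -->
<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>

  <!-- Several rules split their text over two description elements; the
       trailing space in the first one keeps the joined text readable. -->
  <rule id="5701" level="8">
    <if_sid>5700</if_sid>
    <pcre2>Bad protocol version identification|error: Protocol major versions differ</pcre2>
    <description>Possible attack on the ssh server </description>
    <description>(or version gathering).</description>
  </rule>

  <rule id="5702" level="5">
    <if_sid>5700</if_sid>
    <pcre2>^reverse mapping.*failed - POSSIBLE BREAK</pcre2>
    <description>Reverse lookup error (bad ISP or attack).</description>
  </rule>

  <!-- No same_source_ip here: the count is taken across all sources. -->
  <rule id="5703" level="10" frequency="4" timeframe="360">
    <if_matched_sid>5702</if_matched_sid>
    <description>Possible breakin attempt </description>
    <description>(high number of reverse lookup errors).</description>
  </rule>

  <rule id="5704" level="4">
    <if_sid>5700</if_sid>
    <pcre2>fatal: Timeout before authentication for</pcre2>
    <description>Timeout while logging in (sshd).</description>
  </rule>

  <rule id="5705" level="10" frequency="4" timeframe="360">
    <if_matched_sid>5704</if_matched_sid>
    <description>Possible scan or breakin attempt </description>
    <description>(high number of login timeouts).</description>
  </rule>

  <rule id="5706" level="6">
    <if_sid>5700</if_sid>
    <pcre2>Did not receive identification string from</pcre2>
    <description>SSH insecure connection attempt (scan).</description>
    <group>recon,</group>
  </rule>

  <rule id="5707" level="14">
    <if_sid>5700</if_sid>
    <pcre2>fatal: buffer_get_string: bad string</pcre2>
    <description>OpenSSH challenge-response exploit.</description>
    <group>exploit_attempt,</group>
  </rule>

  <!-- Consecutive pcre2 elements form one alternation; the trailing "|"
       on all but the last element is the separator between them. -->
  <rule id="5709" level="0">
    <if_sid>5700</if_sid>
    <pcre2>error: Could not get shadow information for NOUSER|</pcre2>
    <pcre2>fatal: Read from socket failed: |error: ssh_msg_send: write|</pcre2>
    <pcre2>^syslogin_perform_logout: |^pam_succeed_if\(sshd:auth\): error retrieving information about user|can't verify hostname: getaddrinfo</pcre2>
    <description>Useless SSHD message without an user/ip and context.</description>
  </rule>

  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <pcre2>illegal user|invalid user</pcre2>
    <description>Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>

  <rule id="5711" level="0">
    <if_sid>5700</if_sid>
    <pcre2>authentication failure; logname= uid=0 euid=0 tty=ssh|</pcre2>
    <pcre2>input_userauth_request: invalid user|</pcre2>
    <pcre2>PAM: User not known to the underlying authentication module for illegal user|</pcre2>
    <pcre2>error retrieving information about user</pcre2>
    <description>Useless/Duplicated SSHD message without a user/ip.</description>
  </rule>

  <!-- Brute force on unknown accounts: 6 hits of 5710 from one source
       within 120 s; ignore="60" throttles repeated alerts. -->
  <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSHD brute force trying to get access to </description>
    <description>the system.</description>
    <same_source_ip />
    <group>authentication_failures,</group>
  </rule>

  <rule id="5713" level="6">
    <if_sid>5700</if_sid>
    <pcre2>Corrupted check bytes on</pcre2>
    <description>Corrupted bytes on SSHD.</description>
  </rule>

  <!-- The info elements carry the external reference for this signature. -->
  <rule id="5714" level="14" timeframe="120" frequency="1">
    <if_matched_sid>5713</if_matched_sid>
    <pcre2>Local: crc32 compensation attack</pcre2>
    <description>SSH CRC-32 Compensation attack</description>
    <info type="cve">2001-0144</info>
    <info type="link">http://www.securityfocus.com/bid/2347/info/</info>
    <group>exploit_attempt,</group>
  </rule>

  <rule id="5715" level="3">
    <if_sid>5700</if_sid>
    <pcre2>^Accepted|authenticated\.$</pcre2>
    <description>SSHD authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="5716" level="5">
    <if_sid>5700</if_sid>
    <pcre2>^Failed|^error: PAM: Authentication</pcre2>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="5717" level="4">
    <if_sid>5700</if_sid>
    <pcre2>error: Bad prime description in line</pcre2>
    <description>SSHD configuration error (moduli).</description>
  </rule>

  <rule id="5718" level="5">
    <if_sid>5700</if_sid>
    <pcre2>not allowed because</pcre2>
    <description>Attempt to login using a denied user.</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="5719" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5718</if_matched_sid>
    <description>Multiple access attempts using a denied user.</description>
    <group>invalid_login,</group>
  </rule>

  <!-- NOTE(review): unlike 5712 and 5719 this correlation rule sets no
       timeframe and no ignore, so it relies on the engine defaults for
       both; confirm that is intended. -->
  <rule id="5720" level="10" frequency="6">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="5721" level="0">
    <if_sid>5700</if_sid>
    <pcre2>Received disconnect from</pcre2>
    <description>System disconnected from sshd.</description>
  </rule>

  <rule id="5722" level="0">
    <if_sid>5700</if_sid>
    <pcre2>Connection closed</pcre2>
    <description>ssh connection closed.</description>
  </rule>

  <rule id="5723" level="0">
    <if_sid>5700</if_sid>
    <pcre2>error: buffer_get_bignum2_ret: negative numbers not supported</pcre2>
    <info>This maybe a bad key in authorized_keys.</info>
    <description>SSHD key error.</description>
  </rule>

  <rule id="5724" level="0">
    <if_sid>5700</if_sid>
    <pcre2>fatal: buffer_get_bignum2: buffer error</pcre2>
    <info>This error may relate to ssh key handling.</info>
    <description>SSHD key error.</description>
  </rule>

  <rule id="5725" level="0">
    <if_sid>5700</if_sid>
    <pcre2>fatal: Write failed: Host is down</pcre2>
    <description>Host ungracefully disconnected.</description>
  </rule>

  <rule id="5726" level="5">
    <if_sid>5700</if_sid>
    <pcre2>error: PAM: Module is unknown for</pcre2>
    <description>Unknown PAM module, PAM misconfiguration.</description>
  </rule>

  <rule id="5727" level="0">
    <if_sid>5700</if_sid>
    <pcre2>failed: Address already in use\.</pcre2>
    <description>Attempt to start sshd when something already bound to the port.</description>
  </rule>

  <!-- Group value now carries the trailing comma used by every other group
       element in this file, so if_group patterns written against
       "authentication_failed," see this rule too. -->
  <rule id="5728" level="4">
    <if_sid>5700</if_sid>
    <pcre2>Authentication service cannot retrieve user credentials</pcre2>
    <info>May be related to PAM module errors.</info>
    <description>Authentication services were not able to retrieve user credentials.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="5729" level="0">
    <if_sid>5700</if_sid>
    <pcre2>debug1: attempt</pcre2>
    <description>Debug message.</description>
  </rule>

  <rule id="5730" level="4">
    <if_sid>5700</if_sid>
    <pcre2>error: connect to \S+ port \d+ failed: Connection refused</pcre2>
    <description>SSHD is not accepting connections.</description>
  </rule>

  <rule id="5731" level="6">
    <if_sid>5700</if_sid>
    <pcre2>AKASSH_Version_Mapper1\.</pcre2>
    <description>SSH Scanning.</description>
    <group>recon,</group>
  </rule>

  <!-- The trailing space inside the pattern is intentional. -->
  <rule id="5732" level="0">
    <if_sid>5700</if_sid>
    <pcre2>error: connect_to </pcre2>
    <description>Possible port forwarding failure.</description>
  </rule>

  <!-- NOTE(review): this single-event rule is tagged with the
       "authentication_failures" group that the correlation rules 5712 and
       5720 use, while the other single failures in this file use
       "authentication_failed"; confirm which one is intended. -->
  <rule id="5733" level="0">
    <if_sid>5700</if_sid>
    <pcre2>Invalid credentials</pcre2>
    <description>User entered incorrect password.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="5734" level="0">
    <if_sid>5700</if_sid>
    <pcre2>Could not load host key</pcre2>
    <description>sshd could not load one or more host keys.</description>
    <info>This may be related to an upgrade to OpenSSH.</info>
  </rule>

  <rule id="5735" level="0">
    <if_sid>5700</if_sid>
    <pcre2>Write failed: Broken pipe</pcre2>
    <description>Failed write due to one host disappearing.</description>
  </rule>

  <rule id="5736" level="0">
    <if_sid>5700</if_sid>
    <pcre2>^error: setsockopt SO_KEEPALIVE: Connection reset by peer$|</pcre2>
    <pcre2>^error: accept: Software caused connection abort$</pcre2>
    <description>Connection reset or aborted.</description>
  </rule>

  <rule id="5737" level="5">
    <if_sid>5700</if_sid>
    <pcre2>^fatal: Cannot bind any address\.$</pcre2>
    <description>sshd cannot bind to configured address.</description>
  </rule>

  <rule id="5738" level="5">
    <if_sid>5700</if_sid>
    <pcre2>set_loginuid failed opening loginuid$</pcre2>
    <description>pam_loginuid could not open loginuid.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="5739" level="4">
    <if_sid>5700</if_sid>
    <pcre2>^error: Could not stat AuthorizedKeysCommand</pcre2>
    <description>SSHD configuration error (AuthorizedKeysCommand)</description>
  </rule>

  <!-- NOTE(review): the generic suffix patterns of 5740 and 5741 also match
       the messages listed in 5736 ("Connection reset by peer") and 5730
       ("Connection refused"). Which rule wins depends on how the engine
       orders sibling rules under 5700; the level 0 suppression in 5736 may
       therefore not take effect. Worth verifying with a sample event. -->
  <rule id="5740" level="4">
    <if_sid>5700</if_sid>
    <pcre2>Connection reset by peer$</pcre2>
    <description>ssh connection reset by peer</description>
  </rule>

  <rule id="5741" level="4">
    <if_sid>5700</if_sid>
    <pcre2>Connection refused$</pcre2>
    <description>ssh connection refused</description>
  </rule>

  <rule id="5742" level="4">
    <if_sid>5700</if_sid>
    <pcre2>Connection timed out$</pcre2>
    <description>ssh connection timed out</description>
  </rule>

  <rule id="5743" level="4">
    <if_sid>5700</if_sid>
    <pcre2>No route to host$</pcre2>
    <description>ssh no route to host</description>
  </rule>

  <rule id="5744" level="4">
    <if_sid>5700</if_sid>
    <pcre2>failure direct-tcpip$</pcre2>
    <description>ssh port forwarding issue</description>
  </rule>

  <rule id="5745" level="4">
    <if_sid>5700</if_sid>
    <pcre2>Transport endpoint is not connected$</pcre2>
    <description>ssh transport endpoint is not connected</description>
  </rule>

  <rule id="5746" level="4">
    <if_sid>5700</if_sid>
    <pcre2>get_remote_port failed$</pcre2>
    <description>ssh get_remote_port failed</description>
  </rule>

  <!-- http://www.gossamer-threads.com/lists/openssh/users/47438 -->
  <rule id="5747" level="6">
    <if_sid>5700</if_sid>
    <pcre2>bad client public DH value</pcre2>
    <description>ssh bad client public DH value</description>
  </rule>

  <!-- log sample with context:
       Nov 22 19:24:52 server sshd[4045]: Connection from 117.117.198.5 port 60304
       Nov 22 19:24:55 server sshd[4046]: Corrupted MAC on input.
       Nov 22 19:25:15 server sshd[4046]: Connection closed by 117.117.198.5
  -->
  <rule id="5748" level="6">
    <if_sid>5700</if_sid>
    <pcre2>Corrupted MAC on input\.</pcre2>
    <description>ssh corrupted MAC on input</description>
  </rule>

  <rule id="5749" level="4">
    <if_sid>5700</if_sid>
    <pcre2>^Bad packet length</pcre2>
    <description>ssh bad packet length</description>
  </rule>

  <!-- 5750 and 5751 repeat decoded_as although if_sid 5700 already
       implies it; harmless, kept as written. 5752 and 5753 refine 5750. -->
  <rule id="5750" level="0">
    <decoded_as>sshd</decoded_as>
    <if_sid>5700</if_sid>
    <pcre2>Unable to negotiate with |Unable to negotiate a key</pcre2>
    <description>sshd could not negotiate with client.</description>
  </rule>

  <rule id="5751" level="1">
    <decoded_as>sshd</decoded_as>
    <if_sid>5700</if_sid>
    <pcre2>no hostkey alg \[preauth\]</pcre2>
    <description>No hostkey alg.</description>
  </rule>

  <rule id="5752" level="2">
    <if_sid>5750</if_sid>
    <pcre2>no matching key exchange method found\.|Unable to negotiate a key exchange method</pcre2>
    <description>Client did not offer an acceptable key exchange method.</description>
  </rule>

  <rule id="5753" level="2">
    <if_sid>5750</if_sid>
    <pcre2>no matching cipher found\.</pcre2>
    <description>sshd could not negotiate with client, no matching cipher.</description>
  </rule>

  <rule id="5754" level="1">
    <if_sid>5700</if_sid>
    <pcre2>Failed to create session: </pcre2>
    <description>sshd failed to create a session.</description>
  </rule>

  <rule id="5755" level="2">
    <if_sid>5700</if_sid>
    <pcre2>bad ownership or modes for file</pcre2>
    <description>Authentication refused due to owner/permissions of authorized_keys.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- The leading space inside the pattern is intentional. -->
  <rule id="5756" level="0">
    <if_sid>5700</if_sid>
    <pcre2> failed, subsystem not found$</pcre2>
    <description>sshd subsystem request failed.</description>
  </rule>

  <!-- 5757 and 5758 hang off decoded_as directly rather than if_sid 5700,
       unlike the rest of the file. -->
  <rule id="5757" level="0">
    <decoded_as>sshd</decoded_as>
    <pcre2>but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$</pcre2>
    <description>Bad DNS mapping.</description>
  </rule>

  <rule id="5758" level="8">
    <decoded_as>sshd</decoded_as>
    <pcre2>^error: maximum authentication attempts exceeded </pcre2>
    <description>Maximum authentication attempts exceeded.</description>
    <group>authentication_failed,</group>
  </rule>

</group> <!-- SYSLOG, SSHD -->

<!-- EOF -->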