Permalink
Find file
Fetching contributors…
Cannot retrieve contributors at this time
97 lines (76 sloc) 15.9 KB
# Sagan openssh.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Not getting the source IP addresses that you'd expect? Then you probably
# have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll
# need to set that to "No" so Sagan can "find" the source IP addresses and
# port information.
# Failed password for root from 109.70.148.243 port 17298 ssh2
# error: PAM: Authentication failure for champ from 192.168.1.1
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [10/1]"; content: "Authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000015; normalize; parse_src_ip: 1; program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; sid: 5000015; rev:12;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [10/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001634; sid: 5001634; rev:7;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [20/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001635; sid: 5001635; rev:7;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [30/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001636; sid: 5001636; rev:7;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [40/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001637; sid: 5001637; rev:7;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [50/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001638; sid: 5001638; rev:7;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [100/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001639; sid: 5001639; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001523; normalize; program: sshd; sid: 5001523; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [10/1]"; content: "authentication failure"; xbits: set, brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000016; sid: 5000016; rev:12;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [10/5]"; content: "authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001628; sid: 5001628; rev:7;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [20/5]"; content: "authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001629; sid: 5001629; rev:7;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [30/5]"; content: "authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001630; sid: 5001630; rev:7;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [40/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001631; sid: 5001631; rev:4;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [50/5]"; content: "authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001632; sid: 5001632; rev:7;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [100/5]"; content: "authentication failure"; xbits: set,brute_force,21600; classtype: unsuccessful-user;program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001633; sid: 5001633; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001524; sid: 5001524; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure for root - Brute force [5/5]"; content: "Authentication failure for root"; xbits: set,brute_force,21600; classtype: unsuccessful-admin;program: sshd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000017; sid: 5000017; rev:12;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure for root"; content: "Authentication failure for root"; xbits: set,brute_force,21600; classtype: unsuccessful-admin;program: sshd; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001525; sid: 5001525; rev:7;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Possible break-in attempt"; content: "POSSIBLE BREAK-IN ATTEMPT"; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000018; sid: 5000018; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Not executable shell - login attempt"; content: "is not executable"; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000020; sid: 5000020; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Message send write error"; content: "ssh_msg_send";classtype: network-event; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000021; sid:5000021; rev:2;)
# General "illegal user"
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [Brute Force] [10/1]"; pcre: "/invalid user|illegal user/i"; xbits: set,brute_force,21600; classtype: attempted-user; program: sshd; normalize; parse_src_ip: 1; parse_port; after: track by_src, count 10, seconds 300; threshold:type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000022; sid: 5000022; rev:16;)
# Champ Clark (Quadrant Information Security) - Jan 27th 2010 - Out of band challenge - for more info see: http://sourceforge.net/projects/pamobc/
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] Out-of-Band challenge failure"; content: "Failed auth"; content: "out-of-band challenge"; content: "pam_obc"; classtype: unsuccessful-user;program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000023; sid: 5000023; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] Bad protocol version - possible attack"; content: "Bad protocol version identification"; parse_src_ip: 1; classtype: non-standard-protocol; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000068; sid: 5000068; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT ( msg: "[OPENSSH] Timeout while logging in"; content:"Timeout before authentication" ;classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000069; sid: 5000069; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] No identification string - possible scan"; content:"Did not receive identification string"; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; classtype: network-scan; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000070; sid: 5000070; rev:5;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] OpenSSH challenge-response exploit"; content: "buffer_get_string: bad string"; classtype: exploit-attempt; program: sshd; parse_src_ip: 1; fwsam: src, 1 week; reference: url,wiki.quadrantsec.com/bin/view/Main/5000071; sid: 5000071; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] Message without user-IP and context"; content: "Could not get shadow information for NOUSER"; classtype: misc-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000072; sid: 5000072; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Corrupted traffic"; content: "Corrupted check bytes on"; classtype: network-event; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000073; sid: 5000073; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] CRC32 compensation attack"; content: "crc32 compensation attack"; nocase; classtype: shellcode-detect; program: sshd; fwsam: src, 1 week; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000074; reference: url, http://www.securityfocus.com/bid/2347/info/; sid: 5000074; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] configuration error [moduli]"; content: "Bad prime description in line"; classtype: program-error; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000076; sid: 5000076; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Attempt to login using a denied user"; content: "not allowed because"; classtype: unsuccessful-user; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000077; sid:5000077; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] User logged into a disabled account"; pcre: "/accepted|authenticated/i"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; parse_src_ip: 1; parse_port; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000411; program: sshd; sid: 5000411; rev:4;)
# Failed password for root from 10.10.0.1 port 17298 ssh2
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password - Brute force [10/1]"; content: "Failed password"; program: sshd; normalize; xbits: set,brute_force,21600; classtype: unsuccessful-user; sid: 5001646; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001646; rev:8;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password"; content: "Failed password"; program: sshd; normalize; classtype: unsuccessful-user; sid: 5001647; reference: url,wiki.quadrantsec.com/bin/view/Main/5001647; rev:4;)
# AIX 5 has a tendency to log ssh connections via program: syslog :(
# syslog ssh: failed login attempt for UNKNOWN_USER from 10.1.1.4
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] SYSLOG Authentication failure - Brute force [5/1]"; content: "ssh|3a| failed login attempt"; xbits: set,brute_force,21600; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001954; program: syslog; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; sid: 5001954; rev:9;)
# Added by Robert Nunley - 02/20/2014 (rnunley@quadrantsec.com)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Fail2Ban SSH Suspicious Activity"; content: "Fail2Ban"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001974; parse_src_ip: 1; sid: 5001974; rev:1;)