Ssh recon #323
Conversation
This is a frequent signature of repeated SSH exploit probing and should be tagged with recon to enable timeframe correlation and active response.
Hi @kravietz, first of all, sorry for being late in answering you. We are going to review your PR and evaluate if we're going to include it in our project. Thank you very much for contributing to us. Juan Pablo Sáez.
Hello @kravietz
First of all, thank you so much for your contribution to the Ruleset project.
I have two brief questions about your rules:
- How did you check that the rules 5136 and 5137 work?
I have the following log examples:
Jun 4 08:18:01 lopezziur-S551LN mdadm: /dev/sdd is identified as a member of /dev/md0, slot 3.
Oct 19 19:24:33 r5452 mdadm: added /dev/sda to /dev/md0 as 0
Sep 29 10:42:00 lpezz mdadm: Fail event detected on md device /dev/md0, component device /dev/sdg1
And these match the OpenVAS decoders:
Sep 29 10:42:00 lpezz mdadm: Fail event detected on md device /dev/md0, component device /dev/sdg1
**Phase 1: Completed pre-decoding.
full event: 'Sep 29 10:42:00 lpezz mdadm: Fail event detected on md device /dev/md0, component device /dev/sdg1'
timestamp: 'Sep 29 10:42:00'
hostname: 'lpezz'
program_name: 'mdadm'
log: 'Fail event detected on md device /dev/md0, component device /dev/sdg1'
**Phase 2: Completed decoding.
decoder: 'openvasmd'
**Phase 3: Completed filtering (rules).
Rule id: '87608'
Level: '0'
Description: 'OpenVAS (openvasmd) messages grouped.'
The problem is the following decoder:
<decoder name="openvasmd">
<program_name>^md</program_name>
</decoder>
After modifying the previous decoder, I checked that your rules work. Could you modify the openvasmd decoder to the following?
<decoder name="openvasmd">
<program_name>^md$</program_name>
</decoder>
- Rule 5138 does not match the following logs:
Sep 30 08:13:56 oak kernel: [ 123.559134] ata2.00: failed command: READ FPDMA QUEUED
Jun 4 08:18:01 lopezziur-S551LN kernel: [ 3624.763777] ata1.00: failed command: WRITE FPDMA QUEUED
Could you solve it?
We will be pleased to merge it as soon as you add these changes.
Kind regards, Eva
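Added example (not part of this PR or of the Wazuh ruleset's own code) showing why the review comment above asks for the change from `^md` to `^md$`: the first pattern is a prefix match, so every line from `mdadm` is claimed by the openvasmd decoder before any mdadm rule can see it, while the anchored form only matches a program name that is exactly `md`. The script reproduces the pre-decoding step printed by logtest (timestamp, hostname, program_name, log) and then walks a decoder chain with a simplified re-implementation of the sregex anchoring used for `<program_name>`. The "mdadm" decoder name, its position after openvasmd, and the third sample line are assumptions made for the example.

```python
import re

# Constructed sample lines: the two mdadm examples quoted in the review above,
# plus one made-up line whose program name is exactly "md" (hypothetical; it
# stands in for whatever the real openvasmd decoder is meant to catch).
SAMPLE_LOGS = [
    "Oct 19 19:24:33 r5452 mdadm: added /dev/sda to /dev/md0 as 0",
    "Sep 29 10:42:00 lpezz mdadm: Fail event detected on md device /dev/md0, component device /dev/sdg1",
    "Sep 29 10:42:05 lpezz md: example line for the openvasmd decoder",
]

# Phase 1 (pre-decoding): split a BSD-syslog line into the fields that
# logtest prints: timestamp, hostname, program_name, log.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)


def predecode(line):
    """Return the pre-decoded fields for a syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def sregex_match(pattern, text):
    """Emulate <program_name> matching as used in OSSEC/Wazuh decoders:
    '^' anchors the start, '$' anchors the end, anything else is a substring test.
    Simplified re-implementation for illustration, not the real matching engine."""
    starts = pattern.startswith("^")
    ends = pattern.endswith("$")
    core = pattern[1 if starts else 0 : len(pattern) - (1 if ends else 0)]
    if starts and ends:
        return text == core
    if starts:
        return text.startswith(core)
    if ends:
        return text.endswith(core)
    return core in text


def decode(line, decoders):
    """Phase 2 (decoding): return the name of the first decoder whose
    <program_name> pattern matches, walking the chain in listed order."""
    fields = predecode(line)
    if fields is None:
        return None
    for name, pattern in decoders:
        if sregex_match(pattern, fields["program_name"]):
            return name
    return None


# Decoder chains with the openvasmd pattern before and after the requested fix.
# The "mdadm" decoder name and its placement after openvasmd are assumptions
# made for this example, not the ruleset's actual decoder file.
DECODERS_BEFORE = [("openvasmd", "^md"), ("mdadm", "^mdadm$")]
DECODERS_AFTER = [("openvasmd", "^md$"), ("mdadm", "^mdadm$")]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        fields = predecode(line)
        print(fields["program_name"],
              "before:", decode(line, DECODERS_BEFORE),
              "after:", decode(line, DECODERS_AFTER))
```

Running it shows the two mdadm lines landing on `openvasmd` with the prefix pattern and on the mdadm decoder once the pattern is end-anchored, while the line whose program name is exactly `md` still reaches `openvasmd` in both cases. When adding a new decoder to a shared ruleset, this ordering check against existing `<program_name>` patterns is a cheap way to catch the same kind of shadowing before the rules are tested.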
@Lopuiz great, thanks for looking into this PR! I have fixed the rules/decoders you mentioned, and added some more fixes as well.
Hello,
Thank you for all.
We will merge it as soon as possible.
Regards, Eva