
Ssh recon #323

Merged
merged 9 commits into from Aug 22, 2019

Conversation

kravietz
Contributor

No description provided.

This is a frequent signature of repeated SSH exploit probing
and should be tagged with recon to enable timeframe correlation
and active response
@Zenidd
Contributor

Zenidd commented May 24, 2019

Hi @kravietz,

First of all, sorry for being late in answering you.

We are going to review your PR and evaluate if we're going to include it in our project. Thank you very much for contributing to us.



Best regards,

Juan Pablo Sáez.

@Lopuiz Lopuiz self-assigned this Jun 11, 2019
@Lopuiz Lopuiz self-requested a review June 11, 2019 09:10
Contributor

@Lopuiz Lopuiz left a comment


Hello @kravietz

First of all, thank you so much for your contribution to the Ruleset project.

I have two brief questions about your rules:

  1. How did you check that the rules 5136 and 5137 work?

I have the following log examples:

Jun 4 08:18:01 lopezziur-S551LN mdadm: /dev/sdd is identified as a member of /dev/md0, slot 3.
Oct 19 19:24:33 r5452 mdadm: added /dev/sda to /dev/md0 as 0
Sep 29 10:42:00 lpezz mdadm: Fail event detected on md device /dev/md0, component device /dev/sdg1

And these match the OpenVAS decoders:

Sep 29 10:42:00 lpezz mdadm: Fail event detected on md device /dev/md0, component device /dev/sdg1


**Phase 1: Completed pre-decoding.
       full event: 'Sep 29 10:42:00 lpezz mdadm: Fail event detected on md device /dev/md0, component device /dev/sdg1'
       timestamp: 'Sep 29 10:42:00'
       hostname: 'lpezz'
       program_name: 'mdadm'
       log: 'Fail event detected on md device /dev/md0, component device /dev/sdg1'

**Phase 2: Completed decoding.
       decoder: 'openvasmd'

**Phase 3: Completed filtering (rules).
       Rule id: '87608'
       Level: '0'
       Description: 'OpenVAS (openvasmd) messages grouped.'

The problem is the following decoder:

<decoder name="openvasmd">
  <program_name>^md</program_name>
</decoder>

Modifying the previous decoder, I checked that your rules work. Could you modify the openvasmd decoder to the following?

<decoder name="openvasmd">
  <program_name>^md$</program_name>
</decoder>
  2. Rule 5138 does not match the following logs:

Sep 30 08:13:56 oak kernel: [ 123.559134] ata2.00: failed command: READ FPDMA QUEUED
Jun 4 08:18:01 lopezziur-S551LN kernel: [ 3624.763777] ata1.00: failed command: WRITE FPDMA QUEUED

Could you solve it?

We will be pleased to merge it as soon as you add these changes.

Kind regards, Eva
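The point of the review comment above is a decoder-ordering problem: in OSSEC/Wazuh regex, `^md` is only anchored at the start, so the `openvasmd` decoder claims every syslog line whose program_name merely begins with "md", including `mdadm`, and the mdadm rules never get a chance to fire. Adding `$` anchors the pattern at both ends. The following Python script is an added illustration, not code from the PR or the Wazuh project: it emulates phase 1 (pre-decoding) and the program_name-based decoder selection of phase 2 on the log lines quoted in the comment, once with the original `^md` pattern and once with `^md$`. Python's `re` is used as an approximation of OSSEC regex anchors, the decoder named `mdadm`, the decoder evaluation order, and the fourth log line (a genuine `md:` kernel-style message) are constructed for the demonstration.

```python
import re

# Sample syslog lines. The first three are the ones quoted in the review
# comment; the fourth is constructed to show a real "md" program_name.
SAMPLE_LOGS = [
    "Jun 4 08:18:01 lopezziur-S551LN mdadm: /dev/sdd is identified as a member of /dev/md0, slot 3.",
    "Oct 19 19:24:33 r5452 mdadm: added /dev/sda to /dev/md0 as 0",
    "Sep 29 10:42:00 lpezz mdadm: Fail event detected on md device /dev/md0, component device /dev/sdg1",
    "Sep 29 10:42:00 lpezz md: bind<sda1>",  # constructed
]

# Phase 1: split a BSD-syslog line into the fields the pre-decoder exposes.
PREDECODE_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\[ ]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)


def predecode(line):
    """Return timestamp/hostname/program_name/log, or None if not syslog-shaped."""
    m = PREDECODE_RE.match(line)
    return m.groupdict() if m else None


# Phase 2 (simplified): decoders are tried in order; the first whose
# program_name pattern matches wins. Patterns are Python re approximations
# of OSSEC regex anchors (^ = start of string, $ = end of string).
# The "mdadm" decoder and the ordering are assumptions for this demo.
DECODERS_BEFORE = [("openvasmd", r"^md"), ("mdadm", r"^mdadm$")]
DECODERS_AFTER = [("openvasmd", r"^md$"), ("mdadm", r"^mdadm$")]


def select_decoder(program_name, decoders):
    """Return the name of the first decoder whose program_name pattern matches."""
    for name, pattern in decoders:
        if re.search(pattern, program_name):
            return name
    return None


def classify(lines, decoders):
    """Map each line to (program_name, decoder) using the given decoder table."""
    result = []
    for line in lines:
        fields = predecode(line)
        if fields is None:
            result.append((None, None))
            continue
        result.append((fields["program_name"],
                       select_decoder(fields["program_name"], decoders)))
    return result


if __name__ == "__main__":
    for label, table in (("before (^md)", DECODERS_BEFORE), ("after (^md$)", DECODERS_AFTER)):
        print(label)
        for program_name, decoder in classify(SAMPLE_LOGS, table):
            print(f"  {program_name:6} -> {decoder}")
```

With the original pattern all three `mdadm` lines land in `openvasmd` and are swallowed by the level-0 grouping rule, exactly what the logtest output in the comment shows; with `^md$` they fall through to the next decoder while a real `md` program_name still reaches `openvasmd`. The same check is worth running whenever a new decoder's `<program_name>` pattern is a prefix of an existing program name.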

@kravietz
Contributor Author

@Lopuiz great, thanks for looking into this PR! I have fixed the rules/decoders you mentioned, and added some more fixes as well.

Contributor

@Lopuiz Lopuiz left a comment


Hello,

Thank you for all.
We will merge it as soon as possible.

Regards, Eva

@Lopuiz Lopuiz changed the base branch from master to 3.10 June 18, 2019 07:36
@Lopuiz Lopuiz requested a review from bah07 June 21, 2019 10:54
@Lopuiz Lopuiz added this to In progress in Wazuh 3.10.0 via automation Aug 13, 2019
@Lopuiz Lopuiz moved this from In progress to Reviewer approved in Wazuh 3.10.0 Aug 13, 2019
@chemamartinez chemamartinez merged commit ff643c3 into wazuh:3.10 Aug 22, 2019
Wazuh 3.10.0 automation moved this from Review approved to Done Aug 22, 2019
@Lopuiz Lopuiz mentioned this pull request Aug 29, 2019
5 participants