wazuh · davidjiglesias · Jan 17, 2022 · Dec 16, 2021 · Jan 12, 2022 · Jan 12, 2022
diff --git a/ruleset/decoders/0310-ssh_decoders.xml b/ruleset/decoders/0310-ssh_decoders.xml
@@ -1,59 +1,54 @@
 <!--
-  -  SSH decoders
-  -  Author: Daniel Cid.
-  -  Updated by Wazuh, Inc.
-  -  Copyright (C) 2015-2021, Wazuh Inc.
-  -  Copyright (C) 2009 Trend Micro Inc.
-  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+  Copyright (C) 2015-2021, Wazuh Inc.
 -->
 
 
 <!--
-  -  Will extract username and srcip from the logs.
-  -  Only add to the FTS if the login was successful
-  -  If the login failed, just extract the username/srcip for correlation
-  -  Examples:
-  -  sshd[8813]: Accepted password for root from 192.168.10.1 port 1066 ssh2
-  -  sshd[2404]: Accepted password for root from 192.168.11.1 port 2011 ssh2
-  -  sshd[21405]: Accepted password for root from 192.1.1.1 port 6023 ssh2
-  -  sshd[21487]: Failed password for root from 192.168.1.1 port 1045 ssh2
-  -  sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
-  -  sshd[12675]: Failed password for invalid user lala11 from x.x.x.x ..
-  -  sshd[12914]: Failed password for invalid user lala6 from ...
-  -  sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
-  -  sshd[11259]: Invalid user abc from 127.0.0.1
-  -  "" Failed keyboard-interactive for root from 192.1.1.1 port 1066 ssh2
-  -  sshd[23857]: [ID 702911 auth.notice] User xxx, coming from zzzz,
-  -  authenticated.
-  -  sshd[23578]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
-  -  sshd[61834]: reverse mapping checking getaddrinfo for sv.tvcm.ch
-  -  failed - POSSIBLE BREAKIN ATTEMPT!
-  -  sshd[3251]: User root not allowed because listed in DenyUsers
-  -  [Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3] [UID -2] [GID -2] [Host Hostname]
-  -  [Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800] [Message refused connect from 51.124.44.34] [Level 4] [UID -2] [GID -2] [Host test2-emac]
-  -  Apr 23 07:03:53 machinename sshd[29961]: User root from 12.3.4.5
+  Will extract username and srcip from the logs.
+  Only add to the FTS if the login was successful
+  If the login failed, just extract the username/srcip for correlation
+  Examples:
+    sshd[8813]: Accepted password for root from 192.168.10.1 port 1066 ssh2
+    sshd[2404]: Accepted password for root from 192.168.11.1 port 2011 ssh2
+    sshd[21405]: Accepted password for root from 192.1.1.1 port 6023 ssh2
+    sshd[21487]: Failed password for root from 192.168.1.1 port 1045 ssh2
+    sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
+    sshd[12675]: Failed password for invalid user lala11 from x.x.x.x ..
+    sshd[12914]: Failed password for invalid user lala6 from ...
+    sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
+    sshd[11259]: Invalid user abc from 127.0.0.1
+    "" Failed keyboard-interactive for root from 192.1.1.1 port 1066 ssh2
+    sshd[23857]: [ID 702911 auth.notice] User xxx, coming from zzzz,
+    authenticated.
+    sshd[23578]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
+    sshd[61834]: reverse mapping checking getaddrinfo for sv.tvcm.ch
+    failed - POSSIBLE BREAKIN ATTEMPT!
+    sshd[3251]: User root not allowed because listed in DenyUsers
+    [Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3] [UID -2] [GID -2] [Host Hostname]
+    [Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800] [Message refused connect from 51.124.44.34] [Level 4] [UID -2] [GID -2] [Host test2-emac]
+    Apr 23 07:03:53 machinename sshd[29961]: User root from 12.3.4.5
   not allowed because not listed in AllowUsers
-  -  sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1.  Don't panic.
-  -  Sep  4 23:58:33 junction sshd[9351]: fatal: Write failed: Broken pipe
-  -  Sep 18 14:58:47 ix sshd[11816]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
-  -  Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
-  -  Aug 10 08:38:40 junction sshd[20013]: error: connect_to 192.168.179 port 8080: failed
-  -  Jun  9 00:00:01 ix sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1.  Don't panic.
-  -  Jan 26 11:57:26 ix sshd[14879]: error: connect to ix.example.com port 7777 failed: Connection refused
-  -  Oct  8 10:07:27 y sshd[7644]: debug1: attempt 2 failures 2
-  -  Oct  8 08:58:37 y sshd[6956]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
-  -  Oct  8 08:48:33 y sshd[6856]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
-  -  Oct  8 11:18:26 172.16.51.132 sshd[7618]: error: PAM: Module is unknown for ddp from 172.16.51.1
-  -  Jun 19 20:56:00 tiny sshd[11605]: fatal: Write failed: Host is down
-  -  Jun 11 06:32:17 gorilla sshd[28293]: fatal: buffer_get_bignum2: buffer error
-  -  Jun 11 06:32:17 gorilla sshd[28293]: error: buffer_get_bignum2_ret: negative numbers not supported
-  -  Apr 14 19:28:21 gorilla sshd[31274]: Connection closed by 192.168.1.33
-  -  Jun 22 12:01:13 junction sshd[11283]: Received disconnect from 212.14.228.46: 11: Bye Bye
-  -  Nov  9 07:40:25 ginaz sshd[5973]: error: setsockopt SO_KEEPALIVE: Connection reset by peer
-  -  Nov  2 12:08:27 192.168.17.7 sshd[9665]: fatal: Cannot bind any address.
-  -  Nov  2 12:11:40 192.168.17.7 sshd[9814]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
-  -  Nov  6 09:53:38 hagal sshd[697]: error: accept: Software caused connection abort
-  -  Nov  9 11:36:55 ecaz sshd[26967]: pam_succeed_if(sshd:auth): error retrieving information about user _z9xxbBW
+    sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1.  Don't panic.
+    Sep  4 23:58:33 junction sshd[9351]: fatal: Write failed: Broken pipe
+    Sep 18 14:58:47 ix sshd[11816]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
+    Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
+    Aug 10 08:38:40 junction sshd[20013]: error: connect_to 192.168.179 port 8080: failed
+    Jun  9 00:00:01 ix sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1.  Don't panic.
+    Jan 26 11:57:26 ix sshd[14879]: error: connect to ix.example.com port 7777 failed: Connection refused
+    Oct  8 10:07:27 y sshd[7644]: debug1: attempt 2 failures 2
+    Oct  8 08:58:37 y sshd[6956]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
+    Oct  8 08:48:33 y sshd[6856]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
+    Oct  8 11:18:26 172.16.51.132 sshd[7618]: error: PAM: Module is unknown for ddp from 172.16.51.1
+    Jun 19 20:56:00 tiny sshd[11605]: fatal: Write failed: Host is down
+    Jun 11 06:32:17 gorilla sshd[28293]: fatal: buffer_get_bignum2: buffer error
+    Jun 11 06:32:17 gorilla sshd[28293]: error: buffer_get_bignum2_ret: negative numbers not supported
+    Apr 14 19:28:21 gorilla sshd[31274]: Connection closed by 192.168.1.33
+    Jun 22 12:01:13 junction sshd[11283]: Received disconnect from 212.14.228.46: 11: Bye Bye
+    Nov  9 07:40:25 ginaz sshd[5973]: error: setsockopt SO_KEEPALIVE: Connection reset by peer
+    Nov  2 12:08:27 192.168.17.7 sshd[9665]: fatal: Cannot bind any address.
+    Nov  2 12:11:40 192.168.17.7 sshd[9814]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
+    Nov  6 09:53:38 hagal sshd[697]: error: accept: Software caused connection abort
+    Nov  9 11:36:55 ecaz sshd[26967]: pam_succeed_if(sshd:auth): error retrieving information about user _z9xxbBW
   -->
 
 <decoder name="sshd">
@@ -146,14 +141,14 @@
 </decoder>
 
 <!--
-Jul 12 16:10:26 cloud sshd[14486]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 112.98.69.104 port 3533
-Jul 12 16:10:41 cloud sshd[14530]: Bad protocol version identification 'GET http://check2.zennolab.com/proxy.php HTTP/1.1' from 46.182.129.46 port 60866
-Jul 12 16:11:31 cloud sshd[14582]: Bad protocol version identification 'GET http://www.msftncsi.com/ncsi.txt HTTP/1.1' from 88.244.115.169 port 62240
-Jul 12 16:12:15 cloud sshd[14662]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 118.76.116.187 port 54513
-e.g. OpenSSH > 7.2:
-Sep  4 21:13:05 example sshd[12853]: Did not receive identification string from 192.168.0.1 port 33021
-e.g. OpenSSH <= 7.2:
-Sep  4 21:14:25 example sshd[18368]: Did not receive identification string from 192.168.0.1
+  Jul 12 16:10:26 cloud sshd[14486]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 112.98.69.104 port 3533
+  Jul 12 16:10:41 cloud sshd[14530]: Bad protocol version identification 'GET http://check2.zennolab.com/proxy.php HTTP/1.1' from 46.182.129.46 port 60866
+  Jul 12 16:11:31 cloud sshd[14582]: Bad protocol version identification 'GET http://www.msftncsi.com/ncsi.txt HTTP/1.1' from 88.244.115.169 port 62240
+  Jul 12 16:12:15 cloud sshd[14662]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 118.76.116.187 port 54513
+  e.g. OpenSSH > 7.2:
+    Sep  4 21:13:05 example sshd[12853]: Did not receive identification string from 192.168.0.1 port 33021
+  e.g. OpenSSH <= 7.2:
+    Sep  4 21:14:25 example sshd[18368]: Did not receive identification string from 192.168.0.1
 -->
 
 <decoder name="ssh-scan2">
@@ -184,22 +179,6 @@ Sep  4 21:14:25 example sshd[18368]: Did not receive identification string from
   <order>srcip</order>
 </decoder>
 
-<!--XXX
-<decoder name="ssh-pam">
-  <parent>sshd</parent>
-  <prematch>PAM: Module</prematch>
-  <regex>for (\S+) from (\S+)$</regex>
-  <order>user, srcip</order>
-</decoder>
-
-<decoder name="ssh-connect-to">
-  <parent>sshd</parent>
-  <prematch>connect_to</prematch>
-  <regex>connect_to: (\S+) port (\d+):</regex>
-  <order>dstip,dstport</order>
-</decoder>
--->
-
 <decoder name="sshd-ldap">
   <parent>sshd</parent>
   <prematch>^pam_ldap: </prematch>
@@ -221,15 +200,6 @@ Sep  4 21:14:25 example sshd[18368]: Did not receive identification string from
   <order>srcip, user</order>
 </decoder>
 
-<!--
-<decoder name="sshd-invalid">
-  <parent>sshd</parent>
-  <prematch>^input_user_auth_request: </prematch>
-  <regex offset="after_prematch"> user (\S+)</regex>
-  <order>user</order>
-</decoder>
--->
-
 <decoder name="sshd-exceed">
   <parent>sshd</parent>
   <prematch> exceeded for </prematch>
@@ -238,6 +208,7 @@ Sep  4 21:14:25 example sshd[18368]: Did not receive identification string from
 </decoder>
 
 <!-- Reverse lookup error -->
+<!-- 2020-03-25 09:01:30.852002-0700  localhost sshd[11885]: Address 192.168.33.1 maps to hostname, but this does not map back to the address. -->
 <decoder name="sshd-rmap">
   <parent>sshd</parent>
   <prematch>but this does not map back</prematch>
@@ -246,6 +217,7 @@ Sep  4 21:14:25 example sshd[18368]: Did not receive identification string from
 </decoder>
 
 <!-- connection reset -->
+<!-- 2020-03-25 08:23:20.933154-0700  localhost sshd[9265]: Connection reset by authenticating user user 192.168.33.1 port 51772 [preauth] -->
 <decoder name="sshd-reset">
   <parent>sshd</parent>
   <prematch>Connection reset</prematch>
@@ -254,6 +226,7 @@ Sep  4 21:14:25 example sshd[18368]: Did not receive identification string from
 </decoder>
 
 <!-- Dissconected from user -->
+<!-- 2020-03-24 08:38:47.230409-0700  localhost sshd[2531]: Disconnected from user user 172.18.1.100 port 43042 -->
 <decoder name="sshd-disconnect">
   <parent>sshd</parent>
   <prematch>Disconnected from user </prematch>
@@ -266,4 +239,4 @@ Sep  4 21:14:25 example sshd[18368]: Did not receive identification string from
   <parent>sshd</parent>
   <regex>for (\S+) from (\S+)</regex>
   <order>srcuser, srcip</order>
-</decoder>
+</decoder>