Rework of #10768 - PR: Merge macos-sshd ruleset into sshd ruleset #11388

Merged
merged 10 commits into from Jan 17, 2022
113 changes: 54 additions & 59 deletions ruleset/decoders/0310-ssh_decoders.xml
@@ -1,59 +1,54 @@
<!--
- SSH decoders
- Author: Daniel Cid.
- Updated by Wazuh, Inc.
- Copyright (C) 2015-2021, Wazuh Inc.
- Copyright (C) 2009 Trend Micro Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
Copyright (C) 2015-2021, Wazuh Inc.
-->


<!--
- Will extract username and srcip from the logs.
- Only add to the FTS if the login was successful
- If the login failed, just extract the username/srcip for correlation
- Examples:
- sshd[8813]: Accepted password for root from 192.168.10.1 port 1066 ssh2
- sshd[2404]: Accepted password for root from 192.168.11.1 port 2011 ssh2
- sshd[21405]: Accepted password for root from 192.1.1.1 port 6023 ssh2
- sshd[21487]: Failed password for root from 192.168.1.1 port 1045 ssh2
- sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
- sshd[12675]: Failed password for invalid user lala11 from x.x.x.x ..
- sshd[12914]: Failed password for invalid user lala6 from ...
- sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
- sshd[11259]: Invalid user abc from 127.0.0.1
- "" Failed keyboard-interactive for root from 192.1.1.1 port 1066 ssh2
- sshd[23857]: [ID 702911 auth.notice] User xxx, coming from zzzz,
- authenticated.
- sshd[23578]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
- sshd[61834]: reverse mapping checking getaddrinfo for sv.tvcm.ch
- failed - POSSIBLE BREAKIN ATTEMPT!
- sshd[3251]: User root not allowed because listed in DenyUsers
- [Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3] [UID -2] [GID -2] [Host Hostname]
- [Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800] [Message refused connect from 51.124.44.34] [Level 4] [UID -2] [GID -2] [Host test2-emac]
- Apr 23 07:03:53 machinename sshd[29961]: User root from 12.3.4.5
Will extract username and srcip from the logs.
Only add to the FTS if the login was successful
If the login failed, just extract the username/srcip for correlation
Examples:
sshd[8813]: Accepted password for root from 192.168.10.1 port 1066 ssh2
sshd[2404]: Accepted password for root from 192.168.11.1 port 2011 ssh2
sshd[21405]: Accepted password for root from 192.1.1.1 port 6023 ssh2
sshd[21487]: Failed password for root from 192.168.1.1 port 1045 ssh2
sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
sshd[12675]: Failed password for invalid user lala11 from x.x.x.x ..
sshd[12914]: Failed password for invalid user lala6 from ...
sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
sshd[11259]: Invalid user abc from 127.0.0.1
"" Failed keyboard-interactive for root from 192.1.1.1 port 1066 ssh2
sshd[23857]: [ID 702911 auth.notice] User xxx, coming from zzzz,
authenticated.
sshd[23578]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
sshd[61834]: reverse mapping checking getaddrinfo for sv.tvcm.ch
failed - POSSIBLE BREAKIN ATTEMPT!
sshd[3251]: User root not allowed because listed in DenyUsers
[Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3] [UID -2] [GID -2] [Host Hostname]
[Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800] [Message refused connect from 51.124.44.34] [Level 4] [UID -2] [GID -2] [Host test2-emac]
Apr 23 07:03:53 machinename sshd[29961]: User root from 12.3.4.5
not allowed because not listed in AllowUsers
- sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.
- Sep 4 23:58:33 junction sshd[9351]: fatal: Write failed: Broken pipe
- Sep 18 14:58:47 ix sshd[11816]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
- Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
- Aug 10 08:38:40 junction sshd[20013]: error: connect_to 192.168.179 port 8080: failed
- Jun 9 00:00:01 ix sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.
- Jan 26 11:57:26 ix sshd[14879]: error: connect to ix.example.com port 7777 failed: Connection refused
- Oct 8 10:07:27 y sshd[7644]: debug1: attempt 2 failures 2
- Oct 8 08:58:37 y sshd[6956]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
- Oct 8 08:48:33 y sshd[6856]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
- Oct 8 11:18:26 172.16.51.132 sshd[7618]: error: PAM: Module is unknown for ddp from 172.16.51.1
- Jun 19 20:56:00 tiny sshd[11605]: fatal: Write failed: Host is down
- Jun 11 06:32:17 gorilla sshd[28293]: fatal: buffer_get_bignum2: buffer error
- Jun 11 06:32:17 gorilla sshd[28293]: error: buffer_get_bignum2_ret: negative numbers not supported
- Apr 14 19:28:21 gorilla sshd[31274]: Connection closed by 192.168.1.33
- Jun 22 12:01:13 junction sshd[11283]: Received disconnect from 212.14.228.46: 11: Bye Bye
- Nov 9 07:40:25 ginaz sshd[5973]: error: setsockopt SO_KEEPALIVE: Connection reset by peer
- Nov 2 12:08:27 192.168.17.7 sshd[9665]: fatal: Cannot bind any address.
- Nov 2 12:11:40 192.168.17.7 sshd[9814]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
- Nov 6 09:53:38 hagal sshd[697]: error: accept: Software caused connection abort
- Nov 9 11:36:55 ecaz sshd[26967]: pam_succeed_if(sshd:auth): error retrieving information about user _z9xxbBW
sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.
Sep 4 23:58:33 junction sshd[9351]: fatal: Write failed: Broken pipe
Sep 18 14:58:47 ix sshd[11816]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
Aug 10 08:38:40 junction sshd[20013]: error: connect_to 192.168.179 port 8080: failed
Jun 9 00:00:01 ix sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.
Jan 26 11:57:26 ix sshd[14879]: error: connect to ix.example.com port 7777 failed: Connection refused
Oct 8 10:07:27 y sshd[7644]: debug1: attempt 2 failures 2
Oct 8 08:58:37 y sshd[6956]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
Oct 8 08:48:33 y sshd[6856]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Oct 8 11:18:26 172.16.51.132 sshd[7618]: error: PAM: Module is unknown for ddp from 172.16.51.1
Jun 19 20:56:00 tiny sshd[11605]: fatal: Write failed: Host is down
Jun 11 06:32:17 gorilla sshd[28293]: fatal: buffer_get_bignum2: buffer error
Jun 11 06:32:17 gorilla sshd[28293]: error: buffer_get_bignum2_ret: negative numbers not supported
Apr 14 19:28:21 gorilla sshd[31274]: Connection closed by 192.168.1.33
Jun 22 12:01:13 junction sshd[11283]: Received disconnect from 212.14.228.46: 11: Bye Bye
Nov 9 07:40:25 ginaz sshd[5973]: error: setsockopt SO_KEEPALIVE: Connection reset by peer
Nov 2 12:08:27 192.168.17.7 sshd[9665]: fatal: Cannot bind any address.
Nov 2 12:11:40 192.168.17.7 sshd[9814]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
Nov 6 09:53:38 hagal sshd[697]: error: accept: Software caused connection abort
Nov 9 11:36:55 ecaz sshd[26967]: pam_succeed_if(sshd:auth): error retrieving information about user _z9xxbBW
-->

<decoder name="sshd">
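Review bot: the header block drops the original author line ("Author: Daniel Cid."), the "Copyright (C) 2009 Trend Micro Inc." notice and the GPLv2 statement, keeping only the Wazuh copyright; if the decoder file is still derived from that GPLv2 code, those lines need to stay (or the licence situation should be stated in the PR description). Everything else in this hunk is an indentation-only reflow of the comment, so the attribution change is the one substantive edit here and is easy to miss.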
@@ -146,14 +141,14 @@
</decoder>

<!--
Jul 12 16:10:26 cloud sshd[14486]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 112.98.69.104 port 3533
Jul 12 16:10:41 cloud sshd[14530]: Bad protocol version identification 'GET http://check2.zennolab.com/proxy.php HTTP/1.1' from 46.182.129.46 port 60866
Jul 12 16:11:31 cloud sshd[14582]: Bad protocol version identification 'GET http://www.msftncsi.com/ncsi.txt HTTP/1.1' from 88.244.115.169 port 62240
Jul 12 16:12:15 cloud sshd[14662]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 118.76.116.187 port 54513
e.g. OpenSSH > 7.2:
Sep 4 21:13:05 example sshd[12853]: Did not receive identification string from 192.168.0.1 port 33021
e.g. OpenSSH <= 7.2:
Sep 4 21:14:25 example sshd[18368]: Did not receive identification string from 192.168.0.1
Jul 12 16:10:26 cloud sshd[14486]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 112.98.69.104 port 3533
Jul 12 16:10:41 cloud sshd[14530]: Bad protocol version identification 'GET http://check2.zennolab.com/proxy.php HTTP/1.1' from 46.182.129.46 port 60866
Jul 12 16:11:31 cloud sshd[14582]: Bad protocol version identification 'GET http://www.msftncsi.com/ncsi.txt HTTP/1.1' from 88.244.115.169 port 62240
Jul 12 16:12:15 cloud sshd[14662]: Bad protocol version identification 'GET http://m.search.yahoo.com/ HTTP/1.1' from 118.76.116.187 port 54513
e.g. OpenSSH > 7.2:
Sep 4 21:13:05 example sshd[12853]: Did not receive identification string from 192.168.0.1 port 33021
e.g. OpenSSH <= 7.2:
Sep 4 21:14:25 example sshd[18368]: Did not receive identification string from 192.168.0.1
-->

<decoder name="ssh-scan2">
@@ -266,4 +261,4 @@ Sep 4 21:14:25 example sshd[18368]: Did not receive identification string from
<parent>sshd</parent>
<regex>for (\S+) from (\S+)</regex>
<order>srcuser, srcip</order>
</decoder>
</decoder>
33 changes: 19 additions & 14 deletions ruleset/rules/0095-sshd_rules.xml
@@ -1,10 +1,9 @@
<!--
- SSH rules
- Author: Daniel Cid.
- Updated by Wazuh, Inc.
- Copyright (C) 2015-2021, Wazuh Inc.
- Copyright (C) 2009 Trend Micro Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
Copyright (C) 2015-2021, Wazuh Inc.
-->

<!--
SSH rules ID: 5700 - 5764
-->

<group name="syslog,sshd,">
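Review bot: the "SSH rules ID: 5700 - 5764" range comment is now stale, because this same PR adds rule 5765 at the end of the file; update it to 5765 (or widen the reserved range) so the next contributor does not allocate a colliding id. As in the decoder file, this header also drops the Daniel Cid / Trend Micro attribution and the GPLv2 line, which should be confirmed as intentional.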
@@ -111,7 +110,7 @@
<rule id="5712" level="10" frequency="8" timeframe="120" ignore="60">
<if_matched_sid>5710</if_matched_sid>
<description>sshd: brute force trying to get access to </description>
<description>the system.</description>
<description>the system. Non existent user.</description>
<mitre>
<id>T1110</id>
</mitre>
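Review bot: "Non existent user." should read "Non-existent user." in the second `<description>` of rule 5712; since the two `<description>` elements are concatenated into one alert text, the full string becomes "sshd: brute force trying to get access to the system. Non-existent user.", which is what distinguishes this rule from the new 5765 added later in the diff, so the wording matters for anyone filtering on description.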
@@ -128,12 +127,12 @@
<rule id="5714" level="14" timeframe="120" frequency="3">
<if_matched_sid>5713</if_matched_sid>
<match>Local: crc32 compensation attack</match>
<info type="cve">2001-0144</info>
<info type="link">http://www.securityfocus.com/bid/2347/info/</info>
<description>sshd: SSH CRC-32 Compensation attack</description>
<mitre>
<id>T1210</id>
</mitre>
<info type="cve">2001-0144</info>
<info type="link">http://www.securityfocus.com/bid/2347/info/</info>
<group>exploit_attempt,pci_dss_11.4,pci_dss_6.2,gpg13_4.12,gdpr_IV_35.7.d,nist_800_53_SI.4,nist_800_53_SI.2,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

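Review bot: moving the two `<info>` elements below `<mitre>` in rule 5714 is ordering-only and changes nothing functionally; if the intent is a house ordering (description, mitre, info, group), apply it to the other rules in this file in the same change rather than to this one rule, otherwise the reorder is noise. The link still points at plain `http://www.securityfocus.com/bid/2347/info/`; consider whether an https reference for CVE-2001-0144 would be a better pointer while this block is being touched.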
@@ -375,11 +374,6 @@
<description>sshd: bad client public DH value</description>
</rule>

<!-- log sample with context:
Nov 22 19:24:52 server sshd[4045]: Connection from 117.117.198.5 port 60304
Nov 22 19:24:55 server sshd[4046]: Corrupted MAC on input.
Nov 22 19:25:15 server sshd[4046]: Connection closed by 117.117.198.5
-->
<rule id="5748" level="6">
<if_sid>5700</if_sid>
<match>Corrupted MAC on input.</match>
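Review bot: deleting the "log sample with context" comment removes the only documented test vector for rule 5748's `<match>Corrupted MAC on input.</match>`; keep the three sample lines (Connection from ... / Corrupted MAC on input. / Connection closed by ...) next to the rule, or move them into the ruleset test suite, so the match string remains verifiable against a real sshd message.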
@@ -493,4 +487,15 @@
<group>invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

<rule id="5765" level="10" frequency="8" timeframe="120" ignore="60">
<if_matched_sid>5760</if_matched_sid>
<description>sshd: brute force trying to get access to </description>
<description>the system. Authenthication failed.</description>
<same_source_ip />
<group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>

</group>
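Review bot: typo in the new rule 5765's second `<description>`: "Authenthication failed." should be "Authentication failed." Element order here (description, same_source_ip, group, mitre) also differs from rule 5714 earlier in this diff, where `<group>` is the last child; pick one ordering for the file. Otherwise the rule mirrors 5712 (level 10, frequency 8, timeframe 120, ignore 60, `<same_source_ip />`, T1110) but keys on 5760 instead of 5710, so the two brute-force rules now split cleanly between non-existent-user and failed-password cases, which is what the PR sets out to do.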