1 |
1 |
#####
|
2 |
2 |
#
|
3 |
3 |
# Copyright (C) 2002,2004 Nicolas Delon <nicolas@prelude-ids.org>
|
|
4 |
# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
|
4 |
5 |
# All Rights Reserved
|
5 |
6 |
#
|
6 |
7 |
# This program is free software; you can redistribute it and/or modify
|
7 |
|
# it under the terms of the GNU General Public License as published by
|
|
8 |
# it under the terms of the GNU General Public License as published by
|
8 |
9 |
# the Free Software Foundation; either version 2, or (at your option)
|
9 |
10 |
# any later version.
|
10 |
11 |
#
|
... | ... | |
24 |
25 |
###################
|
25 |
26 |
|
26 |
27 |
#LOG:Dec 8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
|
27 |
|
regex=Accepted (\S+) for root from ([\d\.]+) port (\d+); \
|
|
28 |
#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for root from fec0:0:201::3 port 63018 ssh2
|
|
29 |
regex=Accepted (\S+) for root from (\S+) port (\d+); \
|
28 |
30 |
classification.text=Admin login successful; \
|
29 |
|
id=1900; \
|
|
31 |
id=1908; \
|
30 |
32 |
revision=2; \
|
31 |
33 |
analyzer(0).name=sshd; \
|
32 |
34 |
analyzer(0).manufacturer=OpenSSH; \
|
33 |
35 |
analyzer(0).class=Remote Login; \
|
34 |
|
assessment.impact.severity=low; \
|
|
36 |
assessment.impact.severity=medium; \
|
35 |
37 |
assessment.impact.completion=succeeded; \
|
36 |
38 |
assessment.impact.type=admin; \
|
37 |
|
assessment.impact.description=Root logged in from $2:$3 using the $1 method; \
|
38 |
|
source(0).node.address(0).category=ipv4-addr; \
|
|
39 |
assessment.impact.description=Root logged in from $2 port $3 using the $1 method; \
|
39 |
40 |
source(0).node.address(0).address=$2; \
|
40 |
41 |
source(0).service.port=$3; \
|
41 |
42 |
source(0).service.iana_protocol_name=tcp; \
|
... | ... | |
52 |
53 |
additional_data(0).data=$1; \
|
53 |
54 |
last;
|
54 |
55 |
|
|
56 |
|
|
57 |
#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for john from fec0:0:201::3 port 63018 ssh2
|
|
58 |
regex=Accepted (\S+) for (?!root)(\S+) from (\S+) port (\d+); \
|
|
59 |
classification.text=User login successful; \
|
|
60 |
id=1909; \
|
|
61 |
revision=2; \
|
|
62 |
analyzer(0).name=sshd; \
|
|
63 |
analyzer(0).manufacturer=OpenSSH; \
|
|
64 |
analyzer(0).class=Remote Login; \
|
|
65 |
assessment.impact.severity=low; \
|
|
66 |
assessment.impact.completion=succeeded; \
|
|
67 |
assessment.impact.type=user; \
|
|
68 |
assessment.impact.description=$2 logged in from $3 port $4 using the $1 method; \
|
|
69 |
source(0).node.address(0).address=$3; \
|
|
70 |
source(0).service.port=$4; \
|
|
71 |
source(0).service.iana_protocol_name=tcp; \
|
|
72 |
source(0).service.iana_protocol_number=6; \
|
|
73 |
target(0).service.port=22; \
|
|
74 |
target(0).service.name=ssh; \
|
|
75 |
target(0).service.iana_protocol_name=tcp; \
|
|
76 |
target(0).service.iana_protocol_number=6; \
|
|
77 |
target(0).user.category=os-device; \
|
|
78 |
target(0).user.user_id(0).type=target-user; \
|
|
79 |
target(0).user.user_id(0).name=$2; \
|
|
80 |
additional_data(0).type=string; \
|
|
81 |
additional_data(0).meaning=Authentication method; \
|
|
82 |
additional_data(0).data=$1; \
|
|
83 |
last;
|
|
84 |
|
|
85 |
|
55 |
86 |
#LOG:Dec 10 10:33:19 itguxweb2 sshd[29738]: Accepted password for ekwong from 12.34.56.78 port 39852 ssh2
|
56 |
|
regex=Accepted (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
|
|
87 |
regex=Accepted (\S+) for (?!root)(\S+) from (\S+) port (\d+); \
|
57 |
88 |
classification.text=User login successful; \
|
58 |
89 |
id=1901; \
|
59 |
90 |
revision=2; \
|
... | ... | |
64 |
95 |
assessment.impact.completion=succeeded; \
|
65 |
96 |
assessment.impact.type=user; \
|
66 |
97 |
assessment.impact.description=User $2 logged in from $3:$4 using the $1 method; \
|
67 |
|
source(0).node.address(0).category=ipv4-addr; \
|
68 |
98 |
source(0).node.address(0).address=$3; \
|
69 |
99 |
source(0).service.port=$4; \
|
70 |
100 |
source(0).service.iana_protocol_name=tcp; \
|
... | ... | |
86 |
116 |
################
|
87 |
117 |
|
88 |
118 |
#LOG:Dec 9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806
|
89 |
|
regex=Failed (\S+) for root from ([\d\.]+) port (\d+); \
|
|
119 |
regex=Failed (\S+) for root from (\S+) port (\d+); \
|
90 |
120 |
classification.text=Admin login failed; \
|
91 |
121 |
id=1902; \
|
92 |
122 |
revision=2; \
|
... | ... | |
97 |
127 |
assessment.impact.completion=failed; \
|
98 |
128 |
assessment.impact.type=admin; \
|
99 |
129 |
assessment.impact.description=Someone tried to login as root from $2:$3 using the $1 method; \
|
100 |
|
source(0).node.address(0).category=ipv4-addr; \
|
101 |
130 |
source(0).node.address(0).address=$2; \
|
102 |
131 |
source(0).service.port=$3; \
|
103 |
132 |
source(0).service.iana_protocol_name=tcp; \
|
... | ... | |
115 |
144 |
last
|
116 |
145 |
|
117 |
146 |
#LOG:Dec 9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214
|
118 |
|
regex=Failed (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
|
|
147 |
regex=Failed (\S+) for (?!root)(\S+) from (\S+) port (\d+); \
|
119 |
148 |
classification.text=User login failed; \
|
120 |
149 |
id=1903; \
|
121 |
150 |
revision=2; \
|
... | ... | |
126 |
155 |
assessment.impact.completion=failed; \
|
127 |
156 |
assessment.impact.type=user; \
|
128 |
157 |
assessment.impact.description=Someone tried to login as $2 from $3:$4 using the $1 method; \
|
129 |
|
source(0).node.address(0).category=ipv4-addr; \
|
130 |
158 |
source(0).node.address(0).address=$3; \
|
131 |
159 |
source(0).service.port=$4; \
|
132 |
160 |
source(0).service.iana_protocol_name=tcp; \
|
... | ... | |
149 |
177 |
|
150 |
178 |
#LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from 213.201.222.134
|
151 |
179 |
|
152 |
|
regex=(Illegal|Invalid) user (\S+) from ([\d\.]+); \
|
|
180 |
regex=(Illegal|Invalid) user (\S+) from (\S+); \
|
153 |
181 |
classification.text=User login failed with an invalid user; \
|
154 |
182 |
id=1904; \
|
155 |
183 |
revision=1; \
|
... | ... | |
160 |
188 |
assessment.impact.completion=failed; \
|
161 |
189 |
assessment.impact.type=user; \
|
162 |
190 |
assessment.impact.description=Someone tried to login with the invalid user "$2" from $3; \
|
163 |
|
source(0).node.address(0).category=ipv4-addr; \
|
164 |
191 |
source(0).node.address(0).address=$3; \
|
165 |
192 |
source(0).service.iana_protocol_name=tcp; \
|
166 |
193 |
source(0).service.iana_protocol_number=6; \
|
... | ... | |
213 |
240 |
|
214 |
241 |
# LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 1.2.3.4
|
215 |
242 |
#
|
216 |
|
regex=Did not receive identification string from ([\d\.]+); \
|
|
243 |
regex=Did not receive identification string from (\S+); \
|
217 |
244 |
classification.text=Server recognition; \
|
218 |
245 |
id=1906; \
|
219 |
246 |
revision=2; \
|
... | ... | |
224 |
251 |
assessment.impact.completion=failed; \
|
225 |
252 |
assessment.impact.type=recon; \
|
226 |
253 |
assessment.impact.description=$1 is probably making a server recognition; \
|
227 |
|
source(0).node.address(0).category=ipv4-addr; \
|
228 |
254 |
source(0).node.address(0).address=$1; \
|
229 |
255 |
source(0).service.iana_protocol_name=tcp; \
|
230 |
256 |
source(0).service.iana_protocol_number=6; \
|
... | ... | |
245 |
271 |
|
246 |
272 |
# LOG:Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
|
247 |
273 |
#
|
248 |
|
regex=ROOT LOGIN REFUSED FROM ([\d\.]+); \
|
|
274 |
regex=ROOT LOGIN REFUSED FROM (\S+); \
|
249 |
275 |
classification.text=Admin login forbidden; \
|
250 |
276 |
id=1907; \
|
251 |
277 |
revision=1; \
|
... | ... | |
256 |
282 |
assessment.impact.completion=failed; \
|
257 |
283 |
assessment.impact.type=admin; \
|
258 |
284 |
assessment.impact.description=Root tried to login while it is forbidden; \
|
259 |
|
source(0).node.address(0).category=ipv4-addr; \
|
260 |
285 |
source(0).node.address(0).address=$1; \
|
261 |
286 |
source(0).service.iana_protocol_name=tcp; \
|
262 |
287 |
source(0).service.iana_protocol_number=6; \
|
... | ... | |
269 |
294 |
target(0).user.user_id(0).name=root; \
|
270 |
295 |
last
|
271 |
296 |
|
272 |
|
# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
|
273 |
|
# All Rights Reserved
|
274 |
|
|
275 |
|
#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for root from fec0:0:201::3 port 63018 ssh2
|
276 |
|
regex=Accepted (\S+) for root from ([A-Fa-f\d:\.]+) port (\d+); \
|
277 |
|
classification.text=User login successful; \
|
278 |
|
id=1908; \
|
279 |
|
revision=2; \
|
280 |
|
analyzer(0).name=sshd; \
|
281 |
|
analyzer(0).manufacturer=OpenSSH; \
|
282 |
|
analyzer(0).class=Remote Login; \
|
283 |
|
assessment.impact.severity=medium; \
|
284 |
|
assessment.impact.completion=succeeded; \
|
285 |
|
assessment.impact.type=admin; \
|
286 |
|
assessment.impact.description=Root logged in from $2 port $3 using the $1 method; \
|
287 |
|
source(0).node.address(0).category=ipv6-addr; \
|
288 |
|
source(0).node.address(0).address=$2; \
|
289 |
|
source(0).service.port=$3; \
|
290 |
|
source(0).service.iana_protocol_name=tcp; \
|
291 |
|
source(0).service.iana_protocol_number=6; \
|
292 |
|
target(0).service.port=22; \
|
293 |
|
target(0).service.name=ssh; \
|
294 |
|
target(0).service.iana_protocol_name=tcp; \
|
295 |
|
target(0).service.iana_protocol_number=6; \
|
296 |
|
target(0).user.category=os-device; \
|
297 |
|
target(0).user.user_id(0).type=target-user; \
|
298 |
|
target(0).user.user_id(0).name=root; \
|
299 |
|
additional_data(0).type=string; \
|
300 |
|
additional_data(0).meaning=Authentication method; \
|
301 |
|
additional_data(0).data=$1; \
|
302 |
|
last;
|
303 |
|
|
304 |
|
# Copyright (C) 2005 John R Shannon <john@johnrshannon.com>
|
305 |
|
# All Rights Reserved
|
306 |
|
|
307 |
|
#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for john from fec0:0:201::3 port 63018 ssh2
|
308 |
|
regex=Accepted (\S+) for (?!root)(\S+) from ([A-Fa-f\d:\.]+) port (\d+); \
|
309 |
|
classification.text=User login successful; \
|
310 |
|
id=1909; \
|
311 |
|
revision=2; \
|
312 |
|
analyzer(0).name=sshd; \
|
313 |
|
analyzer(0).manufacturer=OpenSSH; \
|
314 |
|
analyzer(0).class=Remote Login; \
|
315 |
|
assessment.impact.severity=low; \
|
316 |
|
assessment.impact.completion=succeeded; \
|
317 |
|
assessment.impact.type=user; \
|
318 |
|
assessment.impact.description=$2 logged in from $3 port $4 using the $1 method; \
|
319 |
|
source(0).node.address(0).category=ipv6-addr; \
|
320 |
|
source(0).node.address(0).address=$3; \
|
321 |
|
source(0).service.port=$4; \
|
322 |
|
source(0).service.iana_protocol_name=tcp; \
|
323 |
|
source(0).service.iana_protocol_number=6; \
|
324 |
|
target(0).service.port=22; \
|
325 |
|
target(0).service.name=ssh; \
|
326 |
|
target(0).service.iana_protocol_name=tcp; \
|
327 |
|
target(0).service.iana_protocol_number=6; \
|
328 |
|
target(0).user.category=os-device; \
|
329 |
|
target(0).user.user_id(0).type=target-user; \
|
330 |
|
target(0).user.user_id(0).name=root; \
|
331 |
|
additional_data(0).type=string; \
|
332 |
|
additional_data(0).meaning=Authentication method; \
|
333 |
|
additional_data(0).data=$1; \
|
334 |
|
last;
|
335 |
297 |
|
336 |
298 |
#LOG:Jan 14 08:19:21 ras sshd[22774]: input_userauth_request: invalid user remote-mail
|
337 |
299 |
# Re: Generic Message Exchange Authentication For SSH
|
... | ... | |
388 |
350 |
|
389 |
351 |
#LOG:Dec 9 18:48:29 itguxweb2 sshd[29536]: Failed password for illegal user ROOT from 12.34.56.78 port 2886
|
390 |
352 |
#LOG:Jan 14 08:19:21 ras sshd[22774]: Failed none for invalid user remote-mail from 192.168.1.22 port 65407 ssh2
|
391 |
|
regex=Failed (\S+) for (illegal|invalid) user (\S+) from ([\d\.]+) port (\d+); \
|
|
353 |
regex=Failed (\S+) for (illegal|invalid) user (\S+) from (\S+) port (\d+); \
|
392 |
354 |
classification.text=User login failed; \
|
393 |
355 |
id=1912; \
|
394 |
356 |
revision=2; \
|
... | ... | |
399 |
361 |
assessment.impact.completion=failed; \
|
400 |
362 |
assessment.impact.type=admin; \
|
401 |
363 |
assessment.impact.description=Someone tried to login as $3 from $4:$5 using the $1 method; \
|
402 |
|
source(0).node.address(0).category=ipv4-addr; \
|
403 |
364 |
source(0).node.address(0).address=$4; \
|
404 |
365 |
source(0).service.port=$5; \
|
405 |
366 |
source(0).service.iana_protocol_name=tcp; \
|
... | ... | |
420 |
381 |
last
|
421 |
382 |
|
422 |
383 |
#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from fec0:0:201::3 port 62788 ssh2
|
423 |
|
regex=Failed (\S+) for (illegal|invalid) user (\S+) from ([A-Fa-f\d:\.]+) port (\d+); \
|
|
384 |
#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from 1.2.3.4 port 62788 ssh2
|
|
385 |
#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from hostname port 62788 ssh2
|
|
386 |
regex=Failed (\S+) for (illegal|invalid) user (\S+) from (\S+) port (\d+); \
|
424 |
387 |
classification.text=SSH Remote login failed; \
|
425 |
388 |
id=1913; \
|
426 |
389 |
revision=2; \
|
... | ... | |
431 |
394 |
assessment.impact.completion=failed; \
|
432 |
395 |
assessment.impact.type=admin; \
|
433 |
396 |
assessment.impact.description=Someone tried to login as $2 from $3:$4 using the $1 method; \
|
434 |
|
source(0).node.address(0).category=ipv6-addr; \
|
435 |
397 |
source(0).node.address(0).address=$4; \
|
436 |
398 |
source(0).service.port=$5; \
|
437 |
399 |
source(0).service.iana_protocol_name=tcp; \
|
... | ... | |
451 |
413 |
additional_data(1).data=$2 user; \
|
452 |
414 |
last
|
453 |
415 |
|
454 |
|
# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
|
455 |
|
# All Rights Reserved
|
456 |
|
|
457 |
416 |
#LOG:Oct 2 14:40:05 suse-9.2 sshd[18725]: error: PAM: Authentication failure for root from unknown.anywhere.net
|
458 |
417 |
regex=error: PAM: Authentication failure for root from (\S+); \
|
459 |
418 |
classification.text=Admin login failed; \
|