| 1 |
1 |
#####
|
| 2 |
2 |
#
|
| 3 |
3 |
# Copyright (C) 2002,2004 Nicolas Delon <nicolas@prelude-ids.org>
|
|
4 |
# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
|
| 4 |
5 |
# All Rights Reserved
|
| 5 |
6 |
#
|
| 6 |
7 |
# This program is free software; you can redistribute it and/or modify
|
| 7 |
|
# it under the terms of the GNU General Public License as published by
|
|
8 |
# it under the terms of the GNU General Public License as published by
|
| 8 |
9 |
# the Free Software Foundation; either version 2, or (at your option)
|
| 9 |
10 |
# any later version.
|
| 10 |
11 |
#
|
| ... | ... | |
| 24 |
25 |
###################
|
| 25 |
26 |
|
| 26 |
27 |
#LOG:Dec 8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
|
| 27 |
|
regex=Accepted (\S+) for root from ([\d\.]+) port (\d+); \
|
|
28 |
#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for root from fec0:0:201::3 port 63018 ssh2
|
|
29 |
regex=Accepted (\S+) for root from (\S+) port (\d+); \
|
| 28 |
30 |
classification.text=Admin login successful; \
|
| 29 |
|
id=1900; \
|
|
31 |
id=1908; \
|
| 30 |
32 |
revision=2; \
|
| 31 |
33 |
analyzer(0).name=sshd; \
|
| 32 |
34 |
analyzer(0).manufacturer=OpenSSH; \
|
| 33 |
35 |
analyzer(0).class=Remote Login; \
|
| 34 |
|
assessment.impact.severity=low; \
|
|
36 |
assessment.impact.severity=medium; \
|
| 35 |
37 |
assessment.impact.completion=succeeded; \
|
| 36 |
38 |
assessment.impact.type=admin; \
|
| 37 |
|
assessment.impact.description=Root logged in from $2:$3 using the $1 method; \
|
| 38 |
|
source(0).node.address(0).category=ipv4-addr; \
|
|
39 |
assessment.impact.description=Root logged in from $2 port $3 using the $1 method; \
|
| 39 |
40 |
source(0).node.address(0).address=$2; \
|
| 40 |
41 |
source(0).service.port=$3; \
|
| 41 |
42 |
source(0).service.iana_protocol_name=tcp; \
|
| ... | ... | |
| 52 |
53 |
additional_data(0).data=$1; \
|
| 53 |
54 |
last;
|
| 54 |
55 |
|
|
56 |
|
|
57 |
#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for john from fec0:0:201::3 port 63018 ssh2
|
|
58 |
regex=Accepted (\S+) for (?!root)(\S+) from (\S+) port (\d+); \
|
|
59 |
classification.text=User login successful; \
|
|
60 |
id=1909; \
|
|
61 |
revision=2; \
|
|
62 |
analyzer(0).name=sshd; \
|
|
63 |
analyzer(0).manufacturer=OpenSSH; \
|
|
64 |
analyzer(0).class=Remote Login; \
|
|
65 |
assessment.impact.severity=low; \
|
|
66 |
assessment.impact.completion=succeeded; \
|
|
67 |
assessment.impact.type=user; \
|
|
68 |
assessment.impact.description=$2 logged in from $3 port $4 using the $1 method; \
|
|
69 |
source(0).node.address(0).address=$3; \
|
|
70 |
source(0).service.port=$4; \
|
|
71 |
source(0).service.iana_protocol_name=tcp; \
|
|
72 |
source(0).service.iana_protocol_number=6; \
|
|
73 |
target(0).service.port=22; \
|
|
74 |
target(0).service.name=ssh; \
|
|
75 |
target(0).service.iana_protocol_name=tcp; \
|
|
76 |
target(0).service.iana_protocol_number=6; \
|
|
77 |
target(0).user.category=os-device; \
|
|
78 |
target(0).user.user_id(0).type=target-user; \
|
|
79 |
target(0).user.user_id(0).name=$2; \
|
|
80 |
additional_data(0).type=string; \
|
|
81 |
additional_data(0).meaning=Authentication method; \
|
|
82 |
additional_data(0).data=$1; \
|
|
83 |
last;
|
|
84 |
|
|
85 |
|
| 55 |
86 |
#LOG:Dec 10 10:33:19 itguxweb2 sshd[29738]: Accepted password for ekwong from 12.34.56.78 port 39852 ssh2
|
| 56 |
|
regex=Accepted (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
|
|
87 |
regex=Accepted (\S+) for (?!root)(\S+) from (\S+) port (\d+); \
|
| 57 |
88 |
classification.text=User login successful; \
|
| 58 |
89 |
id=1901; \
|
| 59 |
90 |
revision=2; \
|
| ... | ... | |
| 64 |
95 |
assessment.impact.completion=succeeded; \
|
| 65 |
96 |
assessment.impact.type=user; \
|
| 66 |
97 |
assessment.impact.description=User $2 logged in from $3:$4 using the $1 method; \
|
| 67 |
|
source(0).node.address(0).category=ipv4-addr; \
|
| 68 |
98 |
source(0).node.address(0).address=$3; \
|
| 69 |
99 |
source(0).service.port=$4; \
|
| 70 |
100 |
source(0).service.iana_protocol_name=tcp; \
|
| ... | ... | |
| 86 |
116 |
################
|
| 87 |
117 |
|
| 88 |
118 |
#LOG:Dec 9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806
|
| 89 |
|
regex=Failed (\S+) for root from ([\d\.]+) port (\d+); \
|
|
119 |
regex=Failed (\S+) for root from (\S+) port (\d+); \
|
| 90 |
120 |
classification.text=Admin login failed; \
|
| 91 |
121 |
id=1902; \
|
| 92 |
122 |
revision=2; \
|
| ... | ... | |
| 97 |
127 |
assessment.impact.completion=failed; \
|
| 98 |
128 |
assessment.impact.type=admin; \
|
| 99 |
129 |
assessment.impact.description=Someone tried to login as root from $2:$3 using the $1 method; \
|
| 100 |
|
source(0).node.address(0).category=ipv4-addr; \
|
| 101 |
130 |
source(0).node.address(0).address=$2; \
|
| 102 |
131 |
source(0).service.port=$3; \
|
| 103 |
132 |
source(0).service.iana_protocol_name=tcp; \
|
| ... | ... | |
| 115 |
144 |
last
|
| 116 |
145 |
|
| 117 |
146 |
#LOG:Dec 9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214
|
| 118 |
|
regex=Failed (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
|
|
147 |
regex=Failed (\S+) for (?!root)(\S+) from (\S+) port (\d+); \
|
| 119 |
148 |
classification.text=User login failed; \
|
| 120 |
149 |
id=1903; \
|
| 121 |
150 |
revision=2; \
|
| ... | ... | |
| 126 |
155 |
assessment.impact.completion=failed; \
|
| 127 |
156 |
assessment.impact.type=user; \
|
| 128 |
157 |
assessment.impact.description=Someone tried to login as $2 from $3:$4 using the $1 method; \
|
| 129 |
|
source(0).node.address(0).category=ipv4-addr; \
|
| 130 |
158 |
source(0).node.address(0).address=$3; \
|
| 131 |
159 |
source(0).service.port=$4; \
|
| 132 |
160 |
source(0).service.iana_protocol_name=tcp; \
|
| ... | ... | |
| 149 |
177 |
|
| 150 |
178 |
#LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from 213.201.222.134
|
| 151 |
179 |
|
| 152 |
|
regex=(Illegal|Invalid) user (\S+) from ([\d\.]+); \
|
|
180 |
regex=(Illegal|Invalid) user (\S+) from (\S+); \
|
| 153 |
181 |
classification.text=User login failed with an invalid user; \
|
| 154 |
182 |
id=1904; \
|
| 155 |
183 |
revision=1; \
|
| ... | ... | |
| 160 |
188 |
assessment.impact.completion=failed; \
|
| 161 |
189 |
assessment.impact.type=user; \
|
| 162 |
190 |
assessment.impact.description=Someone tried to login with the invalid user "$2" from $3; \
|
| 163 |
|
source(0).node.address(0).category=ipv4-addr; \
|
| 164 |
191 |
source(0).node.address(0).address=$3; \
|
| 165 |
192 |
source(0).service.iana_protocol_name=tcp; \
|
| 166 |
193 |
source(0).service.iana_protocol_number=6; \
|
| ... | ... | |
| 213 |
240 |
|
| 214 |
241 |
# LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 1.2.3.4
|
| 215 |
242 |
#
|
| 216 |
|
regex=Did not receive identification string from ([\d\.]+); \
|
|
243 |
regex=Did not receive identification string from (\S+); \
|
| 217 |
244 |
classification.text=Server recognition; \
|
| 218 |
245 |
id=1906; \
|
| 219 |
246 |
revision=2; \
|
| ... | ... | |
| 224 |
251 |
assessment.impact.completion=failed; \
|
| 225 |
252 |
assessment.impact.type=recon; \
|
| 226 |
253 |
assessment.impact.description=$1 is probably making a server recognition; \
|
| 227 |
|
source(0).node.address(0).category=ipv4-addr; \
|
| 228 |
254 |
source(0).node.address(0).address=$1; \
|
| 229 |
255 |
source(0).service.iana_protocol_name=tcp; \
|
| 230 |
256 |
source(0).service.iana_protocol_number=6; \
|
| ... | ... | |
| 245 |
271 |
|
| 246 |
272 |
# LOG:Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
|
| 247 |
273 |
#
|
| 248 |
|
regex=ROOT LOGIN REFUSED FROM ([\d\.]+); \
|
|
274 |
regex=ROOT LOGIN REFUSED FROM (\S+); \
|
| 249 |
275 |
classification.text=Admin login forbidden; \
|
| 250 |
276 |
id=1907; \
|
| 251 |
277 |
revision=1; \
|
| ... | ... | |
| 256 |
282 |
assessment.impact.completion=failed; \
|
| 257 |
283 |
assessment.impact.type=admin; \
|
| 258 |
284 |
assessment.impact.description=Root tried to login while it is forbidden; \
|
| 259 |
|
source(0).node.address(0).category=ipv4-addr; \
|
| 260 |
285 |
source(0).node.address(0).address=$1; \
|
| 261 |
286 |
source(0).service.iana_protocol_name=tcp; \
|
| 262 |
287 |
source(0).service.iana_protocol_number=6; \
|
| ... | ... | |
| 269 |
294 |
target(0).user.user_id(0).name=root; \
|
| 270 |
295 |
last
|
| 271 |
296 |
|
| 272 |
|
# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
|
| 273 |
|
# All Rights Reserved
|
| 274 |
|
|
| 275 |
|
#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for root from fec0:0:201::3 port 63018 ssh2
|
| 276 |
|
regex=Accepted (\S+) for root from ([A-Fa-f\d:\.]+) port (\d+); \
|
| 277 |
|
classification.text=User login successful; \
|
| 278 |
|
id=1908; \
|
| 279 |
|
revision=2; \
|
| 280 |
|
analyzer(0).name=sshd; \
|
| 281 |
|
analyzer(0).manufacturer=OpenSSH; \
|
| 282 |
|
analyzer(0).class=Remote Login; \
|
| 283 |
|
assessment.impact.severity=medium; \
|
| 284 |
|
assessment.impact.completion=succeeded; \
|
| 285 |
|
assessment.impact.type=admin; \
|
| 286 |
|
assessment.impact.description=Root logged in from $2 port $3 using the $1 method; \
|
| 287 |
|
source(0).node.address(0).category=ipv6-addr; \
|
| 288 |
|
source(0).node.address(0).address=$2; \
|
| 289 |
|
source(0).service.port=$3; \
|
| 290 |
|
source(0).service.iana_protocol_name=tcp; \
|
| 291 |
|
source(0).service.iana_protocol_number=6; \
|
| 292 |
|
target(0).service.port=22; \
|
| 293 |
|
target(0).service.name=ssh; \
|
| 294 |
|
target(0).service.iana_protocol_name=tcp; \
|
| 295 |
|
target(0).service.iana_protocol_number=6; \
|
| 296 |
|
target(0).user.category=os-device; \
|
| 297 |
|
target(0).user.user_id(0).type=target-user; \
|
| 298 |
|
target(0).user.user_id(0).name=root; \
|
| 299 |
|
additional_data(0).type=string; \
|
| 300 |
|
additional_data(0).meaning=Authentication method; \
|
| 301 |
|
additional_data(0).data=$1; \
|
| 302 |
|
last;
|
| 303 |
|
|
| 304 |
|
# Copyright (C) 2005 John R Shannon <john@johnrshannon.com>
|
| 305 |
|
# All Rights Reserved
|
| 306 |
|
|
| 307 |
|
#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for john from fec0:0:201::3 port 63018 ssh2
|
| 308 |
|
regex=Accepted (\S+) for (?!root)(\S+) from ([A-Fa-f\d:\.]+) port (\d+); \
|
| 309 |
|
classification.text=User login successful; \
|
| 310 |
|
id=1909; \
|
| 311 |
|
revision=2; \
|
| 312 |
|
analyzer(0).name=sshd; \
|
| 313 |
|
analyzer(0).manufacturer=OpenSSH; \
|
| 314 |
|
analyzer(0).class=Remote Login; \
|
| 315 |
|
assessment.impact.severity=low; \
|
| 316 |
|
assessment.impact.completion=succeeded; \
|
| 317 |
|
assessment.impact.type=user; \
|
| 318 |
|
assessment.impact.description=$2 logged in from $3 port $4 using the $1 method; \
|
| 319 |
|
source(0).node.address(0).category=ipv6-addr; \
|
| 320 |
|
source(0).node.address(0).address=$3; \
|
| 321 |
|
source(0).service.port=$4; \
|
| 322 |
|
source(0).service.iana_protocol_name=tcp; \
|
| 323 |
|
source(0).service.iana_protocol_number=6; \
|
| 324 |
|
target(0).service.port=22; \
|
| 325 |
|
target(0).service.name=ssh; \
|
| 326 |
|
target(0).service.iana_protocol_name=tcp; \
|
| 327 |
|
target(0).service.iana_protocol_number=6; \
|
| 328 |
|
target(0).user.category=os-device; \
|
| 329 |
|
target(0).user.user_id(0).type=target-user; \
|
| 330 |
|
target(0).user.user_id(0).name=root; \
|
| 331 |
|
additional_data(0).type=string; \
|
| 332 |
|
additional_data(0).meaning=Authentication method; \
|
| 333 |
|
additional_data(0).data=$1; \
|
| 334 |
|
last;
|
| 335 |
297 |
|
| 336 |
298 |
#LOG:Jan 14 08:19:21 ras sshd[22774]: input_userauth_request: invalid user remote-mail
|
| 337 |
299 |
# Re: Generic Message Exchange Authentication For SSH
|
| ... | ... | |
| 388 |
350 |
|
| 389 |
351 |
#LOG:Dec 9 18:48:29 itguxweb2 sshd[29536]: Failed password for illegal user ROOT from 12.34.56.78 port 2886
|
| 390 |
352 |
#LOG:Jan 14 08:19:21 ras sshd[22774]: Failed none for invalid user remote-mail from 192.168.1.22 port 65407 ssh2
|
| 391 |
|
regex=Failed (\S+) for (illegal|invalid) user (\S+) from ([\d\.]+) port (\d+); \
|
|
353 |
regex=Failed (\S+) for (illegal|invalid) user (\S+) from (\S+) port (\d+); \
|
| 392 |
354 |
classification.text=User login failed; \
|
| 393 |
355 |
id=1912; \
|
| 394 |
356 |
revision=2; \
|
| ... | ... | |
| 399 |
361 |
assessment.impact.completion=failed; \
|
| 400 |
362 |
assessment.impact.type=admin; \
|
| 401 |
363 |
assessment.impact.description=Someone tried to login as $3 from $4:$5 using the $1 method; \
|
| 402 |
|
source(0).node.address(0).category=ipv4-addr; \
|
| 403 |
364 |
source(0).node.address(0).address=$4; \
|
| 404 |
365 |
source(0).service.port=$5; \
|
| 405 |
366 |
source(0).service.iana_protocol_name=tcp; \
|
| ... | ... | |
| 420 |
381 |
last
|
| 421 |
382 |
|
| 422 |
383 |
#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from fec0:0:201::3 port 62788 ssh2
|
| 423 |
|
regex=Failed (\S+) for (illegal|invalid) user (\S+) from ([A-Fa-f\d:\.]+) port (\d+); \
|
|
384 |
#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from 1.2.3.4 port 62788 ssh2
|
|
385 |
#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from hostname port 62788 ssh2
|
|
386 |
regex=Failed (\S+) for (illegal|invalid) user (\S+) from (\S+) port (\d+); \
|
| 424 |
387 |
classification.text=SSH Remote login failed; \
|
| 425 |
388 |
id=1913; \
|
| 426 |
389 |
revision=2; \
|
| ... | ... | |
| 431 |
394 |
assessment.impact.completion=failed; \
|
| 432 |
395 |
assessment.impact.type=admin; \
|
| 433 |
396 |
assessment.impact.description=Someone tried to login as $2 from $3:$4 using the $1 method; \
|
| 434 |
|
source(0).node.address(0).category=ipv6-addr; \
|
| 435 |
397 |
source(0).node.address(0).address=$4; \
|
| 436 |
398 |
source(0).service.port=$5; \
|
| 437 |
399 |
source(0).service.iana_protocol_name=tcp; \
|
| ... | ... | |
| 451 |
413 |
additional_data(1).data=$2 user; \
|
| 452 |
414 |
last
|
| 453 |
415 |
|
| 454 |
|
# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
|
| 455 |
|
# All Rights Reserved
|
| 456 |
|
|
| 457 |
416 |
#LOG:Oct 2 14:40:05 suse-9.2 sshd[18725]: error: PAM: Authentication failure for root from unknown.anywhere.net
|
| 458 |
417 |
regex=error: PAM: Authentication failure for root from (\S+); \
|
| 459 |
418 |
classification.text=Admin login failed; \
|
