sshrules.diff

ssh rules diff - prmarino1-gmail-com -, 06/05/2007 08:42 PM

     ###################
     #LOG:Dec  8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
     regex=Accepted (\S+) for root from ([\d\.]+) port (\d+); \
     #LOG:Dec  8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from ::ffff:12.34.56.78 port 56634 ssh2
     regex=Accepted (\S+) for root from (::[fF]{4}:)?([\d\.]+) port (\d+); \
      classification.text=Admin login successful; \
      id=1900; \
      revision=2; \
-...
      assessment.impact.severity=low; \
      assessment.impact.completion=succeeded; \
      assessment.impact.type=admin; \
      assessment.impact.description=Root logged in from $2:$3 using the $1 method; \
      assessment.impact.description=Root logged in from $3:$4 using the $1 method; \
      source(0).node.address(0).category=ipv4-addr; \
      source(0).node.address(0).address=$2; \
      source(0).service.port=$3; \
      source(0).node.address(0).address=$3; \
      source(0).service.port=$4; \
      source(0).service.iana_protocol_name=tcp; \
      source(0).service.iana_protocol_number=6; \
      target(0).service.port=22; \
-...
      last;
     #LOG:Dec 10 10:33:19 itguxweb2 sshd[29738]: Accepted password for ekwong from 12.34.56.78 port 39852 ssh2
     regex=Accepted (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
     #LOG:Jun 5 15:50:35 somehost sshd[17740]: Accepted publickey for someuser from ::ffff:192.168.0.22 port 59610 ssh2
     regex=Accepted (\S+) for (?!root)(\S+) from (::[fF]{4}:)?([\d\.]+) port (\d+); \
      classification.text=User login successful; \
      id=1901; \
      revision=2; \
-...
      assessment.impact.type=user; \
      assessment.impact.description=User $2 logged in from $3:$4 using the $1 method; \
      source(0).node.address(0).category=ipv4-addr; \
      source(0).node.address(0).address=$3; \
      source(0).service.port=$4; \
      source(0).node.address(0).address=$4; \
      source(0).service.port=$5; \
      source(0).service.iana_protocol_name=tcp; \
      source(0).service.iana_protocol_number=6; \
      target(0).service.port=22; \
-...
     ################
     #LOG:Dec  9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806
     regex=Failed (\S+) for root from ([\d\.]+) port (\d+); \
     #LOG:Dec  9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from ::ffff:12.34.56.78 port 1806
     regex=Failed (\S+) for root from (::[fF]{4}:)?([\d\.]+) port (\d+); \
      classification.text=Admin login failed; \
      id=1902; \
      revision=2; \
-...
      assessment.impact.severity=medium; \
      assessment.impact.completion=failed; \
      assessment.impact.type=admin; \
      assessment.impact.description=Someone tried to login as root from $2:$3 using the $1 method; \
      assessment.impact.description=Someone tried to login as root from $3:$4 using the $1 method; \
      source(0).node.address(0).category=ipv4-addr; \
      source(0).node.address(0).address=$2; \
      source(0).service.port=$3; \
      source(0).node.address(0).address=$3; \
      source(0).service.port=$4; \
      source(0).service.iana_protocol_name=tcp; \
      source(0).service.iana_protocol_number=6; \
      target(0).service.port=22; \
-...
      last
     #LOG:Dec  9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214
     regex=Failed (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
     #LOG:Dec  9 21:29:56 devel5 sshd[17554]: Failed password for akarade from ::ffff:12.34.56.78 port 4214
     regex=Failed (\S+) for (?!root)(\S+) from (::[fF]{4}:)?([\d\.]+) port (\d+); \
      classification.text=User login failed; \
      id=1903; \
      revision=2; \
-...
      assessment.impact.severity=medium; \
      assessment.impact.completion=failed; \
      assessment.impact.type=user; \
      assessment.impact.description=Someone tried to login as $2 from $3:$4 using the $1 method; \
      assessment.impact.description=Someone tried to login as $2 from $4:$5 using the $1 method; \
      source(0).node.address(0).category=ipv4-addr; \
      source(0).node.address(0).address=$3; \
      source(0).service.port=$4; \
      source(0).node.address(0).address=$4; \
      source(0).service.port=$5; \
      source(0).service.iana_protocol_name=tcp; \
      source(0).service.iana_protocol_number=6; \
      target(0).service.port=22; \
-...
     ##############################################
     #LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from 213.201.222.134
     #LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from ::ffff:213.201.222.134
     regex=(Illegal|Invalid) user (\S+) from ([\d\.]+); \
     regex=(Illegal|Invalid) user (\S+) from (::[fF]{4}:)?([\d\.]+); \
      classification.text=User login failed with an invalid user; \
      id=1904; \
      revision=1; \
-...
      assessment.impact.severity=medium; \
      assessment.impact.completion=failed; \
      assessment.impact.type=user; \
      assessment.impact.description=Someone tried to login with the invalid user "$2" from $3; \
      assessment.impact.description=Someone tried to login with the invalid user "$2" from $4; \
      source(0).node.address(0).category=ipv4-addr; \
      source(0).node.address(0).address=$3; \
      source(0).node.address(0).address=$4; \
      source(0).service.iana_protocol_name=tcp; \
      source(0).service.iana_protocol_number=6; \
      target(0).service.port=22; \
-...
     ##################################################################
     # LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 1.2.3.4
     # LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from ::ffff:1.2.3.4
+    #
     regex=Did not receive identification string from ([\d\.]+); \
     regex=Did not receive identification string from (::[fF]{4}:)?([\d\.]+); \
      classification.text=Server recognition; \
      id=1906; \
      revision=2; \
-...
      assessment.impact.severity=medium; \
      assessment.impact.completion=failed; \
      assessment.impact.type=recon; \
      assessment.impact.description=$1 is probably making a server recognition; \
      assessment.impact.description=$2 is probably making a server recognition; \
      source(0).node.address(0).category=ipv4-addr; \
      source(0).node.address(0).address=$1; \
      source(0).node.address(0).address=$2; \
      source(0).service.iana_protocol_name=tcp; \
      source(0).service.iana_protocol_number=6; \
      target(0).service.port=22; \
-...
     #########################################################################
     # LOG:Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
     # LOG:Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
+    #
     regex=ROOT LOGIN REFUSED FROM ([\d\.]+); \
     regex=ROOT LOGIN REFUSED FROM (::[fF]{4}:)?([\d\.]+); \
      classification.text=Admin login forbidden; \
      id=1907; \
      revision=1; \
-...
      assessment.impact.type=admin; \
      assessment.impact.description=Root tried to login while it is forbidden; \
      source(0).node.address(0).category=ipv4-addr; \
      source(0).node.address(0).address=$1; \
      source(0).node.address(0).address=$2; \
      source(0).service.iana_protocol_name=tcp; \
      source(0).service.iana_protocol_number=6; \
      target(0).service.port=22; \
-...
      target(0).service.iana_protocol_number=6; \
      target(0).user.category=os-device; \
      target(0).user.user_id(0).type=target-user; \
      target(0).user.user_id(0).name=root; \
      target(0).user.user_id(0).name=$2; \
      additional_data(0).type=string; \
      additional_data(0).meaning=Authentication method; \
      additional_data(0).data=$1; \

Project

General

Profile

sshrules.diff