24 |
24 |
###################
|
25 |
25 |
|
26 |
26 |
#LOG:Dec 8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
|
27 |
|
regex=Accepted (\S+) for root from ([\d\.]+) port (\d+); \
|
|
27 |
#LOG:Dec 8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from ::ffff:12.34.56.78 port 56634 ssh2
|
|
28 |
regex=Accepted (\S+) for root from (::[fF]{4}:)?([\d\.]+) port (\d+); \
|
28 |
29 |
classification.text=Admin login successful; \
|
29 |
30 |
id=1900; \
|
30 |
31 |
revision=2; \
|
... | ... | |
34 |
35 |
assessment.impact.severity=low; \
|
35 |
36 |
assessment.impact.completion=succeeded; \
|
36 |
37 |
assessment.impact.type=admin; \
|
37 |
|
assessment.impact.description=Root logged in from $2:$3 using the $1 method; \
|
|
38 |
assessment.impact.description=Root logged in from $3:$4 using the $1 method; \
|
38 |
39 |
source(0).node.address(0).category=ipv4-addr; \
|
39 |
|
source(0).node.address(0).address=$2; \
|
40 |
|
source(0).service.port=$3; \
|
|
40 |
source(0).node.address(0).address=$3; \
|
|
41 |
source(0).service.port=$4; \
|
41 |
42 |
source(0).service.iana_protocol_name=tcp; \
|
42 |
43 |
source(0).service.iana_protocol_number=6; \
|
43 |
44 |
target(0).service.port=22; \
|
... | ... | |
53 |
54 |
last;
|
54 |
55 |
|
55 |
56 |
#LOG:Dec 10 10:33:19 itguxweb2 sshd[29738]: Accepted password for ekwong from 12.34.56.78 port 39852 ssh2
|
56 |
|
regex=Accepted (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
|
|
57 |
#LOG:Jun 5 15:50:35 somehost sshd[17740]: Accepted publickey for someuser from ::ffff:192.168.0.22 port 59610 ssh2
|
|
58 |
regex=Accepted (\S+) for (?!root)(\S+) from (::[fF]{4}:)?([\d\.]+) port (\d+); \
|
57 |
59 |
classification.text=User login successful; \
|
58 |
60 |
id=1901; \
|
59 |
61 |
revision=2; \
|
... | ... | |
65 |
67 |
assessment.impact.type=user; \
|
66 |
68 |
assessment.impact.description=User $2 logged in from $3:$4 using the $1 method; \
|
67 |
69 |
source(0).node.address(0).category=ipv4-addr; \
|
68 |
|
source(0).node.address(0).address=$3; \
|
69 |
|
source(0).service.port=$4; \
|
|
70 |
source(0).node.address(0).address=$4; \
|
|
71 |
source(0).service.port=$5; \
|
70 |
72 |
source(0).service.iana_protocol_name=tcp; \
|
71 |
73 |
source(0).service.iana_protocol_number=6; \
|
72 |
74 |
target(0).service.port=22; \
|
... | ... | |
86 |
88 |
################
|
87 |
89 |
|
88 |
90 |
#LOG:Dec 9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806
|
89 |
|
regex=Failed (\S+) for root from ([\d\.]+) port (\d+); \
|
|
91 |
#LOG:Dec 9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from ::ffff:12.34.56.78 port 1806
|
|
92 |
regex=Failed (\S+) for root from (::[fF]{4}:)?([\d\.]+) port (\d+); \
|
90 |
93 |
classification.text=Admin login failed; \
|
91 |
94 |
id=1902; \
|
92 |
95 |
revision=2; \
|
... | ... | |
96 |
99 |
assessment.impact.severity=medium; \
|
97 |
100 |
assessment.impact.completion=failed; \
|
98 |
101 |
assessment.impact.type=admin; \
|
99 |
|
assessment.impact.description=Someone tried to login as root from $2:$3 using the $1 method; \
|
|
102 |
assessment.impact.description=Someone tried to login as root from $3:$4 using the $1 method; \
|
100 |
103 |
source(0).node.address(0).category=ipv4-addr; \
|
101 |
|
source(0).node.address(0).address=$2; \
|
102 |
|
source(0).service.port=$3; \
|
|
104 |
source(0).node.address(0).address=$3; \
|
|
105 |
source(0).service.port=$4; \
|
103 |
106 |
source(0).service.iana_protocol_name=tcp; \
|
104 |
107 |
source(0).service.iana_protocol_number=6; \
|
105 |
108 |
target(0).service.port=22; \
|
... | ... | |
115 |
118 |
last
|
116 |
119 |
|
117 |
120 |
#LOG:Dec 9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214
|
118 |
|
regex=Failed (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
|
|
121 |
#LOG:Dec 9 21:29:56 devel5 sshd[17554]: Failed password for akarade from ::ffff:12.34.56.78 port 4214
|
|
122 |
regex=Failed (\S+) for (?!root)(\S+) from (::[fF]{4}:)?([\d\.]+) port (\d+); \
|
119 |
123 |
classification.text=User login failed; \
|
120 |
124 |
id=1903; \
|
121 |
125 |
revision=2; \
|
... | ... | |
125 |
129 |
assessment.impact.severity=medium; \
|
126 |
130 |
assessment.impact.completion=failed; \
|
127 |
131 |
assessment.impact.type=user; \
|
128 |
|
assessment.impact.description=Someone tried to login as $2 from $3:$4 using the $1 method; \
|
|
132 |
assessment.impact.description=Someone tried to login as $2 from $4:$5 using the $1 method; \
|
129 |
133 |
source(0).node.address(0).category=ipv4-addr; \
|
130 |
|
source(0).node.address(0).address=$3; \
|
131 |
|
source(0).service.port=$4; \
|
|
134 |
source(0).node.address(0).address=$4; \
|
|
135 |
source(0).service.port=$5; \
|
132 |
136 |
source(0).service.iana_protocol_name=tcp; \
|
133 |
137 |
source(0).service.iana_protocol_number=6; \
|
134 |
138 |
target(0).service.port=22; \
|
... | ... | |
148 |
152 |
##############################################
|
149 |
153 |
|
150 |
154 |
#LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from 213.201.222.134
|
|
155 |
#LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from ::ffff:213.201.222.134
|
151 |
156 |
|
152 |
|
regex=(Illegal|Invalid) user (\S+) from ([\d\.]+); \
|
|
157 |
regex=(Illegal|Invalid) user (\S+) from (::[fF]{4}:)?([\d\.]+); \
|
153 |
158 |
classification.text=User login failed with an invalid user; \
|
154 |
159 |
id=1904; \
|
155 |
160 |
revision=1; \
|
... | ... | |
159 |
164 |
assessment.impact.severity=medium; \
|
160 |
165 |
assessment.impact.completion=failed; \
|
161 |
166 |
assessment.impact.type=user; \
|
162 |
|
assessment.impact.description=Someone tried to login with the invalid user "$2" from $3; \
|
|
167 |
assessment.impact.description=Someone tried to login with the invalid user "$2" from $4; \
|
163 |
168 |
source(0).node.address(0).category=ipv4-addr; \
|
164 |
|
source(0).node.address(0).address=$3; \
|
|
169 |
source(0).node.address(0).address=$4; \
|
165 |
170 |
source(0).service.iana_protocol_name=tcp; \
|
166 |
171 |
source(0).service.iana_protocol_number=6; \
|
167 |
172 |
target(0).service.port=22; \
|
... | ... | |
212 |
217 |
##################################################################
|
213 |
218 |
|
214 |
219 |
# LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 1.2.3.4
|
|
220 |
# LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from ::ffff:1.2.3.4
|
215 |
221 |
#
|
216 |
|
regex=Did not receive identification string from ([\d\.]+); \
|
|
222 |
regex=Did not receive identification string from (::[fF]{4}:)?([\d\.]+); \
|
217 |
223 |
classification.text=Server recognition; \
|
218 |
224 |
id=1906; \
|
219 |
225 |
revision=2; \
|
... | ... | |
223 |
229 |
assessment.impact.severity=medium; \
|
224 |
230 |
assessment.impact.completion=failed; \
|
225 |
231 |
assessment.impact.type=recon; \
|
226 |
|
assessment.impact.description=$1 is probably making a server recognition; \
|
|
232 |
assessment.impact.description=$2 is probably making a server recognition; \
|
227 |
233 |
source(0).node.address(0).category=ipv4-addr; \
|
228 |
|
source(0).node.address(0).address=$1; \
|
|
234 |
source(0).node.address(0).address=$2; \
|
229 |
235 |
source(0).service.iana_protocol_name=tcp; \
|
230 |
236 |
source(0).service.iana_protocol_number=6; \
|
231 |
237 |
target(0).service.port=22; \
|
... | ... | |
244 |
250 |
#########################################################################
|
245 |
251 |
|
246 |
252 |
# LOG:Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
|
|
253 |
# LOG:Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
|
247 |
254 |
#
|
248 |
|
regex=ROOT LOGIN REFUSED FROM ([\d\.]+); \
|
|
255 |
regex=ROOT LOGIN REFUSED FROM (::[fF]{4}:)?([\d\.]+); \
|
249 |
256 |
classification.text=Admin login forbidden; \
|
250 |
257 |
id=1907; \
|
251 |
258 |
revision=1; \
|
... | ... | |
257 |
264 |
assessment.impact.type=admin; \
|
258 |
265 |
assessment.impact.description=Root tried to login while it is forbidden; \
|
259 |
266 |
source(0).node.address(0).category=ipv4-addr; \
|
260 |
|
source(0).node.address(0).address=$1; \
|
|
267 |
source(0).node.address(0).address=$2; \
|
261 |
268 |
source(0).service.iana_protocol_name=tcp; \
|
262 |
269 |
source(0).service.iana_protocol_number=6; \
|
263 |
270 |
target(0).service.port=22; \
|
... | ... | |
327 |
334 |
target(0).service.iana_protocol_number=6; \
|
328 |
335 |
target(0).user.category=os-device; \
|
329 |
336 |
target(0).user.user_id(0).type=target-user; \
|
330 |
|
target(0).user.user_id(0).name=root; \
|
|
337 |
target(0).user.user_id(0).name=$2; \
|
331 |
338 |
additional_data(0).type=string; \
|
332 |
339 |
additional_data(0).meaning=Authentication method; \
|
333 |
340 |
additional_data(0).data=$1; \
|