Hi list,
I have a question about the rule philosophy: how and when do rules handle
unknown events?
At the moment there is the weighty rule 1002, which catches many error
messages, but apart from that the rules only look for something they
already know.
Take the ssh rules as an example:
every sshd message is first matched by rule 5700, and after this match all
child rules are tested.
But when a new attack appears, a new version of ssh writes a new kind of
log line, or we forget to create a rule for a rare event, we would not
recognize it, because rule 5700 has level 0 and the noalert option.
So I use an edited version for ssh, where rule 5700 has level 5.
At the beginning there may be many alerts to silence (by writing rules
with level 0), but after a while you can be sure not to miss an unknown
event.

Best regards
    Christian Göttsche

p.s.: my sshd_rules.xml is attached

<!-- @(#) $Id: sshd_rules.xml,v 1.22 2010/12/19 14:50:14 ddp Exp $
-  Official SSHD rules for OSSEC.
-
-  Copyright (C) 2009-2011 Trend Micro Inc.
-  All rights reserved.
-
-  This program is a free software; you can redistribute it
-  and/or modify it under the terms of the GNU General Public
-  License (version 2) as published by the FSF - Free Software
-  Foundation.
-
-  License details: http://www.ossec.net/en/licensing.html
-->


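<group name="syslog,sshd,">
<!-- Layout of this file:
     5700 is the parent rule that every message decoded as sshd matches;
     each specific rule binds to it with <if_sid>5700</if_sid>.
     Rules using <if_matched_sid> together with frequency/timeframe
     correlate repeated hits of one child rule into a higher-level alert. -->

<!-- Parent rule. Level 5 instead of the stock level 0 + noalert: any sshd
     message that no child rule below recognises still raises an alert, so
     new log formats or unexpected events are not silently dropped. Silence
     known noise by adding level-0 child rules, not by lowering this level. -->
<rule id="5700" level="5">
    <decoded_as>sshd</decoded_as>
    <description>Grouping of SSHD messages.</description>
    <group>grouping_rule,</group>
</rule>

<rule id="5701" level="8">
    <if_sid>5700</if_sid>
    <match>Bad protocol version identification</match>
    <description>Possible attack on the ssh server (or version gathering).</description>
</rule>

<!-- 5702 = single reverse-DNS mismatch; 5703 escalates 4 of them in 360s. -->
<rule id="5702" level="5">
    <if_sid>5700</if_sid>
    <match>^reverse mapping</match>
    <regex>failed - POSSIBLE BREAK</regex>
    <description>Reverse lookup error (bad ISP or attack).</description>
</rule>

<rule id="5703" level="10" frequency="4" timeframe="360">
    <if_matched_sid>5702</if_matched_sid>
    <description>Possible breakin attempt (high number of reverse lookup errors).</description>
</rule>

<!-- 5704 = single login timeout; 5705 escalates 4 of them in 360s. -->
<rule id="5704" level="4">
    <if_sid>5700</if_sid>
    <match>fatal: Timeout before authentication for</match>
    <description>Timeout while logging in (sshd).</description>
</rule>

<rule id="5705" level="10" frequency="4" timeframe="360">
    <if_matched_sid>5704</if_matched_sid>
    <description>Possible scan or breakin attempt (high number of login timeouts).</description>
</rule>

<rule id="5706" level="5">
    <if_sid>5700</if_sid>
    <match>Did not receive identification string from</match>
    <description>SSH insecure connection attempt (possible scan).</description>
    <group>recon,</group>
</rule>

<rule id="5707" level="14">
    <if_sid>5700</if_sid>
    <match>fatal: buffer_get_string: bad string</match>
    <description>OpenSSH challenge-response exploit.</description>
    <group>exploit_attempt,</group>
</rule>

<!-- Level-0 silencer: these messages carry no user/IP, so there is nothing
     to act on. Keep the list tight; anything not listed falls back to the
     level-5 parent and becomes visible. -->
<rule id="5709" level="0">
    <if_sid>5700</if_sid>
    <match>error: Could not get shadow information for NOUSER|</match>
    <match>fatal: Read from socket failed: |error: ssh_msg_send: write|</match>
    <match>^syslogin_perform_logout: |^pam_succeed_if(sshd:auth): error retrieving information about user|can't verify hostname: getaddrinfo</match>
    <description>Useless SSHD message without an user/ip and context.</description>
</rule>

<rule id="5710" level="3">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,</group>
</rule>

<!-- Level-0 silencer for PAM/userauth lines that duplicate 5710/5716
     without adding a user or IP. -->
<rule id="5711" level="0">
    <if_sid>5700</if_sid>
    <match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
    <match>input_userauth_request: invalid user|</match>
    <match>PAM: User not known to the underlying authentication module for illegal user|</match>
    <match>error retrieving information about user</match>
    <description>Useless/Duplicated SSHD message without a user/ip.</description>
</rule>

<!-- DISABLED in this version: the brute-force correlation on repeated
     5710 hits is commented out, so invalid-user floods are not escalated
     by this file. -->
<!-- <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSHD brute force trying to get access to </description>
    <description>the system.</description>
    <same_source_ip />
    <group>authentication_failures,</group>
</rule> -->

<rule id="5713" level="6">
    <if_sid>5700</if_sid>
    <match>Corrupted check bytes on</match>
    <description>Corrupted bytes on SSHD.</description>
</rule>

<!-- Escalates a 5713 hit whose message names the crc32 compensation
     attack (CVE-2001-0144). -->
<rule id="5714" level="14" timeframe="120" frequency="1">
    <if_matched_sid>5713</if_matched_sid>
    <match>Local: crc32 compensation attack</match>
    <description>SSH CRC-32 Compensation attack</description>
    <info type="cve">2001-0144</info>
    <info type="link">http://www.securityfocus.com/bid/2347/info/</info>
    <group>exploit_attempt,</group>
</rule>

<rule id="5715" level="3">
    <if_sid>5700</if_sid>
    <match>^Accepted|authenticated.$</match>
    <description>SSHD authentication success.</description>
    <group>authentication_success,</group>
</rule>

<rule id="5716" level="3">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
</rule>

<rule id="5717" level="4">
    <if_sid>5700</if_sid>
    <match>error: Bad prime description in line</match>
    <description>SSHD configuration error (moduli).</description>
</rule>

<!-- 5718 = single denied-user attempt (AllowUsers/DenyUsers etc.);
     5719 escalates 6 of them in 120s, then stays quiet for 60s. -->
<rule id="5718" level="5">
    <if_sid>5700</if_sid>
    <match>not allowed because</match>
    <description>Attempt to login using a denied user.</description>
    <group>authentication_failed,</group>
</rule>

<rule id="5719" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5718</if_matched_sid>
    <description>Multiple access attempts using a denied user.</description>
    <group>authentication_failed,</group>
</rule>

<!-- DISABLED in this version: the correlation on repeated 5716 password
     failures is commented out, so repeated failed logins from one source
     are not escalated by this file. -->
<!-- <rule id="5720" level="10" frequency="6">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
</rule> -->

<rule id="5721" level="1">
    <if_sid>5700</if_sid>
    <match>Received disconnect from</match>
    <description>System disconnected from sshd.</description>
</rule>

<rule id="5722" level="1">
    <if_sid>5700</if_sid>
    <match>Connection closed</match>
    <description>ssh connection closed.</description>
</rule>

<rule id="5723" level="1">
    <if_sid>5700</if_sid>
    <match>error: buffer_get_bignum2_ret: negative numbers not supported|</match>
    <match>fatal: buffer_get_bignum2: buffer error</match>
    <description>SSHD key error.</description>
    <info>This maybe a bad key in authorized_keys or related to ssh key handling.</info>
</rule>

<rule id="5725" level="1">
    <if_sid>5700</if_sid>
    <match>fatal: Write failed: Host is down</match>
    <description>Host ungracefully disconnected.</description>
</rule>

<rule id="5726" level="5">
    <if_sid>5700</if_sid>
    <match>error: PAM: Module is unknown for</match>
    <description>Unknown PAM module, PAM misconfiguration.</description>
</rule>

<rule id="5727" level="9">
    <if_sid>5700</if_sid>
    <match>failed: Address already in use.</match>
    <description>Attempt to start sshd when something already bound to the port.</description>
</rule>

<rule id="5728" level="4">
    <if_sid>5700</if_sid>
    <match>Authentication service cannot retrieve user credentials</match>
    <description>Authentication services were not able to retrieve user credentials.</description>
    <info>May be related to PAM module errors.</info>
    <group>authentication_failed,</group>
</rule>

<!-- Level-0 silencer for debug output. -->
<rule id="5729" level="0">
    <if_sid>5700</if_sid>
    <match>debug1: attempt</match>
    <description>Debug message.</description>
</rule>

<rule id="5730" level="5">
    <if_sid>5700</if_sid>
    <regex>error: connect to \S+ port \d+ failed: Connection refused</regex>
    <description>SSHD is not accepting connections.</description>
</rule>

<rule id="5731" level="6">
    <if_sid>5700</if_sid>
    <match>AKASSH_Version_Mapper1.</match>
    <description>SSH Scanning.</description>
    <group>recon,</group>
</rule>

<!-- Note the trailing space in the match string; it is intentional. -->
<rule id="5732" level="1">
    <if_sid>5700</if_sid>
    <match>error: connect_to </match>
    <description>Possible port forwarding failure.</description>
</rule>

<!-- NOTE(review): group is authentication_failures, while 5716/5718 use
     authentication_failed - confirm which name local if_group rules expect. -->
<rule id="5733" level="3">
    <if_sid>5700</if_sid>
    <match>Invalid credentials</match>
    <description>User entered incorrect password.</description>
    <group>authentication_failures,</group>
</rule>

<rule id="5734" level="0">
    <if_sid>5700</if_sid>
    <match>Could not load host key</match>
    <description>sshd could not load one or more host keys.</description>
    <info>This may be related to an upgrade to OpenSSH.</info>
</rule>

<rule id="5735" level="1">
    <if_sid>5700</if_sid>
    <match>Write failed: Broken pipe</match>
    <description>Failed write due to one host disappearing.</description>
</rule>

<!-- Level-0 silencer for two socket-level errors; anchored with ^ and $
     so only the exact messages are dropped. -->
<rule id="5736" level="0">
    <if_sid>5700</if_sid>
    <match>^error: setsockopt SO_KEEPALIVE: Connection reset by peer$|</match>
    <match>^error: accept: Software caused connection abort$</match>
    <description>Connection reset or aborted.</description>
</rule>

<rule id="5737" level="5">
    <if_sid>5700</if_sid>
    <match>^fatal: Cannot bind any address.$</match>
    <description>sshd cannot bind to configured address.</description>
</rule>

<rule id="5738" level="5">
    <if_sid>5700</if_sid>
    <match>set_loginuid failed opening loginuid$</match>
    <description>pam_loginuid could not open loginuid.</description>
    <group>authentication_failed,</group>
</rule>

<!-- Forward/reverse DNS mismatch. Group string now ends with a comma
     like every other <group> in this file. -->
<rule id="5739" level="11">
    <if_sid>5700</if_sid>
    <regex>^Address \d+.\d+.\d+.\d+ maps to \S+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$</regex>
    <description>Host is not mapping to address.</description>
    <group>attack,</group>
</rule>

<!-- Whitelists 5739 for the 192.168. prefix. NOTE(review): narrow this to
     the address range actually in use if the local network is smaller. -->
<rule id="5740" level="0">
    <if_sid>5739</if_sid>
    <match>^Address 192.168.</match>
    <description>Ignore that local network host is not mapping to address.</description>
</rule>

<!-- ignore="1": a repeat of this alert within 1s is suppressed
     (presumably because sshd logs one listening line per bound address). -->
<rule id="5741" level="3" ignore="1">
    <if_sid>5700</if_sid>
    <regex>^Server listening on \S+ port \d+.$</regex>
    <description>sshd start.</description>
    <group>service_availability,</group>
</rule>

<rule id="5742" level="3">
    <if_sid>5700</if_sid>
    <match>Received signal|terminating.$</match>
    <description>sshd stop.</description>
    <group>service_availability,</group>
</rule>

<rule id="5743" level="3">
    <if_sid>5700</if_sid>
    <match>subsystem request for sftp$</match>
    <description>sshd sftp session opened.</description>
</rule>

<rule id="5744" level="3">
    <if_sid>5700</if_sid>
    <match>PAM service(sshd) ignoring max retries;</match>
    <description>sshd ignore max retries.</description>
</rule>

<!-- Note the trailing space in the match string; it is intentional. -->
<rule id="5745" level="2">
    <if_sid>5700</if_sid>
    <match>refused connect from </match>
    <description>sshd refused connect (because of host.deny?).</description>
    <group>access_denied,</group>
</rule>

<rule id="5746" level="3">
    <if_sid>5700</if_sid>
    <match>more authentication failures</match>
    <description>sshd recognizes multiple authentication failures.</description>
</rule>

</group> <!-- SYSLOG, SSHD --> <!-- EOF -->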
