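# Sagan openssh.rules
# Copyright (c) 2009-2013, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Not getting the source IP addresses that you'd expect? Then you probably
# have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll
# need to set that to "No" so Sagan can "find" the source IP addresses and
# port information.
#
# How to read the rules in this file:
#  - "program: sshd" limits a rule to syslog lines whose program field is sshd.
#    "normalize: openssh" asks Sagan to extract source IP/port/user from the
#    message; "parse_src_ip: 1" instead takes the first IP address found in the
#    message text. Which one a rule uses decides what address ends up in the alert.
#  - "after: track by_src, count N, seconds S" holds a rule back until N matching
#    events from the same source have been seen within S seconds; "threshold:
#    type limit, ..." then caps how often the resulting alert repeats.
#  - "drop" rules additionally carry "fwsam: src, <time>", which requests an active
#    block of the parsed source address for that long. A mis-parsed address (see the
#    UseDNS note above) therefore blocks the wrong host - verify the parsed source on
#    real log lines before enabling any of the disabled drop rules.
#  - Rules starting with "#" ship disabled; remove the "#" to enable them.
#
# PAM authentication failures. The tiered brute-force rules (5000015, 5001634-5001639)
# are disabled; 5001523 fires on every matching line.
# Failed password for root from 109.70.148.243 port 17298 ssh2
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [5/5]"; content: "Authentication failure"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000015; normalize: openssh; program: sshd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; sid: 5000015; rev:5;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [10/5]"; content: "Authentication failure"; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001634; sid: 5001634; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [20/5]"; content: "Authentication failure"; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001635; sid: 5001635; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [30/5]"; content: "Authentication failure"; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001636; sid: 5001636; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [40/5]"; content: "Authentication failure"; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001637; sid: 5001637; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [50/5]"; content: "Authentication failure"; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001638; sid: 5001638; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [100/5]"; content: "Authentication failure"; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001639; sid: 5001639; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001523; normalize: openssh; program: sshd; sid: 5001523; rev:2;)
# Lower-case "authentication failure" (content matches are case-sensitive unless
# "nocase" is given, so these do not overlap the rules above).
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [5/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5000016; sid: 5000016; rev:5;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [10/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001628; sid: 5001628; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [20/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001629; sid: 5001629; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [30/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001630; sid: 5001630; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [40/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001631; sid: 5001631; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [50/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001632; sid: 5001632; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [100/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001633; sid: 5001633; rev:2;)
# NOTE(review): the content string below ends in ";" while the disabled brute-force
# rules above match "authentication failure" without it. Presumably intended for the
# "authentication failure; ..." message form - confirm against your sshd/PAM logs
# before relying on it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure"; content: "authentication failure;"; classtype: unsuccessful-user;program: sshd; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001524; sid: 5001524; rev:2;)
# Root-specific failures (classtype unsuccessful-admin). Both disabled by default.
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure for root - Brute force"; content: "Authentication failure for root"; classtype: unsuccessful-admin;program: sshd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5000017; sid: 5000017; rev:5;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure for root"; content: "Authentication failure for root"; classtype: unsuccessful-admin;program: sshd; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001525; sid: 5001525; rev:2;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Possible break-in attempt"; content: "POSSIBLE BREAK-IN ATTEMPT"; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000018; sid: 5000018; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Not executable shell - login attempt"; content: "is not executable"; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000020; sid: 5000020; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Message send write error"; content: "ssh_msg_send";classtype: network-event; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000021; sid:5000021; rev:2;)
# General "illegal user"
# 5000022 is the catch-all; the per-account "drop" rules that follow match a subset
# of the same lines, so one log line can raise both the alert and the drop.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user"; pcre: "/invalid user|illegal user/i"; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000022; sid: 5000022; rev:8;)
# Commonly probed account names. These are enabled "drop" rules with a one-day
# fwsam block on the first log line (no "after" delay), so a single mistyped
# username from a legitimate client is enough to trigger the block.
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [a]"; pcre: "/invalid user|illegal user/i"; content: "user a "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001106; sid: 5001106; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [admin]"; pcre: "/invalid user|illegal user/i"; content: "user admin "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001107; sid: 5001107; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [ftp]"; pcre: "/invalid user|illegal user/i"; content: "user ftp "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001108; sid: 5001108; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [guest]"; pcre: "/invalid user|illegal user/i"; content: "user guest "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001109; sid: 5001109; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [info]"; pcre: "/invalid user|illegal user/i"; content: "user info "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001110; sid: 5001110; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [mysql]"; pcre: "/invalid user|illegal user/i"; content: "user mysql "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001111; sid: 5001111; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [nagios]"; pcre: "/invalid user|illegal user/i"; content: "user nagios "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001112; sid: 5001112; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [oracle]"; pcre: "/invalid user|illegal user/i"; content: "user oracle "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001113; sid: 5001113; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [postgres]"; pcre: "/invalid user|illegal user/i"; content: "user postgres "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001114; sid: 5001114; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [test]"; pcre: "/invalid user|illegal user/i"; content: "user test "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001115; sid: 5001115; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [user]"; pcre: "/invalid user|illegal user/i"; content: "user user "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001116; sid: 5001116; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [web]"; pcre: "/invalid user|illegal user/i"; content: "user web "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001117; sid: 5001117; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [webmaster]"; pcre: "/invalid user|illegal user/i"; content: "user webmaster "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001118; sid: 5001118; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [apache]"; pcre: "/invalid user|illegal user/i"; content: "user apache "; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001119; sid: 5001119; rev:4;)
# Champ Clark (Quadrant Information Security) - Jan 27th 2010 - Out of band challenge - for more info see: http://sourceforge.net/projects/pamobc/
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] Out-of-Band challenge failure"; content: "Failed auth"; content: "out-of-band challenge"; content: "pam_obc"; classtype: unsuccessful-user;program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000023; sid: 5000023; rev:4;)
# Protocol-level anomalies and scans (no authentication involved).
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] Bad protocol version - possible attack"; content: "Bad protocol version identification"; parse_src_ip: 1; classtype: non-standard-protocol; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000068; sid: 5000068; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT ( msg: "[OPENSSH] Timeout while logging in"; content:"Timeout before authentication" ;classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000069; sid: 5000069; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] No identification string - possible scan"; content:"Did not receive identification string"; classtype: network-scan; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000070; sid: 5000070; rev:4;)
# Exploit signatures against historical OpenSSH bugs; both "drop" with a one-week block.
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] OpenSSH challenge-response exploit"; content: "buffer_get_string: bad string"; classtype: exploit-attempt; program: sshd; parse_src_ip: 1; fwsam: src, 1 week; reference: url,wiki.quadrantsec.com/bin/view/Main/5000071; sid: 5000071; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] Message without user-IP and context"; content: "Could not get shadow information for NOUSER"; classtype: misc-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000072; sid: 5000072; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Corrupted traffic"; content: "Corrupted check bytes on"; classtype: network-event; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000073; sid: 5000073; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] CRC32 compensation attack"; content: "crc32 compensation attack"; nocase; classtype: shellcode-detect; program: sshd; fwsam: src, 1 week; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000074; reference: url, http://www.securityfocus.com/bid/2347/info/; sid: 5000074; rev:3;)
# Successful logins and session bookkeeping. 5000075, 5000407 and 5000408 are
# disabled because they fire on every normal login/logout.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication success"; pcre: "/accepted|authenticated/i"; classtype: successful-user; normalize: openssh; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000075; sid: 5000075; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] configuration error [moduli]"; content: "Bad prime description in line"; classtype: program-error; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000076; sid: 5000076; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Attempt to login using a denied user"; content: "not allowed because"; classtype: unsuccessful-user; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000077; sid:5000077; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Accepted publickey"; content: "Accepted publickey" ; classtype: successful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000406; sid:5000406; rev:5;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Session closed"; content: "session closed for" ; classtype: not-suspicious; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000407; sid:5000407; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Received disconnect"; content: "Received disconnect from"; classtype: not-suspicious; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000408; sid:5000408; rev:4;)
# NOTE(review): the second pcre anchors every alternative with ^ and $. If Sagan
# applies pcre to the whole syslog message rather than to a normalized user field,
# none of the alternatives can match a full "Accepted ... for <user> from ..." line
# and this rule never fires - confirm with a test log line before relying on it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] User logged into a disabled account"; pcre: "/accepted|authenticated/i"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; parse_src_ip: 1; parse_port; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000411; program: sshd; sid: 5000411; rev:4;)
# Failed password for root from 10.10.0.1 port 17298 ssh2
# Note: these two use "$HOME_NET any" instead of "$SSH_PORT" like the rest of the
# file; presumably deliberate (sshd on a non-standard port) - confirm.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password - Brute force"; content: "Failed password"; program: sshd; normalize: openssh; classtype: unsuccessful-user; sid: 5001646; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001646; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password"; content: "Failed password"; program: sshd; normalize: openssh; classtype: unsuccessful-user; sid: 5001647; reference: url,wiki.quadrantsec.com/bin/view/Main/5001647; rev:2;)
# AIX 5 has a tendency to log ssh connections via program: syslog :(
# syslog ssh: failed login attempt for UNKNOWN_USER from 10.1.1.4
# Fixed: this rule used "parse_ip_src: 1", which is not the option spelled everywhere
# else in this file ("parse_src_ip: 1"); corrected so the rule parses when re-enabled.
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] SYSLOG Authentication failure - Brute force [5/5]"; content: "ssh|3a| failed login attempt"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001954; program: syslog; after: track by_src, count 5, seconds 300; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; sid: 5001954; rev:5;)
# Added by Robert Nunley - 02/20/2014 ([email protected])
# Matches any syslog line containing "Fail2Ban" - there is no "program:" restriction,
# so it also catches Fail2Ban's own informational messages, not only ban events.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Fail2Ban SSH Suspicious Activity"; content: "Fail2Ban"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001974; parse_src_ip: 1; sid: 5001974; rev:1;)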