From b35cb812a629d336082b47c95023b6174b8330f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Tokarski?=
Date: Sat, 31 Aug 2024 14:33:58 +0200
Subject: [PATCH] Update sshd-logs.yaml

Added new pattern syntax for sshd-logs
---
 parsers/s01-parse/crowdsecurity/sshd-logs.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
index dc05052bc31..c6883e459df 100644
--- a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
@@ -15,6 +15,7 @@ pattern_syntax:
   SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection (closed|reset) by (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
   #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
   SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
+  SSHD_PREAUTH_AUTHENTICATING_IP: 'Connection (closed|reset) by %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
   SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method|MAC) found.'
   # in case they are blocked by /etc/ssh/sshd_config AllowUsers xx yy
   SSHD_NOT_ALLOWED_USER: 'User %{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)? not allowed because not listed in AllowUsers'
@@ -45,6 +46,14 @@ nodes:
           value: ssh_failed-auth
         - meta: target_user
           expression: "evt.Parsed.sshd_invalid_user"
+  - grok:
+      name: "SSHD_PREAUTH_AUTHENTICATING_IP"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_failed-auth
+        - meta: target_user
+          expression: "evt.Parsed.sshd_invalid_user"
   - grok:
       name: "SSHD_DISC_PREAUTH"
       apply_on: message
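Review bot: The new `SSHD_PREAUTH_AUTHENTICATING_IP` pattern matches every "Connection closed/reset by IP port N [preauth]" line, i.e. any client that disconnects before authentication, not only clients that attempted and failed a login, and the second hunk labels every such match `ssh_failed-auth`. Unlike the two `_USER` patterns directly above it, there is no `authenticating|invalid user` fragment to tie the line to an actual authentication attempt, so TCP-level port checks and clients that drop during key exchange would presumably be counted toward a ban; whether that is acceptable for this parser's consumers is a judgement call that should be stated in the file. Add a comment above the pattern in the style of the existing `#following:` note, e.g. `# pre-auth disconnect with no username: also fires for clients that never attempted to authenticate (port probes, aborted key exchange), not only failed logins`. The `pattern_syntax:` mapping starts before this hunk and continues after it.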
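Review bot: The added grok node copies `target_user: evt.Parsed.sshd_invalid_user` from the node above it, but `SSHD_PREAUTH_AUTHENTICATING_IP` (first hunk) captures only `sshd_client_ip`, so this static reads a field the pattern never sets and, as far as the visible statics semantics go, would leave `target_user` empty or unset for every event from this node. Either drop the two lines `- meta: target_user` / `expression: "evt.Parsed.sshd_invalid_user"` from the new node, or keep them with a comment stating that no username is available here so the meta is intentionally blank, so that downstream scenarios filtering on `target_user` are not surprised. The `nodes:` sequence starts before this hunk and continues past it, so any other node that relies on a non-empty `target_user` for `ssh_failed-auth` events is outside the view and worth checking.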