SigmaHQ/rules/linux/lnx_susp_ssh.yml

29 lines
987 B
YAML
Raw Normal View History

2018-01-27 09:57:30 +00:00
title: Suspicious SSHD Error
2017-06-30 06:47:56 +00:00
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/openssh/openssh-portable/blob/master/ssherr.c
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
2017-06-30 06:47:56 +00:00
author: Florian Roth
date: 2017/06/30
logsource:
product: linux
service: sshd
detection:
keywords:
- '*unexpected internal error*'
- '*unknown or unsupported key type*'
- '*invalid certificate signing key*'
- '*invalid elliptic curve value*'
- '*incorrect signature*'
- '*error in libcrypto*'
- '*unexpected bytes remain after decoding*'
- '*fatal: buffer_get_string: bad string*'
- '*Local: crc32 compensation attack*'
- '*bad client public DH value*'
- '*Corrupted MAC on input*'
2017-06-30 06:47:56 +00:00
condition: keywords
falsepositives:
- Unknown
level: medium