2020-05-15 15:19:32 +00:00
|
|
|
title: Suspicious OpenSSH Daemon Error
|
2019-11-12 22:12:27 +00:00
|
|
|
id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
|
2020-09-14 04:03:04 +00:00
|
|
|
status: experimental
|
2019-11-12 22:12:27 +00:00
|
|
|
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
|
2017-06-30 06:47:56 +00:00
|
|
|
author: Florian Roth
|
|
|
|
|
date: 2017/06/30
|
2020-05-15 15:19:32 +00:00
|
|
|
modified: 2020/05/15
|
2020-09-14 04:03:04 +00:00
|
|
|
references:
|
|
|
|
|
- https://github.com/openssh/openssh-portable/blob/master/ssherr.c
|
|
|
|
|
- https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
|
2017-06-30 06:47:56 +00:00
|
|
|
logsource:
|
|
|
|
|
product: linux
|
|
|
|
|
service: sshd
|
|
|
|
|
detection:
|
2020-11-29 20:30:50 +00:00
|
|
|
keywords:
|
|
|
|
|
- '*unexpected internal error*'
|
|
|
|
|
- '*unknown or unsupported key type*'
|
|
|
|
|
- '*invalid certificate signing key*'
|
|
|
|
|
- '*invalid elliptic curve value*'
|
|
|
|
|
- '*incorrect signature*'
|
|
|
|
|
- '*error in libcrypto*'
|
|
|
|
|
- '*unexpected bytes remain after decoding*'
|
|
|
|
|
- '*fatal: buffer_get_string: bad string*'
|
|
|
|
|
- '*Local: crc32 compensation attack*'
|
|
|
|
|
- '*bad client public DH value*'
|
|
|
|
|
- '*Corrupted MAC on input*'
|
2017-06-30 06:47:56 +00:00
|
|
|
condition: keywords
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
|
|
|
|
level: medium
|
2020-09-14 04:03:04 +00:00
|
|
|
tags:
|
|
|
|
|
- attack.initial_access
|
2020-10-16 02:05:53 +00:00
|
|
|
- attack.t1190
|
