title: Suspicious SSHD Error
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
references: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
author: Florian Roth
date: 2017/06/30
logsource:
    product: linux
    service: sshd
detection:
    keywords:
        - 'unexpected internal error'
        - 'unknown or unsupported key type'
        - 'invalid certificate signing key'
        - 'invalid elliptic curve value'
        - 'incorrect signature'
        - 'error in libcrypto'
        - 'unexpected bytes remain after decoding'
    condition: keywords
falsepositives:
    - Unknown
level: medium