title: Suspicious SSHD Error
id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
author: Florian Roth
date: 2017/06/30
logsource:
    product: linux
    service: sshd
detection:
    keywords:
        - '*unexpected internal error*'
        - '*unknown or unsupported key type*'
        - '*invalid certificate signing key*'
        - '*invalid elliptic curve value*'
        - '*incorrect signature*'
        - '*error in libcrypto*'
        - '*unexpected bytes remain after decoding*'
        - '*fatal: buffer_get_string: bad string*'
        - '*Local: crc32 compensation attack*'
        - '*bad client public DH value*'
        - '*Corrupted MAC on input*'
    condition: keywords
falsepositives:
    - Unknown
level: medium