diff --git a/.github/workflows/update_taxonomy.yaml b/.github/workflows/update_taxonomy.yaml
index 0b264288121..b8b4d5a808b 100644
--- a/.github/workflows/update_taxonomy.yaml
+++ b/.github/workflows/update_taxonomy.yaml
@@ -53,7 +53,7 @@ jobs:
(git add taxonomy/ && git commit -m "Update taxonomy" && git pull --rebase origin ${BRANCH_NAME}) || exit 0 - name: Push changes
if: ${{ github.event_name == 'push'}}
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@v0.8.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}
diff --git a/.index.json b/.index.json
index 1fc0dcc200f..9b4dcbf5ce0 100644
--- a/.index.json
+++ b/.index.json
@@ -7507,7 +7507,7 @@ "crowdsecurity/sshd-logs": { "path": "parsers/s01-parse/crowdsecurity/sshd-logs.yaml", "stage": "s01-parse", - "version": "2.6", + "version": "2.7", "versions": { "0.1": { "digest": "ecd40cb8cd95e2bad398824ab67b479362cdbf0e1598b8833e2f537ae3ce2f93", 
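Review bot: Pinning `ad-m/github-push-action` to the `v0.8.0` tag is better than `master`, but a tag is a mutable ref that the action's maintainers (or anyone who gains write access to that repository) can move, so the workflow still executes whatever the tag points to at run time; pin to the full commit SHA and keep the tag as a comment, e.g. `uses: ad-m/github-push-action@<full-commit-sha-of-v0.8.0>  # v0.8.0`. This matters here because the step hands the action `secrets.GITHUB_TOKEN` (the `github_token:` line below the change), so the action's code runs with push rights on the repository. The `.index.json` hunk that shares this line is a generated index and is not reviewed.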
@@ -7612,10 +7612,14 @@ "2.6": { "digest": "30c49a38d17a5ace21f41cbe175164722d1bc89ca374b1520d432d94a208a725", "deprecated": false + }, + "2.7": { + "digest": "7d541c12f97b090c5f7259b1d2c57fc6205aeea16fc7103d5bbf317f8023f27d", + "deprecated": false } }, "long_description": "WW91ciBvbmUgZml0cy1hbGwgc3NoIHBhcnNlciB3aXRoIHN1cHBvcnQgZm9yIHRoZSBtb3N0IGNvbW1vbiBraW5kIG9mIGZhaWxlZCBhdXRoZW50aWNhdGlvbnMgYW5kIGVycm9ycy4KCg==", - "content": "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", + "content": "b25zdWNjZXNzOiBuZXh0X3N0YWdlCiNkZWJ1ZzogdHJ1ZQpmaWx0ZXI6ICJldnQuUGFyc2VkLnByb2dyYW0gPT0gJ3NzaGQnIgpuYW1lOiBjcm93ZHNlY3VyaXR5L3NzaGQtbG9ncwpkZXNjcmlwdGlvbjogIlBhcnNlIG9wZW5TU0ggbG9ncyIKcGF0dGVybl9zeW50YXg6CiAgIyBUaGUgSVAgZ3JvayBwYXR0ZXJuIHRoYXQgc2hpcHMgd2l0aCBjcm93ZHNlYyBpcyBidWdneSBhbmQgZG9lcyBub3QgY2FwdHVyZSB0aGUgbGFzdCBkaWdpdCBvZiBhbiBJUCBpZiBpdCBpcyB0aGUgbGFzdCB0aGluZyBpdCBtYXRjaGVzLCBhbmQgdGhlIGxhc3Qgb2N0ZXQgc3RhcnRzIHdpdGggYSAyCiAgIyBodHRwczovL2dpdGh1Yi5jb20vY3Jvd2RzZWN1cml0eS9jcm93ZHNlYy9pc3N1ZXMvOTM4CiAgSVB2NF9XT1JLQVJPVU5EOiAoPzooPzoyNVswLTVdfDJbMC00XVswLTldfFswMV0/WzAtOV1bMC05XT8pXC4pezN9KD86MjVbMC01XXwyWzAtNF1bMC05XXxbMDFdP1swLTldWzAtOV0/KQogIElQX1dPUktBUk9VTkQ6ICg/OiV7SVBWNn18JXtJUHY0X1dPUktBUk9VTkR9KQogIFNTSERfQVVUSF9GQUlMOiAncGFtXyV7REFUQTpwYW1fdHlwZX1cKHNzaGQ6YXV0aFwpOiBhdXRoZW50aWNhdGlvbiBmYWlsdXJlOyBsb2duYW1lPSB1aWQ9JXtOVU1CRVI6dWlkfT8gZXVpZD0le05VTUJFUjpldWlkfT8gdHR5PXNzaCBydXNlcj0gcmhvc3Q9JXtJUF9XT1JLQVJPVU5EOnNzaGRfY2xpZW50X2lwfSggJXtTUEFDRX11c2VyPSV7VVNFUk5BTUU6c3NoZF9pbnZhbGlkX3VzZXJ9KT8nCiAgU1NIRF9NQUdJQ19WQUxVRV9GQUlMRUQ6ICdNYWdpYyB2YWx1ZSBjaGVjayBmYWlsZWQgXChcZCtcKSBvbiBvYmZ1c2NhdGVkIGhhbmRzaGFrZSBmcm9tICV7SVBfV09SS0FST1VORDpzc2hkX2NsaWVudF9pcH0gcG9ydCBcZCsnCiAgU1NIRF9JTlZBTElEX1VTRVI6ICdJbnZhbGlkIHVzZXJccyole1VTRVJOQU1FOnNzaGRfaW52YWxpZF91c2VyfT8gZnJvbSAle0lQX1dPUktBUk9VTkQ6c3NoZF9jbGllbnRfaXB9KCBwb3J0IFxkKyk/JwogIFNTSERfSU5WQUxJRF9CQU5ORVI6ICdiYW5uZXIgZXhjaGFuZ2U6IENvbm5lY3Rpb24gZnJvbSAle0lQX1dPUktBUk9VTkQ6c3NoZF9jbGllbnRfaXB9IHBvcnQgXGQrOiBpbn
ZhbGlkIGZvcm1hdCcKICBTU0hEX1BSRUFVVEhfQVVUSEVOVElDQVRJTkdfVVNFUjogJ0Nvbm5lY3Rpb24gKGNsb3NlZHxyZXNldCkgYnkgKGF1dGhlbnRpY2F0aW5nfGludmFsaWQpIHVzZXIgJXtVU0VSTkFNRTpzc2hkX2ludmFsaWRfdXNlcn0gJXtJUF9XT1JLQVJPVU5EOnNzaGRfY2xpZW50X2lwfSBwb3J0IFxkKyBcW3ByZWF1dGhcXScKICAjZm9sbG93aW5nOiBodHRwczovL2dpdGh1Yi5jb20vY3Jvd2RzZWN1cml0eS9jcm93ZHNlYy9pc3N1ZXMvMTIwMSAtIHNvbWUgc2Nhbm5lcnMgYmVoYXZlIGRpZmZlcmVudGx5IGFuZCB0cmlnZ2VyIHRoaXMgb25lCiAgU1NIRF9QUkVBVVRIX0FVVEhFTlRJQ0FUSU5HX1VTRVJfQUxUOiAnRGlzY29ubmVjdGVkIGZyb20gKGF1dGhlbnRpY2F0aW5nfGludmFsaWQpIHVzZXIgJXtVU0VSTkFNRTpzc2hkX2ludmFsaWRfdXNlcn0gJXtJUF9XT1JLQVJPVU5EOnNzaGRfY2xpZW50X2lwfSBwb3J0IFxkKyBcW3ByZWF1dGhcXScKICBTU0hEX0JBRF9LRVlfTkVHT1RJQVRJT046ICdVbmFibGUgdG8gbmVnb3RpYXRlIHdpdGggJXtJUF9XT1JLQVJPVU5EOnNzaGRfY2xpZW50X2lwfSBwb3J0IFxkKzogbm8gbWF0Y2hpbmcgKGhvc3Qga2V5IHR5cGV8a2V5IGV4Y2hhbmdlIG1ldGhvZHxNQUMpIGZvdW5kLicKICAjIGluIGNhc2UgdGhleSBhcmUgYmxvY2tlZCBieSAvZXRjL3NzaC9zc2hkX2NvbmZpZyBBbGxvd1VzZXJzIHh4IHl5CiAgU1NIRF9OT1RfQUxMT1dFRF9VU0VSOiAnVXNlciAle1VTRVJOQU1FOnNzaGRfaW52YWxpZF91c2VyfT8gZnJvbSAle0lQX1dPUktBUk9VTkQ6c3NoZF9jbGllbnRfaXB9KCBwb3J0IFxkKyk/IG5vdCBhbGxvd2VkIGJlY2F1c2Ugbm90IGxpc3RlZCBpbiBBbGxvd1VzZXJzJwogIFNTSERfQVVUSF9USU1FT1VUOiAnVGltZW91dCBiZWZvcmUgYXV0aGVudGljYXRpb24gZm9yICV7SVBfV09SS0FST1VORDpzc2hkX2NsaWVudF9pcH0oIHBvcnQgXGQrKT8nCiAgU1NIRF9ESVNQQVRDSF9GQVRBTDogJ3NzaF9kaXNwYXRjaF9ydW5fZmF0YWw6IENvbm5lY3Rpb24gZnJvbSAle0lQX1dPUktBUk9VTkQ6c3NoZF9jbGllbnRfaXB9KCBwb3J0IFxkKyk/OiBtZXNzYWdlIGF1dGhlbnRpY2F0aW9uIGNvZGUgaW5jb3JyZWN0IFxbcHJlYXV0aFxdJwpub2RlczoKICAtIGdyb2s6CiAgICAgIG5hbWU6ICJTU0hEX0ZBSUwiCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCiAgICAgIHN0YXRpY3M6CiAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgdmFsdWU6IHNzaF9mYWlsZWQtYXV0aAogICAgICAgIC0gbWV0YTogdGFyZ2V0X3VzZXIKICAgICAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLnNzaGRfaW52YWxpZF91c2VyIgogIC0gZ3JvazoKICAgICAgbmFtZTogIlNTSERfUFJFQVVUSF9BVVRIRU5USUNBVElOR19VU0VSX0FMVCIKICAgICAgYXBwbHlfb246IG1lc3NhZ2UKICAgICAgc3RhdGljczoKICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICB2YWx1ZTogc3NoX2
ZhaWxlZC1hdXRoCiAgICAgICAgLSBtZXRhOiB0YXJnZXRfdXNlcgogICAgICAgICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQuc3NoZF9pbnZhbGlkX3VzZXIiCiAgLSBncm9rOgogICAgICBuYW1lOiAiU1NIRF9QUkVBVVRIX0FVVEhFTlRJQ0FUSU5HX1VTRVIiCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCiAgICAgIHN0YXRpY3M6CiAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgdmFsdWU6IHNzaF9mYWlsZWQtYXV0aAogICAgICAgIC0gbWV0YTogdGFyZ2V0X3VzZXIKICAgICAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLnNzaGRfaW52YWxpZF91c2VyIgogIC0gZ3JvazoKICAgICAgbmFtZTogIlNTSERfRElTQ19QUkVBVVRIIgogICAgICBhcHBseV9vbjogbWVzc2FnZQogIC0gZ3JvazoKICAgICAgbmFtZTogIlNTSERfQkFEX1ZFUlNJT04iCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCiAgLSBncm9rOgogICAgICBuYW1lOiAiU1NIRF9JTlZBTElEX1VTRVIiCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCiAgICAgIHN0YXRpY3M6CiAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgdmFsdWU6IHNzaF9mYWlsZWQtYXV0aAogICAgICAgIC0gbWV0YTogdGFyZ2V0X3VzZXIKICAgICAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLnNzaGRfaW52YWxpZF91c2VyIgogIC0gZ3JvazoKICAgICAgbmFtZTogIlNTSERfTk9UX0FMTE9XRURfVVNFUiIKICAgICAgYXBwbHlfb246IG1lc3NhZ2UKICAgICAgc3RhdGljczoKICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICB2YWx1ZTogc3NoX2ZhaWxlZC1hdXRoCiAgICAgICAgLSBtZXRhOiB0YXJnZXRfdXNlcgogICAgICAgICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQuc3NoZF9pbnZhbGlkX3VzZXIiCiAgLSBncm9rOgogICAgICBuYW1lOiAiU1NIRF9JTlZBTElEX0JBTk5FUiIKICAgICAgYXBwbHlfb246IG1lc3NhZ2UKICAgICAgc3RhdGljczoKICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICB2YWx1ZTogc3NoX2ZhaWxlZC1hdXRoCiAgICAgICAgLSBtZXRhOiBleHRyYV9sb2dfdHlwZQogICAgICAgICAgdmFsdWU6IHNzaF9iYWRfYmFubmVyCiAgLSBncm9rOgogICAgICBuYW1lOiAiU1NIRF9VU0VSX0ZBSUwiCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCiAgICAgIHN0YXRpY3M6CiAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgdmFsdWU6IHNzaF9mYWlsZWQtYXV0aAogICAgICAgIC0gbWV0YTogdGFyZ2V0X3VzZXIKICAgICAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLnNzaGRfaW52YWxpZF91c2VyIgogIC0gZ3JvazoKICAgICAgbmFtZTogIlNTSERfQVVUSF9GQUlMIgogICAgICBhcHBseV9vbjogbWVzc2FnZQogICAgICBzdGF0aWNzOgogICAgICAgIC0gbWV0YTogbG9nX3R5cGUKICAgICAgICAgIHZhbHVlOiBzc2hfZmFpbGVkLWF1dGgKICAgICAgICAtIG1ldGE6IHRhcmdldF91c2VyCiAgICAgICAgICBleH
ByZXNzaW9uOiAiZXZ0LlBhcnNlZC5zc2hkX2ludmFsaWRfdXNlciIKICAtIGdyb2s6CiAgICAgIG5hbWU6ICJTU0hEX01BR0lDX1ZBTFVFX0ZBSUxFRCIKICAgICAgYXBwbHlfb246IG1lc3NhZ2UKICAgICAgc3RhdGljczoKICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICB2YWx1ZTogc3NoX2ZhaWxlZC1hdXRoCiAgICAgICAgLSBtZXRhOiB0YXJnZXRfdXNlcgogICAgICAgICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQuc3NoZF9pbnZhbGlkX3VzZXIiCiAgLSBncm9rOgogICAgICBuYW1lOiAiU1NIRF9CQURfS0VZX05FR09USUFUSU9OIgogICAgICBhcHBseV9vbjogbWVzc2FnZQogICAgICBzdGF0aWNzOgogICAgICAgIC0gbWV0YTogbG9nX3R5cGUKICAgICAgICAgIHZhbHVlOiBzc2hfYmFkX2tleWV4Y2hhbmdlCiAgLSBncm9rOgogICAgICBuYW1lOiAiU1NIRF9BVVRIX1RJTUVPVVQiCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCiAgICAgIHN0YXRpY3M6CiAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgdmFsdWU6IHNzaF9hdXRoX3RpbWVvdXQKICAtIGdyb2s6CiAgICAgIG5hbWU6ICJTU0hEX0RJU1BBVENIX0ZBVEFMIgogICAgICBhcHBseV9vbjogbWVzc2FnZQogICAgICBzdGF0aWNzOgogICAgICAgIC0gbWV0YTogbG9nX3R5cGUKICAgICAgICAgIHZhbHVlOiBzc2hfZGlzcGF0Y2hfZmF0YWwKc3RhdGljczoKICAtIG1ldGE6IHNlcnZpY2UKICAgIHZhbHVlOiBzc2gKICAtIG1ldGE6IHNvdXJjZV9pcAogICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQuc3NoZF9jbGllbnRfaXAiCg==", "description": "Parse openSSH logs", "author": "crowdsecurity", "labels": null @@ -13946,15 +13950,19 @@ }, "crowdsecurity/ssh-cve-2024-6387": { "path": "scenarios/crowdsecurity/ssh-cve-2024-6387.yaml", - "version": "0.1", + "version": "0.2", "versions": { "0.1": { "digest": "1a36e33f8743790c5544faa999aa8dd062f6e2b696e16232d3a3f28576119503", "deprecated": false + }, + "0.2": { + "digest": "7888f1f31ea75d55f7b4bdf56b6f0840ca4ecbd937af0655cdf263062a11e85a", + "deprecated": false } }, "long_description": "RGV0ZWN0IGV4cGxvaXRhdGlvbiBhdHRlbXB0cyBvZiBDVkUtMjAyNC02Mzg3CiA=", - "content": "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", + "content": "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", "description": "Detect exploitation attempt of CVE-2024-6387", "author": "crowdsecurity", "labels": { 
diff --git a/.tests/ssh-timeout/scenario.assert b/.tests/ssh-timeout/scenario.assert
index c51a2e168db..a744e18fed4 100644
--- a/.tests/ssh-timeout/scenario.assert
+++ b/.tests/ssh-timeout/scenario.assert
@@ -1,37 +1,73 @@
-len(results) == 1
-"192.168.9.212" in results[0].Overflow.GetSources()
-results[0].Overflow.Sources["192.168.9.212"].IP == "192.168.9.212"
-results[0].Overflow.Sources["192.168.9.212"].Range == ""
-results[0].Overflow.Sources["192.168.9.212"].GetScope() == "Ip"
-results[0].Overflow.Sources["192.168.9.212"].GetValue() == "192.168.9.212"
+len(results) == 2
+"192.168.9.213" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.9.213"].IP == "192.168.9.213"
+results[0].Overflow.Sources["192.168.9.213"].Range == ""
+results[0].Overflow.Sources["192.168.9.213"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.9.213"].GetValue() == "192.168.9.213"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "ssh-timeout.log"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_auth_timeout"
-results[0].Overflow.Alert.Events[0].GetMeta("machine") == "usbkey"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_dispatch_fatal"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "instance-20240401-2335"
results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
-results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.212"
-results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-07-01T09:30:56Z"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.213"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-07-02T11:32:16Z"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "ssh-timeout.log"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_auth_timeout"
-results[0].Overflow.Alert.Events[1].GetMeta("machine") == "usbkey"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_dispatch_fatal"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "instance-20240401-2335"
results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
-results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.212"
-results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-07-01T09:31:26Z"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.213"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-07-02T11:32:16Z"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "ssh-timeout.log"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_auth_timeout"
-results[0].Overflow.Alert.Events[2].GetMeta("machine") == "usbkey"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_dispatch_fatal"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "instance-20240401-2335"
results[0].Overflow.Alert.Events[2].GetMeta("service") == "ssh"
-results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.212"
-results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-07-01T09:31:56Z"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.213"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-07-02T11:32:16Z"
results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "ssh-timeout.log"
results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_auth_timeout"
-results[0].Overflow.Alert.Events[3].GetMeta("machine") == "usbkey"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_dispatch_fatal"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "instance-20240401-2335"
results[0].Overflow.Alert.Events[3].GetMeta("service") == "ssh"
-results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.212"
-results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-07-01T09:32:26Z"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.213"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-07-02T11:32:16Z"
results[0].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-cve-2024-6387"
results[0].Overflow.Alert.Remediation == true
-results[0].Overflow.Alert.GetEventsCount() == 4
\ No newline at end of file
+results[0].Overflow.Alert.GetEventsCount() == 4
+"192.168.9.212" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["192.168.9.212"].IP == "192.168.9.212"
+results[1].Overflow.Sources["192.168.9.212"].Range == ""
+results[1].Overflow.Sources["192.168.9.212"].GetScope() == "Ip"
+results[1].Overflow.Sources["192.168.9.212"].GetValue() == "192.168.9.212"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "ssh-timeout.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_auth_timeout"
+results[1].Overflow.Alert.Events[0].GetMeta("machine") == "usbkey"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-07-01T09:30:56Z"
+results[1].Overflow.Alert.Events[1].GetMeta("datasource_path") == "ssh-timeout.log"
+results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_auth_timeout"
+results[1].Overflow.Alert.Events[1].GetMeta("machine") == "usbkey"
+results[1].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
+results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-07-01T09:31:26Z"
+results[1].Overflow.Alert.Events[2].GetMeta("datasource_path") == "ssh-timeout.log"
+results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_auth_timeout"
+results[1].Overflow.Alert.Events[2].GetMeta("machine") == "usbkey"
+results[1].Overflow.Alert.Events[2].GetMeta("service") == "ssh"
+results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-07-01T09:31:56Z"
+results[1].Overflow.Alert.Events[3].GetMeta("datasource_path") == "ssh-timeout.log"
+results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_auth_timeout"
+results[1].Overflow.Alert.Events[3].GetMeta("machine") == "usbkey"
+results[1].Overflow.Alert.Events[3].GetMeta("service") == "ssh"
+results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.9.212"
+results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-07-01T09:32:26Z"
+results[1].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-cve-2024-6387"
+results[1].Overflow.Alert.Remediation == true
+results[1].Overflow.Alert.GetEventsCount() == 4
diff --git a/.tests/ssh-timeout/ssh-timeout.log b/.tests/ssh-timeout/ssh-timeout.log
index 7f3d2a001ad..2e6d90109a4 100644
--- a/.tests/ssh-timeout/ssh-timeout.log
+++ b/.tests/ssh-timeout/ssh-timeout.log
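Review bot: The rewritten expectations depend on overflow ordering: `results[0]` is now the `192.168.9.213` bucket (events stamped `2024-07-02T11:32:16Z`) and `results[1]` the original `192.168.9.212` bucket (`2024-07-01`), the reverse of the order in which the lines appear in `ssh-timeout.log`. If the harness does not guarantee a stable order of overflows, every `results[N]` index in this file becomes brittle; the safer layout is presumably one source per test directory, so the dispatch-fatal sample would get its own test rather than being appended to `ssh-timeout`. The four new events also share one timestamp, so the assert exercises only the "burst within a second" path of the leaky bucket and not the `leakspeed` window the original four lines covered.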
@@ -2,3 +2,7 @@ Jul 1 09:30:56 usbkey sshd[8807]: fatal: Timeout before authentication for 192.
Jul 1 09:31:26 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
Jul 1 09:31:56 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
Jul 1 09:32:26 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
+Jul 2 11:32:16 instance-20240401-2335 sshd[309785]: ssh_dispatch_run_fatal: Connection from 192.168.9.213 port 48680: message authentication code incorrect [preauth]
+Jul 2 11:32:16 instance-20240401-2335 sshd[309785]: ssh_dispatch_run_fatal: Connection from 192.168.9.213 port 48680: message authentication code incorrect [preauth]
+Jul 2 11:32:16 instance-20240401-2335 sshd[309785]: ssh_dispatch_run_fatal: Connection from 192.168.9.213 port 48680: message authentication code incorrect [preauth]
+Jul 2 11:32:16 instance-20240401-2335 sshd[309785]: ssh_dispatch_run_fatal: Connection from 192.168.9.213 port 48680: message authentication code incorrect [preauth]
diff --git a/.tests/sshd-logs/parser.assert b/.tests/sshd-logs/parser.assert
index 92a438d196e..c347f2adefe 100644
--- a/.tests/sshd-logs/parser.assert
+++ b/.tests/sshd-logs/parser.assert
@@ -1,5 +1,5 @@
len(results) == 3
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 19
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 20
results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "Invalid user pascal from 35.188.49.176 port 53502"
@@ -190,7 +190,17 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["datasource_path"]
results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["datasource_type"] == "file"
results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Meta["machine"] == "usbkey"
results["s00-raw"]["crowdsecurity/syslog-logs"][18].Evt.Whitelisted == false
-len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 19
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["message"] == "ssh_dispatch_run_fatal: Connection from 192.168.9.213 port 48680: message authentication code incorrect [preauth]"
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["pid"] == "309785"
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["program"] == "sshd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Parsed["timestamp"] == "Jul 2 11:32:16"
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Meta["datasource_path"] == "sshd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Meta["machine"] == "instance-20240401-2335"
+results["s00-raw"]["crowdsecurity/syslog-logs"][19].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 20
results["s01-parse"]["crowdsecurity/sshd-logs"][0].Success == true
results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["logsource"] == "syslog"
results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["message"] == "Invalid user pascal from 35.188.49.176 port 53502"
@@ -474,4 +484,18 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Meta["machine"] == "usbk
results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Meta["service"] == "ssh"
results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Meta["source_ip"] == "192.168.9.212"
results["s01-parse"]["crowdsecurity/sshd-logs"][18].Evt.Whitelisted == false
-len(results["success"][""]) == 0
\ No newline at end of file
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Success == true
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Parsed["message"] == "ssh_dispatch_run_fatal: Connection from 192.168.9.213 port 48680: message authentication code incorrect [preauth]"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Parsed["pid"] == "309785"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Parsed["program"] == "sshd"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Parsed["sshd_client_ip"] == "192.168.9.213"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Parsed["timestamp"] == "Jul 2 11:32:16"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Meta["datasource_path"] == "sshd-logs.log"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Meta["log_type"] == "ssh_dispatch_fatal"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Meta["machine"] == "instance-20240401-2335"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Meta["service"] == "ssh"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Meta["source_ip"] == "192.168.9.213"
+results["s01-parse"]["crowdsecurity/sshd-logs"][19].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/sshd-logs/sshd-logs.log b/.tests/sshd-logs/sshd-logs.log
index 337b440b167..422d59ce0e5 100644
--- a/.tests/sshd-logs/sshd-logs.log
+++ b/.tests/sshd-logs/sshd-logs.log
@@ -16,4 +16,5 @@ Jul 7 06:11:48 node1 sshd[1625360]: Unable to negotiate with 123.123.123.123 po
Feb 8 17:15:01 hostname sshd[1478159]: Connection reset by authenticating user root 80.94.92.63 port 49115 [preauth]
2023-11-14T00:20:42.738197+01:00 myserver sshd[1112652]: User root from 192.168.1.1 not allowed because not listed in AllowUsers
Apr 6 18:51:41 eve sshd[2784424]: Failed password for invalid user root from 192.168.1.2 port 51182 ssh2
-Jul 1 09:30:56 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
\ No newline at end of file
+Jul 1 09:30:56 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
+Jul 2 11:32:16 instance-20240401-2335 sshd[309785]: ssh_dispatch_run_fatal: Connection from 192.168.9.213 port 48680: message authentication code incorrect [preauth]
\ No newline at end of file
diff --git a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
index 59f4db6ef2e..18751b976a2 100644
--- a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
@@ -4,8 +4,8 @@ filter: "evt.Parsed.program == 'sshd'"
name: crowdsecurity/sshd-logs
description: "Parse openSSH logs"
pattern_syntax:
-# The IP grok pattern that ships with crowdsec is buggy and does not capture the last digit of an IP if it is the last thing it matches, and the last octet starts with a 2
-# https://github.com/crowdsecurity/crowdsec/issues/938
+ # The IP grok pattern that ships with crowdsec is buggy and does not capture the last digit of an IP if it is the last thing it matches, and the last octet starts with a 2
+ # https://github.com/crowdsecurity/crowdsec/issues/938
IPv4_WORKAROUND: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
IP_WORKAROUND: (?:%{IPV6}|%{IPv4_WORKAROUND})
SSHD_AUTH_FAIL: 'pam_%{DATA:pam_type}\(sshd:auth\): authentication failure; logname= uid=%{NUMBER:uid}? euid=%{NUMBER:euid}? tty=ssh ruser= rhost=%{IP_WORKAROUND:sshd_client_ip}( %{SPACE}user=%{USERNAME:sshd_invalid_user})?'
@@ -16,9 +16,10 @@ pattern_syntax:
#following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method|MAC) found.'
-# in case they are blocked by /etc/ssh/sshd_config AllowUsers xx yy
+ # in case they are blocked by /etc/ssh/sshd_config AllowUsers xx yy
SSHD_NOT_ALLOWED_USER: 'User %{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)? not allowed because not listed in AllowUsers'
SSHD_AUTH_TIMEOUT: 'Timeout before authentication for %{IP_WORKAROUND:sshd_client_ip}( port \d+)?'
+ SSHD_DISPATCH_FATAL: 'ssh_dispatch_run_fatal: Connection from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?: message authentication code incorrect \[preauth\]'
nodes: - grok:
name: "SSHD_FAIL"
@@ -82,7 +83,7 @@ nodes:
value: ssh_failed-auth - meta: target_user
expression: "evt.Parsed.sshd_invalid_user"
- - grok:
+ - grok:
name: "SSHD_AUTH_FAIL"
apply_on: message
statics:
@@ -90,7 +91,7 @@ nodes:
value: ssh_failed-auth - meta: target_user
expression: "evt.Parsed.sshd_invalid_user"
- - grok:
+ - grok:
name: "SSHD_MAGIC_VALUE_FAILED"
apply_on: message
statics:
@@ -110,8 +111,14 @@ nodes:
statics: - meta: log_type
value: ssh_auth_timeout
+ - grok:
+ name: "SSHD_DISPATCH_FATAL"
+ apply_on: message
+ statics:
+ - meta: log_type
+ value: ssh_dispatch_fatal
statics:
- - meta: service
- value: ssh
- - meta: source_ip
- expression: "evt.Parsed.sshd_client_ip"
+ - meta: service
+ value: ssh
+ - meta: source_ip
+ expression: "evt.Parsed.sshd_client_ip"
diff --git a/scenarios/crowdsecurity/ssh-cve-2024-6387.yaml b/scenarios/crowdsecurity/ssh-cve-2024-6387.yaml
index 929d8176257..c1b0dd07803 100644
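Review bot: The new `SSHD_DISPATCH_FATAL` pattern in the first hunk matches only the `message authentication code incorrect` reason, yet the `log_type` the new node sets in the last hunk (`ssh_dispatch_fatal`) reads as if every `ssh_dispatch_run_fatal` line were covered; other reasons sshd may log with the same `Connection from <ip> port <n>:` prefix will simply not parse, and nothing in the file says so. Since the scenario in this commit already consumes the meta value, renaming it now would break that filter, so document the restriction next to the pattern instead, e.g. ` # only the bad-MAC preauth variant of ssh_dispatch_run_fatal is matched; consumed by scenarios/crowdsecurity/ssh-cve-2024-6387.yaml`. Like `SSHD_AUTH_TIMEOUT` and `SSHD_BAD_KEY_NEGOTIATION`, this line carries no username, so the node correctly sets only `log_type` and leaves `source_ip` to the top-level `statics`. The other hunks on this line only re-indent existing lines.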
--- a/scenarios/crowdsecurity/ssh-cve-2024-6387.yaml
+++ b/scenarios/crowdsecurity/ssh-cve-2024-6387.yaml
@@ -2,7 +2,7 @@
type: leaky
name: crowdsecurity/ssh-cve-2024-6387
description: "Detect exploitation attempt of CVE-2024-6387"
-filter: "evt.Meta.log_type == 'ssh_auth_timeout'"
+filter: "evt.Meta.log_type in ['ssh_auth_timeout', 'ssh_dispatch_fatal']"
leakspeed: "180s"
capacity: 3
groupby: evt.Meta.source_ip
@@ -17,4 +17,4 @@ labels: - cve.CVE-2024-6387
label: "SSH CVE-2024-6387"
behavior: "ssh:exploit"
- remediation: true
\ No newline at end of file
+ remediation: true
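Review bot: Widening `filter` to accept `ssh_dispatch_fatal` changes what gets banned under the CVE-2024-6387 label, but neither `description` nor a comment records why a bad-MAC `[preauth]` failure counts as an exploitation attempt, and with `capacity: 3` and `leakspeed: "180s"` four such lines from one address (the fixture in this commit has all four in the same second) reach `remediation: true`. Corrupted transport or misbehaving clients can presumably also produce `message authentication code incorrect`, so the precision of this second signal is worth stating where the next maintainer will look; add a comment above the filter, e.g. `# ssh_dispatch_fatal = bad-MAC preauth failures from parser SSHD_DISPATCH_FATAL (added in 0.2); tune capacity/leakspeed if these appear on healthy hosts`. The second hunk only adds the missing newline at end of file.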