diff --git a/.tests/sshd-logs/parser.assert b/.tests/sshd-logs/parser.assert
index 2d9a2ffc2f5..72c323483eb 100644
--- a/.tests/sshd-logs/parser.assert
+++ b/.tests/sshd-logs/parser.assert
@@ -1,5 +1,5 @@
 len(results) == 3
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 16
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 18
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "sshd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Feb 12 14:10:21"
@@ -144,7 +144,26 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Parsed["message"] == "Co
 results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_path"] == "sshd-logs.log"
 results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][15].Evt.Meta["machine"] == "hostname"
-len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 16
+results["s00-raw"]["crowdsecurity/syslog-logs"][16].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["pid"] == "277078"
+results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["program"] == "sshd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["timestamp"] == "Apr 05 16:29:20"
+results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Parsed["message"] == "Connection closed by 87.236.176.236 port 52909"
+results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["datasource_path"] == "sshd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][16].Evt.Meta["machine"] == "hostname"
+
+results["s00-raw"]["crowdsecurity/syslog-logs"][17].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["pid"] == "277079"
+results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["program"] == "sshd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["timestamp"] == "Apr 05 16:29:20"
+results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Parsed["message"] == "Connection closed by 87.236.176.236 port 44845 [preauth]"
+results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["datasource_path"] == "sshd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][17].Evt.Meta["machine"] == "hostname"
+len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 18
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Success == true
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["pid"] == "16378"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["sshd_invalid_user"] == "pascal"
@@ -365,4 +384,31 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["machine"] == "host
 results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["source_ip"] == "80.94.92.63"
 results["s01-parse"]["crowdsecurity/sshd-logs"][15].Evt.Meta["target_user"] == "root"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Success == true
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["pid"] == "277078"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["sshd_client_ip"] == "87.236.176.236"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["message"] == "Connection closed by 87.236.176.236 port 52909"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["program"] == "sshd"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Parsed["timestamp"] == "Apr 05 16:29:20"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["datasource_path"] == "sshd-logs.log"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["machine"] == "hostname"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["service"] == "ssh"
+results["s01-parse"]["crowdsecurity/sshd-logs"][16].Evt.Meta["source_ip"] == "87.236.176.236"
+
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Success == true
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Parsed["pid"] == "277079"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Parsed["sshd_client_ip"] == "87.236.176.236"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Parsed["message"] == "Connection closed by 87.236.176.236 port 44845 [preauth]"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Parsed["program"] == "sshd"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Parsed["timestamp"] == "Apr 05 16:29:20"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["datasource_path"] == "sshd-logs.log"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["machine"] == "hostname"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["service"] == "ssh"
+results["s01-parse"]["crowdsecurity/sshd-logs"][17].Evt.Meta["source_ip"] == "87.236.176.236"
 len(results["success"][""]) == 0
\ No newline at end of file
diff --git a/.tests/sshd-logs/sshd-logs.log b/.tests/sshd-logs/sshd-logs.log
index 3ae87d36088..cdc74bb5ffb 100644
--- a/.tests/sshd-logs/sshd-logs.log
+++ b/.tests/sshd-logs/sshd-logs.log
@@ -13,4 +13,6 @@ Aug 03 21:39:20 hostname sshd[69420]: Connection closed by invalid user root 206
 Jun 8 10:44:36 server sshd[3204729]: Unable to negotiate with 123.57.135.134 port 45626: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
 Jun 7 04:07:10 server sshd[1941162]: Unable to negotiate with 206.189.59.169 port 34386: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
 Jul 7 06:11:48 node1 sshd[1625360]: Unable to negotiate with 123.123.123.123 port 45296: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha1,hmac-sha1-96 [preauth]
-Feb 8 17:15:01 hostname sshd[1478159]: Connection reset by authenticating user root 80.94.92.63 port 49115 [preauth]
\ No newline at end of file
+Feb 8 17:15:01 hostname sshd[1478159]: Connection reset by authenticating user root 80.94.92.63 port 49115 [preauth]
+Apr 05 16:29:20 hostname sshd[277078]: Connection closed by 87.236.176.236 port 52909
+Apr 05 16:29:20 hostname sshd[277079]: Connection closed by 87.236.176.236 port 44845 [preauth]
\ No newline at end of file
diff --git a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
index 55dea911e40..195bf549d83 100644
--- a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
@@ -12,7 +12,7 @@ pattern_syntax:
  SSHD_MAGIC_VALUE_FAILED: 'Magic value check failed \(\d+\) on obfuscated handshake from %{IP_WORKAROUND:sshd_client_ip} port \d+'
  SSHD_INVALID_USER: 'Invalid user\s*%{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?'
  SSHD_INVALID_BANNER: 'banner exchange: Connection from %{IP_WORKAROUND:sshd_client_ip} port \d+: invalid format'
- SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection (closed|reset) by (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
+ SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection (closed|reset) by( (authenticating|invalid) user %{USERNAME:sshd_invalid_user})? %{IP_WORKAROUND:sshd_client_ip} port \d+( \[preauth\])?'
  #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
  SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
  SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method|MAC) found.'
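Review bot: The relaxed `SSHD_PREAUTH_AUTHENTICATING_USER` pattern on the added line now also matches a bare `Connection closed by <ip> port <n>` with neither a user nor `[preauth]`, and the parser.assert hunk shows exactly such an event (index 16) ending up with `log_type == "ssh_failed-auth"` and no `target_user`. That message also covers connections that close before any authentication is attempted (port scanners, but likewise monitoring probes or health checks), so per-`source_ip` failed-auth counts may now include hosts that never tried to log in, and the `[preauth]`-only variant would not. If that widening is intended it deserves a comment next to the pattern, e.g. `# also matches bare 'Connection closed by <ip> port <n>' (no user, no [preauth]); counted as ssh_failed-auth on purpose`; otherwise keep `\[preauth\]` mandatory when the user group is absent. The `pattern_syntax:` mapping continues outside the hunk, and the node that assigns `log_type` is presumably further down the file, so that decision cannot be confirmed here.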