From b35cb812a629d336082b47c95023b6174b8330f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Tokarski?= <rtokarski@pm.me>
Date: Sat, 31 Aug 2024 14:33:58 +0200
Subject: [PATCH] Update sshd-logs.yaml

Added new pattern syntax for sshd-logs
---
 parsers/s01-parse/crowdsecurity/sshd-logs.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
index dc05052bc31..c6883e459df 100644
--- a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
@@ -15,6 +15,7 @@ pattern_syntax:
   SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection (closed|reset) by (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
   #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
   SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
+  SSHD_PREAUTH_AUTHENTICATING_IP: 'Connection (closed|reset) by %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
   SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method|MAC) found.'
   # in case they are blocked by /etc/ssh/sshd_config AllowUsers xx yy
   SSHD_NOT_ALLOWED_USER: 'User %{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)? not allowed because not listed in AllowUsers'
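Review bot: The new SSHD_PREAUTH_AUTHENTICATING_IP pattern has no explanatory comment, unlike the neighbouring SSHD_PREAUTH_AUTHENTICATING_USER_ALT entry, which documents why it exists; the new line only captures `sshd_client_ip` and intentionally matches a pre-auth close where no username appears at all, which is a different event from the user-bearing patterns above it. If this line is also emitted by clients that connect and disconnect without ever attempting authentication (I would expect so, but it is not shown here), classifying it as a failed auth is a false-positive risk worth recording next to the pattern. Suggest adding above the new entry: `# pre-auth close with no user offered; only the client IP is captured, so downstream statics cannot rely on sshd_invalid_user`.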
@@ -45,6 +46,14 @@ nodes:
           value: ssh_failed-auth
         - meta: target_user
           expression: "evt.Parsed.sshd_invalid_user"
+  - grok:
+      name: "SSHD_PREAUTH_AUTHENTICATING_IP"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_failed-auth
+        - meta: target_user
+          expression: "evt.Parsed.sshd_invalid_user"
   - grok:
       name: "SSHD_DISC_PREAUTH"
       apply_on: message
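Review bot: The new grok node sets `target_user` from `evt.Parsed.sshd_invalid_user`, but SSHD_PREAUTH_AUTHENTICATING_IP (first hunk) captures only `sshd_client_ip`, so that field is never populated for this match and the static looks copy-pasted from the preceding SSHD_PREAUTH_AUTHENTICATING_USER_ALT node. Either drop the two lines `- meta: target_user` / `expression: "evt.Parsed.sshd_invalid_user"` from this node, or, if an empty target_user is relied on elsewhere, add a comment saying so. Keeping `log_type: ssh_failed-auth` without a user also deserves a short comment, since every other failed-auth node in view carries a user. The enclosing `nodes:` sequence continues past this hunk.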