Suspicious OpenSSH Daemon Error
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Sigma rule (View on GitHub)
1title: Suspicious OpenSSH Daemon Error
2id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
3status: test
4description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
5references:
6 - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
7 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
8author: Florian Roth (Nextron Systems)
9date: 2017-06-30
10modified: 2021-11-27
11tags:
12 - attack.initial-access
13 - attack.t1190
14logsource:
15 product: linux
16 service: sshd
17detection:
18 keywords:
19 - 'unexpected internal error'
20 - 'unknown or unsupported key type'
21 - 'invalid certificate signing key'
22 - 'invalid elliptic curve value'
23 - 'incorrect signature'
24 - 'error in libcrypto'
25 - 'unexpected bytes remain after decoding'
26 - 'fatal: buffer_get_string: bad string'
27 - 'Local: crc32 compensation attack'
28 - 'bad client public DH value'
29 - 'Corrupted MAC on input'
30 condition: keywords
31falsepositives:
32 - Unknown
33level: medium
References
-
Portable OpenSSH. Contribute to openssh/openssh-portable development by creating an account on GitHub.
Read More -
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. - os...
Read More
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - ProcessCreation
- Apache Spark Shell Command Injection - Weblogs
- Apache Threading Error
- Arcadyan Router Exploitations