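# Sigma rule as displayed in the notebook's first cell. The rendering had lost all
# indentation, which makes `logsource`/`detection` parse as empty keys and their
# children as top-level keys; the nesting below restores the intended structure.
- title: Suspicious SSHD Error
  id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
  description: >-
    Detects suspicious SSH / SSHD error messages that indicate a fatal
    or suspicious error that could be caused by exploiting attempts
  references:
    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
  author: Florian Roth
  date: 2017/06/30
  logsource:
    product: linux
    service: sshd
    category: null
  detection:
    # Each entry is a wildcard pattern ('*' at both ends = substring match) against
    # the log message; `condition: keywords` means any single match fires the rule.
    keywords:
      - '*unexpected internal error*'
      - '*unknown or unsupported key type*'
      - '*invalid certificate signing key*'
      - '*invalid elliptic curve value*'
      - '*incorrect signature*'
      - '*error in libcrypto*'
      - '*unexpected bytes remain after decoding*'
      - '*fatal: buffer_get_string: bad string*'
      - '*Local: crc32 compensation attack*'
      - '*bad client public DH value*'
      - '*Corrupted MAC on input*'
    condition: keywords
  falsepositives:
    - Unknown
  level: medium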
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
# Client for the HELK Elasticsearch node. The endpoint is plain http with no
# credentials — NOTE(review): acceptable for a lab stack; confirm before reusing
# this notebook against a shared or internet-reachable cluster.
es = Elasticsearch(['http://helk-elasticsearch:9200'])
# Base search over every logs-* index. doc_type='doc' is the legacy mapping type
# argument — presumably ignored on newer Elasticsearch versions; verify against
# the cluster actually in use.
searchContext = Search(using=es, index='logs-*', doc_type='doc')
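# Elasticsearch translation of the Sigma rule above: a query_string search over
# every *.keyword field, OR-ing the rule's wildcard patterns (spaces and colons
# are backslash-escaped for the query_string syntax).
s = searchContext.query('query_string', query='\*.keyword:(*unexpected\ internal\ error* OR *unknown\ or\ unsupported\ key\ type* OR *invalid\ certificate\ signing\ key* OR *invalid\ elliptic\ curve\ value* OR *incorrect\ signature* OR *error\ in\ libcrypto* OR *unexpected\ bytes\ remain\ after\ decoding* OR *fatal\:\ buffer_get_string\:\ bad\ string* OR *Local\:\ crc32\ compensation\ attack* OR *bad\ client\ public\ DH\ value* OR *Corrupted\ MAC\ on\ input*)')
response = s.execute()
# Bind df unconditionally: the original only assigned it inside the success
# branch, so a failed query made the later df.head() cell raise NameError
# instead of showing an empty frame.
df = pd.DataFrame()
if response.success():
    # s.scan() is used here rather than response.hits — presumably to collect
    # every matching document, not only the first page; confirm if result counts
    # look truncated.
    df = pd.DataFrame((d.to_dict() for d in s.scan()))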
# Preview the first rows of the matched sshd events (df is built in the cell above).
df.head()