-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathfilter-ssh.conf
92 lines (90 loc) · 3.6 KB
/
filter-ssh.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
filter {
if [message] =~ /^(Accepted|Failed)/ {
grok {
match => ["message", "%{WORD:[ssh][auth][result]} %{WORD:[ssh][auth][method]} for (invalid user )?%{USERNAME:[user][name]} from %{IPORHOST:[client][address]} port %{NUMBER:[client][port]} %{WORD:[ssh][protocol]}(: %{GREEDYDATA:[ssh][signature]})?"]
id => "ssh_login"
tag_on_failure => ["_grokparsefaillure","ssh_login_grok_failed"]
add_field => {
"[ssh][eventtype]" => "ssh_accepted_connection"
}
}
if [ssh][auth][result] == "Failed" {
mutate {
replace => { "[ssh][eventtype]" => "ssh_suspicious_connection" }
}
}
} else if [message] =~ /^Invalid/ {
grok {
match => ["message","%{DATA:[ssh][auth][result]} user %{USERNAME:[user][name]} from %{IPORHOST:[client][address]}"]
id => "ssh_login_suspection"
tag_on_failure => ["_grokparsefaillure","ssh_login_suspection_grok_failed"]
add_field => {
"[ssh][eventtype]" => "ssh_suspicious_connection"
}
}
} else if [message] =~ /pam_unix/ {
grok {
match => ["message","pam_unix\(%{DATA:[session][type]}\:session\)\: session %{DATA:[ssh][session][status]} for user %{USERNAME:[user][name]}( by (.*)?\(uid\=%{NUMBER:[uid]}\))?"]
id => "pam_unix_session"
tag_on_failure => ["_grokparsefaillure","pam_unix_session_grok_failed"]
add_field => {
"[ssh][eventtype]" => "ssh_session_status"
}
}
} else if [message] =~ /^Did not receive identification string/ {
grok {
match => ["message","Did not receive identification string from %{IPORHOST:[client][ip]} port %{NUMBER:[client][port]}"]
id => "ssh_noidentstring"
tag_on_failure => ["_grokparsefaillure","ssh_noidentstring_grok_failed"]
add_field => {
"[ssh][eventtype]" => "ssh_noidentstring"
}
}
} else if [message] =~ /(Received )?(d|D)isconnect(ed)? from/ {
grok {
match => ["message","%{DATA:[ssh][session][status]} from( user %{USERNAME:[user][name]})? %{IPORHOST:[client][ip]} port %{BASE10NUM:[client][port]}(disconnected by user)?"]
id => "ssh_disconnected"
tag_on_failure => ["_grokparsefaillure","ssh_disconnected_grok_failed"]
add_field => {
"[ssh][eventtype]" => "ssh_session_status"
}
}
}
else if [message] =~ /^Connection closed/ {
grok {
match => ["message","Connection %{DATA:[ssh][session][status]} by %{IPORHOST:[client][ip]} port %{BASE10NUM:[client][port]}"]
id => "ssh_closed"
tag_on_failure => ["_grokparsefaillure","ssh_connection_closed_grok_failed"]
add_field => {
"[ssh][eventtype]" => "ssh_session_status"
}
}
} else if [message] =~ /error:/ {
grok {
match => ["message","error: %{DATA:[ssh][session_error]}: %{GREEDYDATA:[ssh][error_message]}"]
id => "ssh_error"
tag_on_failure => ["_grokparsefaillure","ssh_error_grok_failed"]
add_field => {
"[ssh][eventtype]" => "ssh_error"
}
}
}
## Copy client.address to the matching field according to ECS ##
if [client][address] =~ /^[a-zA-Z]/ {
if !("" in [client][domain]) {
mutate {
add_field => {
"[client][domain]" => "%{[client][address]}"
}
}
}
} else if [client][address] =~ /^\d/ {
if !("" in [client][ip]) {
mutate {
add_field => {
"[client][ip]" => "%{[client][address]}"
}
}
}
}
}