[SSHGuard-users] [PATCH v2 1/1] Add signature for dropbear ssh logs

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Added Dropbear SSH service to the parser.

Signed-off-by: Gregor Herburger <gre...@ew...>
---
v2: adjust dangerousness for exit before auth to 2 (similar to ssh)

 src/common/attack.h         |  1 +
 src/common/service_names.c  |  1 +
 src/parser/attack_parser.y  | 11 +++++++++++
 src/parser/attack_scanner.l |  6 ++++++
 src/parser/tests.txt        | 21 +++++++++++++++++++++
 5 files changed, 40 insertions(+)

diff --git a/src/common/attack.h b/src/common/attack.h
index d19945cdddf4..46dfef351ab5 100644
--- a/src/common/attack.h
+++ b/src/common/attack.h
@@ -29,6 +29,7 @@ enum service {
     SERVICES_SSH            = 100,  //< ssh
     SERVICES_SSHGUARD       = 110,  //< SSHGuard
     SERVICES_BIND           = 120,  //< BIND (named)
+    SERVICES_DROPBEAR       = 130,  //< Dropbear SSH
     SERVICES_UWIMAP         = 200,  //< UWimap for imap and pop daemon
     SERVICES_DOVECOT        = 210,  //< dovecot
     SERVICES_CYRUSIMAP      = 220,  //< cyrus-imap
diff --git a/src/common/service_names.c b/src/common/service_names.c
index 174c57c7f644..beaa176a9b46 100644
--- a/src/common/service_names.c
+++ b/src/common/service_names.c
@@ -8,6 +8,7 @@ struct service_s {
 static const struct service_s services[] = {
     {SERVICES_SSH, "SSH"},
     {SERVICES_SSHGUARD, "SSHGuard"},
+    {SERVICES_DROPBEAR, "Dropbear"},
     {SERVICES_UWIMAP, "UW IMAP"},
     {SERVICES_DOVECOT, "Dovecot"},
     {SERVICES_CYRUSIMAP, "Cyrus IMAP"},
diff --git a/src/parser/attack_parser.y b/src/parser/attack_parser.y
index 0cfc5d66a74b..1b7f72630b92 100644
--- a/src/parser/attack_parser.y
+++ b/src/parser/attack_parser.y
@@ -62,6 +62,10 @@ static void yyerror(attack_t *, const char *);
 %token SSH_INVALIDFORMAT_PREF SSH_INVALIDFORMAT_SUFF
 %token SSH_BADKEX_PREF SSH_BADKEX_SUFF
 %token SSH_DISCONNECT_PREF SSH_CONNECTION_CLOSED SSH_PREAUTH_SUFF
+/* dropbear */
+%token DROPBEAR_BAD_PASSWORD
+%token DROPBEAR_BAD_USER
+%token DROPBEAR_EXIT_BEFORE_AUTH_PREF DROPBEAR_EXIT_BEFORE_AUTH_SUFF
 /* SSHGuard */
 %token SSHGUARD_ATTACK_PREF SSHGUARD_ATTACK_SUFF
 %token SSHGUARD_BLOCK_PREF SSHGUARD_BLOCK_SUFF
@@ -163,6 +167,7 @@ repetition_suffix:
 
 msg_single:
     sshmsg            { attack->service = SERVICES_SSH; }
+  | dropbearmsg       { attack->service = SERVICES_DROPBEAR; }
   | sshguardmsg       { attack->service = SERVICES_SSHGUARD; }
   | bindmsg           { attack->service = SERVICES_BIND; }
   | dovecotmsg        { attack->service = SERVICES_DOVECOT; }
@@ -254,6 +259,12 @@ ssh_badkex:
     SSH_BADKEX_PREF addr SSH_BADKEX_SUFF
   ;
 
+dropbearmsg:
+    DROPBEAR_BAD_PASSWORD addr ':' INTEGER
+  | DROPBEAR_BAD_USER addr ':' INTEGER
+  | DROPBEAR_EXIT_BEFORE_AUTH_PREF addr ':' INTEGER DROPBEAR_EXIT_BEFORE_AUTH_SUFF { attack->dangerousness = 2; }
+ ;
+
 /* attacks and blocks from SSHGuard */
 sshguardmsg:
     SSHGUARD_ATTACK_PREF addr SSHGUARD_ATTACK_SUFF
diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
index 9857cb3affec..6dfde151ff10 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -192,6 +192,12 @@ HTTP_LOGIN_200OK_BAD       .*({WORDPRESS_LOGIN}|{TYPO3_LOGIN}|{CONTAO_LOGIN}).*
 "fatal: "?"Unable to negotiate with "                                     { BEGIN(ssh_badkex); return SSH_BADKEX_PREF; }
 <ssh_badkex>(" port ".*)?[: ].*"no matching ".*" found".*       { BEGIN(INITIAL); return SSH_BADKEX_SUFF; }
 
+[Bb]"ad "("PAM ")?"password attempt for "[^ ]+" from "                      { return DROPBEAR_BAD_PASSWORD; }
+[Ll]"ogin attempt for nonexistent user from"                     { return DROPBEAR_BAD_USER; }
+[Ee]"xit before auth from <"                                     { return DROPBEAR_EXIT_BEFORE_AUTH_PREF; }
+">:".*                                                           { return DROPBEAR_EXIT_BEFORE_AUTH_SUFF; }
+
+
  /* SSHGuard */
 "Attack from \""                                                { BEGIN(sshguard_attack); return SSHGUARD_ATTACK_PREF; }
 <sshguard_attack>"\" on service "{NUMBER}" with danger "{NUMBER}"."    { BEGIN(INITIAL); return SSHGUARD_ATTACK_SUFF; }
diff --git a/src/parser/tests.txt b/src/parser/tests.txt
index eaba934a035a..497c34111793 100644
--- a/src/parser/tests.txt
+++ b/src/parser/tests.txt
@@ -177,6 +177,27 @@ Dec 29 16:48:56 xxx sshd[24924]: Did not receive identification string from 5.20
 M
 # }}}
 
+# Dropbear {{{
+Bad password attempt for 'root' from ::ffff:1.2.3.4:55990
+130 1.2.3.4 4 10
+M
+Bad PAM password attempt for 'user23' from ::ffff:1.2.3.4:55992
+130 1.2.3.4 4 10
+M
+Login attempt for nonexistent user from 1.2.3.4:60794
+130 1.2.3.4 4 10
+M
+May 08 09:49:25 hostname dropbear[1773]: Exit before auth from <::ffff:10.42.42.135:46154>: (user 'root', 0 fails): Exited normally
+130 10.42.42.135 4 2
+M
+May 08 10:02:05 server dropbear[1977]: Exit before auth from <::ffff:10.42.63.135:50288>: Exited normally
+130 10.42.63.135 4 2
+M
+Exit before auth from <::ffff:1.2.3.4:47810>: (user 'root', 0 fails): Error reading: Connection reset by peer
+130 1.2.3.4 4 2
+M
+# }}}
+
 #### Remote SSHGuard {{{
 Attack from "2001:db8::a11:beef:456e" on service 100 with danger 10.
 110 2001:db8::a11:beef:456e 6 10
-- 
2.34.1





[SSHGuard-users] [PATCH v2 1/1] Add signature for dropbear ssh logs

Intelligently block brute-force attacks by aggregating system logs

[SSHGuard-users] [PATCH v2 1/1] Add signature for dropbear ssh logs