Learning as I go: Ubiquiti Patterns


Nathan Clarke

Apr 19, 2017, 8:10:50 AM
to enterprise-log-search-and-archive
Hi, 

Over on the Security Onion group I asked a question about parsing Ubiquiti USG firewall logs and presenting them in SGUIL. I did manage to chunk together a pattern file that worked well on the nicely structured USG firewall logs to parse them into the Firewall access deny class. Nice!

But now I am working on parsing the Dropbear SSH events into the SSH_ACCESS_DENY class and I'm having difficulty with the pattern matching. I'm following various reputable guides, but I think it's just that the Dropbear event 'language' can't be shoehorned into the strings/numbers in the SSH_ACCESS_DENY class... aaaand I'm probably avoiding INSERTing things into the database to accommodate... but I was hoping to avoid ;)

Anyhoo, here is the pattern file I have at the current time......

<ruleset name="ubiquitiUAPSSH">
  <pattern>dropbear</pattern>
  <rules>
    <rule provider="ELSA" class='12' id='12'>
      <patterns>
        <pattern>@QSTRING:s0:@ @QSTRING:s1:'@ @QSTRING:s2::@ @NUMBER:i0:@</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="dropbear">Bad password attempt for 'username' from 192.168.1.44:42884</test_message>
          <test_value name="s0">Bad password attempt for </test_value>
          <test_value name="s1">username</test_value>
          <test_value name="s2">192.168.1.44</test_value>
          <test_value name="i0">42884</test_value>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>

The output from pdbtool test:

Testing message program='dropbear' message='Bad password attempt for 'username' from 192.168.1.44:42884'
 Wrong match name='.classifier.rule_id', value='', expected='12'
 Wrong match name='s0', value='', expected='Bad password attempt for '
 Wrong match name='s1', value='', expected='username'
 Wrong match name='s2', value='', expected='192.168.1.44'
 Wrong match name='i0', value='', expected='42884'

Thoughts?

Nathan Clarke

Apr 22, 2017, 11:43:25 PM
to enterprise-log-search-and-archive
I've made some refinements, but to no avail. This is where I am at now.

<ruleset name="UAPSSHDENY">
  <pattern>dropbear</pattern>
  <rules>
    <rule provider="ELSA" class='12' id='12'>
      <patterns>
        <pattern>Bad password attempt for @QSTRING:s0: @from\ @QSTRING:s1::@ @NUMBER:i0:@</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="dropbear">Bad password attempt for 'username' from 192.168.1.44:42884</test_message>
          <test_value name="s0">username</test_value>
          <test_value name="s1">192.168.1.44</test_value>
          <test_value name="i0">42884</test_value>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>

Test output:

Testing message program='dropbear' message='Bad password attempt for 'username' from 192.168.1.44:42884'
 Wrong match name='.classifier.rule_id', value='', expected='12'
 Wrong match name='s0', value='', expected='username'
 Wrong match name='s1', value='', expected='192.168.1.44'
 Wrong match name='i0', value='', expected='42884'

Doug Burks

Apr 23, 2017, 5:19:36 AM
to enterprise-log-s...@googlegroups.com
Hi Nathan,

How about something like this?

<ruleset name="UAPSSHDENY">
  <pattern>dropbear</pattern>
  <rules>
    <rule provider="ELSA" class='12' id='12'>
      <patterns>
        <pattern>Bad password attempt for '@ESTRING:s0:'@ from @ESTRING:i0::@@ESTRING:i1:@</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="dropbear">Bad password attempt for 'username' from 192.168.1.44:42884</test_message>
          <test_value name="s0">username</test_value>
          <test_value name="i0">192.168.1.44</test_value>
          <test_value name="i1">42884</test_value>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>


pdbtool test ubiquity
Testing message program='dropbear' message='Bad password attempt for 'username' from 192.168.1.44:42884'






--
Doug Burks

Nathan Clarke

Apr 23, 2017, 11:07:11 PM
to enterprise-log-search-and-archive
Hi Doug,

Thanks for your help. I did not realise I could change the strings (Q to E). It's now working and I have done some testing and expanded on the pattern even more from the dropbear output. Side question: if SO switches to ELK/Kibana, will parsing logs this way remain the same? I assume so for syslog-ng......

There are some fields not being filled though, as the narrative that dropbear produces is fairly succinct. Is there a way to add something to those fields under the class even though the event message does not contain said data?

Pattern file as it is now (below); I'll upload it to GitHub soon. Would be nice if dropbear captured the incorrect username for those types of failures.

<ruleset name="UAPSSHDENY">
  <pattern>dropbear</pattern>
  <rules>
    <rule provider="ELSA" class='12' id='12'>
      <patterns>
        <pattern>Bad password attempt for '@ESTRING:s1:'@ from @ESTRING:i0::@@ESTRING:i1:@</pattern>
        <pattern>Login attempt for nonexistent user from @ESTRING:i0::@@ESTRING:i1:@</pattern>
        <pattern>Exit before auth (user '@ESTRING:s1:'@, 3 fails): Exited normally</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="dropbear">Bad password attempt for 'username' from 192.168.1.44:42884</test_message>
          <test_value name="s1">username</test_value>
          <test_value name="i0">192.168.1.44</test_value>
          <test_value name="i1">42884</test_value>
        </example>
        <example>
          <test_message program="dropbear">Login attempt for nonexistent user from 192.168.1.44:38088</test_message>
          <test_value name="i0">192.168.1.44</test_value>
          <test_value name="i1">38088</test_value>
        </example>
        <example>
          <test_message program="dropbear">Exit before auth (user 'username', 3 fails): Exited normally</test_message>
          <test_value name="s1">username</test_value>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>
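As an added example that is not part of this thread, ELSA or syslog-ng: the Q-to-E change Doug suggested and the three-pattern ruleset above both hinge on how patterndb parser tokens consume text (ESTRING runs up to its delimiter and eats it, an empty ESTRING delimiter means "the rest of the message", QSTRING supplies and strips its own quote characters). The Python below is a simplified emulation of that matcher, written for this page, that compiles the final ruleset's dropbear patterns into regexes, classifies a handful of constructed syslog lines (hostname, PIDs, addresses and usernames are made up), and then counts deny events per source address. It is a model for reasoning about patterns offline, not syslog-ng's code; `pdbtool test` against the real pattern file remains the authoritative check. The emulation deliberately rejects a QSTRING with no quote argument, handles only the parser types the thread uses, treats NUMBER as decimal only, and does not implement the `@@` literal escape.

```python
import re
from collections import Counter

# Constructed sample syslog lines from a hypothetical Ubiquiti AP running dropbear;
# hostname, PIDs, addresses and usernames are made up for this example.
SAMPLE_LINES = [
    "Apr 23 10:01:02 UAP-AC-LR dropbear[1234]: Bad password attempt for 'admin' from 192.168.1.44:42884",
    "Apr 23 10:01:05 UAP-AC-LR dropbear[1234]: Login attempt for nonexistent user from 192.168.1.44:38088",
    "Apr 23 10:01:09 UAP-AC-LR dropbear[1234]: Exit before auth (user 'admin', 3 fails): Exited normally",
    "Apr 23 10:02:11 UAP-AC-LR dropbear[1240]: Bad password attempt for 'root' from 10.0.0.9:51022",
    "Apr 23 10:02:12 UAP-AC-LR dropbear[1240]: Child connection from 10.0.0.9:51022",
]

# BSD-style syslog header: "timestamp host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^\[: ]+)(?:\[\d+\])?: (?P<message>.*)$"
)

# One patterndb parser token, @TYPE:name:arg@; the ":arg" part is optional.
PARSER_RE = re.compile(r"@(?P<type>[A-Z]+):(?P<name>[A-Za-z0-9_]*)(?::(?P<arg>[^@]*))?@")


def compile_pattern(pattern):
    """Translate a patterndb <pattern> string into an anchored Python regex.

    Emulation only, not syslog-ng's matcher: literal text matches verbatim and
    each parser token becomes a named group. Handles ESTRING, QSTRING, NUMBER
    (decimal only) and ANYSTRING; the @@ literal escape is not supported.
    """
    parts, pos = ["^"], 0
    for tok in PARSER_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:tok.start()]))
        ptype, name, arg = tok.group("type"), tok.group("name"), tok.group("arg") or ""
        grp = "(?P<%s>" % name if name else "(?:"
        if ptype == "ESTRING":
            # Up to the first delimiter, which is consumed but not captured;
            # an empty delimiter means "the rest of the message".
            parts.append(grp + ".*?)" + re.escape(arg) if arg else grp + ".*)")
        elif ptype == "QSTRING":
            # The quote characters belong to the token (they are not written
            # as literals in the pattern) and are stripped from the value.
            if not arg:
                raise ValueError("QSTRING needs a quote character argument")
            opener, closer = arg[0], arg[-1]
            parts.append(re.escape(opener) + grp + "[^" + re.escape(closer) + "]*)" + re.escape(closer))
        elif ptype == "NUMBER":
            parts.append(grp + r"\d+)")
        elif ptype == "ANYSTRING":
            parts.append(grp + ".*)")
        else:
            raise ValueError("unsupported parser type: " + ptype)
        pos = tok.end()
    parts.append(re.escape(pattern[pos:]) + "$")
    return re.compile("".join(parts))


# Rules from the thread's final pattern file for program "dropbear"; each one
# carries rule/class id 12, the SSH_ACCESS_DENY class used in the thread.
RULESET = {
    "dropbear": [
        ("12", "Bad password attempt for '@ESTRING:s1:'@ from @ESTRING:i0::@@ESTRING:i1:@"),
        ("12", "Login attempt for nonexistent user from @ESTRING:i0::@@ESTRING:i1:@"),
        ("12", "Exit before auth (user '@ESTRING:s1:'@, 3 fails): Exited normally"),
    ],
}
COMPILED = {prog: [(rid, compile_pattern(p)) for rid, p in rules] for prog, rules in RULESET.items()}


def classify(program, message):
    """Fields of the first matching rule for this program (plus rule_id), or None."""
    for rid, rx in COMPILED.get(program, []):
        m = rx.match(message)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            fields["rule_id"] = rid
            return fields
    return None


def parse_line(line):
    """Split the syslog header off a raw line and classify the message part."""
    m = SYSLOG_RE.match(line)
    return classify(m.group("program"), m.group("message")) if m else None


def deny_sources(lines, threshold=2):
    """Source addresses (field i0) with at least `threshold` classified deny
    events: a crude brute-force indicator built on the parsed fields."""
    counts = Counter()
    for line in lines:
        hit = parse_line(line)
        if hit and "i0" in hit:
            counts[hit["i0"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(deny_sources(SAMPLE_LINES))
```

Running it prints one field dictionary per sample line (None for the "Child connection" line, which no deny pattern covers) and then `{'192.168.1.44': 2}`. Feeding the second attempt from earlier in the thread (`@QSTRING:s0: @` right after `for `) into `compile_pattern` gives a regex that expects a space where the message has a quote, so it returns no match in this emulation, which is consistent with the empty values pdbtool reported; the "Exit before auth" pattern also yields no source address, which is why that event cannot contribute to the per-source count.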