Hi,
Over on Security Onion group I asked a question about parsing Ubiquiti USG firewall logs and presenting them in SGUIL. I did manage to chunk together a pattern file that worked well on the nicely structured USG firewall logs to parse them into the Firewall access deny class. Nice!
But now I am working on parsing the DropBear SSH events into the SSH_ACCESS_DENY class and I'm having difficulty with the pattern matching. I'm following various reputable guides, but i think its just the the dropbear event 'language' can;t be shoehorned into the strings/numbers in the SSH_ACCESS_DENY class........aaaand I'm probably avoiding INSERTing things to the database to accommodate....but I was hoping to avoid ;)
Anyhoo, here is the pattern file I have at the current time......
<ruleset name="ubiquitiUAPSSH">
<pattern>dropbear</pattern>
<rules>
<rule provider="ELSA" class='12' id='12'>
<patterns>
<pattern>@QSTRING:s0:@ @QSTRING:s1:'@ @QSTRING:s2::@ @NUMBER:i0:@</pattern>
</patterns>
<examples>
<example>
<test_message program="dropbear">Bad password attempt for 'username' from
192.168.1.44:42884</test_message>
<test_value name="s0">Bad password attempt for </test_value>
<test_value name="s1">username</test_value>
<test_value name="s2">192.168.1.44</test_value>
<test_value name="i0">42884</test_value>
</example>
</examples>
</rule>
</rules>
the output from pdbtool test
Testing message program='dropbear' message='Bad password attempt for 'username' from
192.168.1.44:42884'
Wrong match name='.classifier.rule_id', value='', expected='12'
Wrong match name='s0', value='', expected='Bad password attempt for '
Wrong match name='s1', value='', expected='username'
Wrong match name='s2', value='', expected='192.168.1.44'
Wrong match name='i0', value='', expected='42884'
/thoughts?