# THUNDER PRM LIBRARY
# Copyright 2007 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Smart Monitor library
#
# DESCRIPTION:
#
# These signatures look for a variety of events occurring in the
# dropbear sign-on. For more information about Dropbear, please
# visit http://matt.ucc.asn.au/dropbear/dropbear.html
# 
# LAST UPDATE: $Date$
#

# Rule 3850: Dropbear session ended cleanly (normalized as type:logout).
# Required literals: "pbear[", "]: exit after auth (" and "): Exited normally".
# The two-letter match lines ("ar", "ed") are substrings of those same
# literals, so they add no extra condition; presumably they are cheap
# pre-filters for the matching engine - confirm against the PRM documentation.
# No regex is defined, so nothing is extracted from the line.
# NOTE(review): the text between "(" and "):" is presumably the account name;
# without it this logout cannot be paired with a specific login event.
id=3850
name=The SSH DropBear application had a normal logout.
match=ar
match=pbear[
match=ed
match=): Exited normally
match=]: exit after auth (
log=event:Dropbear-Exited_Normally type:logout

NEXT

# Rule 3851: Dropbear accepted an inbound TCP connection (pre-authentication).
# Required literals: "pbear[" and "]: Child connection from"; the remaining
# match lines are substrings of that second literal.
# The regex takes the first dotted-quad:port pair found anywhere in the line:
#   $1 = source IPv4 address, $3 = source port ($2 is the inner repeated
#   ".NNN" group and is not used).
# NOTE(review): the pattern is IPv4-only, so a line carrying an IPv6 peer
# cannot satisfy it; presumably the rule then does not fire and the
# connection goes unrecorded - confirm.
# NOTE(review): dstport is hard-coded to 22 and is not read from the log, so
# it is wrong for any Dropbear instance listening on another port.
id=3851
name=The SSH DropBear application had a child connection.
match=ar
match=pbear[
match=rom
match=ion
match=]: Child connection from
match=ect
match=onnect
match=onnection
regex=([0-9]+(\.[0-9]+){3})\:([0-9]+)
log=event:Dropbear-Child_Connection srcip:$1 srcport:$3 dstport:22 type:connection

NEXT

# Rule 3852: failed password authentication (normalized as type:login-failure).
# Required literals: "pbear[" and "]: bad password attempt for '"; the other
# match lines are substrings of that second literal.
# The regex extracts only the source endpoint:
#   $1 = source IPv4 address, $3 = source port ($2 is the unused inner group).
# NOTE(review): the quoted account name that follows "for '" is not captured,
# although rule 3853 captures it for successful logins. Without a user: field,
# failures can be grouped by source address but not by targeted account,
# which limits password-guessing detection. Consider a regex of the same
# shape as rule 3853's and emitting user: as well - verify against real
# log samples before changing.
# NOTE(review): IPv4-only pattern and hard-coded dstport:22; failures from
# IPv6 peers or against a non-default port are presumably missed or
# mislabelled - confirm.
# NOTE(review): the literal starts with a lowercase "bad"; confirm that it
# matches the capitalization used by the deployed Dropbear version.
id=3852
name=The SSH DropBear application had a failed password attempt.
match=ar
match=pbear[
match=ss
match=ass
match=pass
match=tem
match=pt
match=]: bad password attempt for '
regex=([0-9]+(\.[0-9]+){3})\:([0-9]+)
log=event:Dropbear-Bad_Password srcip:$1 srcport:$3 dstport:22 type:login-failure

NEXT

# Rule 3853: successful password authentication (normalized as type:login).
# Required literals: "pbear[" and "]: password auth succeeded for '"; the
# other match lines are substrings of that second literal.
# Regex captures:
#   $1 = account name (everything up to the next apostrophe),
#   $2 = source IPv4 address, $4 = source port
#   ($3 is the inner repeated ".NNN" group and is not used).
# NOTE(review): IPv4-only pattern; a successful login from an IPv6 peer
# presumably produces no event from this rule - confirm.
# NOTE(review): dstport is hard-coded to 22 rather than taken from the log.
id=3853
name=The SSH DropBear application had a user login.
match=ar
match=pbear[
match=ss
match=ass
match=pass
match=ce
match=ed
match=]: password auth succeeded for '
regex=for '([^']+)' from ([0-9]+(\.[0-9]+){3})\:([0-9]+)
log=event:Dropbear-Password_Succeeded user:$1 srcip:$2 srcport:$4 dstport:22 type:login

NEXT

# Rule 3854: Dropbear reported "error setting terminal attributes"
# (normalized as type:error).
# Required literals: "pbear[" and "]: error setting terminal attributes";
# "ar", "rr" and "ing" are substrings of those literals.
# No regex is defined, so no user or address is extracted.
# NOTE(review): the name below describes a "connected network session", but
# the matched text concerns terminal attributes; the description may
# mislead an analyst triaging this event - confirm the intended wording.
id=3854
name=The SSH DropBear application encountered an error setting attributes for a connected network session.
match=ar
match=pbear[
match=rr
match=ing
match=]: error setting terminal attributes
log=event:Dropbear-Error_Setting_Terminal_Attributes type:error