Add some Filters

afeefghannam89 · afeefghannam89 · commit ff5dbc03c58e · 2022-09-08T15:57:33.000Z
diff --git a/filter-ssh.conf b/filter-ssh.conf
@@ -5,16 +5,21 @@ filter {
         id => "ssh_login"
         tag_on_failure => ["_grokparsefaillure","ssh_login_grok_failed"]
         add_field => {
-          "[ssh][eventtype]" => "ssh_authentication"
+          "[ssh][eventtype]" => "ssh_accepted_connection"
         }
-      }
+      }         
+         if [ssh][auth][result] == "Failed"  {
+           mutate {
+             replace => { "[ssh][eventtype]" => "ssh_suspicious_connection" }
+           }
+         }
     } else if [message] =~ /^Invalid/ {
       grok {
-        match => ["message","%{DATA:[ssh][auth][event]} user %{USERNAME:[user][name]} from %{IPORHOST:[client][address]}"]
+        match => ["message","%{DATA:[ssh][auth][result]} user %{USERNAME:[user][name]} from %{IPORHOST:[client][address]}"]
         id => "ssh_login_suspection"
         tag_on_failure => ["_grokparsefaillure","ssh_login_suspection_grok_failed"]
         add_field => {
-          "[ssh][eventtype]" => "ssh_invalid_login"
+          "[ssh][eventtype]" => "ssh_suspicious_connection"
         }
       }
     } else if [message] =~ /pam_unix/ {
@@ -29,13 +34,41 @@ filter {
     } else if [message] =~ /^Did not receive identification string/ {
       grok {
         match => ["message","Did not receive identification string from %{IPORHOST:[client][ip]} port %{NUMBER:[client][port]}"]
-        id => "ssh_monitoring_noidentstring"
-        tag_on_failure => ["_grokparsefaillure","ssh_monitoring_noidentstring_grok_failed"]
+        id => "ssh_noidentstring"
+        tag_on_failure => ["_grokparsefaillure","ssh_noidentstring_grok_failed"]
         add_field => {
           "[ssh][eventtype]" => "ssh_noidentstring"
         }
       }
-    }
+    } else if [message] =~ /(Received )?(d|D)isconnect(ed)? from/ {
+      grok {
+        match => ["message","%{DATA:[ssh][session][status]} from( user %{USERNAME:[user][name]})? %{IPORHOST:[client][ip]} port %{BASE10NUM:[client][port]}(disconnected by user)?"]
+        id => "ssh_disconnected"
+        tag_on_failure => ["_grokparsefaillure","ssh_disconnected_grok_failed"]
+        add_field => {
+          "[ssh][eventtype]" => "ssh_session_status"
+        } 
+      }  
+    } 
+      else if [message] =~ /^Connection closed/ {
+      grok {
+        match => ["message","Connection %{DATA:[ssh][session][status]} by %{IPORHOST:[client][ip]} port %{BASE10NUM:[client][port]}"]
+        id => "ssh_closed"
+        tag_on_failure => ["_grokparsefaillure","ssh_connection_closed_grok_failed"]
+        add_field => {
+          "[ssh][eventtype]" => "ssh_session_status"
+        }
+      }
+    } else if [message] =~ /error:/ {
+      grok {
+        match => ["message","error: %{DATA:[ssh][session_error]}: %{GREEDYDATA:[ssh][error_message]}"]
+        id => "ssh_error"
+        tag_on_failure => ["_grokparsefaillure","ssh_error_grok_failed"]
+        add_field => {
+          "[ssh][eventtype]" => "ssh_error"
+        } 
+       }
+      }
 
     ## Copy client.address to the matching field according to ECS ##
 
