Draft
24 changes: 12 additions & 12 deletions .tests/ssh-bf/scenario.assert
Expand Up @@ -6,47 +6,47 @@ results[0].Overflow.Sources["35.188.49.176"].GetScope() == "Ip"
results[0].Overflow.Sources["35.188.49.176"].GetValue() == "35.188.49.176"
basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ssh-bf.log"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_password_fail"
results[0].Overflow.Alert.Events[0].GetMeta("machine") == "sd-126005"
results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "35.188.49.176"
results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "pascal"
results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-02-12T14:10:21Z"
basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "ssh-bf.log"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_failed-auth"
results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_password_fail"
results[0].Overflow.Alert.Events[1].GetMeta("machine") == "sd-126005"
results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "35.188.49.176"
results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "pascal1"
results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-02-12T14:10:21Z"
basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "ssh-bf.log"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_failed-auth"
results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_password_fail"
results[0].Overflow.Alert.Events[2].GetMeta("machine") == "sd-126005"
results[0].Overflow.Alert.Events[2].GetMeta("service") == "ssh"
results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "35.188.49.176"
results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "pascal2"
results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-02-12T14:10:22Z"
basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "ssh-bf.log"
results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_failed-auth"
results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_password_fail"
results[0].Overflow.Alert.Events[3].GetMeta("machine") == "sd-126005"
results[0].Overflow.Alert.Events[3].GetMeta("service") == "ssh"
results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "35.188.49.176"
results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "pascal3"
results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-02-12T14:10:22Z"
basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "ssh-bf.log"
results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_failed-auth"
results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_password_fail"
results[0].Overflow.Alert.Events[4].GetMeta("machine") == "sd-126005"
results[0].Overflow.Alert.Events[4].GetMeta("service") == "ssh"
results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "35.188.49.176"
results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "pascal4"
results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-02-12T14:10:23Z"
basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "ssh-bf.log"
results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_failed-auth"
results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_password_fail"
results[0].Overflow.Alert.Events[5].GetMeta("machine") == "sd-126005"
results[0].Overflow.Alert.Events[5].GetMeta("service") == "ssh"
results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "35.188.49.176"
Expand All @@ -62,47 +62,47 @@ results[1].Overflow.Sources["35.188.49.176"].GetScope() == "Ip"
results[1].Overflow.Sources["35.188.49.176"].GetValue() == "35.188.49.176"
basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ssh-bf.log"
results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth"
results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_password_fail"
results[1].Overflow.Alert.Events[0].GetMeta("machine") == "sd-126005"
results[1].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "35.188.49.176"
results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "pascal"
results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-02-12T14:10:21Z"
basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "ssh-bf.log"
results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_failed-auth"
results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_password_fail"
results[1].Overflow.Alert.Events[1].GetMeta("machine") == "sd-126005"
results[1].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "35.188.49.176"
results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "pascal1"
results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-02-12T14:10:21Z"
basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "ssh-bf.log"
results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_failed-auth"
results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_password_fail"
results[1].Overflow.Alert.Events[2].GetMeta("machine") == "sd-126005"
results[1].Overflow.Alert.Events[2].GetMeta("service") == "ssh"
results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "35.188.49.176"
results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "pascal2"
results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-02-12T14:10:22Z"
basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "ssh-bf.log"
results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_failed-auth"
results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_password_fail"
results[1].Overflow.Alert.Events[3].GetMeta("machine") == "sd-126005"
results[1].Overflow.Alert.Events[3].GetMeta("service") == "ssh"
results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "35.188.49.176"
results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "pascal3"
results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-02-12T14:10:22Z"
basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "ssh-bf.log"
results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_failed-auth"
results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_password_fail"
results[1].Overflow.Alert.Events[4].GetMeta("machine") == "sd-126005"
results[1].Overflow.Alert.Events[4].GetMeta("service") == "ssh"
results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "35.188.49.176"
results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "pascal4"
results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-02-12T14:10:23Z"
basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "ssh-bf.log"
results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_failed-auth"
results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_password_fail"
results[1].Overflow.Alert.Events[5].GetMeta("machine") == "sd-126005"
results[1].Overflow.Alert.Events[5].GetMeta("service") == "ssh"
results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "35.188.49.176"
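Review bot: Every event in both overflows changes its expected `log_type` between `ssh_failed-auth` and `ssh_password_fail`, and nothing here covers consumers of the old value. The page does not mark which line of each pair is the new side; reading `ssh_password_fail` as new (it matches the `Failed password` lines now in ssh-bf.log), any scenario or local filter that still compares `evt.Meta.log_type` with `ssh_failed-auth` would stop matching SSH failures without raising an error. I would state the rename in the pull-request description as a breaking change for such filters, and list the scenarios that were checked for the old string.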
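--- a/.tests/ssh-bf/ssh-bf.log
+++ b/.tests/ssh-bf/ssh-bf.log
@@ -1,7 +1,6 @@
-Feb 12 14:10:21 sd-126005 sshd[16378]: Invalid user pascal from 35.188.49.176 port 53502
-Feb 12 14:10:21 sd-126005 sshd[16378]: Invalid user pascal1 from 35.188.49.176 port 53502
-Feb 12 14:10:22 sd-126005 sshd[16378]: Invalid user pascal2 from 35.188.49.176 port 53502
-Feb 12 14:10:22 sd-126005 sshd[16378]: Invalid user pascal3 from 35.188.49.176 port 53502
-Feb 12 14:10:23 sd-126005 sshd[16378]: Invalid user pascal4 from 35.188.49.176 port 53502
-Feb 12 14:10:24 sd-126005 sshd-session[16379]: Invalid user pascal5 from 35.188.49.176 port 53502
-
+Feb 12 14:10:21 sd-126005 sshd[16378]: Failed password for invalid user pascal from 35.188.49.176 port 53502 ssh2
+Feb 12 14:10:21 sd-126005 sshd[16378]: Failed password for invalid user pascal1 from 35.188.49.176 port 53503 ssh2
+Feb 12 14:10:22 sd-126005 sshd[16378]: Failed password for invalid user pascal2 from 35.188.49.176 port 53504 ssh2
+Feb 12 14:10:22 sd-126005 sshd[16378]: Failed password for invalid user pascal3 from 35.188.49.176 port 53505 ssh2
+Feb 12 14:10:23 sd-126005 sshd[16378]: Failed password for invalid user pascal4 from 35.188.49.176 port 53506 ssh2
+Feb 12 14:10:24 sd-126005 sshd[16379]: Failed password for invalid user pascal5 from 35.188.49.176 port 53507 ssh2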
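Review bot: The rewritten fixture no longer contains any `Invalid user …` line, so this test cannot show how ssh-bf treats the two lines sshd writes for one attempt against an unknown account (`Invalid user X from …` followed by `Failed password for invalid user X from …`). If both lines reach a bucket, a single attempt may be counted once by ssh-bf and once by ssh-invalid-user; that is inferred, since the scenario files are not on this page. Keeping one old line such as `Feb 12 14:10:21 sd-126005 sshd[16378]: Invalid user pascal from 35.188.49.176 port 53502` next to its `Failed password` counterpart, with the expected event count unchanged, would pin the behaviour. The removed `sshd-session[16379]` line was also the only one in this fixture with that program name.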
4 changes: 2 additions & 2 deletions .tests/ssh-generic-test/scenario.assert
Expand Up @@ -6,12 +6,12 @@ results[0].Overflow.Sources["127.0.0.1"].GetScope() == "Ip"
results[0].Overflow.Sources["127.0.0.1"].GetValue() == "127.0.0.1"
basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ssh-generic-test.log"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_failed-auth"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_password_fail"
results[0].Overflow.Alert.Events[0].GetMeta("machine") == "leto"
results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "127.0.0.1"
results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-06-12T16:20:12Z"
results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-06-12T16:20:12Z"
results[0].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-generic-test"
results[0].Overflow.Alert.Remediation == false
results[0].Overflow.Alert.GetEventsCount() == 1
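Review bot: The `timestamp` assertion spells out a year (`== "2026-06-12T16:20:12Z"`) although the fixture line `Jun 12 16:20:12 leto sshd-session[406147]: …` carries none, so the expected value presumably depends on the year the date enricher fills in when the test runs. The page does not mark which of the two timestamp lines is the new side; if it is the full-date one, I would keep the year-agnostic form `results[0].Overflow.Alert.Events[0].GetMeta("timestamp")[4:] == "-06-12T16:20:12Z"`. The same literal year is asserted throughout the new .tests/ssh-invalid-user/scenario.assert and in the unchanged lines of .tests/ssh-bf/scenario.assert. A detection test that fails on a calendar boundary tends to be regenerated rather than read, which weakens it as a regression check.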
2 changes: 1 addition & 1 deletion .tests/ssh-generic-test/ssh-generic-test.log
@@ -1 +1 @@
Jun 12 16:20:12 leto sshd-session[406147]: Invalid user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 127.0.0.1 port 49916
Jun 12 16:20:12 leto sshd-session[406147]: Failed password for invalid user crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl from 127.0.0.1 port 49916 ssh2
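--- a/.tests/ssh-invalid-user/config.yaml
+++ b/.tests/ssh-invalid-user/config.yaml
@@ -0,0 +1,12 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/crowdsecurity/sshd-logs.yaml
+scenarios:
+- ./scenarios/crowdsecurity/ssh-invalid-user.yaml
+postoverflows:
+- ""
+log_file: ssh-invalid-user.log
+log_type: syslog
+labels: {}
+ignore_parsers: true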
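--- a/.tests/ssh-invalid-user/scenario.assert
+++ b/.tests/ssh-invalid-user/scenario.assert
@@ -0,0 +1,113 @@
+len(results) == 2
+"192.168.1.100" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.1.100"].IP == "192.168.1.100"
+results[0].Overflow.Sources["192.168.1.100"].Range == ""
+results[0].Overflow.Sources["192.168.1.100"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.1.100"].GetValue() == "192.168.1.100"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_invalid_user"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "sd-126005"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "admin"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-02-12T14:10:21Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_invalid_user"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "sd-126005"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "root"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-02-12T14:10:22Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_invalid_user"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "sd-126005"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "test"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-02-12T14:10:23Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_invalid_user"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "sd-126005"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "guest"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-02-12T14:10:24Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_invalid_user"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "sd-126005"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[4].GetMeta("target_user") == "mysql"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-02-12T14:10:25Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_invalid_user"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "sd-126005"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "ssh"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[5].GetMeta("target_user") == "oracle"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-02-12T14:10:26Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-invalid-user_user-enum"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6
+"192.168.1.100" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["192.168.1.100"].IP == "192.168.1.100"
+results[1].Overflow.Sources["192.168.1.100"].Range == ""
+results[1].Overflow.Sources["192.168.1.100"].GetScope() == "Ip"
+results[1].Overflow.Sources["192.168.1.100"].GetValue() == "192.168.1.100"
+basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "ssh_invalid_user"
+results[1].Overflow.Alert.Events[0].GetMeta("machine") == "sd-126005"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "ssh"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.100"
+results[1].Overflow.Alert.Events[0].GetMeta("target_user") == "admin"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-02-12T14:10:21Z"
+basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "ssh_invalid_user"
+results[1].Overflow.Alert.Events[1].GetMeta("machine") == "sd-126005"
+results[1].Overflow.Alert.Events[1].GetMeta("service") == "ssh"
+results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.100"
+results[1].Overflow.Alert.Events[1].GetMeta("target_user") == "root"
+results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-02-12T14:10:22Z"
+basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "ssh_invalid_user"
+results[1].Overflow.Alert.Events[2].GetMeta("machine") == "sd-126005"
+results[1].Overflow.Alert.Events[2].GetMeta("service") == "ssh"
+results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.100"
+results[1].Overflow.Alert.Events[2].GetMeta("target_user") == "test"
+results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-02-12T14:10:23Z"
+basename(results[1].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[1].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[3].GetMeta("log_type") == "ssh_invalid_user"
+results[1].Overflow.Alert.Events[3].GetMeta("machine") == "sd-126005"
+results[1].Overflow.Alert.Events[3].GetMeta("service") == "ssh"
+results[1].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.100"
+results[1].Overflow.Alert.Events[3].GetMeta("target_user") == "guest"
+results[1].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-02-12T14:10:24Z"
+basename(results[1].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[1].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[4].GetMeta("log_type") == "ssh_invalid_user"
+results[1].Overflow.Alert.Events[4].GetMeta("machine") == "sd-126005"
+results[1].Overflow.Alert.Events[4].GetMeta("service") == "ssh"
+results[1].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.100"
+results[1].Overflow.Alert.Events[4].GetMeta("target_user") == "mysql"
+results[1].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-02-12T14:10:25Z"
+basename(results[1].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "ssh-invalid-user.log"
+results[1].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[5].GetMeta("log_type") == "ssh_invalid_user"
+results[1].Overflow.Alert.Events[5].GetMeta("machine") == "sd-126005"
+results[1].Overflow.Alert.Events[5].GetMeta("service") == "ssh"
+results[1].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.100"
+results[1].Overflow.Alert.Events[5].GetMeta("target_user") == "oracle"
+results[1].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-02-12T14:10:26Z"
+results[1].Overflow.Alert.GetScenario() == "crowdsecurity/ssh-invalid-user"
+results[1].Overflow.Alert.Remediation == true
+results[1].Overflow.Alert.GetEventsCount() == 6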
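Review bot: Both overflows are asserted on the same six events from 192.168.1.100, each with a different `target_user`, so the test cannot tell `crowdsecurity/ssh-invalid-user_user-enum` apart from `crowdsecurity/ssh-invalid-user`, and it covers only the case where an alert fires. How the two buckets differ is inferred from their names, since the scenario file is not on this page. I would add a negative case to ssh-invalid-user.log, for example one line from a second address (constructed sample: `Feb 12 14:10:27 sd-126005 sshd[16384]: Invalid user admin from 192.168.1.101 port 53508`), and keep `len(results) == 2` to pin that a single invalid-user line does not produce a remediation. A source that repeats one username up to the plain threshold would additionally show whether the distinct-user bucket stays quiet.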
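--- a/.tests/ssh-invalid-user/ssh-invalid-user.log
+++ b/.tests/ssh-invalid-user/ssh-invalid-user.log
@@ -0,0 +1,6 @@
+Feb 12 14:10:21 sd-126005 sshd[16378]: Invalid user admin from 192.168.1.100 port 53502
+Feb 12 14:10:22 sd-126005 sshd[16379]: Invalid user root from 192.168.1.100 port 53503
+Feb 12 14:10:23 sd-126005 sshd[16380]: Invalid user test from 192.168.1.100 port 53504
+Feb 12 14:10:24 sd-126005 sshd[16381]: Invalid user guest from 192.168.1.100 port 53505
+Feb 12 14:10:25 sd-126005 sshd[16382]: Invalid user mysql from 192.168.1.100 port 53506
+Feb 12 14:10:26 sd-126005 sshd[16383]: Invalid user oracle from 192.168.1.100 port 53507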