
Dev/new pattern sshd logs for synology#1798

Open
lachapette wants to merge 7 commits into
crowdsecurity:masterfrom
lachapette:dev/new-pattern-sshd-logs-for-synology

Conversation


@lachapette lachapette commented May 13, 2026

Description

Add Synology-specific patterns and tests for invalid user authentication (SSH and DSM logs API)

Impact: Enhances detection of brute force attacks on Synology devices (SSH and DSM API) with patterns specific to Synology DSM 7.x log formats.

1. SSH Parser (sshd-logs.yaml)

New pattern for Synology DSM 7.x:

  • Added Pattern: SSHD_INVALID_USER_SYNO: 'pam_%{DATA:pam_type}(sshd:auth): Can.t get user uid (%{USERNAME: sshd_invalid_user})'
    • Associated grok node with metadata:
      • log_type: ssh_failed-auth
      • target_user: evt.Parsed.sshd_invalid_user
    • Example log covered:
      • pam_syno_log_fail(sshd:auth): Can't get user uid (zm)

2. DSM Parser (synology-dsm-logs.yaml)

Updated Pattern:

  • Old: AUTH_LOG_FAIL: 'pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=%{IP_WORKAROUND:src_ip}'
  • New: Added (\s+user=%{USERNAME:sshd_invalid_user})? to capture the username
  • Example log covered:
    • pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.116 user=admin

3. New Scenario

synology-dsm-bf-slow-1h.yaml:

  • Type: leaky
  • Filter: evt.Meta.log_type == 'synology-dsm_failed_auth'
  • Strategy: Slow detection over 1 hour (leakspeed: "1h", capacity: 10)
  • Group by: source_ip
  • Blackhole: 10h
  • Added to the crowdsecurity/synology-dsm collection

4. Tests Added

| Component | Files created | Lines |
| --- | --- | --- |
| SSH BF Tests | config.yaml, parser.assert (760 lines), scenario.assert, synology-dsm-ssh-bf.log (21 lines) | 802+ |
| DSM Slow Tests | config.yaml, parser.assert (829 lines), scenario.assert (49 lines), synology-dsm-logs-bf-slow.log (61 lines) | 952+ |
| Existing DSM Tests | Updated parser.assert (+65 lines) and synology-dsm-logs.log (+5 lines) | 71+ |

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • AI was used to generate any/all content of this PR
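The two patterns and the slow bucket described above, as an added example that is not part of the PR or of the crowdsec hub: the grok patterns hand-translated to Python regexes and run over constructed log lines, plus a simplified leaky-bucket model of synology-dsm-bf-slow-1h. The grok macro expansions, the bucket and blackhole semantics, and the 10.4.2.117 address are assumptions.

```python
import re

# Python equivalents of the two grok patterns in the PR. Assumed expansions:
# USERNAME ~ [a-zA-Z0-9._-]+, DATA ~ .*? (lazy), IP_WORKAROUND ~ dotted quad.
SSHD_INVALID_USER_SYNO = re.compile(
    r"pam_(?P<pam_type>.*?)\(sshd:auth\): Can.t get user uid "
    r"\((?P<sshd_invalid_user>[a-zA-Z0-9._-]+)\)"
)
AUTH_LOG_FAIL = re.compile(
    r"pam_unix\(webui:auth\): authentication failure; logname= uid=0 euid=0 tty= ruser= "
    r"rhost=(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+user=(?P<sshd_invalid_user>[a-zA-Z0-9._-]+))?"  # optional group added by the PR
)

def parse_line(line):
    """Return (log_type, fields) like the parsers' Meta/Parsed, or None if nothing matches."""
    m = SSHD_INVALID_USER_SYNO.search(line)
    if m:
        return "ssh_failed-auth", m.groupdict()
    m = AUTH_LOG_FAIL.search(line)
    if m:
        return "synology-dsm_failed_auth", m.groupdict()
    return None

def dsm_slow_bf_overflows(events, capacity=10, leakspeed_s=3600, blackhole_s=36000):
    """Simplified model (assumption) of synology-dsm-bf-slow-1h: one bucket per src_ip,
    one token per DSM failed auth, one token leaks every leakspeed_s seconds; overflow
    when the bucket would exceed capacity, then the IP is blackholed for blackhole_s.
    events are (unix_ts, line) tuples in time order; returns [(src_ip, ts), ...]."""
    buckets, blackholed, overflows = {}, {}, []
    for ts, line in events:
        parsed = parse_line(line)
        if not parsed or parsed[0] != "synology-dsm_failed_auth":
            continue  # the scenario filter only admits DSM failed-auth events
        ip = parsed[1]["src_ip"]
        if blackholed.get(ip, -1) > ts:
            continue
        level, last = buckets.get(ip, (0.0, ts))
        level = max(0.0, level - (ts - last) / leakspeed_s) + 1  # leak, then add event
        if level > capacity:
            overflows.append((ip, ts))
            blackholed[ip] = ts + blackhole_s
            level = 0.0
        buckets[ip] = (level, ts)
    return overflows

# Constructed sample: 11 DSM failures from one host 5 minutes apart (too slow for a
# short-window scenario), plus one SSH line and one stray DSM failure from another IP.
DSM_FAIL = ("pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 "
            "tty= ruser= rhost={ip} user=admin")
SAMPLE_EVENTS = [(i * 300, DSM_FAIL.format(ip="10.4.2.116")) for i in range(11)]
SAMPLE_EVENTS += [(100, "pam_syno_log_fail(sshd:auth): Can't get user uid (zm)"),
                  (200, DSM_FAIL.format(ip="10.4.2.117"))]
SAMPLE_EVENTS.sort()
```

With these inputs only 10.4.2.116 overflows, on its 11th failure; the lone failure from 10.4.2.117 and the SSH line never enter the DSM bucket.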


lachapette commented May 13, 2026

@crowdsecurity/team-hub, @dimatha, @maximelouet, @buixor, @sabban Could you please review this PR?

@lachapette lachapette force-pushed the dev/new-pattern-sshd-logs-for-synology branch 3 times, most recently from 12f3e98 to b002c0d Compare May 14, 2026 13:18
actions-user and others added 7 commits May 14, 2026 16:15
…ynology machines

- Add a log pattern detection into the sshd parser and an SSH BF scenario specific to invalid users in Synology DSM 7.x log formats
- Updated a log pattern detection in the synology-dsm-logs parser specific to invalid users in Synology DSM 7.x log formats
@lachapette lachapette force-pushed the dev/new-pattern-sshd-logs-for-synology branch from b002c0d to 560f448 Compare May 14, 2026 14:15