Skip to content

Rule idea: Linux/OpenSSH sshd DEBUG logs for SSH TCP forwarding channel activity #6117

Description

@marvalous123

Hi SigmaHQ maintainers,

I wanted to ask whether this detection idea would be suitable for SigmaHQ before opening a pull request.

Detection idea

Detect OpenSSH sshd DEBUG log messages that show SSH TCP forwarding channel activity, including:

  • server_request_direct_tcpip
  • ctype direct-tcpip
  • new direct-tcpip
  • server_input_global_request: rtype tcpip-forward
  • tcpip-forward listen
  • new forwarded-tcpip

This maps to SSH tunnelling / proxying behaviour and may be useful for monitored bastions, jump hosts, deception systems, high-risk SSH servers, or controlled monitoring labs.

Important caveat

The useful OpenSSH forwarding channel messages appear to require:

LogLevel DEBUG

LogLevel VERBOSE showed authentication/disconnect events, but did not expose the useful forwarding channel details in my testing.

Candidate logsource

logsource:
  product: linux
  service: sshd

Candidate detection logic

detection:
  keywords_direct_tcpip:
    - 'server_request_direct_tcpip'
    - 'ctype direct-tcpip'
    - 'new direct-tcpip'
  keywords_remote_forward:
    - 'server_input_global_request: rtype tcpip-forward'
    - 'tcpip-forward listen'
    - 'new forwarded-tcpip'
  condition: 1 of keywords_*

Validation done

I tested this against sanitized positive OpenSSH DEBUG log samples for local, dynamic, and remote SSH forwarding.

Positive samples matched.

Normal SSH authentication/disconnect samples did not match.

sigma check returned:

0 errors, 0 condition errors, 0 issues

Duplicate check

I found related SigmaHQ coverage for Windows SSH/Plink/Netsh port forwarding and Linux SSH ProxyCommand process creation, but I did not find an existing Linux/OpenSSH sshd DEBUG-log rule for these forwarding channel strings.

Question

Would SigmaHQ consider a Linux/OpenSSH sshd rule acceptable if it clearly documents the LogLevel DEBUG requirement and likely false positives from legitimate admin SSH forwarding?

If yes, I can open a PR with the candidate rule.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions