Add macOS sshd rules and decoders (Branch: 3.12-feature-macOS) (Issue: #590) #593

Merged

Conversation

eliasgrana
Contributor

Hi team,

Done alongside @K-Embee

Introduction

As outlined in issue #590, SSH events from macOS do not trigger alerts in Wazuh. This pull request aims to fix that by creating new rules and decoders to both parse the macOS date format and generate alerts in spite of the log differences.

Details

This PR contains three main additions:

  • Decoders to parse the macOS date format, which the pre-decoder does not recognize, along with the program name.
  • Rules based on the existing SSH rules, fifteen in total.
  • Tests for each new rule. Each log was obtained from testing on both macOS 10.13 High Sierra and macOS 10.14 Mojave.

Examples

Rules:

2020-03-24 06:07:50.998187-0700  localhost sshd[201]: Accepted publickey for alice from 10.0.2.2 port 55468 ssh2: RSA SHA256:abcdefghijklmopqrstuvwxyzabcdefghijklmopqrs
**Phase 1: Completed pre-decoding.
       full event: '2020-03-24 06:07:50.998187-0700  localhost sshd[201]: Accepted publickey for alice from 10.0.2.2 port 55468 ssh2: RSA SHA256:abcdefghijklmopqrstuvwxyzabcdefghijklmopqrs'
       timestamp: '(null)'
       hostname: 'master'
       program_name: '(null)'
       log: '2020-03-24 06:07:50.998187-0700  localhost sshd[201]: Accepted publickey for alice from 10.0.2.2 port 55468 ssh2: RSA SHA256:abcdefghijklmopqrstuvwxyzabcdefghijklmopqrs'
**Phase 2: Completed decoding.
       decoder: 'macos-date-format-sshd'
       dstuser: 'alice'
       srcip: '10.0.2.2'
       srcport: '55468'
**Phase 3: Completed filtering (rules).
       Rule id: '64256'
       Level: '3'
       Description: 'sshd: authentication success'
**Alert to be generated.

2020-03-23 08:14:32.766049-0700  localhost sshd[8981]: error: maximum authentication attempts exceeded for invalid user eve from 192.168.33.1 port 55146 ssh2 [preauth]
**Phase 1: Completed pre-decoding.
       full event: '2020-03-23 08:14:32.766049-0700  localhost sshd[8981]: error: maximum authentication attempts exceeded for invalid user eve from 192.168.33.1 port 55146 ssh2 [preauth]'
       timestamp: '(null)'
       hostname: 'master'
       program_name: '(null)'
       log: '2020-03-23 08:14:32.766049-0700  localhost sshd[8981]: error: maximum authentication attempts exceeded for invalid user eve from 192.168.33.1 port 55146 ssh2 [preauth]'
**Phase 2: Completed decoding.
       decoder: 'macos-date-format-sshd'
       srcuser: 'eve'
       srcip: '192.168.33.1'
       srcport: '55146'
**Phase 3: Completed filtering (rules).
       Rule id: '64254'
       Level: '8'
       Description: 'Maximum authentication attempts exceeded.'
**Alert to be generated.

Decoders:

<decoder name="macos-date-format-sshd">
  <type>syslog</type>
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d\d\d\d\p\d\d\d\d  \S+ sshd[\d+]: </prematch>
</decoder>
<decoder name="macos-sshd-from">
  <parent>macos-date-format-sshd</parent>
  <regex>user (\S+) from (\S+)|for (\S+) from (\S+)</regex>
  <order>srcuser, srcip</order>
</decoder>
<decoder name="macos-sshd-from">
  <parent>macos-date-format-sshd</parent>
  <regex>port (\d+)</regex>
  <order>srcport</order>
</decoder>

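The decoder chain above, re-implemented in Python as an added example so the regexes can be run offline over the two sample lines from the logtest output plus a plain syslog-style line that the macOS prematch must reject. This is not the PR's own code: it mirrors the posted `macos-date-format-sshd` prematch and the `srcuser, srcip` / `srcport` child decoders, narrows the OSSEC `\p` (any punctuation) in the UTC offset to `[+-]`, and parses the timestamp the pre-decoder leaves as `(null)`. Only two of the fifteen rules are represented, using the ids, levels and descriptions shown in the logtest runs; the substrings they match on are an assumption, since the rule XML is not in the description. Note that the posted excerpt assigns `srcuser` in both alternatives, while the logtest output for the success case shows `dstuser`, so the example follows the excerpt.

```python
import re
from datetime import datetime

# Constructed sample input: the two lines from the logtest runs in the PR description,
# plus a classic syslog-format line that the macOS prematch must NOT accept.
SAMPLE_LOGS = [
    "2020-03-24 06:07:50.998187-0700  localhost sshd[201]: Accepted publickey for alice "
    "from 10.0.2.2 port 55468 ssh2: RSA SHA256:abcdefghijklmopqrstuvwxyzabcdefghijklmopqrs",
    "2020-03-23 08:14:32.766049-0700  localhost sshd[8981]: error: maximum authentication "
    "attempts exceeded for invalid user eve from 192.168.33.1 port 55146 ssh2 [preauth]",
    "Mar 24 06:07:50 localhost sshd[201]: Accepted publickey for alice from 10.0.2.2 port 55468 ssh2",
]

# Parent decoder (macos-date-format-sshd). The OSSEC prematch uses \p (any punctuation)
# before the UTC offset digits; [+-] is the realistic subset and is an assumption here.
PREMATCH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})  "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Child decoder "user (\S+) from (\S+)|for (\S+) from (\S+)" mapped onto srcuser, srcip.
# Trying the two alternatives in order gives the same result as the OSSEC alternation.
FROM_PATTERNS = [
    re.compile(r"user (\S+) from (\S+)"),
    re.compile(r"for (\S+) from (\S+)"),
]
# Child decoder "port (\d+)" mapped onto srcport.
PORT_PATTERN = re.compile(r"port (\d+)")

# Two of the fifteen rules. Ids, levels and descriptions come from the logtest output;
# the substrings matched on are an assumption (rule XML is not in the PR description).
RULES = [
    ("maximum authentication attempts exceeded", 64254, 8, "Maximum authentication attempts exceeded."),
    ("Accepted publickey for", 64256, 3, "sshd: authentication success"),
    ("Accepted password for", 64256, 3, "sshd: authentication success"),
]


def decode(line):
    """Mirror the decoder chain: return extracted fields, or None when the prematch fails."""
    m = PREMATCH.match(line)
    if m is None:
        return None
    fields = {
        # The pre-decoder reports timestamp '(null)' for this format; parsing it here
        # keeps the event's own time and UTC offset rather than the manager's receive time.
        "timestamp": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f%z"),
        "hostname": m.group("host"),
        "program_name": "sshd",
        "pid": int(m.group("pid")),
    }
    msg = m.group("msg")
    for pat in FROM_PATTERNS:
        fm = pat.search(msg)
        if fm:
            fields["srcuser"], fields["srcip"] = fm.group(1), fm.group(2)
            break
    pm = PORT_PATTERN.search(msg)
    if pm:
        fields["srcport"] = int(pm.group(1))
    return fields


def match_rule(line):
    """Return (rule_id, level, description) for the first matching rule, else None."""
    for needle, rule_id, level, desc in RULES:
        if needle in line:
            return rule_id, level, desc
    return None


def evaluate(line):
    """Decode a line and attach the rule it would fire; None if the decoder does not apply."""
    fields = decode(line)
    if fields is None:
        return None
    fields["rule"] = match_rule(line)
    return fields


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(evaluate(log))
```

Running it shows the third line returning `None`: without the macOS-specific prematch the line never reaches the child decoders, which is the silent-drop behaviour the issue describes, only in reverse. Keeping the prematch anchored (`^`) and requiring the `sshd[pid]:` prefix is what stops an attacker-controlled username or message body from being mistaken for the event header.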
@eliasgrana eliasgrana changed the title 590 add mac os sshd rules and decoders Add macOS sshd rules and decoders (Branch: 3.12-feature-macOS) (Issue: #590) Mar 31, 2020
@MiguelCasaresRobles MiguelCasaresRobles merged commit 443e7cd into 3.12-feature-macOS Apr 6, 2020
@MiguelCasaresRobles MiguelCasaresRobles deleted the 590-Add-macOS-sshd-rules-and-decoders branch April 6, 2020 12:58