False positive on SIEM rule SSH to the Internet

Hello,

This is the query for the "SSH to the Internet" Rule:

network.transport: tcp and destination.port:22 and (
    network.direction: outbound or (
        source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and
        not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
    )
)

It matches on internal ssh traffic however, because of network.direction: outbound, which is found in the auditbeat socket dataset.

Seems similar to https://github.com/elastic/kibana/issues/57447

But this on a 7.7, so not fixed yet?

Grtz

Willem

Hey there Willem! Thanks for reaching out. It looks like the rule you mentioned - "SSH (Secure Shell) to the Internet" was updated for 7.7 to address the undesired behavior you brought up.

The rule's query was updated in #61903 to be the following:

network.transport:tcp and destination.port:22 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")

I was able to confirm this change on a 7.7 build. Does this rule still show the older query for you on your 7.7 build?

Best,
Yara

1 Like

Aaah rly sorry, didn't notice this:

So I have to update the rules manually after an update, ok.. Check...

Tx!

Awesome! And yes, if updates are available for prepackaged rules, you will see the banner (in your screenshot) and they can be manually updated by a user with the necessary privileges.

You can also view the current version and change history of each prepackaged rule in the release notes linked in the screenshot you attached. This version's (7.7) prepackaged rules release notes can be found here.

In the future, if you run into an issue with a prebuilt rule and a fix is not yet available, you can select to duplicate the rule. This will provide you your own copy of the rule which you can then edit. The downside here is that the duplicated rule is then self-managed, but this can at least provide a temporary workaround until a fix is in.

Thanks again for reaching out and hope this helps!

1 Like