This is the query for the "SSH to the Internet" Rule:
network.transport: tcp and destination.port:22 and (
network.direction: outbound or (
source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and
not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
)
)
It matches on internal ssh traffic however, because of network.direction: outbound, which is found in the auditbeat socket dataset.
Hey there Willem! Thanks for reaching out. It looks like the rule you mentioned - "SSH (Secure Shell) to the Internet" was updated for 7.7 to address the undesired behavior you brought up.
The rule's query was updated in #61903 to be the following:
network.transport:tcp and destination.port:22 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
I was able to confirm this change on a 7.7 build. Does this rule still show the older query for you on your 7.7 build?
Awesome! And yes, if updates are available for prepackaged rules, you will see the banner (in your screenshot) and they can be manually updated by a user with the necessary privileges.
You can also view the current version and change history of each prepackaged rule in the release notes linked in the screenshot you attached. This version's (7.7) prepackaged rules release notes can be found here.
In the future, if you run into an issue with a prebuilt rule and a fix is not yet available, you can select to duplicate the rule. This will provide you your own copy of the rule which you can then edit. The downside here is that the duplicated rule is then self-managed, but this can at least provide a temporary workaround until a fix is in.
Thanks again for reaching out and hope this helps!
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
