From e76e155c9e2231b201553a21b2df2ba7d7fa5a65 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Mon, 25 Jun 2018 11:32:04 -0400
Subject: [PATCH] Add a rule to basically ignore dropbear trying to run on itself and not being able to listen on the configured port.
---
 contrib/ossec-testing/tests/dropbear.ini | 7 +++++++
 etc/rules/dropbear_rules.xml | 7 +++++++
 2 files changed, 14 insertions(+)
 create mode 100644 contrib/ossec-testing/tests/dropbear.ini
diff --git a/contrib/ossec-testing/tests/dropbear.ini b/contrib/ossec-testing/tests/dropbear.ini
new file mode 100644
index 000000000..b48008ff3
--- /dev/null
+++ b/contrib/ossec-testing/tests/dropbear.ini
@@ -0,0 +1,7 @@
+[already listening]
+log 1 pass = Jun 25 14:04:30 10.0.0.1 dropbear[30746]: Failed listening on '7001': Error listening: Address already in use
+
+rule = 51011
+alert = 1
+decoder = dropbear
+
diff --git a/etc/rules/dropbear_rules.xml b/etc/rules/dropbear_rules.xml
index 8fe0412df..813dfd00a 100644
--- a/etc/rules/dropbear_rules.xml
+++ b/etc/rules/dropbear_rules.xml
@@ -92,6 +92,13 @@
 User successfully logged in using a public key.
 authentication_success,
+
+
+ dropbear
+ 1002
+ Error listening: Address already in use
+ Dropbear cannot listen on port.
+
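Review bot: The `[already listening]` section carries a single `pass` sample, so nothing pins what rule 51011 must not match. A second section with a different dropbear listen failure (a bind error other than "Address already in use"), asserted against whatever generic rule it should still reach, would catch a later widening of the match string. A one-line comment above the section saying the event is deliberately downgraded would also help whoever reads `alert = 1` later.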
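Review bot: The added rule keys only on the substring `Error listening: Address already in use`, so every dropbear bind failure of this kind drops to the same quiet alert (the test file expects `alert = 1`), including the case where a different process already holds the SSH port. The description `Dropbear cannot listen on port.` does not say which failure it covers; `Dropbear failed to bind: address already in use.` would make the alert self-explanatory. I would also add an XML comment above the rule recording why this is treated as noise (per the commit message, dropbear being started on top of itself), and that the port's owner is worth checking on hosts where such a restart is not expected. The rule's tags are not visible in this rendering, so reading `1002` as the parent rule is inferred, and the enclosing group continues outside the hunk.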