Source and Destination for Linux Brute Force

[global-H]

Didn't see an "Issues" at UTMStackCorrelationRules
/linux
/bruteforce_attack.yml

So just wanted to note, at:

save:
- field: "logx.linux.host.name"
alias: "SourceHost"
- field: "logx.linux.host.ip.0"
alias: "SourceIP"

The ip.0 should be destination maybe?

Source of the brute force in the log below was ...* (port *****ssh2), so sourceIP should be parsed out of that I think. Just seems to me that destination is the host machine for the agent here, dunno.

From log:

logx.linux.host.ip.0
...*

logx.linux.host.ip.1
...

logx.linux.host.ip.2
...

logx.linux.host.ip.3
:::::****

logx.linux.host.mac.0
-----
logx.linux.host.name
host.hancoeuropa.com
logx.linux.host.os.family
logx.linux.host.os.kernel
4.18.0-513.5.1.el8_9.x86_64
logx.linux.host.os.name
AlmaLinux
logx.linux.host.os.platform
almalinux
logx.linux.host.os.type
linux
logx.linux.host.os.version
8.9 (Midnight Oncilla)
logx.linux.input.type
log
logx.linux.message
Feb 16 04:09:35 host sshd[3167667]: Failed password for invalid user ubuntu from ...* port ***** ssh2

Thanks!

[c3s4rfred]

Hi @global-H, some of the origins of logs have changed their basic structure, so we will perform rule updates in the future