<!-- Traverse message-handler configuration: one rule set applied to
     log-file sources (type="file"), matched against every file name ("*"). -->
<Traverse>
<message-handler>
<ruleset type="file" name="*">
<!-- Rule: SSH authentication events that reference the "root" account.
     The pattern anchors on a ":NN" sequence (presumably the tail of the syslog
     timestamp), then captures host and process tokens, then requires the literal
     words "root from" and a trailing "ssh2".
     NOTE(review): the free-text ".*" before "root from" carries no failure
     qualifier (no "Failed", "Invalid", etc.), so any sshd line in this shape
     that mentions root - including, presumably, a successful root login if the
     source logs one this way - will fire this rule. Confirm against the sshd log
     format in use; if both outcomes are wanted, the description below
     ("Break-In Attempt") undersells the successful-login case. -->
<rule>
<description>SSH: Break-In Attempt as ROOT</description> <pattern>:\d+\s+(\S+)\s+(\S+)\[\d+\]:\s+.*\s+root\s+from\s+(.*)\s+ssh2</pattern>
<!-- Matching lines are accepted into the message pipeline. -->
<action>accept</action>
<!-- Capture-group to field mapping (group numbers follow the pattern above):
     1 = first token after ":NN"        -> device_name
     2 = token immediately before "[pid]:" -> process_name
     3 = everything between "from" and " ssh2" -> remote_host
     NOTE(review): group 3 is a greedy "(.*)", so remote_host receives all text
     up to the final " ssh2", not just the host token; if the source appends
     further words after the address (e.g. a port fragment), they end up in this
     field - verify with a sample line before relying on remote_host for lookups. -->
<mapping>
<field name="device_name" match="1"/>
<field name="process_name" match="2"/>
<field name="remote_host" match="3"/>
</mapping>
<severity>critical</severity>
<!-- Surface the event in the console rather than only recording it. -->
<show-message>true</show-message>
<!-- 1800 is presumably the auto-clear interval in seconds (30 min) - confirm the
     unit against the Traverse message-handler documentation. -->
<auto-clear>1800</auto-clear>
<!-- Display text; ${...} placeholders are the mapped fields above. -->
<transform>${process_name}: break-in attempt as "root" from ${remote_host}</transform>
</rule>
</ruleset>
</message-handler>
</Traverse>