From 3cf4b242fbf622dbc1114d7ab7726de8f00aad85 Mon Sep 17 00:00:00 2001
From: Phrozyn
Date: Mon, 16 Apr 2018 14:06:34 -0500
Subject: [PATCH] Add publickey to TermsMatch as we are missing all publickey failed logins.

---
 alerts/bruteforce_ssh.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/alerts/bruteforce_ssh.py b/alerts/bruteforce_ssh.py
index 6e5a9fa3..7b6ec928 100644
--- a/alerts/bruteforce_ssh.py
+++ b/alerts/bruteforce_ssh.py
@@ -18,7 +18,7 @@ class AlertBruteforceSsh(AlertTask):
 search_query.add_must([
 PhraseMatch('summary', 'failed'),
 TermMatch('details.program', 'sshd'),
- TermsMatch('summary', ['login', 'invalid', 'ldap_count_entries'])
+ TermsMatch('summary', ['login', 'invalid', 'ldap_count_entries', 'publickey'])
 ])
 for ip_address in self.config.skiphosts.split():
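Review bot: The added `'publickey'` term will also match the routine "Failed publickey" lines sshd emits when a legitimate client offers several keys before the accepted one, so a single normal session presumably contributes multiple hits toward the brute-force count; confirm the aggregation threshold applied later in this method (outside the hunk) still separates that noise from an actual attack, and lean on the `skiphosts` list for known multi-key clients. TermsMatch on `summary` matches analyzed tokens, so this relies on "publickey" surviving the index's tokenizer as a single term — verify against the mapping rather than assuming it. A one-line comment above the TermsMatch would make the intent of each token clear to the next maintainer, e.g. `# summary tokens that mark a rejected auth attempt: password/invalid user, LDAP lookup failure, rejected public key`. The enclosing method begins before this hunk.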