[POSSIBLE BUG] Source and Destination for Linux Brute Force

Didn't see an "Issues" at [UTMStackCorrelationRules](https://github.com/AtlasInsideCorp/UTMStackCorrelationRules/tree/master)
/[linux](https://github.com/AtlasInsideCorp/UTMStackCorrelationRules/tree/master/linux)
/bruteforce_attack.yml

So just wanted to note, at:

 save:
        - field: "[logx.linux.host.name](http://logx.linux.host.name/)"
          alias: "SourceHost"
        - field: "logx.linux.host.ip.0"
          alias: "SourceIP"

The ip.0 should be destination maybe? 

Source of the brute force in the log below was 162.62.226.200 (port 51922 ssh2), so sourceIP should be parsed out of that I think.    Just seems to me that destination is the host machine for the agent here, dunno.  

From log:

logx.linux.host.ip.0
178.62.118.229

logx.linux.host.ip.1
10.16.0.5

logx.linux.host.ip.2
159.65.210.175

logx.linux.host.ip.3
fe80::24ca:45ff:fe90:2526

logx.linux.host.mac.0
26-CA-45-90-25-26

[logx.linux.host.name](http://logx.linux.host.name/)
[host.hancoeuropa.com](http://host.hancoeuropa.com/)

logx.linux.host.os.family
logx.linux.host.os.kernel
4.18.0-513.5.1.el8_9.x86_64

[logx.linux.host.os.name](http://logx.linux.host.os.name/)
AlmaLinux

logx.linux.host.os.platform
almalinux

logx.linux.host.os.type
linux

logx.linux.host.os.version
8.9 (Midnight Oncilla)

logx.linux.input.type
log

logx.linux.message
Feb 16 04:09:35 host sshd[3167667]: Failed password for invalid user ubuntu from 162.62.226.200 port 51922 ssh2

Thanks!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[POSSIBLE BUG] Source and Destination for Linux Brute Force #453

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[POSSIBLE BUG] Source and Destination for Linux Brute Force #453

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions