From b700a85b053ebbe78a1a913e1ec6be31ed78999f Mon Sep 17 00:00:00 2001
From: Henri DF
Date: Wed, 2 Mar 2016 17:32:04 -0800
Subject: [PATCH] Add ssh alert
---
 rules/base.txt | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/rules/base.txt b/rules/base.txt
index 237d92f9..aee630ce 100644
--- a/rules/base.txt
+++ b/rules/base.txt
@@ -44,11 +44,14 @@ elasticsearch_port: elasticsearch_cluster_port or elasticsearch_api_port
 ssh_port: fd.lport=22
+# Ssh
+ssh_error_message: evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth"
+
 # System
 modules: syscall.type in (delete_module, init_module)
 container: container.id != host
 interactive: proc.aname=sshd
-
+syslog: fd.name = /dev/log
 #######
 # Rules
@@ -86,3 +89,6 @@ container and proc.name = bash | shell in a container (%proc.name %evt.dir %evt.
 # Network traffic to/from standard utils
 (fd.typechar = 4 or fd.typechar=6) and coreutils_binaries | network traffic to %proc.name (%proc.name %evt.dir %evt.type %evt.args %fd.name)
+
+# SSH errors (failed logins, disconnects, ..)
+syslog and ssh_error_message and evt.dir = < | output.syslog(evt, "warning", "sshd: %proc.name %evt.arg.data")
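Review bot: The new `ssh_error_message` macro keys on message text alone, so any process that writes a line containing "Invalid user" or "preauth" to the syslog socket satisfies it, not only sshd, and the rule in the second hunk then labels that event `sshd:` in its output without ever checking the process. That rule also echoes `%evt.arg.data` back into syslog through `output.syslog`; if that write goes out over /dev/log from the monitoring process it would itself satisfy `syslog and ssh_error_message and evt.dir = <` — I cannot see output.syslog's implementation from this patch, so treat that as something to confirm rather than a certainty. Scoping the macro to the daemon addresses both, e.g. `ssh_error_message: proc.name = sshd and (evt.arg.data contains "Invalid user" or evt.arg.data contains "preauth")`. The bare `# Ssh` heading could also say what the macro selects, e.g. `# Ssh: sshd log lines for failed / pre-auth logins written to the syslog socket`.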
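Review bot: The `# SSH errors` comment should name what the rule depends on, because on its own the line only reads together with the `syslog` and `ssh_error_message` macros defined earlier in the file: `# SSH errors (failed logins, disconnects, ..): sshd messages written to /dev/log that match ssh_error_message; one alert per matching syscall exit`. It is also worth recording that `evt.arg.data` is the captured buffer argument rather than the full log message: if the capture keeps only a prefix of the buffer (the snapshot length is not visible on this page), the trailing `[preauth]` marker of longer sshd lines may fall outside it and those disconnects would go unalerted, whereas "Invalid user" sits near the start of its line. A short note on that limitation next to the rule would save the next maintainer from assuming the "preauth" half of the macro is reliable.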