Hi Daniel,
Thanks for the help and for the great work on developing this tool.
I was pretty sure that the log entries without an IP were the culprit
but wasn't exactly sure about the best way to fix it. I am thinking
that since rule 5712 keys off of 5710 (which has the "illegal user"
match), my new rule should be something like:
<!-- Fix active response abort from rules 5712,5710 -->
<rule id="100008" level="0">
  <if_sid>5710</if_sid>
  <match>input_userauth_request: illegal user</match>
  <description>Ignore ssh log entry with no IP</description>
</rule>
Does that look right?
The machine that generates these logs has an older Slackware version
so I expect that is why the sshd entry is a bit odd.
Thanks,
Wm
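An added illustration of why a level-0 child rule stops the aborted active response (my own sketch, not OSSEC code and not part of the original thread): a tiny simulation of the 5710/5712 chain over constructed sshd lines. It assumes 5712 fires after six 5710 hits from the same srcip and that a level-0 child of 5710 that matches takes the event away from that counter.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not from the original post): the first two carry a
# source IP, the remaining six are the old-OpenSSH form with no IP at all.
SAMPLE_LOG = [
    "sshd[201]: Illegal user admin from 203.0.113.7",
    "sshd[202]: Illegal user oracle from 203.0.113.7",
] + ["sshd[30%d]: input_userauth_request: illegal user test%d" % (i, i) for i in range(6)]

IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def decode(line):
    """Return (line, srcip-or-None), mimicking the decoder's srcip extraction."""
    m = IP_RE.search(line)
    return line, (m.group(1) if m else None)


def evaluate(lines, ignore_no_ip, frequency=6):
    """Simplified OSSEC-style evaluation (assumed semantics): rule 5710 matches
    'illegal user'; 5712 counts 5710 hits per srcip and runs active response at
    `frequency`; with ignore_no_ip=True the level-0 child rule 100008 swallows the
    no-IP form first, so it never reaches the counter.  Returns the list of srcip
    values the active response would be called with."""
    per_ip = defaultdict(int)
    responses = []
    for line, srcip in map(decode, lines):
        if "illegal user" not in line.lower():
            continue                      # rule 5710 did not match
        if ignore_no_ip and "input_userauth_request: illegal user" in line:
            continue                      # rule 100008 (level 0) takes the event
        per_ip[srcip] += 1                # 5712 frequency counter keyed by srcip
        if per_ip[srcip] >= frequency:
            responses.append(srcip)       # firewall-drop would run with this srcip
            per_ip[srcip] = 0
    return responses


if __name__ == "__main__":
    # Without the fix the response fires with srcip=None, which is the abort seen
    # in the logs; with the fix nothing fires for the no-IP entries.
    print(evaluate(SAMPLE_LOG, ignore_no_ip=False))   # [None]
    print(evaluate(SAMPLE_LOG, ignore_no_ip=True))    # []
```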