Range filter doesn't work with IP addresses

Hi,

I have the following message:

<38>sshd[31656]: Accepted password for root from 192.168.2.180 port 51942 ssh2

I want to create a filter that limits the results to only the 192.168.2.0/24 address span, and so I've tried the following:

message: "Accepted password for" AND NOT src_ip: 192.168.2.0/24 <- I still get a hit
message: "Accepted password for" AND NOT src_ip: [192.168.2.0 TO 192.168.2.255] <- still get a hit

I don't understand what I am doing wrong. Could someone point me in the right direction?

Range filter works for numbers only, I believe.
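
The check the question is after, done outside the search query, as an added example that is not part of the original thread: it parses the quoted sshd line format, converts the source address to an integer so that a numbers-only range comparison applies, and lists accepted logins from outside 192.168.2.0/24. The sample lines and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in the format quoted in the question.
SAMPLE_LOGS = [
    "<38>sshd[31656]: Accepted password for root from 192.168.2.180 port 51942 ssh2",
    "<38>sshd[31702]: Accepted password for admin from 192.168.20.7 port 40022 ssh2",
    "<38>sshd[31755]: Accepted password for root from 10.0.0.5 port 50314 ssh2",
    "<38>sshd[31760]: Failed password for root from 192.168.2.9 port 50100 ssh2",
    "<38>sshd[31761]: Accepted password for bob from 999.1.1.1 port 50101 ssh2",
]

ACCEPTED = re.compile(
    r"Accepted password for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)"
)


def ip_to_int(ip):
    """Numeric form of an IPv4 address, usable with a numbers-only range filter."""
    return int(ipaddress.IPv4Address(ip))


def logins_outside(lines, cidr="192.168.2.0/24"):
    """Return (user, src_ip) for accepted logins whose source is outside cidr.

    Addresses that do not parse are reported as well, because they cannot be
    shown to lie inside the allowed range.
    """
    net = ipaddress.ip_network(cidr)
    low, high = int(net.network_address), int(net.broadcast_address)
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m:
            continue  # not an accepted-password event
        try:
            value = ip_to_int(m["src_ip"])
        except ipaddress.AddressValueError:
            hits.append((m["user"], m["src_ip"]))
            continue
        if not (low <= value <= high):
            hits.append((m["user"], m["src_ip"]))
    return hits


if __name__ == "__main__":
    for user, src in logins_outside(SAMPLE_LOGS):
        print(f"accepted login for {user} from outside range: {src}")
```

The 192.168.20.7 line is there to show that comparing on the text prefix "192.168.2" would wrongly treat that address as inside the /24, while the integer comparison does not.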
