Range filter doesn't work with IP addresses


I have the following message:

<38>sshd[31656]: Accepted password for root from port 51942 ssh2

I want to create a filter that limits the results to only the address span, so I've tried the following:

message: "Accepted password for" AND NOT src_ip:<- I still get a hit
message: "Accepted password for" AND NOT src_ip: [ TO] <- still get a hit

I don't understand what I am doing wrong. Could someone point me in the right direction?

Range filter works for numbers only, I believe.
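The reply's point about numeric ranges, shown as an added example that is not part of the original thread: a range over dotted-quad text compares character by character, while the same addresses converted to integers compare correctly. The sample log lines and addresses are constructed (documentation ranges), the function names are hypothetical, and the text comparison assumes the source address is held as a plain string.

```python
import ipaddress
import re

# Constructed sample lines (documentation address ranges, not from the thread).
SAMPLE_LOGS = [
    "<38>sshd[31656]: Accepted password for root from 192.0.2.9 port 51942 ssh2",
    "<38>sshd[31657]: Accepted password for root from 192.0.2.100 port 51943 ssh2",
    "<38>sshd[31658]: Accepted password for admin from 198.51.100.7 port 40022 ssh2",
    "<38>sshd[31659]: Failed password for root from 198.51.100.7 port 40023 ssh2",
]

ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port (\d+)")


def ip_to_int(ip):
    """Turn a dotted-quad IPv4 address into an integer a numeric range can compare."""
    return int(ipaddress.IPv4Address(ip))


def in_range(ip, low, high):
    """Numeric inclusive range check: low <= ip <= high."""
    return ip_to_int(low) <= ip_to_int(ip) <= ip_to_int(high)


def in_range_as_text(ip, low, high):
    """Assumed behaviour of a range over a string field: lexicographic comparison."""
    return low <= ip <= high


def logins_outside_range(lines, low, high):
    """Return (user, src_ip) for accepted password logins whose source is NOT in [low, high]."""
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if m and not in_range(m.group(2), low, high):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    low, high = "192.0.2.1", "192.0.2.254"
    # Only the login from outside the span is reported.
    print(logins_outside_range(SAMPLE_LOGS, low, high))
    # Text comparison disagrees with numeric comparison for 192.0.2.9.
    print(in_range("192.0.2.9", low, high), in_range_as_text("192.0.2.9", low, high))
```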
