I have the following message:
<38>sshd: Accepted password for root from 192.168.2.180 port 51942 ssh2
I want to create a filter that limits the results to only the 192.168.2.0/24 address span, and so I've tried the following:
message: "Accepted password for" AND NOT src_ip: 192.168.2.0/24 <- I still get a hit
message: "Accepted password for" AND NOT src_ip: [192.168.2.0 TO 192.168.2.255] <- still get a hit
I don't understand what I am doing wrong. Could someone point me in the right direction?
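
An added example, not part of the original post: the subnet filter the post describes, written in Python against the raw message so each step (extracting the source address, then the CIDR test) is visible. The function names and every sample line except the first are constructed for illustration, and the line format is assumed to match the one message quoted above.

```python
import ipaddress
import re

# Shape of the line quoted in the post:
# "<PRI>sshd: Accepted password for USER from IP port N ssh2"
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>sshd: Accepted password for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)

def parse_accepted(line):
    """Return the event fields, or None if this is not an accepted-password line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src_ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # the text after "from" is not a valid address
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,   # syslog PRI = facility * 8 + severity
        "severity": pri & 7,
        "user": m.group("user"),
        "src_ip": src_ip,
        "port": int(m.group("port")),
    }

def logins_in_network(lines, cidr, invert=False):
    """Accepted logins whose source is inside cidr (outside it when invert=True)."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for line in lines:
        event = parse_accepted(line)
        if event is None:
            continue
        inside = event["src_ip"] in net  # an IPv6 address is never inside an IPv4 network
        if inside != invert:
            hits.append(event)
    return hits

SAMPLE = [
    "<38>sshd: Accepted password for root from 192.168.2.180 port 51942 ssh2",  # from the post
    "<38>sshd: Accepted password for admin from 10.0.0.7 port 40022 ssh2",      # constructed
    "<38>sshd: Accepted password for root from 2001:db8::5 port 50100 ssh2",    # constructed
    "<38>sshd: Failed password for root from 192.168.2.9 port 51000 ssh2",      # constructed
]
```

`logins_in_network(SAMPLE, "192.168.2.0/24")` keeps only the login from the post, while `invert=True` corresponds to the `AND NOT` form and keeps the other two accepted logins.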