+
+ <rule id="5721" level="0">
+ <if_sid>5700</if_sid>
+ <match>Received disconnect from</match>
+ <description>System disconnected from sshd.</description>
+ </rule>
+
+ <rule id="5722" level="0">
+ <if_sid>5700</if_sid>
+ <match>Connection closed</match>
+ <description>ssh connection closed.</description>
+ </rule>
+
+ <rule id="5723" level="0">
+ <if_sid>5700</if_sid>
+ <match>error: buffer_get_bignum2_ret: negative numbers not supported</match>
+ <info>This maybe a bad key in authorized_keys.</info>
+ <description>SSHD key error.</description>
+ </rule>
+
+ <rule id="5724" level="0">
+ <if_sid>5700</if_sid>
+ <match>fatal: buffer_get_bignum2: buffer error</match>
+ <info>This error may relate to ssh key handling.</info>
+ <description>SSHD key error.</description>
+ </rule>
+
+ <rule id="5725" level="0">
+ <if_sid>5700</if_sid>
+ <match>fatal: Write failed: Host is down</match>
+ <description>Host ungracefully disconnected.</description>
+ </rule>
+
+ <rule id="5726" level="5">
+ <if_sid>5700</if_sid>
+ <match>error: PAM: Module is unknown for</match>
+ <description>Unknown PAM module, PAM misconfiguration.</description>
+ </rule>
+
+ <rule id="5727" level="0">
+ <if_sid>5700</if_sid>
+ <match>failed: Address already in use.</match>
+ <description>Attempt to start sshd when something already bound to the port.</description>
+ </rule>
+
+ <rule id="5728" level="4">
+ <if_sid>5700</if_sid>
+ <match>Authentication service cannot retrieve user credentials</match>
+ <info>May be related to PAM module errors.</info>
+ <description>Authentication services were not able to retrieve user credentials.</description>
+ <group>authentication_failed</group>
+ </rule>
+
+ <rule id="5729" level="0">
+ <if_sid>5700</if_sid>
+ <match>debug1: attempt</match>
+ <description>Debug message.</description>
+ </rule>
+
+ <rule id="5730" level="4">
+ <if_sid>5700</if_sid>
+ <regex>error: connect to \S+ port \d+ failed: Connection refused</regex>
+ <description>SSHD is not accepting connections.</description>
+ </rule>
+
+ <rule id="5731" level="6">
+ <if_sid>5700</if_sid>
+ <match>AKASSH_Version_Mapper1.</match>
+ <description>SSH Scanning.</description>
+ <group>recon,</group>
+ </rule>
+
+ <rule id="5732" level="0">
+ <if_sid>5700</if_sid>
+ <match>error: connect_to </match>
+ <description>Possible port forwarding failure.</description>
+ </rule>
+
+ <rule id="5733" level="0">
+ <if_sid>5700</if_sid>
+ <match>Invalid credentials</match>
+ <description>User entered incorrect password.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="5734" level="0">
+ <if_sid>5700</if_sid>
+ <match>Could not load host key</match>
+ <description>sshd could not load one or more host keys.</description>
+ <info>This may be related to an upgrade to OpenSSH.</info>
+ </rule>
+
+ <rule id="5735" level="0">
+ <if_sid>5700</if_sid>
+ <match>Write failed: Broken pipe</match>
+ <description>Failed write due to one host disappearing.</description>
+ </rule>
+
+ <rule id="5736" level="0">
+ <if_sid>5700</if_sid>
+ <match>^error: setsockopt SO_KEEPALIVE: Connection reset by peer$|</match>
+ <match>^error: accept: Software caused connection abort$</match>
+ <description>Connection reset or aborted.</description>
+ </rule>
+
+ <rule id="5737" level="5">
+ <if_sid>5700</if_sid>
+ <match>^fatal: Cannot bind any address.$</match>
+ <description>sshd cannot bind to configured address.</description>
+ </rule>
+
+ <rule id="5738" level="5">
+ <if_sid>5700</if_sid>
+ <match>set_loginuid failed opening loginuid$</match>
+ <description>pam_loginuid could not open loginuid.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
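Review bot: The three authentication-related rules in this hunk tag their group three different ways: 5728 uses `authentication_failed` with no trailing comma, 5733 uses `authentication_failures,` and 5738 uses `authentication_failed,`. If the frequency rules that correlate repeated login failures (not visible here) key on `authentication_failed`, the "Invalid credentials" events from 5733 would not count toward them, and at `level="0"` the rule raises no alert of its own, so password guessing that produces this message could go unnoticed. I would use `<group>authentication_failed,</group>` in all three and consider raising 5733 to the level this ruleset gives other single login failures. The enclosing `<group>` element and parent rule 5700 are outside the hunk, so confirm the group name and level against them.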