diff --git a/plugins/pcre/ruleset/ssh.rules b/plugins/pcre/ruleset/ssh.rules
index 0d63bfc..b538570 100644
--- a/plugins/pcre/ruleset/ssh.rules
+++ b/plugins/pcre/ruleset/ssh.rules
@@ -1,10 +1,11 @@
 #####
 #
 # Copyright (C) 2002,2004 Nicolas Delon <nicolas@prelude-ids.org>
+# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
 # All Rights Reserved
 #
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by 
+# it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
@@ -24,18 +25,18 @@
 ###################
 
 #LOG:Dec  8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
-regex=Accepted (\S+) for root from ([\d\.]+) port (\d+); \
+#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for root from fec0:0:201::3 port 63018 ssh2
+regex=Accepted (\S+) for root from (\S+) port (\d+); \
  classification.text=Admin login successful; \
- id=1900; \
+ id=1908; \
  revision=2; \
  analyzer(0).name=sshd; \
  analyzer(0).manufacturer=OpenSSH; \
  analyzer(0).class=Remote Login; \
- assessment.impact.severity=low; \
+ assessment.impact.severity=medium; \
  assessment.impact.completion=succeeded; \
  assessment.impact.type=admin; \
- assessment.impact.description=Root logged in from $2:$3 using the $1 method; \
- source(0).node.address(0).category=ipv4-addr; \
+ assessment.impact.description=Root logged in from $2 port $3 using the $1 method; \
  source(0).node.address(0).address=$2; \
  source(0).service.port=$3; \
  source(0).service.iana_protocol_name=tcp; \
@@ -52,8 +53,38 @@ regex=Accepted (\S+) for root from ([\d\.]+) port (\d+); \
  additional_data(0).data=$1; \
  last;
 
+
+#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for john from fec0:0:201::3 port 63018 ssh2
+regex=Accepted (\S+) for (?!root)(\S+) from (\S+) port (\d+); \
+ classification.text=User login successful; \
+ id=1909; \
+ revision=2; \
+ analyzer(0).name=sshd; \
+ analyzer(0).manufacturer=OpenSSH; \
+ analyzer(0).class=Remote Login; \
+ assessment.impact.severity=low; \
+ assessment.impact.completion=succeeded; \
+ assessment.impact.type=user; \
+ assessment.impact.description=$2 logged in from $3 port $4 using the $1 method; \
+ source(0).node.address(0).address=$3; \
+ source(0).service.port=$4; \
+ source(0).service.iana_protocol_name=tcp; \
+ source(0).service.iana_protocol_number=6; \
+ target(0).service.port=22; \
+ target(0).service.name=ssh; \
+ target(0).service.iana_protocol_name=tcp; \
+ target(0).service.iana_protocol_number=6; \
+ target(0).user.category=os-device; \
+ target(0).user.user_id(0).type=target-user; \
+ target(0).user.user_id(0).name=$2; \
+ additional_data(0).type=string; \
+ additional_data(0).meaning=Authentication method; \
+ additional_data(0).data=$1; \
+ last;
+
+
 #LOG:Dec 10 10:33:19 itguxweb2 sshd[29738]: Accepted password for ekwong from 12.34.56.78 port 39852 ssh2
-regex=Accepted (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
+regex=Accepted (\S+) for (?!root)(\S+) from (\S+) port (\d+); \
  classification.text=User login successful; \
  id=1901; \
  revision=2; \
@@ -64,7 +95,6 @@ regex=Accepted (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
  assessment.impact.completion=succeeded; \
  assessment.impact.type=user; \
  assessment.impact.description=User $2 logged in from $3:$4 using the $1 method; \
- source(0).node.address(0).category=ipv4-addr; \
  source(0).node.address(0).address=$3; \
  source(0).service.port=$4; \
  source(0).service.iana_protocol_name=tcp; \
@@ -86,7 +116,7 @@ regex=Accepted (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
 ################
 
 #LOG:Dec  9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806
-regex=Failed (\S+) for root from ([\d\.]+) port (\d+); \
+regex=Failed (\S+) for root from (\S+) port (\d+); \
  classification.text=Admin login failed; \
  id=1902; \
  revision=2; \
@@ -97,7 +127,6 @@ regex=Failed (\S+) for root from ([\d\.]+) port (\d+); \
  assessment.impact.completion=failed; \
  assessment.impact.type=admin; \
  assessment.impact.description=Someone tried to login as root from $2:$3 using the $1 method; \
- source(0).node.address(0).category=ipv4-addr; \
  source(0).node.address(0).address=$2; \
  source(0).service.port=$3; \
  source(0).service.iana_protocol_name=tcp; \
@@ -115,7 +144,7 @@ regex=Failed (\S+) for root from ([\d\.]+) port (\d+); \
  last
 
 #LOG:Dec  9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214
-regex=Failed (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
+regex=Failed (\S+) for (?!root)(\S+) from (\S+) port (\d+); \
  classification.text=User login failed; \
  id=1903; \
  revision=2; \
@@ -126,7 +155,6 @@ regex=Failed (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
  assessment.impact.completion=failed; \
  assessment.impact.type=user; \
  assessment.impact.description=Someone tried to login as $2 from $3:$4 using the $1 method; \
- source(0).node.address(0).category=ipv4-addr; \
  source(0).node.address(0).address=$3; \
  source(0).service.port=$4; \
  source(0).service.iana_protocol_name=tcp; \
@@ -149,7 +177,7 @@ regex=Failed (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
 
 #LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from 213.201.222.134
 
-regex=(Illegal|Invalid) user (\S+) from ([\d\.]+); \
+regex=(Illegal|Invalid) user (\S+) from (\S+); \
  classification.text=User login failed with an invalid user; \
  id=1904; \
  revision=1; \
@@ -160,7 +188,6 @@ regex=(Illegal|Invalid) user (\S+) from ([\d\.]+); \
  assessment.impact.completion=failed; \
  assessment.impact.type=user; \
  assessment.impact.description=Someone tried to login with the invalid user "$2" from $3; \
- source(0).node.address(0).category=ipv4-addr; \
  source(0).node.address(0).address=$3; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
@@ -213,7 +240,7 @@ regex=User (\S+) not allowed because (.*)listed in (\w+); \
 
 # LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 1.2.3.4
 #
-regex=Did not receive identification string from ([\d\.]+); \
+regex=Did not receive identification string from (\S+); \
  classification.text=Server recognition; \
  id=1906; \
  revision=2; \
@@ -224,7 +251,6 @@ regex=Did not receive identification string from ([\d\.]+); \
  assessment.impact.completion=failed; \
  assessment.impact.type=recon; \
  assessment.impact.description=$1 is probably making a server recognition; \
- source(0).node.address(0).category=ipv4-addr; \
  source(0).node.address(0).address=$1; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
@@ -245,7 +271,7 @@ regex=Did not receive identification string from ([\d\.]+); \
 
 # LOG:Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
 #
-regex=ROOT LOGIN REFUSED FROM ([\d\.]+); \
+regex=ROOT LOGIN REFUSED FROM (\S+); \
  classification.text=Admin login forbidden; \
  id=1907; \
  revision=1; \
@@ -256,7 +282,6 @@ regex=ROOT LOGIN REFUSED FROM ([\d\.]+); \
  assessment.impact.completion=failed; \
  assessment.impact.type=admin; \
  assessment.impact.description=Root tried to login while it is forbidden; \
- source(0).node.address(0).category=ipv4-addr; \
  source(0).node.address(0).address=$1; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
@@ -269,69 +294,6 @@ regex=ROOT LOGIN REFUSED FROM ([\d\.]+); \
  target(0).user.user_id(0).name=root; \
  last
 
-# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
-# All Rights Reserved
-
-#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for root from fec0:0:201::3 port 63018 ssh2
-regex=Accepted (\S+) for root from ([A-Fa-f\d:\.]+) port (\d+); \
- classification.text=User login successful; \
- id=1908; \
- revision=2; \
- analyzer(0).name=sshd; \
- analyzer(0).manufacturer=OpenSSH; \
- analyzer(0).class=Remote Login; \
- assessment.impact.severity=medium; \
- assessment.impact.completion=succeeded; \
- assessment.impact.type=admin; \
- assessment.impact.description=Root logged in from $2 port $3 using the $1 method; \
- source(0).node.address(0).category=ipv6-addr; \
- source(0).node.address(0).address=$2; \
- source(0).service.port=$3; \
- source(0).service.iana_protocol_name=tcp; \
- source(0).service.iana_protocol_number=6; \
- target(0).service.port=22; \
- target(0).service.name=ssh; \
- target(0).service.iana_protocol_name=tcp; \
- target(0).service.iana_protocol_number=6; \
- target(0).user.category=os-device; \
- target(0).user.user_id(0).type=target-user; \
- target(0).user.user_id(0).name=root; \
- additional_data(0).type=string; \
- additional_data(0).meaning=Authentication method; \
- additional_data(0).data=$1; \
- last;
-
-# Copyright (C) 2005 John R Shannon <john@johnrshannon.com>
-# All Rights Reserved
-
-#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for john from fec0:0:201::3 port 63018 ssh2
-regex=Accepted (\S+) for (?!root)(\S+) from ([A-Fa-f\d:\.]+) port (\d+); \
- classification.text=User login successful; \
- id=1909; \
- revision=2; \
- analyzer(0).name=sshd; \
- analyzer(0).manufacturer=OpenSSH; \
- analyzer(0).class=Remote Login; \
- assessment.impact.severity=low; \
- assessment.impact.completion=succeeded; \
- assessment.impact.type=user; \
- assessment.impact.description=$2 logged in from $3 port $4 using the $1 method; \
- source(0).node.address(0).category=ipv6-addr; \
- source(0).node.address(0).address=$3; \
- source(0).service.port=$4; \
- source(0).service.iana_protocol_name=tcp; \
- source(0).service.iana_protocol_number=6; \
- target(0).service.port=22; \
- target(0).service.name=ssh; \
- target(0).service.iana_protocol_name=tcp; \
- target(0).service.iana_protocol_number=6; \
- target(0).user.category=os-device; \
- target(0).user.user_id(0).type=target-user; \
- target(0).user.user_id(0).name=root; \
- additional_data(0).type=string; \
- additional_data(0).meaning=Authentication method; \
- additional_data(0).data=$1; \
- last;
 
 #LOG:Jan 14 08:19:21 ras sshd[22774]: input_userauth_request: invalid user remote-mail
 # Re: Generic Message Exchange Authentication For SSH
@@ -388,7 +350,7 @@ regex=input_userauth_request: (.+); \
 
 #LOG:Dec  9 18:48:29 itguxweb2 sshd[29536]: Failed password for illegal user ROOT from 12.34.56.78 port 2886
 #LOG:Jan 14 08:19:21 ras sshd[22774]: Failed none for invalid user remote-mail from 192.168.1.22 port 65407 ssh2
-regex=Failed (\S+) for (illegal|invalid) user (\S+) from ([\d\.]+) port (\d+); \
+regex=Failed (\S+) for (illegal|invalid) user (\S+) from (\S+) port (\d+); \
  classification.text=User login failed; \
  id=1912; \
  revision=2; \
@@ -399,7 +361,6 @@ regex=Failed (\S+) for (illegal|invalid) user (\S+) from ([\d\.]+) port (\d+); \
  assessment.impact.completion=failed; \
  assessment.impact.type=admin; \
  assessment.impact.description=Someone tried to login as $3 from $4:$5 using the $1 method; \
- source(0).node.address(0).category=ipv4-addr; \
  source(0).node.address(0).address=$4; \
  source(0).service.port=$5; \
  source(0).service.iana_protocol_name=tcp; \
@@ -420,7 +381,9 @@ regex=Failed (\S+) for (illegal|invalid) user (\S+) from ([\d\.]+) port (\d+); \
  last
 
 #LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from fec0:0:201::3 port 62788 ssh2
-regex=Failed (\S+) for (illegal|invalid) user (\S+) from ([A-Fa-f\d:\.]+) port (\d+); \
+#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from 1.2.3.4 port 62788 ssh2
+#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from hostname port 62788 ssh2
+regex=Failed (\S+) for (illegal|invalid) user (\S+) from (\S+) port (\d+); \
  classification.text=SSH Remote login failed; \
  id=1913; \
  revision=2; \
@@ -431,7 +394,6 @@ regex=Failed (\S+) for (illegal|invalid) user (\S+) from ([A-Fa-f\d:\.]+) port (
  assessment.impact.completion=failed; \
  assessment.impact.type=admin; \
  assessment.impact.description=Someone tried to login as $2 from $3:$4 using the $1 method; \
- source(0).node.address(0).category=ipv6-addr; \
  source(0).node.address(0).address=$4; \
  source(0).service.port=$5; \
  source(0).service.iana_protocol_name=tcp; \
@@ -451,9 +413,6 @@ regex=Failed (\S+) for (illegal|invalid) user (\S+) from ([A-Fa-f\d:\.]+) port (
  additional_data(1).data=$2 user; \
  last
 
-# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
-# All Rights Reserved
-
 #LOG:Oct  2 14:40:05 suse-9.2 sshd[18725]: error: PAM: Authentication failure for root from unknown.anywhere.net
 regex=error: PAM: Authentication failure for root from (\S+); \
  classification.text=Admin login failed; \