--- ./ssh.rules.orig	2007-06-05 14:25:21.883101600 -0400
+++ ./ssh.rules	2007-06-05 14:25:12.689882400 -0400
@@ -24,7 +24,8 @@
 ###################
 
 #LOG:Dec  8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
-regex=Accepted (\S+) for root from ([\d\.]+) port (\d+); \
+#LOG:Dec  8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from ::ffff:12.34.56.78 port 56634 ssh2
+regex=Accepted (\S+) for root from (::[fF]{4}:)?([\d\.]+) port (\d+); \
  classification.text=Admin login successful; \
  id=1900; \
  revision=2; \
@@ -34,10 +35,10 @@
  assessment.impact.severity=low; \
  assessment.impact.completion=succeeded; \
  assessment.impact.type=admin; \
- assessment.impact.description=Root logged in from $2:$3 using the $1 method; \
+ assessment.impact.description=Root logged in from $3:$4 using the $1 method; \
  source(0).node.address(0).category=ipv4-addr; \
- source(0).node.address(0).address=$2; \
- source(0).service.port=$3; \
+ source(0).node.address(0).address=$3; \
+ source(0).service.port=$4; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
  target(0).service.port=22; \
@@ -53,7 +54,8 @@
  last;
 
 #LOG:Dec 10 10:33:19 itguxweb2 sshd[29738]: Accepted password for ekwong from 12.34.56.78 port 39852 ssh2
-regex=Accepted (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
+#LOG:Jun 5 15:50:35 somehost sshd[17740]: Accepted publickey for someuser from ::ffff:192.168.0.22 port 59610 ssh2
+regex=Accepted (\S+) for (?!root)(\S+) from (::[fF]{4}:)?([\d\.]+) port (\d+); \
  classification.text=User login successful; \
  id=1901; \
  revision=2; \
@@ -65,8 +67,8 @@
  assessment.impact.type=user; \
  assessment.impact.description=User $2 logged in from $3:$4 using the $1 method; \
  source(0).node.address(0).category=ipv4-addr; \
- source(0).node.address(0).address=$3; \
- source(0).service.port=$4; \
+ source(0).node.address(0).address=$4; \
+ source(0).service.port=$5; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
  target(0).service.port=22; \
@@ -86,7 +88,8 @@
 ################
 
 #LOG:Dec  9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806
-regex=Failed (\S+) for root from ([\d\.]+) port (\d+); \
+#LOG:Dec  9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from ::ffff:12.34.56.78 port 1806
+regex=Failed (\S+) for root from (::[fF]{4}:)?([\d\.]+) port (\d+); \
  classification.text=Admin login failed; \
  id=1902; \
  revision=2; \
@@ -96,10 +99,10 @@
  assessment.impact.severity=medium; \
  assessment.impact.completion=failed; \
  assessment.impact.type=admin; \
- assessment.impact.description=Someone tried to login as root from $2:$3 using the $1 method; \
+ assessment.impact.description=Someone tried to login as root from $3:$4 using the $1 method; \
  source(0).node.address(0).category=ipv4-addr; \
- source(0).node.address(0).address=$2; \
- source(0).service.port=$3; \
+ source(0).node.address(0).address=$3; \
+ source(0).service.port=$4; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
  target(0).service.port=22; \
@@ -115,7 +118,8 @@
  last
 
 #LOG:Dec  9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214
-regex=Failed (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+); \
+#LOG:Dec  9 21:29:56 devel5 sshd[17554]: Failed password for akarade from ::ffff:12.34.56.78 port 4214
+regex=Failed (\S+) for (?!root)(\S+) from (::[fF]{4}:)?([\d\.]+) port (\d+); \
  classification.text=User login failed; \
  id=1903; \
  revision=2; \
@@ -125,10 +129,10 @@
  assessment.impact.severity=medium; \
  assessment.impact.completion=failed; \
  assessment.impact.type=user; \
- assessment.impact.description=Someone tried to login as $2 from $3:$4 using the $1 method; \
+ assessment.impact.description=Someone tried to login as $2 from $4:$5 using the $1 method; \
  source(0).node.address(0).category=ipv4-addr; \
- source(0).node.address(0).address=$3; \
- source(0).service.port=$4; \
+ source(0).node.address(0).address=$4; \
+ source(0).service.port=$5; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
  target(0).service.port=22; \
@@ -148,8 +152,9 @@
 ##############################################
 
 #LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from 213.201.222.134
+#LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from ::ffff:213.201.222.134
 
-regex=(Illegal|Invalid) user (\S+) from ([\d\.]+); \
+regex=(Illegal|Invalid) user (\S+) from (::[fF]{4}:)?([\d\.]+); \
  classification.text=User login failed with an invalid user; \
  id=1904; \
  revision=1; \
@@ -159,9 +164,9 @@
  assessment.impact.severity=medium; \
  assessment.impact.completion=failed; \
  assessment.impact.type=user; \
- assessment.impact.description=Someone tried to login with the invalid user "$2" from $3; \
+ assessment.impact.description=Someone tried to login with the invalid user "$2" from $4; \
  source(0).node.address(0).category=ipv4-addr; \
- source(0).node.address(0).address=$3; \
+ source(0).node.address(0).address=$4; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
  target(0).service.port=22; \
@@ -212,8 +217,9 @@
 ##################################################################
 
 # LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 1.2.3.4
+# LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from ::ffff:1.2.3.4
 #
-regex=Did not receive identification string from ([\d\.]+); \
+regex=Did not receive identification string from (::[fF]{4}:)?([\d\.]+); \
  classification.text=Server recognition; \
  id=1906; \
  revision=2; \
@@ -223,9 +229,9 @@
  assessment.impact.severity=medium; \
  assessment.impact.completion=failed; \
  assessment.impact.type=recon; \
- assessment.impact.description=$1 is probably making a server recognition; \
+ assessment.impact.description=$2 is probably making a server recognition; \
  source(0).node.address(0).category=ipv4-addr; \
- source(0).node.address(0).address=$1; \
+ source(0).node.address(0).address=$2; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
  target(0).service.port=22; \
@@ -244,8 +250,9 @@
 #########################################################################
 
 # LOG:Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+# LOG:Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
 #
-regex=ROOT LOGIN REFUSED FROM ([\d\.]+); \
+regex=ROOT LOGIN REFUSED FROM (::[fF]{4}:)?([\d\.]+); \
  classification.text=Admin login forbidden; \
  id=1907; \
  revision=1; \
@@ -257,7 +264,7 @@
  assessment.impact.type=admin; \
  assessment.impact.description=Root tried to login while it is forbidden; \
  source(0).node.address(0).category=ipv4-addr; \
- source(0).node.address(0).address=$1; \
+ source(0).node.address(0).address=$2; \
  source(0).service.iana_protocol_name=tcp; \
  source(0).service.iana_protocol_number=6; \
  target(0).service.port=22; \
@@ -327,7 +334,7 @@
  target(0).service.iana_protocol_number=6; \
  target(0).user.category=os-device; \
  target(0).user.user_id(0).type=target-user; \
- target(0).user.user_id(0).name=root; \
+ target(0).user.user_id(0).name=$2; \
  additional_data(0).type=string; \
  additional_data(0).meaning=Authentication method; \
  additional_data(0).data=$1; \