Security Onion 2.x — Hunt > Alert View > auth_brute_force_ssh
Time range: Jun 1 2026  14:23:00 – 14:40:00 UTC+1 ● LIVE
HIGH
SSH Brute Force Detected — Rule: auth_brute_force_ssh  |  Wazuh Rule ID: 5712
SRC: 192.168.1.105:52341 → DST: 192.168.1.110:22  •  User: root  •  Proto: TCP/SSH  •  10+ failures in <60s window
Jun 01 14:23:45 UTC+1
OPEN
TOTAL FAILED EVENTS
847
failed authentications
UNIQUE SOURCE IPs
1
192.168.1.105
ATTACK DURATION
12m 24s
14:23:17 – 14:35:41
SUCCESSFUL LOGINS
0
attack unsuccessful
FAILED SSH AUTH ATTEMPTS — COUNT PER MINUTE (Jun 01 14:23 – 14:35)
90 60 30 0
TOP SOURCE IPs — ATTACK ORIGIN
IP AddressHostnameEventsShare
192.168.1.105 attacker-vm 847 100%
TARGET ASSETS
IP AddressServicePortUser Targeted
192.168.1.110 sshd 22/TCP root
MITRE ATT&CK MAPPING
T1110 — Brute Force
Tactic: Credential Access  •  Confidence: HIGH
T1110.001 — Password Guessing
Tactic: Credential Access  •  Confidence: HIGH
T1021.004 — Remote Services: SSH
Tactic: Lateral Movement  •  Confidence: MEDIUM
RECENT LOG EVENTS — /var/log/auth.log  |  Wazuh decoder: sshd  |  Showing last 6 of 847
TimestampSeveritySource IPPIDMessage
Jun 01 14:35:41 HIGH 192.168.1.105 sshd[3847] Failed password for root from 192.168.1.105 port 52889 ssh2
Jun 01 14:35:39 HIGH 192.168.1.105 sshd[3846] Failed password for root from 192.168.1.105 port 52888 ssh2
Jun 01 14:33:05 MED 192.168.1.105 sshd[3400] Failed password for root from 192.168.1.105 port 52610 ssh2
Jun 01 14:30:12 MED 192.168.1.105 sshd[3200] Failed password for root from 192.168.1.105 port 52480 ssh2
Jun 01 14:23:45 HIGH 192.168.1.105 alert-engine [ALERT TRIGGERED] auth_brute_force_ssh: 10 failures in 28s from single source
Jun 01 14:23:17 LOW 192.168.1.105 sshd[2341] Failed password for root from 192.168.1.105 port 52341 ssh2 — [first event]