From cbdb40307286119cada972a5bcbe8c0c776da590 Mon Sep 17 00:00:00 2001
From: Jasper Knockaert <jasper@knockaert.nl>
Date: Thu, 5 Dec 2019 13:53:03 +0100
Subject: [PATCH] limit brute force rule to dropbear

Rule 51004 was probably meant to be limited to dropbear. For the general case there already is rule 40111.
---
 etc/rules/dropbear_rules.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/rules/dropbear_rules.xml b/etc/rules/dropbear_rules.xml
index 62bd0e73e..159ebf019 100644
--- a/etc/rules/dropbear_rules.xml
+++ b/etc/rules/dropbear_rules.xml
@@ -47,6 +47,7 @@
   <rule id="51004" level="10" frequency="6" timeframe="120" ignore="60">
     <if_matched_group>authentication_failed</if_matched_group>
     <same_source_ip />
+    <decoded_as>dropbear</decoded_as>
     <description>dropbear brute force attempt.</description>
     <group>authentication_failures,</group>
   </rule>