diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2004-07-27 22:41:18 +0000 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2004-07-27 22:41:18 +0000 |
| commit | 6aee77dfcbb3003730f84931640d83793d00001e (patch) | |
| tree | 787c2b988ee7c733df383d6e6896693afff9d842 | |
| parent | 18a1567e65bea79439e3a1a8e2d4cdd1902a8b0f (diff) | |
Improved violations ignore lines, and more...
| -rw-r--r-- | logcheck/violations.ignore.d/amavisd-new | 1 | ||||
| -rw-r--r-- | logcheck/violations.ignore.d/local | 18 | ||||
| -rw-r--r-- | logcheck/violations.ignore.d/temp | 24 |
3 files changed, 23 insertions, 20 deletions
diff --git a/logcheck/violations.ignore.d/amavisd-new b/logcheck/violations.ignore.d/amavisd-new index 9507e24..60f7798 100644 --- a/logcheck/violations.ignore.d/amavisd-new +++ b/logcheck/violations.ignore.d/amavisd-new @@ -2,5 +2,6 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) Not-Delivered, <[^[:space:]]*> -> <[^[:space:]]*>, quarantine spam-[^[:space:]]+, Message-ID: <[^[:space:]]+>, Hits: 10.684$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) BAD HEADER from( \((bulk|list|junk)\))? <[^[:space:]]*>: .*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: Not sending DSN in response to bulk mail from <[^[:space:]]*> containing BAD HEADER & SPAM, mail intentionally dropped$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: DSN contains BAD HEADER & SPAM; bounce is not bouncable, mail intentionally dropped$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: UNABLE TO SEND DSN to <[^[:space:]]*>: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) mail_via_smtp: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$ diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local index 0b2c20b..1ce3249 100644 --- a/logcheck/violations.ignore.d/local +++ b/logcheck/violations.ignore.d/local @@ -10,6 +10,7 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) Not-Delivered, <[^[:space:]]*> -> <[^[:space:]]*>, quarantine spam-[^[:space:]]+, Message-ID: <[^[:space:]]+>, Hits: 10.684$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) BAD HEADER from( \((bulk|list|junk)\))? <[^[:space:]]*>: .*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: Not sending DSN in response to bulk mail from <[^[:space:]]*> containing BAD HEADER & SPAM, mail intentionally dropped$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: DSN contains BAD HEADER & SPAM; bounce is not bouncable, mail intentionally dropped$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: UNABLE TO SEND DSN to <[^[:space:]]*>: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) mail_via_smtp: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$ @@ -62,7 +63,7 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ssh\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=[^[:space:]]+ user=[^[:space:]]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[[:alnum:]-]+ ?$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot-auth|(imap|i(map|pop3)d|netatalk|pop|samba)\[[0-9]+\]): \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*( user=[[:alnum:]]+)?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot-auth|(imap|i(map|pop3)d|netatalk|pop|samba)(\(pam_unix\))?\[[0-9]+\]):( \(pam_unix\))? authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*( user=[[:alnum:]]+)?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: bad function 7A @@ -70,19 +71,18 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED .* to .*:143 as .* -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from .*! +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from [^[:space:]]+! ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\) -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ portsentry\[[0-9]+\]: attackalert: .* -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. ?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: getpeername failed. Error was Transport endpoint is not connected ?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for [^[:space:]]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .* -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 554 <.*>: Recipient address rejected: User unknown; .* -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* from=<(groove@mailomat.grooveattack.com|refused@maila.com)> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 550 <[^[:space:]]*>: User unknown; .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 554 <[^[:space:]]*>: Recipient address rejected: User unknown; .* ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_http_decode: IIS Unicode attack detected: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^[:space:]]*(attack|debug|expn|refused)[^[:space:]]*>.* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* from=<[^[:space:]]*(attack|debug|expn|refused)[^[:space:]]*>, .* diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp index a35805b..d716f4e 100644 --- a/logcheck/violations.ignore.d/temp +++ b/logcheck/violations.ignore.d/temp @@ -1,4 +1,4 @@ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot-auth|(imap|i(map|pop3)d|netatalk|pop|samba)\[[0-9]+\]): \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*( user=[[:alnum:]]+)?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot-auth|(imap|i(map|pop3)d|netatalk|pop|samba)(\(pam_unix\))?\[[0-9]+\]):( \(pam_unix\))? authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*( user=[[:alnum:]]+)?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: bad function 7A @@ -6,21 +6,23 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED .* to .*:143 as .* -#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\] -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from .*! +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+ +#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=[^[:space:]]*)?( auth=[^[:space:]]*)? host=([^[:space:]]* )?\[[^[:space:]]+\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from [^[:space:]]+! ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\) -#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ portsentry\[[0-9]+\]: attackalert: .* -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$ +#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> [^[:space:]]+ for (imap|netatalk|pop|samba|ssh) service +#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ portsentry\[[0-9]+\]: attackalert: .* +#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. ?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: getpeername failed. Error was Transport endpoint is not connected ?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for [^[:space:]]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .* -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 554 <.*>: Recipient address rejected: User unknown; .* -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* from=<(groove@mailomat.grooveattack.com|refused@maila.com)> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 550 <[^[:space:]]*>: User unknown; .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 554 <[^[:space:]]*>: Recipient address rejected: User unknown; .* ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_http_decode: IIS Unicode attack detected: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .* +# Suspicious words within email addresses are ok +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^[:space:]]*(attack|debug|expn|refused)[^[:space:]]*>.* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* from=<[^[:space:]]*(attack|debug|expn|refused)[^[:space:]]*>, .* |