Misc updates and improvements...

6 files changed, 27 insertions, 27 deletions

diff --git a/logcheck/ignore.d.server/local b/logcheck/ignore.d.server/local
index d861656..acf41f3 100644
--- a/logcheck/ignore.d.server/local
+++ b/logcheck/ignore.d.server/local
@@ -347,7 +347,7 @@ portsentry\[[0-9]+\]: attackalert: .*
 ## pump
 pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
 ## samba
-smbd\[[0-9]+\]:   process_local_message: unknown UDP message command code \([0-9a-f]{4}\) - ignoring. $
+smbd\[[0-9]+\]:   process_local_message: unknown UDP message command code \([0-9a-f]+\) - ignoring. $
 smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for 4. Error = (No route to host|Connection reset by peer) $
 smbd\[[0-9]+\]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $
 smbd\[[0-9]+\]:   yield_connection: tdb_delete for name  failed with error Record does not exist\. $
diff --git a/logcheck/ignore.d.server/tmp b/logcheck/ignore.d.server/tmp
index a06f2c4..3f29c54 100644
--- a/logcheck/ignore.d.server/tmp
+++ b/logcheck/ignore.d.server/tmp
@@ -43,7 +43,7 @@ portsentry\[[0-9]+\]: attackalert: .*
 ## pump
 pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
 ## samba
-smbd\[[0-9]+\]:   process_local_message: unknown UDP message command code \([0-9a-f]{4}\) - ignoring. $
+smbd\[[0-9]+\]:   process_local_message: unknown UDP message command code \([0-9a-f]+\) - ignoring. $
 smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for 4. Error = (No route to host|Connection reset by peer) $
 smbd\[[0-9]+\]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $
 smbd\[[0-9]+\]:   yield_connection: tdb_delete for name  failed with error Record does not exist\. $
diff --git a/logcheck/ignore.d.workstation/local b/logcheck/ignore.d.workstation/local
index 5ce36d9..c779e09 100644
--- a/logcheck/ignore.d.workstation/local
+++ b/logcheck/ignore.d.workstation/local
@@ -347,7 +347,7 @@ portsentry\[[0-9]+\]: attackalert: .*
 ## pump
 pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
 ## samba
-smbd\[[0-9]+\]:   process_local_message: unknown UDP message command code \([0-9a-f]{4}\) - ignoring. $
+smbd\[[0-9]+\]:   process_local_message: unknown UDP message command code \([0-9a-f]+\) - ignoring. $
 smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for 4. Error = (No route to host|Connection reset by peer) $
 smbd\[[0-9]+\]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $
 smbd\[[0-9]+\]:   yield_connection: tdb_delete for name  failed with error Record does not exist\. $
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index 81b39d0..98ad6fa 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -48,7 +48,7 @@ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(Name service error for [^[:space
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(bad host/domain syntax: "[^"]+"\)$
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host 127\.0\.0\.1\[127\.0\.0\.1\] said: 550 Message content rejected, id=[^\)]+\)?\)$
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 504 <[^>]+>: Sender address rejected: need fully-qualified address$
-postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 550 [^\)]+ (Access denied|Message content rejected|Recipient address rejected|Relaying denied|Sender Not Authorised|unknown or illegal alias|User unknown)[^\)]*\)$
+postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 550 [^\)]+ (Access denied|Message content rejected|Recipient address rejected|Relaying denied|Sender Not Authorised|unknown or illegal alias|User unknown)[^\)]*\)+$
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 552 header content rejected: see [^\)]+\)$
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 553 sorry, your envelope sender has been denied [^\)]+\)$
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 571 <>\.\.\. denied\)$
@@ -56,22 +56,22 @@ postfix/smtp\[[0-9]+\]: [^\(]+ status=deferred \(host [^[:space:]]+ said: 450 <[
 postfix/smtp\[[0-9]+\]: [^\(]+ status=deferred \(host [^[:space:]]+ said: 451 Transaction failed.\)$
 postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
 postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 501 <[^>]+>: Helo command rejected: Invalid (ip address|name); from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>:]+>: Helo command rejected: Invalid name; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 501 <[^>]+>: Helo command rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: Helo command rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
 postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 550 <[^>]+>: User unknown; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 <[^>]+>: (Recipient address rejected: )?(Relay a|A)ccess denied; from=<[^[:space:]>]*> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 <[^>]+>: (Recipient address rejected[^;]*; from=<[^[:space:]>]*> to=<[^[:space:]>]+>$
 postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 Service unavailable; .* blocked using .*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>
 postfix/smtpd\[[0-9]+\]: warning: [^[:space:]:]+: hostname [\.[:alnum:]-]+ verification failed: Host name has no address$
 # These are only for postfix << 2.0:
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 554 <[^[:space:]>]+>:( Recipient address rejected:)? Relay access denied\)$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected: Domain not found; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected: need fully-qualified (address|hostname); from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
 # These are only for postfix >= 2.0:
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 554 <[^[:space:]>]+>:( Recipient address rejected:)? Relay access denied\) proto=E?SMTP helo=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected: Domain not found; from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining; from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected: need fully-qualified (address|hostname); from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
 ### violations.ignore.d/proftpd
 proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$
 ### violations.ignore.d/samba
@@ -79,6 +79,7 @@ smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for 4\. Error = (No r
 ### violations.ignore.d/ssh
 sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
 ### violations.ignore.d/temp
+(imap|samba|netatalk)\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*  user=[[:alnum:]]+$
 afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied
 afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
 afpd\[[0-9]+\]: bad function 7A
@@ -88,13 +89,12 @@ afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied
 afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
 IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
 i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
-imap\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*  user=[[:alnum:]]+$
 kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
 kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
 PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
 portsentry\[[0-9]+\]: attackalert: .*
 smbd\[[0-9]+\]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
-smbd\[[0-9]+\]:   read_socket_data: recv failure for 4. Error = No route to host
+smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for 4. Error = (No route to host|Connection reset by peer) $
 smbd\[[0-9]+\]:   yield_connection: tdb_delete for name  failed with error Record does not exist\.
 sshd\[[0-9]+\]: Failed password for .*
 pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix
index 8cef0f1..9186b7e 100644
--- a/logcheck/violations.ignore.d/postfix
+++ b/logcheck/violations.ignore.d/postfix
@@ -9,7 +9,7 @@ postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(Name service error for [^[:space
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(bad host/domain syntax: "[^"]+"\)$
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host 127\.0\.0\.1\[127\.0\.0\.1\] said: 550 Message content rejected, id=[^\)]+\)?\)$
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 504 <[^>]+>: Sender address rejected: need fully-qualified address$
-postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 550 [^\)]+ (Access denied|Message content rejected|Recipient address rejected|Relaying denied|Sender Not Authorised|unknown or illegal alias|User unknown)[^\)]*\)$
+postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 550 [^\)]+ (Access denied|Message content rejected|Recipient address rejected|Relaying denied|Sender Not Authorised|unknown or illegal alias|User unknown)[^\)]*\)+$
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 552 header content rejected: see [^\)]+\)$
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 553 sorry, your envelope sender has been denied [^\)]+\)$
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 571 <>\.\.\. denied\)$
@@ -17,19 +17,19 @@ postfix/smtp\[[0-9]+\]: [^\(]+ status=deferred \(host [^[:space:]]+ said: 450 <[
 postfix/smtp\[[0-9]+\]: [^\(]+ status=deferred \(host [^[:space:]]+ said: 451 Transaction failed.\)$
 postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
 postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 501 <[^>]+>: Helo command rejected: Invalid (ip address|name); from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>:]+>: Helo command rejected: Invalid name; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 501 <[^>]+>: Helo command rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: Helo command rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
 postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 550 <[^>]+>: User unknown; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 <[^>]+>: (Recipient address rejected: )?(Relay a|A)ccess denied; from=<[^[:space:]>]*> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 <[^>]+>: (Recipient address rejected[^;]*; from=<[^[:space:]>]*> to=<[^[:space:]>]+>$
 postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 554 Service unavailable; .* blocked using .*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>
 postfix/smtpd\[[0-9]+\]: warning: [^[:space:]:]+: hostname [\.[:alnum:]-]+ verification failed: Host name has no address$
 # These are only for postfix << 2.0:
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 554 <[^[:space:]>]+>:( Recipient address rejected:)? Relay access denied\)$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected: Domain not found; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected: need fully-qualified (address|hostname); from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$
 # These are only for postfix >= 2.0:
 postfix/smtp\[[0-9]+\]: [^\(]+ status=bounced \(host [^[:space:]]+ said: 554 <[^[:space:]>]+>:( Recipient address rejected:)? Relay access denied\) proto=E?SMTP helo=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected: Domain not found; from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining; from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
-postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected: need fully-qualified (address|hostname); from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 450 <[^>]+>: (Sender|Recipient) address rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 503 Improper use of SMTP command pipelining[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
+postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: RCPT from [^:]+: 504 <[^>]+>: (Helo command|Recipient address) rejected[^;]*; from=<[^[:space:]>]+> to=<[^[:space:]>]+> proto=E?SMTP helo=<[^[:space:]>]+>$
diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp
index d77bfe0..e1f6719 100644
--- a/logcheck/violations.ignore.d/temp
+++ b/logcheck/violations.ignore.d/temp
@@ -1,3 +1,4 @@
+(imap|samba|netatalk)\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*  user=[[:alnum:]]+$
 afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied
 afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
 afpd\[[0-9]+\]: bad function 7A
@@ -7,13 +8,12 @@ afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied
 afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
 IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
 i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
-imap\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*  user=[[:alnum:]]+$
 kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
 kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
 PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
 portsentry\[[0-9]+\]: attackalert: .*
 smbd\[[0-9]+\]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
-smbd\[[0-9]+\]:   read_socket_data: recv failure for 4. Error = No route to host
+smbd\[[0-9]+\]:   read(_socket)?_data: (read|recv) failure for 4. Error = (No route to host|Connection reset by peer) $
 smbd\[[0-9]+\]:   yield_connection: tdb_delete for name  failed with error Record does not exist\.
 sshd\[[0-9]+\]: Failed password for .*
 pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument