diff options
Diffstat (limited to 'logcheck/violations.ignore.d/local')
| -rw-r--r-- | logcheck/violations.ignore.d/local | 164 |
1 files changed, 82 insertions, 82 deletions
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local index 463d983..3287c7d 100644 --- a/logcheck/violations.ignore.d/local +++ b/logcheck/violations.ignore.d/local @@ -1,102 +1,102 @@ ### violations.ignore.d/amavis -amavis\[[0-9]+\]: Checking: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$ -amavis\[[0-9]+\]: SMTP-in \[[\.0-9]+\] /var/lib/amavis/amavis-[^[:space:]:-]+: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$ -amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$ -amavis\[[0-9]+\]: fwd via smtp: \[[\.0-9]+:10025\] <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$ -amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$ -amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$ -amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+$ -amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^[:space:]]*>$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: Checking: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: SMTP-in \[[\.0-9]+\] /var/lib/amavis/amavis-[^[:space:]:-]+: <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: cached [a-f0-9]+ from <[^[:space:]]*>$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: fwd via smtp: \[[\.0-9]+:10025\] <[^[:space:]]*> -> (<[^[:space:]]*>(,)?)+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: infected \([^[:space:]]+\), from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine virus-[0-9-]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: local delivery: <[^[:space:]]+> -> <(spam|virus)-quarantine>, mbx=/var/lib/amavis/virusmails/(spam|virus)-[[:alnum:]-]+(\.gz)?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam from=<[^[:space:]]+>, to=<[^[:space:]]+>, quarantine spam-[^[:space:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: spam_scan: (No|Yes), hits=[\.0-9-]+ tests=[,_A-Z0-9]+ <[^[:space:]]*>$ ### violations.ignore.d/amavisd-new -amavis\[[0-9]+\]: \([0-9-]+\) SPAM, <[^[:space:]]*> -> <[^[:space:]]*>, (No|Yes), hits=[\.0-9-]+ tagged_above=[\.0-9-]+ required=[\.0-9-]+ tests=[,_A-Z0-9 ]+ quarantine spam-[^[:space:]]+ \(spam-quarantine\)$ -amavis\[[0-9]+\]: \([0-9-]+\) BAD HEADER from( \((bulk|list|junk)\))? <[^[:space:]]*>: .*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) SPAM, <[^[:space:]]*> -> <[^[:space:]]*>, (No|Yes), hits=[\.0-9-]+ tagged_above=[\.0-9-]+ required=[\.0-9-]+ tests=[,_A-Z0-9 ]+ quarantine spam-[^[:space:]]+ \(spam-quarantine\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) BAD HEADER from( \((bulk|list|junk)\))? <[^[:space:]]*>: .*$ ### violations.ignore.d/bind -named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$ ### violations.ignore.d/bind.tmp -named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out ### violations.ignore.d/dhcp-client -dhcpd(-2.2.x)?: (send_packet|fallback_discard): Connection refused$ -dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd(-2.2.x)?: (send_packet|fallback_discard): Connection refused$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: receive_packet failed on eth[0-9]: Network is down$ ### violations.ignore.d/dovecot-common -xayide dovecot\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xayide dovecot\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= $ ### violations.ignore.d/libpam-modules -pam_limits\[[0-9]+\]: setrlimit limit #[0-9]+ to soft=[-0-9]+, hard=[-0-9]+ failed: Operation not permitted; uid=[0-9]+ euid=[0-9]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_limits\[[0-9]+\]: setrlimit limit #[0-9]+ to soft=[-0-9]+, hard=[-0-9]+ failed: Operation not permitted; uid=[0-9]+ euid=[0-9]+$ ### violations.ignore.d/misc # This one shows up with firewalls blocking SMB ports non-silently -kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:137 .*:137 L=78 S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth[0-9]+ PROTO=17 .*:137 .*:137 L=78 S=0x00 I=[0-9]+ F=0x0000 T=[0-9]+ \(#[0-9]+\) ### violations.ignore.d/netatalk.changes # Lines with "[^[:space:]]+:" at the beginning are for netatalk 1.6.x or newer. -afpd\[[0-9]+\]: afp_die: asp_shutdown: Connection timed out$ -afpd\[[0-9]+\]: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): Permission denied$ -afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$ -afpd\[[0-9]+\]: [^[:space:]]+: D5:Default: cnid_mangle_get: Failed to find mangled entry for .*$ -afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_die: asp_shutdown: Connection timed out$ -afpd\[[0-9]+\]: [^[:space:]]+: E:Default: cnid_open: dbenv->open of /[^[:space:]]+/\.AppleDB failed: Permission denied$ -afpd\[[0-9]+\]: afp_getsrvrparms: stat /[^/]+/: Permission denied$ -afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_die: asp_shutdown: Connection timed out$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: (afp_flushfork|afp_read|getforkparms): (ad_refresh|of_find): Permission denied$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: D5:AFPDaemon: Parsing volset [^[:space:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: D5:Default: cnid_mangle_get: Failed to find mangled entry for .*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:AFPDaemon: afp_die: asp_shutdown: Connection timed out$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: E:Default: cnid_open: dbenv->open of /[^[:space:]]+/\.AppleDB failed: Permission denied$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /[^/]+/: Permission denied$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied$ ### violations.ignore.d/netsaint -netsaint: SERVICE ALERT:.*;PING;CRITICAL;.*;PING CRITICAL - Packet loss =.*%, RTA =.*ms -netsaint: SERVICE ALERT:.*;ROUTER;CRITICAL;.*;CRITICAL - Plugin timed out after 10 seconds -netsaint: SERVICE ALERT:.*;ROUTER;OK;.*;PING OK - Packet loss =.*%, RTA =.*ms -netsaint: SERVICE FLAPPING ALERT:.*;PING;STOPPED; Service appears to have stopped flapping (.*% change < .*% threshold) -netsaint: SERVICE FLAPPING ALERT:.*;PING;STARTED; Service appears to have started flapping (.*% change >.*% threshold) -netsaint: SERVICE ALERT: mail;SMTP;CRITICAL;.*;Connection refused by host -netsaint: SERVICE NOTIFICATION:.*;CRITICAL;notify-by-.*;Connection refused by host -netsaint: SERVICE ALERT: mail;SMTP;OK;.* OK - 0 second response time -netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL.* -netsaint: HOST ALERT:.*;UP;SOFT;.*;PING OK.* -netsaint: Successfully shutdown\.\.\. \(PID=[0-9]+\) $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT:.*;PING;CRITICAL;.*;PING CRITICAL - Packet loss =.*%, RTA =.*ms +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT:.*;ROUTER;CRITICAL;.*;CRITICAL - Plugin timed out after 10 seconds +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT:.*;ROUTER;OK;.*;PING OK - Packet loss =.*%, RTA =.*ms +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE FLAPPING ALERT:.*;PING;STOPPED; Service appears to have stopped flapping (.*% change < .*% threshold) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE FLAPPING ALERT:.*;PING;STARTED; Service appears to have started flapping (.*% change >.*% threshold) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT: mail;SMTP;CRITICAL;.*;Connection refused by host +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE NOTIFICATION:.*;CRITICAL;notify-by-.*;Connection refused by host +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: SERVICE ALERT: mail;SMTP;OK;.* OK - 0 second response time +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: HOST ALERT:.*;DOWN;SOFT;.*;CRITICAL.* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: HOST ALERT:.*;UP;SOFT;.*;PING OK.* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ netsaint: Successfully shutdown\.\.\. \(PID=[0-9]+\) $ ### violations.ignore.d/pmud -pmud\[[0-9]+\]: Sleep for this PMU unsupported: will shutdown the machine on sleep request$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pmud\[[0-9]+\]: Sleep for this PMU unsupported: will shutdown the machine on sleep request$ ### violations.ignore.d/postfix -postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host not found(, try again)?$ -postfix/(local|smtpd)\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:space:]\[]+\[[\.0-9]+\]$ -postfix/[ls]mtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]*>)?, relay=[^[:space:],]+, delay=[0-9]+, status=(sent|bounced|deferred) \([^\(\)]+(\([^\(\)]*\)[^\(\)]*)*[^\(\)]*\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$ -postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]>]+>$ -postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$ -postfix/nqmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^[:space:]>]+>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$ -postfix/smtp\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.* -postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [^!]+ != [^[:space:]]+$ -postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$ -postfix/smtpd\[[0-9]+\]: [0-9]+:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay\.c:578: -postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ -postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in RCPT command: .* -postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$ -postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: (DATA|RCPT) from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2}( [^;]+;){1,3} from=<[^>]*>( to=<[^>]*>)? proto=E?SMTP( helo=<.*>)?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(local|smtpd)\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host not found(, try again)?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(local|smtpd)\[[0-9]+\]: warning: reject: ETRN [^[:space:]]+\.\.\. from [^[:space:]\[]+\[[\.0-9]+\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[0-9]+\]: [A-Z0-9]+: to=<[^>,]*>(, orig_to=<[^>,]*>)?, relay=[^[:space:],]+, delay=[0-9]+, status=(sent|bounced|deferred) \([^\(\)]+(\([^\(\)]*\)[^\(\)]*)*[^\(\)]*\)( proto=E?SMTP helo=<[^[:space:]>]+>)?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=<[^[:space:]>]+>$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/local\[[0-9]+\]: warning: unable to create lock file /var/mail/[[:alnum:]]+\.lock: Permission denied$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/nqmgr\[[0-9]+\]: [A-Z0-9]+: from=<[^[:space:]>]+>, size=[0-9]+, nrcpt=[0-9]+ \(queue active\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: (Unv|V)erified: subject_CN=.*, issuer=.* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: Peer verification: CommonName in certificate does not match: [^!]+ != [^[:space:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]\[]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [0-9]+:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay\.c:578: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: RCPT from [^[:space:]\[]+\[[\.0-9]+\]: 452 Insufficient system storage; from=<[^[:space:]>]+> to=<[^[:space:]>]+>$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [^[:space:]\[]+\[[\.0-9]+\] in RCPT command: .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [\.0-9]+: hostname [^[:space:]]+ verification failed: Host name has no address$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+: reject: (DATA|RCPT) from [^[:space:]\[]+\[[\.0-9]+\]: [45][0-9]{2}( [^;]+;){1,3} from=<[^>]*>( to=<[^>]*>)? proto=E?SMTP( helo=<.*>)?$ ### violations.ignore.d/proftpd -proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$ ### violations.ignore.d/samba -smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for [[:digit:]]+\. Error = (No route to host|Connection (reset by peer|timed out)) $ -smbd\[[0-9]+\]: write_socket_data: write failure\. Error = Connection reset by peer $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for [[:digit:]]+\. Error = (No route to host|Connection (reset by peer|timed out)) $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: write_socket_data: write failure\. Error = Connection reset by peer $ ### violations.ignore.d/ssh -sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$ -ssh\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=[^[:space:]]+ user=[^[:space:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ssh\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=[^[:space:]]+ user=[^[:space:]]+$ ### violations.ignore.d/su ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[[:alnum:]-]+ ?$ ### violations.ignore.d/temp -(imap|netatalk|pop|samba)\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]* user=[[:alnum:]]+$ -afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied -afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied -afpd\[[0-9]+\]: bad function 7A -afpd\[[0-9]+\]: cnid_open: Cannot establish logfile cleanup lock for database environment .*/\.AppleDB/cnid\.lock \(open\(\) failed\) -afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied -afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied -afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument) -IMP\[[0-9]+\]: FAILED .* to .*:143 as .* -i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\] -kernel: IP_MASQ:reverse ICMP: failed checksum from .*! -kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\) -PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service -portsentry\[[0-9]+\]: attackalert: .* -smbd\[[0-9]+\]: ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$ -smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. $ -smbd\[[0-9]+\]: getpeername failed. Error was Transport endpoint is not connected $ -smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! -smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. -sshd\[[0-9]+\]: Failed password for .* -pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument -postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .* -postfix/smtpd\[[0-9]+\]: reject: .*: 554 <.*>: Recipient address rejected: User unknown; .* -postfix.*\[[0-9]+\]: .* from=<(groove@mailomat.grooveattack.com|refused@maila.com)> -snort: spp_http_decode: IIS Unicode attack detected: -postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (imap|netatalk|pop|samba)\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]* user=[[:alnum:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: bad function 7A +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: cnid_open: Cannot establish logfile cleanup lock for database environment .*/\.AppleDB/cnid\.lock \(open\(\) failed\) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED .* to .*:143 as .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\] +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from .*! +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\) +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ portsentry\[[0-9]+\]: attackalert: .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: getpeername failed. Error was Transport endpoint is not connected $ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 550 <.*>: User unknown; .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 554 <.*>: Recipient address rejected: User unknown; .* +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* from=<(groove@mailomat.grooveattack.com|refused@maila.com)> +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_http_decode: IIS Unicode attack detected: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .* |