Diffstat (limited to 'logcheck')
-rw-r--r--logcheck/ignore.d.server/dhcp3-common24
-rw-r--r--logcheck/ignore.d.server/local28
-rw-r--r--logcheck/ignore.d.server/tmp4
-rw-r--r--logcheck/ignore.d.workstation/local28
-rw-r--r--logcheck/violations.ignore.d/local3
-rw-r--r--logcheck/violations.ignore.d/temp3
6 files changed, 49 insertions, 41 deletions
diff --git a/logcheck/ignore.d.server/dhcp3-common b/logcheck/ignore.d.server/dhcp3-common
index 8da2b18..a06415b 100644
--- a/logcheck/ignore.d.server/dhcp3-common
+++ b/logcheck/ignore.d.server/dhcp3-common
@@ -1,12 +1,12 @@
-dhcpd: Abandoning IP address [\.0-9]+: pinged before offer$
-dhcpd: BOOTREQUEST from [0-9a-f:]+$
-dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
-dhcpd: DHCPACK to [\.0-9]+$
-dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
-dhcpd: DHCPINFORM from [\.0-9]+( via eth[0-9]+)?$
-dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)?$
-dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
-dhcpd: ICMP Echo reply while lease [\.0-9]+ valid.$
-dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\.$
-dhcpd: accepting packet with data after udp payload.$
-dhcpd: ip length 576 disagrees with bytes received 590.$
+dhcpd: Abandoning IP address [\.0-9]+: pinged before offer ?$
+dhcpd: BOOTREQUEST from [0-9a-f:]+ ?$
+dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+dhcpd: DHCPACK to [\.0-9]+ ?$
+dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+dhcpd: DHCPINFORM from [\.0-9]+( via eth[0-9]+)? ?$
+dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)? ?$
+dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+dhcpd: ICMP Echo reply while lease [\.0-9]+ valid. ?$
+dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\. ?$
+dhcpd: accepting packet with data after udp payload. ?$
+dhcpd: ip length 576 disagrees with bytes received 590. ?$
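Review bot: The dots in `valid. ?$`, `payload. ?$` and `590. ?$` (the ICMP Echo, udp payload and ip length rules) are unescaped, so they match any character rather than a literal period; the neighbouring `leases file\. ?$` rule shows the intended form, and the three lines should read `dhcpd: ICMP Echo reply while lease [\.0-9]+ valid\. ?$`, `dhcpd: accepting packet with data after udp payload\. ?$` and `dhcpd: ip length 576 disagrees with bytes received 590\. ?$`. The same three rules are copied verbatim into the ignore.d.server/local and ignore.d.workstation/local hunks below and should be fixed there too. None of these rules is anchored at the start of the line, so each also suppresses any message from any program that merely ends with this text; if the logcheck version in use accepts it, a leading `^` with the syslog prefix would narrow them to dhcpd's own output.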
diff --git a/logcheck/ignore.d.server/local b/logcheck/ignore.d.server/local
index 04627c6..5c2f73e 100644
--- a/logcheck/ignore.d.server/local
+++ b/logcheck/ignore.d.server/local
@@ -81,18 +81,18 @@ dhcpd-2.2.x: DHCP(DECLINE on|RELEASE of|REQUEST for) [\.0-9]+ from [0-9a-f:]+( \
dhcpd-2.2.x: DHCPINFORM from [\.0-9]+ ?$
dhcpd-2.2.x: DHCPREQUEST for [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+: wrong network\. ?$
### ignore.d.server/dhcp3-common
-dhcpd: Abandoning IP address [\.0-9]+: pinged before offer$
-dhcpd: BOOTREQUEST from [0-9a-f:]+$
-dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
-dhcpd: DHCPACK to [\.0-9]+$
-dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
-dhcpd: DHCPINFORM from [\.0-9]+( via eth[0-9]+)?$
-dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)?$
-dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
-dhcpd: ICMP Echo reply while lease [\.0-9]+ valid.$
-dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\.$
-dhcpd: accepting packet with data after udp payload.$
-dhcpd: ip length 576 disagrees with bytes received 590.$
+dhcpd: Abandoning IP address [\.0-9]+: pinged before offer ?$
+dhcpd: BOOTREQUEST from [0-9a-f:]+ ?$
+dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+dhcpd: DHCPACK to [\.0-9]+ ?$
+dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+dhcpd: DHCPINFORM from [\.0-9]+( via eth[0-9]+)? ?$
+dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)? ?$
+dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+dhcpd: ICMP Echo reply while lease [\.0-9]+ valid. ?$
+dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\. ?$
+dhcpd: accepting packet with data after udp payload. ?$
+dhcpd: ip length 576 disagrees with bytes received 590. ?$
### ignore.d.server/gdm
gdm\[[0-9]+\]: run_pictures: Directory [^[:space:]] does not exist\.$
### ignore.d.server/gdm.da_DK
@@ -362,7 +362,9 @@ smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \([0-9
smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4. Error = (No route to host|Connection reset by peer) $
smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $
smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $
-smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:find_service))\([0-9]+\) $
+smbd\[[0-9]+\]: api_srv_net_share_add: Failed to unmarshall SRV_Q_NET_SHARE_ADD. $
+smbd\[[0-9]+\]: prs_mem_get: reading data of size 4 would overrun buffer. $
+smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|rpc_parse/parse_prs.c:prs_mem_get|rpc_server/srv_pipe.c:api_rpcTNP|rpc_server/srv_srvsvc.c:api_srv_net_share_add|smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:find_service))\([0-9]+\) $
## ssh
sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ from [0-9\.]+ port [0-9]+ ssh2$
sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $
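Review bot: The two new rules `api_srv_net_share_add: Failed to unmarshall SRV_Q_NET_SHARE_ADD. $` and `prs_mem_get: reading data of size 4 would overrun buffer. $` silence Samba's RPC unmarshalling failures, and the widened trace rule on the next line hides the matching `rpc_parse/parse_prs.c:prs_mem_get`, `rpc_server/srv_pipe.c:api_rpcTNP` and `rpc_server/srv_srvsvc.c:api_srv_net_share_add` location lines. These messages are the only record of a malformed or truncated srvsvc request reaching smbd, so dropping them from the server-wide ignore list removes evidence a reviewer would want to see; if they are known to come from one buggy client, keep them reported until that source is confirmed rather than ignoring them globally. The `.` before ` $` in both new rules is also unescaped and should be `\.`, as in the `Record does not exist\. $` rule above. The identical change appears in the ignore.d.server/tmp and ignore.d.workstation/local hunks.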
diff --git a/logcheck/ignore.d.server/tmp b/logcheck/ignore.d.server/tmp
index 35c265c..520c4c6 100644
--- a/logcheck/ignore.d.server/tmp
+++ b/logcheck/ignore.d.server/tmp
@@ -48,7 +48,9 @@ smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \([0-9
smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4. Error = (No route to host|Connection reset by peer) $
smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $
smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $
-smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:find_service))\([0-9]+\) $
+smbd\[[0-9]+\]: api_srv_net_share_add: Failed to unmarshall SRV_Q_NET_SHARE_ADD. $
+smbd\[[0-9]+\]: prs_mem_get: reading data of size 4 would overrun buffer. $
+smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|rpc_parse/parse_prs.c:prs_mem_get|rpc_server/srv_pipe.c:api_rpcTNP|rpc_server/srv_srvsvc.c:api_srv_net_share_add|smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:find_service))\([0-9]+\) $
## ssh
sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ from [0-9\.]+ port [0-9]+ ssh2$
sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $
diff --git a/logcheck/ignore.d.workstation/local b/logcheck/ignore.d.workstation/local
index 128e6e3..f94241f 100644
--- a/logcheck/ignore.d.workstation/local
+++ b/logcheck/ignore.d.workstation/local
@@ -81,18 +81,18 @@ dhcpd-2.2.x: DHCP(DECLINE on|RELEASE of|REQUEST for) [\.0-9]+ from [0-9a-f:]+( \
dhcpd-2.2.x: DHCPINFORM from [\.0-9]+ ?$
dhcpd-2.2.x: DHCPREQUEST for [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+: wrong network\. ?$
### ignore.d.server/dhcp3-common
-dhcpd: Abandoning IP address [\.0-9]+: pinged before offer$
-dhcpd: BOOTREQUEST from [0-9a-f:]+$
-dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
-dhcpd: DHCPACK to [\.0-9]+$
-dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
-dhcpd: DHCPINFORM from [\.0-9]+( via eth[0-9]+)?$
-dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)?$
-dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+$
-dhcpd: ICMP Echo reply while lease [\.0-9]+ valid.$
-dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\.$
-dhcpd: accepting packet with data after udp payload.$
-dhcpd: ip length 576 disagrees with bytes received 590.$
+dhcpd: Abandoning IP address [\.0-9]+: pinged before offer ?$
+dhcpd: BOOTREQUEST from [0-9a-f:]+ ?$
+dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+dhcpd: DHCPACK to [\.0-9]+ ?$
+dhcpd: DHCPDISCOVER from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+dhcpd: DHCPINFORM from [\.0-9]+( via eth[0-9]+)? ?$
+dhcpd: DHCPRELEASE of [\.0-9]+( from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+( \(found\))?)? ?$
+dhcpd: DHCPREQUEST for [\.0-9]+( \([\.0-9]+\))? from [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
+dhcpd: ICMP Echo reply while lease [\.0-9]+ valid. ?$
+dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\. ?$
+dhcpd: accepting packet with data after udp payload. ?$
+dhcpd: ip length 576 disagrees with bytes received 590. ?$
### ignore.d.server/gdm
gdm\[[0-9]+\]: run_pictures: Directory [^[:space:]] does not exist\.$
### ignore.d.server/gdm.da_DK
@@ -362,7 +362,9 @@ smbd\[[0-9]+\]: process_local_message: unknown UDP message command code \([0-9
smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4. Error = (No route to host|Connection reset by peer) $
smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ! $
smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\. $
-smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:find_service))\([0-9]+\) $
+smbd\[[0-9]+\]: api_srv_net_share_add: Failed to unmarshall SRV_Q_NET_SHARE_ADD. $
+smbd\[[0-9]+\]: prs_mem_get: reading data of size 4 would overrun buffer. $
+smbd\[[0-9]+\]: \[[0-9/]+ [0-9:]+, [0-9]+\] (lib/util_sock.c:read_data|passdb/pampass.c:smb_pam_passcheck|rpc_parse/parse_prs.c:prs_mem_get|rpc_server/srv_pipe.c:api_rpcTNP|rpc_server/srv_srvsvc.c:api_srv_net_share_add|smbd/(connection.c:yield_connection|oplock.c:process_local_message|service.c:find_service))\([0-9]+\) $
## ssh
sshd\[[0-9]+\]: Failed password for [[:alnum:]]+ from [0-9\.]+ port [0-9]+ ssh2$
sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096 $
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index 55ef9f8..f5c4f3f 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -74,8 +74,9 @@ kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
portsentry\[[0-9]+\]: attackalert: .*
-smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
+smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. $
smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4. Error = (No route to host|Connection reset by peer) $
+smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
sshd\[[0-9]+\]: Failed password for .*
pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
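Review bot: The new rule `smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. $` removes a failed share-add RPC call from the violations report; a remote attempt to add a share through srvsvc that fails is exactly the kind of administrative action the violations list exists to surface, so this line is better left reported, or reviewed case by case before it is ignored. If it must stay, the dot should be escaped, `SRV_NET_SHARE_ADD failed\. $`, and the trailing ` $` requires a trailing space on the log line, which the neighbouring `smb_pam_passcheck` and `yield_connection` rules do not require, so confirm against an actual logged line that the space is really there. The removal and re-addition of the `smb_pam_passcheck` line is only a reorder. The same change appears in the violations.ignore.d/temp hunk.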
diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp
index 94dc1f0..a08d1b3 100644
--- a/logcheck/violations.ignore.d/temp
+++ b/logcheck/violations.ignore.d/temp
@@ -12,8 +12,9 @@ kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
portsentry\[[0-9]+\]: attackalert: .*
-smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
+smbd\[[0-9]+\]: api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. $
smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for 4. Error = (No route to host|Connection reset by peer) $
+smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
sshd\[[0-9]+\]: Failed password for .*
pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument