From 0380cafd806755da4e9c39508c8b9cd8a763caf0 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard <dr@jones.dk>
Date: Sat, 14 Aug 2004 07:40:10 +0000
Subject: group (and improve a bit) login failure ignores. Simplify non-space
 (and generally improve a bit) postfix ignores.

---
 logcheck/violations.ignore.d/temp | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

(limited to 'logcheck/violations.ignore.d/temp')

diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp
index c669588..669ccc2 100644
--- a/logcheck/violations.ignore.d/temp
+++ b/logcheck/violations.ignore.d/temp
@@ -1,28 +1,31 @@
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot-auth|(imap|i(map|pop3)d|netatalk|pop|samba)(\(pam_unix\))?\[[0-9]+\]):( \(pam_unix\))? authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*(  user=[[:alnum:]]+)?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: bad function 7A
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: cnid_open: Cannot establish logfile cleanup lock for database environment .*/\.AppleDB/cnid\.lock \(open\(\) failed\)
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: dsi_stream_read\(0\): Permission denied
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: error removing /.+/net[\.0-9]+node[0-9]+: Permission denied
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+
-#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=[^[:space:]]*)?( auth=[^[:space:]]*)? host=([^[:space:]]* )?\[[^[:space:]]+\]
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IP_MASQ:reverse ICMP: failed checksum from [^[:space:]]+!
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
-#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> [^[:space:]]+ for (imap|netatalk|pop|samba|ssh) service
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ portsentry\[[0-9]+\]: attackalert: .*
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]:   ERROR: string overflow by [[:digit:]]+ in safe_strcpy .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]:   api_rpcTNP: api_srvsvc_rpc: SRV_NET_SHARE_ADD failed. ?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]:   getpeername failed. Error was Transport endpoint is not connected ?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]:   smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ ?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]:   yield_connection: tdb_delete for name  failed with error Record does not exist\.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for [^[:space:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 550 <[^[:space:]]*>: User unknown; .*
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: reject: .*: 554 <[^[:space:]]*>: Recipient address rejected: User unknown; .*
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort: spp_http_decode: IIS Unicode attack detected:
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
 # Suspicious words within email addresses are ok
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^[:space:]]*(attack|debug|deny|expn|refused)[^[:space:]]*>.*
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix.*\[[0-9]+\]: .* (from|message\-id|to)=<[^[:space:]]*(attack|debug|deny|expn|refused)[^[:space:]]*>.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^[:space:]]*(attack|debug|deny|error|expn|refused)[^[:space:]]*>.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix[[:alnum:]]+\[[0-9]+\]: .* (from|message\-id|to)=<[^[:space:]]*(attack|debug|deny|error|expn|refused)[^[:space:]]*>.*
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|debug|deny|error|expn|refused)[^[:space:]]* has a valid A record$
+# Failed logins is impossible to deal with here here anyway
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot-auth|(imap|i(map|pop3)d|netatalk|pop|samba)(\(pam_unix\))?\[[0-9]+\]):( \(pam_unix\))? authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*(  user=[[:alnum:]]+)?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
+#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> [^[:space:]]+ for (imap|netatalk|pop|samba|ssh) service$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=[^[:space:]]*)?( auth=[^[:space:]]*)? host=([^[:space:]]* )?\[[^[:space:]]+\]$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mod_auth_shadow: VALIDATE: user: [^[:space:]]+, Authentication failure$
-- 
cgit v1.2.3