blob: c72783af7f78c52a30b7e607a4091cd75b4ab1b0 (
plain)
- ## imp
- IMP\[[0-9]+\]: FAILED .* to .*:143 as .*
- ## libpam-modules
- PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> .* for (imap|netatalk|pop|samba|ssh) service
- # old-style pam entries (no longer provided by logcheck but needed on woody
- PAM_.*: .* session (opened|closed) for user .*
- ## netatalk
- afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM (Auth OK!|Success -- .*|User entered a null value -- .*)
- afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure -- (Bad file descriptor|Invalid argument)
- afpd\[[0-9]+\]: uams_dhx_pam\.c :PAM: PAM: User entered a null value -- No such file or directory
- afpd\[[0-9]+\]: afp_getsrvrparms: stat /volumes/(km/kmstab/kmstab|kp/kp/kp(/kp|/kpstab|stab/kpstab)|misc/flstab/flstab): Permission denied
- afpd\[[0-9]+\]: bad function 7A
- atalkd\[[0-9]+\]: as_timer sendto: Netvaerket er ikke tilgaengeligt
- ## hylafax-server
- FaxGetty\[[0-9]+\]: ANSWER: Can not lock modem device
- gnome-name-server\[[0-9]+\]: server_is_alive: .*
- ## uw-imap
- i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=.*)? host=(.* )?\[.*\]
- ## ppp
- ipppd\[[0-9]+\]: Connect\[0\]: /dev/ippp[0-9], fd: 12
- ## misc
- kernel: Disorder[0-9] [0-9] [0-9] f[0-9] s[0-9] rr[0-9]
- kernel: IP_MASQ:reverse ICMP: failed checksum from .*!
- kernel: OPEN: [\.0-9]* -> [\.0-9]* UDP, port: [0-9]* -> [0-9]*
- kernel: Packet log: input DENY eth1 PROTO=1 0.0.0.0:5 10.0.0.40:1 L=427 S=0xD0 I=0 F=0x4000 T=255 \(#22\)
- kernel: lp[0-9]: compatibility mode
- kernel: Undo( partial)? (Hoe|loss|retrans)
- printer: offline or intervention needed
- ## ntp-simple
- ntpd\[[0-9]+\]: synchronisation lost
- ntpd\[[0-9]+\]: synchronisation lost
- ntpd\[[0-9]+\]: time reset [\.0-9-]* .
- ntpd\[[0-9]+\]: time reset [\.0-9-]+ s
- ## portsentry
- portsentry\[[0-9]+\]: attackalert: .*
- ## pump
- pumpd\[[0-9]+\]: SO_BINDTODEVICE eth0 \(4\) failed: Invalid argument
- ## samba
- smbd\[[0-9]+\]: read_socket_data: recv failure for 4. Error = No route to host
- smbd\[[0-9]+\]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User [[:alnum:]]+ !
- smbd\[[0-9]+\]: \[[/[0-9]]+ [:[0-9]]+, 0\] smbd/service.c:find_service\([0-9]+\)
- smbd\[[0-9]+\]: yield_connection: tdb_delete for name failed with error Record does not exist\.
- smbd\[[0-9]+\]: \[.*\] smbd/connection.c:yield_connection\([0-9]+\)
- smbd\[[0-9]+\]: \[.*\] passdb/pampass.c:smb_pam_passcheck\([0-9]+\)
- sshd\[[0-9]+\]: Failed password for .*
- sshd\[[0-9]+\]: packet_set_maxsize: setting to 4096
- ## postfix
- postfix.*\[[0-9]+\]: .* from=<groove@mailomat.grooveattack.com>
- postfix/smtpd\[[0-9]+\]: warning: Illegal address syntax from [\.[:alnum:]-]+\[[\.0-9]+\] in MAIL command: <C:\\Email\\Headers\\fresh froms 5-1\.txt>
- rpc.mountd: authenticated mount request from .* for .*
- ## snort
- snort: .*FrontPage
- snort: IDS015 - RPC - portmap-request-status:
- snort: IDS029 - SCAN-Possible Queso Fingerprint attempt:
- snort: IDS115 - MISC-Traceroute-UDP:
- snort: IDS212 - MISC - DNS Zone Transfer:
- snort: IDS226 - CVE-1999-0172 - CGI-formmail:
- snort: IDS246 - MISC - Large ICMP Packet:
- snort: IIS-
- snort: MISC-Attempted Sun RPC high port access:
- snort: NETBIOS-SMB-C:
- snort: NETBIOS-SMB-CD...:
- snort: NMAP TCP ping!:
- snort: RPC Info Query:
- snort: SCAN-SYN FIN:
- snort: spp_http_decode: IIS Unicode attack detected:
- snort: spp_portscan: End of portscan
- snort: spp_portscan: PORTSCAN DETECTED
- snort: spp_portscan: portscan status from
- snort: WEB-../..:
- snort: WEB-CGI-upload.pl:
- ## postgres
- postgres\[[0-9]+\]: \[.*\] DEBUG:
- postgres\[[0-9]+\]: \[[0-9-]*\] Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
- postgres\[[0-9]+\]: \[[0-9-]*\] [0-9]*; Re-using: Free/Avail. Space .* EndEmpty/Avail\. Pages .* CPU .* sec\.
|
