Mercurial > syslog2iptables
comparison syslog2iptables.conf.top @ 65:f17e6599b82c
fix default config regular expressions for geedy matching
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Sat, 19 Dec 2015 11:12:08 -0800 |
| parents | 60f59936fabb |
| children | d179292293eb |
comparison
equal
deleted
inserted
replaced
| 64:4b147494fc64 | 65:f17e6599b82c |
|---|---|
| 47 pattern "vsftpd.* authentication failure; .* rhost=(.*) " { | 47 pattern "vsftpd.* authentication failure; .* rhost=(.*) " { |
| 48 index 1; // zero based | 48 index 1; // zero based |
| 49 bucket 400; | 49 bucket 400; |
| 50 message "ftp failed password"; | 50 message "ftp failed password"; |
| 51 }; | 51 }; |
| 52 pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " { | |
| 53 index 1; // zero based | |
| 54 bucket 100; | |
| 55 message "dovecot failed password"; | |
| 56 }; | |
| 57 pattern "dovecot.* authentication failure; .* rhost=(.*) " { | |
| 58 index 1; // zero based | |
| 59 bucket 100; | |
| 60 message "dovecot failed password"; | |
| 61 }; | |
| 62 }; | 52 }; |
| 63 | 53 |
| 64 file "/var/log/messages" { | 54 file "/var/log/messages" { |
| 65 pattern "dovecot.* authentication failure; .* rhost=(.*) " { | |
| 66 index 1; // zero based | |
| 67 bucket 100; | |
| 68 message "dovecot failed password"; | |
| 69 }; | |
| 70 pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" { | 55 pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" { |
| 71 index 1; // zero based | 56 index 1; // zero based |
| 72 bucket 400; | 57 bucket 400; |
| 73 message "kernel firewall blocked packet"; | 58 message "kernel firewall blocked packet"; |
| 74 }; | 59 }; |
| 90 bucket 100; | 75 bucket 100; |
| 91 message "sendmail authentication attack"; | 76 message "sendmail authentication attack"; |
| 92 }; | 77 }; |
| 93 pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" { | 78 pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" { |
| 94 index 1; // zero based | 79 index 1; // zero based |
| 95 bucket 1800; | 80 bucket 0; // disable - iphone setup trips this; bucket 1800; |
| 96 message "sendmail pre-greeting"; | 81 message "sendmail pre-greeting"; |
| 97 }; | 82 }; |
| 98 pattern "authentication failure: checkpass failed, .*\[(.*)\]" { | 83 pattern "authentication failure: checkpass failed, .*\[(.*)\]" { |
| 99 index 1; // zero based | 84 index 1; // zero based |
| 100 bucket 100; | 85 bucket 100; |
| 101 message "sendmail authentication failed"; | 86 message "sendmail authentication failed"; |
| 102 }; | 87 }; |
| 103 pattern "dovecot.*Aborted login .* rip=(.*)," { | 88 pattern "dovecot.*Aborted login .* rip=(.*), lip=" { |
| 104 index 1; // zero based | 89 index 1; // zero based |
| 105 bucket 100; | 90 bucket 100; |
| 106 message "dovecot failed password"; | 91 message "dovecot failed password"; |
| 107 }; | 92 }; |
| 108 pattern "dovecot.*Login: .* rip=(.*)," { | 93 pattern "dovecot.*Login: .* rip=(.*), lip=" { |
| 109 index 1; // zero based | 94 index 1; // zero based |
| 110 bucket -5000; | 95 bucket -5000; |
| 111 message "dovecot good authentication"; | 96 message "dovecot good authentication"; |
| 112 }; | 97 }; |
| 113 pattern "sendmail.*AUTH=server, .*\[(.*)\]," { | 98 pattern "sendmail.*AUTH=server, .*\[(.*)\]," { |