comparison syslog2iptables.conf.top @ 65:f17e6599b82c

fix default config regular expressions for greedy matching
author Carl Byington <carl@five-ten-sg.com>
date Sat, 19 Dec 2015 11:12:08 -0800
parents 60f59936fabb
children d179292293eb
64:4b147494fc64 65:f17e6599b82c
47 pattern "vsftpd.* authentication failure; .* rhost=(.*) " { 47 pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
48 index 1; // zero based 48 index 1; // zero based
49 bucket 400; 49 bucket 400;
50 message "ftp failed password"; 50 message "ftp failed password";
51 }; 51 };
52 pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
53 index 1; // zero based
54 bucket 100;
55 message "dovecot failed password";
56 };
57 pattern "dovecot.* authentication failure; .* rhost=(.*) " {
58 index 1; // zero based
59 bucket 100;
60 message "dovecot failed password";
61 };
62 }; 52 };
63 53
64 file "/var/log/messages" { 54 file "/var/log/messages" {
65 pattern "dovecot.* authentication failure; .* rhost=(.*) " {
66 index 1; // zero based
67 bucket 100;
68 message "dovecot failed password";
69 };
70 pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" { 55 pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
71 index 1; // zero based 56 index 1; // zero based
72 bucket 400; 57 bucket 400;
73 message "kernel firewall blocked packet"; 58 message "kernel firewall blocked packet";
74 }; 59 };
90 bucket 100; 75 bucket 100;
91 message "sendmail authentication attack"; 76 message "sendmail authentication attack";
92 }; 77 };
93 pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" { 78 pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
94 index 1; // zero based 79 index 1; // zero based
95 bucket 1800; 80 bucket 0; // disable - iphone setup trips this; bucket 1800;
96 message "sendmail pre-greeting"; 81 message "sendmail pre-greeting";
97 }; 82 };
98 pattern "authentication failure: checkpass failed, .*\[(.*)\]" { 83 pattern "authentication failure: checkpass failed, .*\[(.*)\]" {
99 index 1; // zero based 84 index 1; // zero based
100 bucket 100; 85 bucket 100;
101 message "sendmail authentication failed"; 86 message "sendmail authentication failed";
102 }; 87 };
103 pattern "dovecot.*Aborted login .* rip=(.*)," { 88 pattern "dovecot.*Aborted login .* rip=(.*), lip=" {
104 index 1; // zero based 89 index 1; // zero based
105 bucket 100; 90 bucket 100;
106 message "dovecot failed password"; 91 message "dovecot failed password";
107 }; 92 };
108 pattern "dovecot.*Login: .* rip=(.*)," { 93 pattern "dovecot.*Login: .* rip=(.*), lip=" {
109 index 1; // zero based 94 index 1; // zero based
110 bucket -5000; 95 bucket -5000;
111 message "dovecot good authentication"; 96 message "dovecot good authentication";
112 }; 97 };
113 pattern "sendmail.*AUTH=server, .*\[(.*)\]," { 98 pattern "sendmail.*AUTH=server, .*\[(.*)\]," {