[Logcheck-commits] CVS logcheck/rulefiles/linux/ignore.d.server
CVS User maks-guest
logcheck-devel@lists.alioth.debian.org
Thu, 21 Apr 2005 21:20:22 +0000
Update of /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server
In directory haydn:/tmp/cvs-serv27340/rulefiles/linux/ignore.d.server
Modified Files:
jabberd rsync scponly squid ssh
Log Message:
add weasel rules for jabberd, rsync, squid and ssh.
while being at it, fix the scponly user match.
the ssh rule ignores dumb scanning by nmap and co;
it may have been contestable in the past,
but nowadays it's just noise.
--- /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/jabberd 2004/12/20 21:57:31 1.3
+++ /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/jabberd 2005/04/21 21:20:22 1.4
@@ -16,6 +16,7 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] closing connection$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] dns lookup for [._[:alnum:]-]+ timed out$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: connection to [._[:alnum:]-]+ timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] error: XML parse error \((syntax error|junk after document element)\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/sm\[[0-9]+\]: session (replaced|ended|started): jid=[._[:alnum:]-]+@[._[:alnum:]-]+/[._[:alnum:]-]+$
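Review bot: The added s2s rule silences `XML parse error` for any remote peer address, and deliberately malformed XML from a host probing the s2s parser would presumably produce the same two messages, so on a server whose federation peers are not trusted this is a line some admins will want to keep visible. The pattern itself is tight (two fixed error texts, the file's usual `[0-9.]{7,15}` address class), so the question is only whether it belongs in the shipped ignore.d.server rather than a local override. If it stays, a comment above it such as `# s2s XML parse errors from remote peers are routine junk; move to violations if parser probing matters to you` would record the trade-off for the next reader.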
--- /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/rsync 2005/04/10 17:19:34 1.2
+++ /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/rsync 2005/04/21 21:20:22 1.3
@@ -1,3 +1,6 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsync\[[0-9]+\]: connect from [0-9.]{7,15} \([0-9.]{7,15}\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync on [[:alnum:]/._-]+ from [._[:alnum:]-]+ \([0-9.]{7,15}\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: wrote [0-9]+ bytes read [0-9]+ bytes total size [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync error: some files could not be transferred \(code 23\) at main.c\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: unknown module 'pub' tried from [._[:alnum:]-]+ \([0-9.]{7,15}\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync error: received SIGUSR1 or SIGINT \(code 20\) at rsync.c\([0-9]+\)$
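Review bot: The `unknown module 'pub' tried from` rule on the second added line is hard-wired to one module name, which looks like one site's log copied verbatim rather than a distribution rule: it matches nothing for any other module, and an `unknown module` line is a cheap signal that someone is guessing module names against the daemon, so it is arguably better left reported than ignored. If it is kept, generalise the name to `unknown module '[^']+' tried from` so the rule at least behaves the same for every module. On the other two added lines `main.c\(` and `rsync.c\(` leave the dot unescaped; `main\.c\(` and `rsync\.c\(` is the intended literal match and matches how the rest of the ruleset escapes metacharacters.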
--- /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/scponly 2005/01/12 13:01:12 1.5
+++ /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/scponly 2005/04/21 21:20:22 1.6
@@ -1 +1 @@
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ \[[0-9]+\]: running: /(usr/)?bin/(groups|ls|mkdir|mv|pwd|rm|rsync|scp).* \(username: [_[:alnum:]-]+\([0-9]+\), IP/port: [.:[:alnum:]]+ [0-9]+ 22\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ \[[0-9]+\]: running: /(usr/)?bin/(groups|ls|mkdir|mv|pwd|rm|rsync|scp).* \(username: [._[:alnum:]-]+\([0-9]+\), IP/port: [.:[:alnum:]]+ [0-9]+ 22\)$
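Review bot: The command alternation on the new line is still open on the right: `(groups|ls|mkdir|mv|pwd|rm|rsync|scp).*` also matches `/bin/rmdir`, `/bin/lsattr` or anything else that merely begins with one of those names, and the `.*` swallows the whole argument list, so an `rsync` or `scp` invocation carrying whatever options the client supplied is dropped together with the harmless ones — in an scponly log the arguments are precisely the part an auditor wants to see. Requiring a separator after the command, `(groups|ls|mkdir|mv|pwd|rm|rsync|scp)( .*)? \(username:`, removes the prefix match without changing which binaries the rule whitelists; whether to keep ignoring the argument tail at all is a separate choice worth a comment in the file.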
--- /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/squid 2004/10/19 14:58:52 1.6
+++ /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/squid 2005/04/21 21:20:22 1.7
@@ -49,5 +49,8 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: storeLateRelease: released [0-9]+ objects$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +[0-9]+ entries written so far\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: urlParse: Illegal character in hostname '.*'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: httpReadReply: Excess data from "GET .*"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: WARNING: found whitespace in HTTP header name {Cache Control: no-cache}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: ctx: exit level 0$
# squidguard
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: helperOpenServers: Starting [0-9]+ 'squidGuard' processes$
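Review bot: The braces in `{Cache Control: no-cache}` on the second added line are ERE interval metacharacters; GNU grep treats a `{` that does not begin a valid interval as a literal, but that is an extension rather than guaranteed POSIX behaviour, and the surrounding rules escape their metacharacters, so `\{Cache Control: no-cache\}` is the safer spelling. Keeping the header text hard-coded is the right call and should be preserved: whitespace in a header name is a malformed-request indicator, and widening this to `\{.*\}` would hide every such request instead of the one variant the author evidently regards as noise.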
--- /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/ssh 2005/03/22 22:39:39 1.9
+++ /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/ssh 2005/04/21 21:20:22 1.10
@@ -8,3 +8,4 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: refused connect from [:[:alnum:].]+ \([:[:alnum:].]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: Timeout before authentication for [:[:alnum:].]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from ::ffff:[0-9.]{7,15}$
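Review bot: The address class on the added line, `::ffff:[0-9.]{7,15}`, only matches the IPv4-mapped IPv6 form, so the same message from a native IPv4 socket (`from 1.2.3.4`) or from a genuine IPv6 peer is still reported, while the neighbouring sshd rules in this file use `[:[:alnum:].]+` for the peer address; `from [:[:alnum:].]+$` would make the rule behave the same regardless of how sshd is bound. Because this message is the footprint of banner grabs and port scans, as the log message itself says, that inconsistency deserves a conscious decision rather than a half-applied ignore: a site that still wants scan visibility can drop the rule in a local copy, but it should know it is dropping all of it.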