[Logcheck-commits] r1214 - in logcheck/trunk: debian rulefiles/linux/ignore.d.server

madduck at users.alioth.debian.org
Wed Sep 13 16:32:39 UTC 2006


Author: madduck
Date: 2006-09-13 16:32:39 +0000 (Wed, 13 Sep 2006)
New Revision: 1214

Modified:
   logcheck/trunk/debian/changelog
   logcheck/trunk/rulefiles/linux/ignore.d.server/ssh
Log:
* ignore.d.server/ssh: duplicate possible breakin messages from
  violations.ignore.d.

Modified: logcheck/trunk/debian/changelog
===================================================================
--- logcheck/trunk/debian/changelog	2006-09-13 16:26:28 UTC (rev 1213)
+++ logcheck/trunk/debian/changelog	2006-09-13 16:32:39 UTC (rev 1214)
@@ -32,6 +32,8 @@
   * ignore.d.server/postfix: also add msgid status messages by cleanup daemon.
   * ignore.d.server/proftpd: fixed rule to ignore unknown user logins.
   * ignore.d.server/spamd: fixed rule for config location message.
+  * ignore.d.server/ssh: duplicate possible breakin messages from
+    violations.ignore.d.
   * ignore.d.server/kernel: partially undo link status message filter, now
     only filters up messages, not the down ones. By nature of the link status,
     the messages will come in pairs or not at all anyway.
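Review bot: The new entry `+  * ignore.d.server/ssh: duplicate possible breakin messages from` / `+    violations.ignore.d.` records what was copied but not why, and the wording "duplicate" does not tell a changelog reader that the effect is to drop these lines from the report altogether. Since the two rules concerned match sshd lines tagged `POSSIBLE BREAK-IN ATTEMPT!` (reverse-DNS mismatch notices), the entry should say that these reverse-mapping warnings are now fully ignored at the server level, so an administrator reading the changelog can tell a signal was deliberately silenced rather than a typo fixed; "breakin" should also be spelled "break-in", matching the message text.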

Modified: logcheck/trunk/rulefiles/linux/ignore.d.server/ssh
===================================================================
--- logcheck/trunk/rulefiles/linux/ignore.d.server/ssh	2006-09-13 16:26:28 UTC (rev 1213)
+++ logcheck/trunk/rulefiles/linux/ignore.d.server/ssh	2006-09-13 16:32:39 UTC (rev 1214)
@@ -16,3 +16,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '[^']*' from ([:.[:xdigit:]]+|UNKNOWN)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$
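Review bot: The two added rules write the timestamp and PID as `[ :0-9]{11}` and `sshd\[[0-9]+\]`, while every existing rule in this file uses `[ :[:digit:]]{11}` and `sshd\[[[:digit:]]+\]`; align the new lines with the file's character classes so the shared prefix stays uniform and can be maintained with one search-and-replace. Beyond style, note what the rules do: any sshd line ending in `- POSSIBLE BREAK-?IN ATTEMPT!$` is dropped regardless of which host or address appears in it. Both messages are sshd's reverse-DNS consistency check (the hostname "does not map back to the address", or "reverse mapping checking getaddrinfo ... failed"), which is most often a DNS misconfiguration and is why they are noisy, but silencing them wholesale means a mismatched reverse mapping will never reach the report; a comment in the rulefile stating that this check is intentionally ignored would make the trade-off visible to whoever tunes these rules later.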