[Logcheck-devel] Re: logcheck rules

maximilian attems debian at sternwelten.at
Mon Oct 25 20:09:19 UTC 2004


On Fri, 22 Oct 2004, Brendon Baumgartner wrote:

> I know you’re a rule collector :)

well there are times when i'm less responsive,
please just file bug reports to balance the load
on the team. i'll try on this one.
 
> Here's what I've got. Some minor adjustments. Some lines have \. To match
> periods etc. This list doesn't relate to the email I just sent about the
> bug. I removed some of this for testing. I've made a lot of minor tweaks
> since our last discussion.
> 
> ./ignore.d.server/local-perdition
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect:
> [.0-9]+->[.0-9]+$
strange this one should be ignored in current logcheck.
could you check why this rule goofs, i'll attach it also in local-perdition:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect:
[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
maybe it was just added to current cvs?

> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Fatal error piping
> data. Exiting child\.$
no idea that sounds more like an error?

> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Closing NULL
> session: [.0-9]+->[.0-9]+ username=\(null\)$
ok cool, added with a bit stricter ip matching:
'[.0-9]+' became  '[.0-9]{7,15}'
 
> ./ignore.d.server/local-postfix
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: table
> hash:/var/lib/exact/relay\(0,100\) has changed -- restarting$
how often does that happen?
not sure if it's sane to ignore?
> ^COMMENT\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [0-9A-Z]+:
> lost connection with [^[:space:]]+ while sending end of data -- message may
> be sent more than once$
also added but used '[:upper:]' instead of 'A-Z'.
 
> ./ignore.d.server/local-cron
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session
> closed for user logcheck$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session
> opened for user logcheck by \(uid=0\)$
strange i've never seen this!?
when do you get that?
in ignore.d.paranoid/cron i see that rule
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\)
session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
what cron are you using? (debian or other distribution)?

> ./ignore.d.server/local-sshd
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: syslogin_perform_logout:
> logout\(\) returned an error$
thanks already in current cvs.
 
> ./ignore.d.server/local-pure-ftpd
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\)
> \[INFO\] New connection from [._[:alnum:]-]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\)
> \[INFO\] [._[:alnum:]-]+ is now logged in$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([\?._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Logout\.$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout - try typing a little
> faster next time$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to .+:
> No such file or directory$
all of the above are already in cvs, thanks.
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to .+:
> Not a directory$
added this ending bit to the above rule:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
\([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to .+:
(No such file or|Not a) directory$

> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout \(no new data for
> [0-9]+ seconds\)$
added
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] .+ (up|down)loaded  \([0-9]+
> bytes, [0-9]+.[0-9]+KB/sec\)$
already in cvs
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] Deleted .+$
hmmm, yeaah can be noisy on big hosts,
i'll leave it out until future notice.
but ftp-users shouldn't have access to important stuff.
please inform me of the number of occurrences on your host, for example:
egrep '\[NOTICE\] Deleted' /var/log/syslog | wc -l

> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] File successfully renamed or
> moved: \[.+\]->\[.+\]$
great added.

> ./ignore.d.server/local-exact
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ exact\[[0-9]+\]: authorising
> [^[:space:]]+ at [.0-9]+$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ exact\[[0-9]+\]: cleaning db file$
sorry i don't know of an "exact" daemon,
please educate me.
 
> ./ignore.d.server/local-slapd
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapd\[[0-9]+\]:
hmm that one doesn't make me happy,
have you tried to decrease verbosity in slapd?
 
> ./ignore.d.server/local-snmpd
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snmpd\[[0-9]+\]: Connection from [.0-9]+$
thanks added with a bit stricter ip matching rule, see above.
 
> ./ignore.d.server/local-ispman
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ispman: ISPMan
looks like a verbose man,
no idea what he does nor is this rule complete. ;-)
 
> ./ignore.d.server/local-kernel
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: IN-inet:IN
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: NEW TCP
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: SYN FLOOD:IN
hmm the iptables stuff, left for another time..
 
> ./violations.ignore.d/local-postfix
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+:
> reject: RCPT from [^[:space:]]+: [0-9]{3} <[^[:space:]]+>: Relay access
> denied; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP)
> helo=<[^[:space:]]+>$
thanks already in cvs
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [A-Z0-9]+:
> reject: RCPT from [^[:space:]]+: [0-9]{3} <[^[:space:]]+>: User unknown in
> local recipient table; from=<[^[:space:]]*> to=<[^[:space:]]+>
> proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$
grr we have a slightly different rule in cvs,
could we fix that one up?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]:
[[:upper:]0-9]+: reject: RCPT from [^[:space:]]+\[[0-9.]{7,14}\]:
[45][0-9][0-9] <.+>: User unknown in local recipient table;
from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP)
helo=<[^[:space:]]+>$
looks quite similar except the part
"RCPT from [^[:space:]]+\[[0-9.]{7,14}\]"
could you try if it works for you, attached.

> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+:
> to=<[^[:space:]]+>, relay=[^[:space:]]+, delay=[0-9]+, status=deferred
> \(host [^[:space:]]+ refused to talk to me: [^[:space:]]+ 554 Access
> denied\)$
great thanks added just used [:upper:] instead of 'A-Z'
> 
> ./violations.ignore.d/local-pure-ftpd
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't open .+: No such file or
> directory$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd:
> \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't remove directory: No
> such file or directory$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\)
> \[DEBUG\] This is a private system - No anonymous login$
thanks added
 
> ./violations.ignore.d/local-cyrus
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/imapd\[[0-9]+\]: SQUAT failed$
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/imapd\[[0-9]+\]: SQUAT failed to
> open index file$
already in current cvs.
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/lmtpd\[[0-9]+\]: DBERROR db3:
> [0-9]+ lockers$
what? that sounds bad?
 
> ./violations.ignore.d/local-slapd
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapd\[[0-9]+\]:
hmm..

thanks a lot for the different rules,
i've added a thanks to the current changelog for all these rules.

 
--
maks

ps added logcheck-devel on cc
-------------- next part --------------
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:upper:]0-9]+: reject: RCPT from [^[:space:]]+\[[0-9.]{7,14}\]: [45][0-9][0-9] <.+>: User unknown in local recipient table; from=<[^[:space:]]*> to=<[^[:space:]]+> proto=(ESMTP|SMTP) helo=<[^[:space:]]+>$
-------------- next part --------------
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}->[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
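Added example, not part of the thread or of logcheck itself: the two rule changes discussed above (the stricter `[.0-9]{7,15}` IP matching and the merged pure-ftpd `(No such file or|Not a) directory` ending) run against constructed syslog lines with `grep -E`, which is how logcheck's egrep applies an ignore file. Hostnames, addresses and paths in the sample log are made up.

```shell
#!/bin/sh
# Added example, not from the thread: run two of the rules discussed above
# against constructed syslog lines with 'grep -E', which is how logcheck's
# egrep applies its ignore files. Lines matched by no rule get reported.

# perdition rule with the stricter IP matching maks describes:
# '[.0-9]+' became '[.0-9]{7,15}', so a bogus '1->2' is no longer swallowed.
PERDITION_CLOSE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Closing NULL session: [.0-9]{7,15}->[.0-9]{7,15} username=\(null\)$'

# pure-ftpd rule after the "(No such file or|Not a) directory" merge.
PUREFTPD_CHDIR='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can'\''t change directory to .+: (No such file or|Not a) directory$'

# Constructed sample log (hostnames, addresses and paths are made up).
SAMPLE_LOG='Oct 25 20:09:19 mailhost perdition[1234]: Closing NULL session: 10.0.0.5->192.168.1.20 username=(null)
Oct 25 20:09:20 mailhost perdition[1234]: Closing NULL session: 1->2 username=(null)
Oct 25 20:09:21 ftphost pure-ftpd: (bob@10.0.0.9) [INFO] Can'\''t change directory to /pub/x: No such file or directory
Oct 25 20:09:22 ftphost pure-ftpd: (bob@10.0.0.9) [INFO] Can'\''t change directory to /pub/f: Not a directory
Oct 25 20:09:23 ftphost pure-ftpd: (bob@10.0.0.9) [INFO] Can'\''t change directory to /pub/y: Permission denied'

# rule_ignores RULE LINE: exit 0 when LINE is matched (suppressed) by RULE.
rule_ignores() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# report_lines: print the sample lines that no rule matches, exactly as
# logcheck does with 'egrep -v -f rulefile'; grep status 1 (nothing left
# to report) is not an error here.
report_lines() {
    rules=$(mktemp)
    printf '%s\n%s\n' "$PERDITION_CLOSE" "$PUREFTPD_CHDIR" > "$rules"
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -f "$rules" || [ $? -eq 1 ]
    rm -f "$rules"
}

# reported_count: number of sample lines logcheck would still mail out
# (the '1->2' perdition line and the 'Permission denied' chdir failure).
reported_count() {
    report_lines | wc -l | tr -d ' '
}

reported_count
```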