-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathextra
More file actions
54 lines (39 loc) · 3.03 KB
/
extra
File metadata and controls
54 lines (39 loc) · 3.03 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
^su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:(?!root)[_[:alnum:]-]+$
^su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user (?!root)[[:alnum:]-]+ by \(uid=[0-9]+\)$
^su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user (?!root)[[:alnum:]-]+ by [[:alnum:]-]+\(uid=[0-9]+\)$
^sudo:[[:space:]]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+|tty[0-9]+) ; PWD=.+ ; USER=(?!root)[^[:space:]]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$
^postfix/(local|pipe|virtual)\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, (orig_to=[^[:space:]]+, |)relay=[^[:space:]]+, delay=[0-9]+, status=sent \(.*\)$
^postfix/smtp\[[0-9]+\]: [[:alnum:]]+: conversation with \S+ timed out
^postfix/smtp\[[0-9]+\]: [[:alnum:]]+: lost connection with \S+ while
^postfix/smtp\[[0-9]+\]: [[:alnum:]]+: host \S+ refused to talk to me: 4
# The 11 means SSH2_DISCONNECT_BY_APPLICATION
^sshd\[[0-9]+\]: Received disconnect from \S+: 11: Terminating connection$
^exim\[[0-9]+\]: [0-9-]+ [0-9:]+ Start queue run: pid=[0-9]+$
# This appears to be one of those bizarre issues we can do nothing about
# http://www.uwsg.iu.edu/hypermail/linux/kernel/0307.3/0947.html
^kernel: udp v4 hw csum failure\.$
^kernel: hw tcp v4 csum failed$
^kernel: icmp v4 hw csum failure$
^kernel: NET: [0-9]+ messages suppressed\.$
# Some nonsense we get from our Redhat machines
^crond\[[0-9]+\]: \([[:alnum:]]+\) CMD
^sendmail\[[0-9]+\]: [[:alnum:]]+: from=[^[:space:]]+, size=[0-9]+, class=[0-9]+, nrcpts=[0-9]+, msgid=[^[:space:]]+,( proto=ESMTP,)?( daemon=MTA,)? relay=
^sendmail\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, ctladdr=[^[:space:]]+ \(0\/0\), delay=[0-9:]+, xdelay=[0-9:]+, mailer=(relay|local), pri=[0-9]+(, relay=.+)?, dsn=[0-9.]+, stat=Sent
# We don't use shared folders on the IMAP server
^imaplogin: /etc/courier/shared/index: No such file or directory$
# More general than the usual one.
^smartd\[[0-9]+\]: Device: /dev/[[:lower:]]+, SMART Usage Attribute: 194 Temperature_Celsius changed from
# This is a form of lame server log message. You can also remove it entirely
# by changing the logging settings for bind.
^named\[[0-9]+\]: unexpected end of input resolving '
^kernel: firewall
# One of our users forwards onto mac.com, but they make you wait a lot.
^postfix/qmgr\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+@mac.com>, orig_to=<[^[:space:]]+@tardis.ed.ac.uk>, relay=none, delay=[0-9]+, status=deferred \(delivery temporarily suspended: host [^[:space:]]+.mac.com\[[0-9.]+\] refused to talk to me: 452 try later\)$
# The unix pam failures aren't interesting - users are in ldap
^dovecot-auth: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=[0-9.]+ user=
# Google love plaintext, silly buggers
^dovecot: pop3-login: Login failed: Plaintext authentication disabled:
# Replacement for dodgy pattern
^named\[[0-9]+\]: lame server resolving '[^[:space:]]+' \(in '[^[:space:]]+'\?\): [0-9.]+#[0-9]+$
# Refined version of an existing rule
^postgrey(\[[0-9]+\])?:( [0-9A-F]+:)? action=.+, reason=.+,( delay=.+,)?( client_name=.+,)? client_address=.+,( sender=.*,)? recipient=.+