[Logcheck-commits] CVS logcheck/rulefiles/linux/ignore.d.server

CVS User maks-guest logcheck-devel@lists.alioth.debian.org
Thu, 21 Apr 2005 21:20:22 +0000


Update of /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server
In directory haydn:/tmp/cvs-serv27340/rulefiles/linux/ignore.d.server

Modified Files:
	jabberd rsync scponly squid ssh 
Log Message:

add weasel rules for jabberd, rsync, squid and ssh.
while being at it, fix the scponly user match.

the ssh rule ignores dumb scanning by nmap and co;
it may have been contestable in the past,
but nowadays it's just noise.


--- /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/jabberd	2004/12/20 21:57:31	1.3
+++ /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/jabberd	2005/04/21 21:20:22	1.4
@@ -16,6 +16,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] closing connection$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] dns lookup for [._[:alnum:]-]+ timed out$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: connection to [._[:alnum:]-]+ timed out$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/s2s\[[0-9]+\]: \[[0-9]+\] \[[0-9.]{7,15}, port=[0-9]+\] error: XML parse error \((syntax error|junk after document element)\)$
 
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ jabberd/sm\[[0-9]+\]: session (replaced|ended|started): jid=[._[:alnum:]-]+@[._[:alnum:]-]+/[._[:alnum:]-]+$
 
--- /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/rsync	2005/04/10 17:19:34	1.2
+++ /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/rsync	2005/04/21 21:20:22	1.3
@@ -1,3 +1,6 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsync\[[0-9]+\]: connect from [0-9.]{7,15} \([0-9.]{7,15}\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync on [[:alnum:]/._-]+ from [._[:alnum:]-]+ \([0-9.]{7,15}\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: wrote [0-9]+ bytes  read [0-9]+ bytes  total size [0-9]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync error: some files could not be transferred \(code 23\) at main.c\([0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: unknown module 'pub' tried from [._[:alnum:]-]+ \([0-9.]{7,15}\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyncd\[[0-9]+\]: rsync error: received SIGUSR1 or SIGINT \(code 20\) at rsync.c\([0-9]+\)$
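Review bot: The second added rule, `unknown module 'pub' tried from ...`, suppresses a refused request for a module that does not exist, which is a failed access attempt from a remote host rather than routine daemon output; once ignored, rsyncd leaves no trace of such probing in the report. The literal module name at least keeps the match narrow, so if the rule stays it should keep the literal and not be widened to `'[^']+'`, and a `# site-specific: module name` comment above it would explain why a fixed name is there. The `code 23` and `code 20` rules on the first and third added lines look like ordinary client-side transfer aborts and seem fine to ignore.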
--- /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/scponly	2005/01/12 13:01:12	1.5
+++ /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/scponly	2005/04/21 21:20:22	1.6
@@ -1 +1 @@
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ \[[0-9]+\]: running: /(usr/)?bin/(groups|ls|mkdir|mv|pwd|rm|rsync|scp).* \(username: [_[:alnum:]-]+\([0-9]+\), IP/port: [.:[:alnum:]]+ [0-9]+ 22\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ \[[0-9]+\]: running: /(usr/)?bin/(groups|ls|mkdir|mv|pwd|rm|rsync|scp).* \(username: [._[:alnum:]-]+\([0-9]+\), IP/port: [.:[:alnum:]]+ [0-9]+ 22\)$
--- /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/squid	2004/10/19 14:58:52	1.6
+++ /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/squid	2005/04/21 21:20:22	1.7
@@ -49,5 +49,8 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: storeLateRelease: released [0-9]+ objects$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: +[0-9]+ entries written so far\.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: urlParse: Illegal character in hostname '.*'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: httpReadReply: Excess data from "GET .*"$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: WARNING: found whitespace in HTTP header name {Cache Control: no-cache}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: ctx: exit level  0$
 # squidguard
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: helperOpenServers: Starting [0-9]+ 'squidGuard' processes$
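Review bot: The braces in `{Cache Control: no-cache}` on the second added rule are unescaped; in an ERE `{` opens an interval expression and how a `{` that is not followed by a digit is treated is implementation-defined, so the rule should read `...HTTP header name \{Cache Control: no-cache\}$` to be safe across grep versions. The first added rule's `"GET .*"` accepts any URL including embedded quotes; `"GET [^"]+"` keeps the match to one quoted request line without losing anything the rule is meant to ignore. The double space in `ctx: exit level  0` on the third added line is presumably intentional, but it reads like a typo, so a `# two spaces are in squid's output` line above it would stop the next editor from "fixing" it.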
--- /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/ssh	2005/03/22 22:39:39	1.9
+++ /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/ssh	2005/04/21 21:20:22	1.10
@@ -8,3 +8,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: refused connect from [:[:alnum:].]+ \([:[:alnum:].]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: Timeout before authentication for [:[:alnum:].]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from ::ffff:[0-9.]{7,15}$
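Review bot: The added rule only matches the IPv4-mapped form `::ffff:` followed by a dotted address, so the same message from an sshd bound to a plain IPv4 socket (no `::ffff:` prefix) or from a native IPv6 peer still reaches the report; the two existing rules above use `[:[:alnum:].]+` for the peer address, and either that class or `(::ffff:)?[0-9.]{7,15}` would make the new line consistent with them. Whether to ignore this at all is argued in the log message; it is worth keeping in mind that this line is the only sshd record of clients that connect and drop before the banner exchange, so once it is suppressed scan volume is no longer visible through logcheck and would have to be counted elsewhere if anyone wants it.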