# custom rules for egressive
# 20080215 henry@egressive.com
# modified rob@egressive.com 20080216 - removed hard-coded hostname, allowed for arbitrary length pids
# modified henry@egressive.com 20080218 - added named, dhcpd and some more mailscanner rules
# modified henry@egressive.com 20080221 - added upsd, dovecot initial rules. and also added a couple new mailscanner and postfix rules
# modified henry@egressive.com 20080401 - added new rule for MailScanner
# modified henry@egressive.com 20080409 - added squid rules and one dovecot one and a postfix one
# modified henry@egressive.com 20080414 - corrected a numbering mistake and added 2 more to MailScanner also dccifd
# modified henry@egressive.com 20080415 - Added a dovecot rule to ignore the imap logins
# modified henry@egressive.com 20080418 - added 5 sshd rules to remove the rejected hacking attacks.
# modified henry@egressive.com 20080418 - added lots of rules for mail scanner and a few for pam_tally/postfix

#MailScanner
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Expired [0-9]+ records from the SpamAssassin cache$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: SpamAssassin cache hit for message \w{10}\.\w{5}$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Logging message \w{10}\.\w{5} to SQL$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: \w{10}\.\w{5}: Logged to MailWatch SQL$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Blacklist refresh time reached$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Starting up SQL Blacklist$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Read [0-9]+ blacklist entries$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Config: calling custom end function SQLBlacklist$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Config: calling custom init function MailWatchLogging$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Read [0-9]+ hostnames from the phishing whitelist$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Config: calling custom end function MailWatchLogging$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Config: calling custom init function SQLBlacklist$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Started SQL Logging child$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Using SpamAssassin results cache$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Connected to SpamAssassin cache database$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Enabling SpamAssassin auto-whitelist functionality...$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Using locktype = flock$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Message \w{10}\.\w{5} from .*is too big for spam checks.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Closing down by-domain spam blacklist$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected and have disarmed web bug, phishing tags in HTML message in [0-9A-F]{10}\.[0-9A-F]{5} from .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Found phishing fraud from .* claiming to be .* in [0-9A-F]{10}\.[0-9A-F]{5}$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Found [0-9]+ messages waiting$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Read [0-9]+ hostnames from the phishing blacklist$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: SpamAssassin temporary working directory is.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: I have found clamav scanners installed, and will use them all by default.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Filename Checks: Found possible filename hiding (.*)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Saved infected ".*" to /var/spool/MailScanner/quarantine/.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: (Cleaned|Sender Warnings): Delivered [0-9]+ (warnings to virus senders|cleaned messages)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Notices: Warned about [0-9]+ messages$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Bayes database rebuild is due$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: SpamAssassin Bayes database rebuild (starting|completed)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: MailScanner child dying after Bayes rebuild$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected and have disarmed web bug tags in HTML message in \w{10}\.\w{5} from .*$

#Postfix(MailScanner)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [._[:alnum:]-]+: hold: header Received: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: \w{10}: enabling PIX workarounds:.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: lost connection after CONNECT from .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: address not listed for hostname.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(|local|smtp)\[[0-9]+\]: .*status=sent.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: \w{10}: to=<.*\@.*>, relay=(local|none), delay=[0-9]+,.*Host or domain name not found. Name service error for name=.*Host not found, try again\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: \w{7}: reject: RCPT from .*Recipient address rejected: User unknown in local recipient table; from=<.*> to=<.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: lost connection after DATA \(0 bytes\) from .*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from .*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*Recipient address rejected: User unknown in local recipient table.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to .*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].* Connection timed out$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: Anonymous TLS connection established from .*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]: TLSv[0-2] with cipher .*$

#named
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client .*: updating zone '.*': deleting an RR$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+#[0-9]+: updating zone '.*': adding an RR at '.*' (A|TXT)$

#dhcpd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: if .*\" rrset exists and .* rrset exists delete .*: success\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: if .* IN A rrset doesn't exist delete .*\": success\.$

#dovecot(IMAP)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: IMAP(.*): Connection closed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: IMAP(.*): Connection closed: Broken pipe$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: pop3(.*): Logout. .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: imap-login: (Login|Aborted login): user=<.*>, method=(plain|PLAIN), rip=.*, lip=.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot-auth\[[0-9]+\]: \(pam_unix\) authentication failure;.*[^(egressive)]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot: pop3-login: Disconnected: user=<.*>, method=.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dovecot-auth\[[0-9]+\]: \(pam_unix\) check pass; user unknown$

#syslog
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd 1\.[0-9]\..*ubuntu[0-9]: restart\.$

#upsd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ upsd\[[0-9]+\]: Data for UPS \[.*\] is stale - check driver$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ upsd\[[0-9]+\]: UPS \[.*\] data is no longer stale$

#squid
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ squid\[[0-9]+\]: CACHEMGR: \@127\.0\.0\.1.*$

#dccifd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dccifd\[[0-9]+\]: [0-9]\.[0-9]+\.[0-9]+ detected [0-9]+ spam, ignored for [0-9]+, rejected for [0-9]+, and discarded for [0-9]+ targets among [0-9]+ total messages for [0-9]+ targets since [0-9]+/[0-9]+/[0-9]+ [0-9]+:[0-9]+:[0-9]+$

#sshd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_unix\) authentication failure;.*[^(egressive)]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for invalid user [^(egressive)].*from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ port [0-9]+ ssh2$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: User .* from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ not allowed because none of user's groups are listed in AllowGroups$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Invalid user .* from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_unix\) check pass; user unknown$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Invalid user admin from .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for invalid user .* from .* port .*$

#pam_tally
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_tally\[[0-9]+\]: .* no such user

#smartd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/.*SMART Usage Attribute: [0-9]+ Temperature_Celsius changed from [0-9]+ to ([5-9][0-9]|1[0-9][0-9])$
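Added example (not part of the original rule set) showing how logcheck applies rules like these, `grep -E -v -f`, to constructed syslog lines, and why `[^(egressive)]` does not exclude the user egressive: a bracket expression negates one character, so the pam_unix rule silently ignores a failure for `bob` (line ends in `b`) but reports one for `alice` (ends in `e`). Hostname mx1, the PIDs and the 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Constructed fixture: two rules copied from the list above and five constructed
# syslog lines (host mx1, PIDs and 192.0.2.x addresses are made up).
RULES=$(mktemp); LOGS=$(mktemp)
trap 'rm -f "$RULES" "$LOGS"' EXIT

cat >"$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Found [0-9]+ messages waiting$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_unix\) authentication failure;.*[^(egressive)]$
EOF

cat >"$LOGS" <<'EOF'
Feb 18 10:01:02 mx1 MailScanner[1234]: New Batch: Found 3 messages waiting
Feb 18 10:01:03 mx1 sshd[4321]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=bob
Feb 18 10:01:04 mx1 sshd[4322]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11  user=alice
Feb 18 10:01:05 mx1 sshd[4323]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.12  user=egressive
Feb 18 10:01:06 mx1 sshd[4324]: Accepted publickey for egressive from 192.0.2.13 port 50000 ssh2
EOF

# The pam_unix rule on its own, for single-line checks.
PAM_RULE=$(sed -n 2p "$RULES")

# logcheck's filter step: a line is suppressed when ANY ignore rule matches it;
# everything that survives is what ends up in the report mail.
report_lines() {
    grep -E -v -f "$1" "$2"
}

# Number of lines that would be reported.
report_count() {
    report_lines "$1" "$2" | wc -l | tr -d ' '
}

# Does one rule (egrep syntax, as logcheck uses) match one log line? Exit 0 = yes.
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# Stand-alone run: prints the three lines that survive filtering. bob's failure
# is dropped (final 'b' is outside the negated set) while alice's is reported
# (final 'e' is inside it), so the rule neither protects egressive nor
# reliably ignores everyone else.
report_lines "$RULES" "$LOGS"
```

Note also that the later sshd rule ending in `rhost=.*$` matches every pam_unix authentication failure regardless of user, so on the full rule set the `[^(egressive)]` exclusion never takes effect anyway.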