ad_user
/
f2b-filters
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

+ filters/

master
Alex 'AdUser' Z 2 years ago
parent
332f547fc6
commit
bb85eead39
10 changed files with 101 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      filters/asterisk.preg
  2. 2
      filters/coturn.preg
  3. 6
      filters/dovecot.preg
  4. 10
      filters/exim.pcre
  5. 3
      filters/gitea.preg
  6. 7
      filters/named.preg
  7. 32
      filters/nginx-bots.pcre
  8. 11
      filters/postfix.preg
  9. 9
      filters/proftpd.preg
  10. 17
      filters/ssh.preg

4
filters/asterisk.preg
Unescape View File

@ -0,0 +1,4 @@
SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"
SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9+]+"
SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"
SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"

2
filters/coturn.preg
Unescape View File

@ -0,0 +1,2 @@
# set: defscore=5
closed \(2nd stage\), user <> .* remote <HOST>:[0-9]+, reason: allocation watchdog determined stale session state

6
filters/dovecot.preg
Unescape View File

@ -0,0 +1,6 @@
pop3-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
imap-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
pop3-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
# set: defscore=5
submission-login: Client has quit the connection \(tried to use disallowed plaintext auth\): .* rip=<HOST>

10
filters/exim.pcre
Unescape View File

@ -0,0 +1,10 @@
# set: defscore=10
SMTP protocol synchronization error \(input sent without waiting for greeting\): rejected connection from .*\[<HOST>\]
SMTP protocol synchronization error \(next input sent too soon: pipelining was not advertised\): rejected .*\[<HOST>\]
rejected [HE][EH]HLO from \[<HOST>\]: syntactically invalid argument
\[<HOST>\] .* host is listed in .+
\[<HOST>\] .* relay not permitted
\[<HOST>\] .* rejected after DATA: This message was detected as possible malware
# set: defscore=5
\[<HOST>\] .* too many connections from that IP address
\[<HOST>\] .* temporarily rejected RCPT \<\S+\>: lowest numbered MX record points to local host

3
filters/gitea.preg
Unescape View File

@ -0,0 +1,3 @@
Failed authentication attempt for [[:print:]]+ from <HOST>
Failed authentication attempt from <HOST>
invalid credentials from <HOST>

7
filters/named.preg
Unescape View File

@ -0,0 +1,7 @@
# set: defscore=10
<HOST>#[0-9]+ .* query \(cache\) '[0-9.]+.in-addr.arpa/(PTR|SOA)/IN' denied
# requests to '.' or top-level domains
<HOST>#[0-9]+ .* query \(cache\) '[a-z.]+/ANY/IN' denied
<HOST>#[0-9]+ .* query \(cache\) '[a-z.]+/A/IN' denied
# set: defscore=1
<HOST>#[0-9]+ .* query \(cache\) '[0-9a-z.-]+/RRSIG/IN' denied

32
filters/nginx-bots.pcre
Unescape View File

@ -0,0 +1,32 @@
# set: defscore=15
# h4x0rs
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/(shell|cmd|x)\.(php|cgi)
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/w00tw00t
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+Ringing\.at\.your\.dorbell
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*(wget|curl)(\\x|%)20https?://
<HOST> .* "(GET|HEAD|POST) .*/bin/(ba|c|z)?sh( |\\x20|%20)-c
<HOST> .* "(\\x[0-9a-z]{2,6})+" 400
# set: defscore=10
# phpmyadmin and variations
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|sqlite)-?(manager)?
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|pg|sql)-?my-?admin
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+pma[0-9]*
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+((my|pg)(sql)?|db|msd?)-?(admin|dumper|dump|manager)
# set: defscore=5
# open proxy search
<HOST> .* "(GET|HEAD|POST) https?://[a-z-\.]+proxyradar\.com
<HOST> .* "CONNECT [a-z-\.]*proxyradar\.com
<HOST> .* "CONNECT [a-z-\.]*proxytest\.zmap\.io
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+testproxy\.php
# set: defscore=2
# search bots
<HOST> .* "(GET|HEAD|POST) .* "python-(requests|urllib)/[0-9\.]+
<HOST> .* "(GET|HEAD|POST) .* "AhrefsBot/[0-9a-z\.]+
<HOST> .* "(GET|HEAD|POST) .* "DotBot/[0-9a-z\.]+
<HOST> .* "(GET|HEAD|POST) .* "MauiBot
<HOST> .* "(GET|HEAD|POST) .* SiteExplorer/[0-9a-z\.]+
<HOST> .* "(GET|HEAD|POST) .* MJ12bot
<HOST> .* "(GET|HEAD|POST) .* WebIndex
# shit-coded php cms
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*/wp-login.php
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(joomla|cms)/administrator

11
filters/postfix.preg
Unescape View File

@ -0,0 +1,11 @@
# set: defscore=10
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 450 4\.7\.1 Client host rejected
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[[[:print:]]+\] blocked
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 454 4\.7\.1 <[[:print:]]+>: Relay access denied
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 554 5\.7\.1 <[[:print:]]+>: Relay access denied
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 550 5\.1\.1 <[[:print:]]+>: Recipient address rejected: undeliverable address
warning: [[:print:]]+\[<HOST>\]: SASL [A-Z0-9-]+ authentication failed
# set: defscore=5
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 450 4\.7\.1 <[[:print:]]+>: Helo command rejected: Host not found
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 504 5\.5\.2 <[[:print:]]+>: Helo command rejected: need fully-qualified hostname
lost connection after AUTH from [[:print:]]+\[<HOST>\]

9
filters/proftpd.preg
Unescape View File

@ -0,0 +1,9 @@
# set: defscore=30
\(.*\[<HOST>\]\): SECURITY VIOLATION: Root login attempted
\(.*\[<HOST>\]\): SECURITY VIOLATION: Passive connection from .* rejected
# set: defscore=15
\(.*\[<HOST>\]\): USER .*: no such user found
\(.*\[<HOST>\]\): USER .* \(Login failed\): Incorrect password
# set: defscore=1
\(.*\[<HOST>\]\): FTP session opened
\(.*\[<HOST>\]\): crypt\(3\) failed

17
filters/ssh.preg
Unescape View File

@ -0,0 +1,17 @@
# set: defscore=15
User [[:print:]]+ from <HOST> not allowed because listed in DenyUsers
User [[:print:]]+ from <HOST> not allowed because a group is listed in DenyGroups
# set: defscore=10
User [[:print:]]+ from <HOST> not allowed because not listed in AllowUsers
User [[:print:]]+ from <HOST> not allowed because not in any group
User [[:print:]]+ from <HOST> not allowed because none of user's groups are listed in AllowGroups
[Aa]uthentication failure for .* from <HOST>( via [[:print:]]*)?
[Aa]uthentication error for .* from <HOST>( via [[:print:]]*)?
Failed password for .* from <HOST>
# set: defscore=5
User not known to the underlying authentication module for .* from <HOST>
Invalid user [[:print:]]+ from <HOST>
# set: defscore=3
refused connect from [[:print:]]+ \(<HOST>\)
Did not receive identification string from <HOST>
Connection closed by <HOST>( port [0-9]+)? \[preauth\]
Write Preview
Loading…
Cancel
Save