From bb85eead391f0063fb04c48afb716b13cc2844bf Mon Sep 17 00:00:00 2001
From: Alex 'AdUser' Z <ad_user@runbox.com>
Date: Mon, 23 Jan 2023 15:16:37 +1000
Subject: [PATCH] + filters/

---
 filters/asterisk.preg   |  4 ++++
 filters/coturn.preg     |  2 ++
 filters/dovecot.preg    |  6 ++++++
 filters/exim.pcre       | 10 ++++++++++
 filters/gitea.preg      |  3 +++
 filters/named.preg      |  7 +++++++
 filters/nginx-bots.pcre | 32 ++++++++++++++++++++++++++++++++
 filters/postfix.preg    | 11 +++++++++++
 filters/proftpd.preg    |  9 +++++++++
 filters/ssh.preg        | 17 +++++++++++++++++
 10 files changed, 101 insertions(+)
 create mode 100644 filters/asterisk.preg
 create mode 100644 filters/coturn.preg
 create mode 100644 filters/dovecot.preg
 create mode 100644 filters/exim.pcre
 create mode 100644 filters/gitea.preg
 create mode 100644 filters/named.preg
 create mode 100644 filters/nginx-bots.pcre
 create mode 100644 filters/postfix.preg
 create mode 100644 filters/proftpd.preg
 create mode 100644 filters/ssh.preg

diff --git a/filters/asterisk.preg b/filters/asterisk.preg
new file mode 100644
index 0000000..f2ccd44
--- /dev/null
+++ b/filters/asterisk.preg
@@ -0,0 +1,4 @@
+SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"
+SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9+]+"
+SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"
+SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"
diff --git a/filters/coturn.preg b/filters/coturn.preg
new file mode 100644
index 0000000..54c9ef7
--- /dev/null
+++ b/filters/coturn.preg
@@ -0,0 +1,2 @@
+# set: defscore=5
+closed \(2nd stage\), user <> .* remote <HOST>:[0-9]+, reason: allocation watchdog determined stale session state
diff --git a/filters/dovecot.preg b/filters/dovecot.preg
new file mode 100644
index 0000000..0d0c71f
--- /dev/null
+++ b/filters/dovecot.preg
@@ -0,0 +1,6 @@
+pop3-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
+imap-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
+pop3-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
+imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
+# set: defscore=5
+submission-login: Client has quit the connection \(tried to use disallowed plaintext auth\): .* rip=<HOST>
diff --git a/filters/exim.pcre b/filters/exim.pcre
new file mode 100644
index 0000000..98fcbea
--- /dev/null
+++ b/filters/exim.pcre
@@ -0,0 +1,10 @@
+# set: defscore=10
+SMTP protocol synchronization error \(input sent without waiting for greeting\): rejected connection from .*\[<HOST>\]
+SMTP protocol synchronization error \(next input sent too soon: pipelining was not advertised\): rejected .*\[<HOST>\]
+rejected [HE][EH]HLO from \[<HOST>\]: syntactically invalid argument
+\[<HOST>\] .* host is listed in .+
+\[<HOST>\] .* relay not permitted
+\[<HOST>\] .* rejected after DATA: This message was detected as possible malware
+# set: defscore=5
+\[<HOST>\] .* too many connections from that IP address
+\[<HOST>\] .* temporarily rejected RCPT \<\S+\>: lowest numbered MX record points to local host
diff --git a/filters/gitea.preg b/filters/gitea.preg
new file mode 100644
index 0000000..7b3be5b
--- /dev/null
+++ b/filters/gitea.preg
@@ -0,0 +1,3 @@
+Failed authentication attempt for [[:print:]]+ from <HOST>
+Failed authentication attempt from <HOST>
+invalid credentials from <HOST>
diff --git a/filters/named.preg b/filters/named.preg
new file mode 100644
index 0000000..d568699
--- /dev/null
+++ b/filters/named.preg
@@ -0,0 +1,7 @@
+# set: defscore=10
+<HOST>#[0-9]+ .* query \(cache\) '[0-9.]+.in-addr.arpa/(PTR|SOA)/IN' denied
+# requests to '.' or top-level domains
+<HOST>#[0-9]+ .* query \(cache\) '[a-z.]+/ANY/IN' denied
+<HOST>#[0-9]+ .* query \(cache\) '[a-z.]+/A/IN' denied
+# set: defscore=1
+<HOST>#[0-9]+ .* query \(cache\) '[0-9a-z.-]+/RRSIG/IN' denied
diff --git a/filters/nginx-bots.pcre b/filters/nginx-bots.pcre
new file mode 100644
index 0000000..b457284
--- /dev/null
+++ b/filters/nginx-bots.pcre
@@ -0,0 +1,32 @@
+# set: defscore=15
+# h4x0rs
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/(shell|cmd|x)\.(php|cgi)
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/w00tw00t
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+Ringing\.at\.your\.dorbell
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*(wget|curl)(\\x|%)20https?://
+<HOST> .* "(GET|HEAD|POST) .*/bin/(ba|c|z)?sh( |\\x20|%20)-c
+<HOST> .* "(\\x[0-9a-z]{2,6})+" 400
+# set: defscore=10
+# phpmyadmin and variations
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|sqlite)-?(manager)?
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|pg|sql)-?my-?admin
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+pma[0-9]*
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+((my|pg)(sql)?|db|msd?)-?(admin|dumper|dump|manager)
+# set: defscore=5
+# open proxy search
+<HOST> .* "(GET|HEAD|POST) https?://[a-z-\.]+proxyradar\.com
+<HOST> .* "CONNECT [a-z-\.]*proxyradar\.com
+<HOST> .* "CONNECT [a-z-\.]*proxytest\.zmap\.io
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+testproxy\.php
+# set: defscore=2
+# search bots
+<HOST> .* "(GET|HEAD|POST) .* "python-(requests|urllib)/[0-9\.]+
+<HOST> .* "(GET|HEAD|POST) .* "AhrefsBot/[0-9a-z\.]+
+<HOST> .* "(GET|HEAD|POST) .* "DotBot/[0-9a-z\.]+
+<HOST> .* "(GET|HEAD|POST) .* "MauiBot
+<HOST> .* "(GET|HEAD|POST) .* SiteExplorer/[0-9a-z\.]+
+<HOST> .* "(GET|HEAD|POST) .* MJ12bot
+<HOST> .* "(GET|HEAD|POST) .* WebIndex
+# shit-coded php cms
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*/wp-login.php
+<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(joomla|cms)/administrator
diff --git a/filters/postfix.preg b/filters/postfix.preg
new file mode 100644
index 0000000..22b7abb
--- /dev/null
+++ b/filters/postfix.preg
@@ -0,0 +1,11 @@
+# set: defscore=10
+NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 450 4\.7\.1 Client host rejected
+NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[[[:print:]]+\] blocked
+NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 454 4\.7\.1 <[[:print:]]+>: Relay access denied
+NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 554 5\.7\.1 <[[:print:]]+>: Relay access denied
+NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 550 5\.1\.1 <[[:print:]]+>: Recipient address rejected: undeliverable address
+warning: [[:print:]]+\[<HOST>\]: SASL [A-Z0-9-]+ authentication failed
+# set: defscore=5
+NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 450 4\.7\.1 <[[:print:]]+>: Helo command rejected: Host not found
+NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 504 5\.5\.2 <[[:print:]]+>: Helo command rejected: need fully-qualified hostname
+lost connection after AUTH from [[:print:]]+\[<HOST>\]
diff --git a/filters/proftpd.preg b/filters/proftpd.preg
new file mode 100644
index 0000000..4aff490
--- /dev/null
+++ b/filters/proftpd.preg
@@ -0,0 +1,9 @@
+# set: defscore=30
+\(.*\[<HOST>\]\): SECURITY VIOLATION: Root login attempted
+\(.*\[<HOST>\]\): SECURITY VIOLATION: Passive connection from .* rejected
+# set: defscore=15
+\(.*\[<HOST>\]\): USER .*: no such user found
+\(.*\[<HOST>\]\): USER .* \(Login failed\): Incorrect password
+# set: defscore=1
+\(.*\[<HOST>\]\): FTP session opened
+\(.*\[<HOST>\]\): crypt\(3\) failed
diff --git a/filters/ssh.preg b/filters/ssh.preg
new file mode 100644
index 0000000..e675875
--- /dev/null
+++ b/filters/ssh.preg
@@ -0,0 +1,17 @@
+# set: defscore=15
+User [[:print:]]+ from <HOST> not allowed because listed in DenyUsers
+User [[:print:]]+ from <HOST> not allowed because a group is listed in DenyGroups
+# set: defscore=10
+User [[:print:]]+ from <HOST> not allowed because not listed in AllowUsers
+User [[:print:]]+ from <HOST> not allowed because not in any group
+User [[:print:]]+ from <HOST> not allowed because none of user's groups are listed in AllowGroups
+[Aa]uthentication failure for .* from <HOST>( via [[:print:]]*)?
+[Aa]uthentication error for .* from <HOST>( via [[:print:]]*)?
+Failed password for .* from <HOST>
+# set: defscore=5
+User not known to the underlying authentication module for .* from <HOST>
+Invalid user [[:print:]]+ from <HOST>
+# set: defscore=3
+refused connect from [[:print:]]+ \(<HOST>\)
+Did not receive identification string from <HOST>
+Connection closed by <HOST>( port [0-9]+)? \[preauth\]