Alex 'AdUser' Z
2 years ago
14 changed files with 4 additions and 103 deletions
@ -0,0 +1,2 @@
|
||||
- Where have all filters gone? |
||||
- Now it located in their own repository, for convinient maintenance |
@ -1,4 +0,0 @@
|
||||
SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+" |
||||
SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9+]+" |
||||
SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+" |
||||
SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+" |
@ -1,2 +0,0 @@
|
||||
# set: defscore=5 |
||||
closed \(2nd stage\), user <> .* remote <HOST>:[0-9]+, reason: allocation watchdog determined stale session state |
@ -1,6 +0,0 @@
|
||||
pop3-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST> |
||||
imap-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST> |
||||
pop3-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST> |
||||
imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST> |
||||
# set: defscore=5 |
||||
submission-login: Client has quit the connection \(tried to use disallowed plaintext auth\): .* rip=<HOST> |
@ -1,10 +0,0 @@
|
||||
# set: defscore=10 |
||||
SMTP protocol synchronization error \(input sent without waiting for greeting\): rejected connection from .*\[<HOST>\] |
||||
SMTP protocol synchronization error \(next input sent too soon: pipelining was not advertised\): rejected .*\[<HOST>\] |
||||
rejected [HE][EH]HLO from \[<HOST>\]: syntactically invalid argument |
||||
\[<HOST>\] .* host is listed in .+ |
||||
\[<HOST>\] .* relay not permitted |
||||
\[<HOST>\] .* rejected after DATA: This message was detected as possible malware |
||||
# set: defscore=5 |
||||
\[<HOST>\] .* too many connections from that IP address |
||||
\[<HOST>\] .* temporarily rejected RCPT \<\S+\>: lowest numbered MX record points to local host |
@ -1,3 +0,0 @@
|
||||
Failed authentication attempt for [[:print:]]+ from <HOST> |
||||
Failed authentication attempt from <HOST> |
||||
invalid credentials from <HOST> |
@ -1,7 +0,0 @@
|
||||
# set: defscore=10 |
||||
<HOST>#[0-9]+ .* query \(cache\) '[0-9.]+.in-addr.arpa/(PTR|SOA)/IN' denied |
||||
# requests to '.' or top-level domains |
||||
<HOST>#[0-9]+ .* query \(cache\) '[a-z.]+/ANY/IN' denied |
||||
<HOST>#[0-9]+ .* query \(cache\) '[a-z.]+/A/IN' denied |
||||
# set: defscore=1 |
||||
<HOST>#[0-9]+ .* query \(cache\) '[0-9a-z.-]+/RRSIG/IN' denied |
@ -1,32 +0,0 @@
|
||||
# set: defscore=15 |
||||
# h4x0rs |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/(shell|cmd|x)\.(php|cgi) |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/w00tw00t |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+Ringing\.at\.your\.dorbell |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*(wget|curl)(\\x|%)20https?:// |
||||
<HOST> .* "(GET|HEAD|POST) .*/bin/(ba|c|z)?sh( |\\x20|%20)-c |
||||
<HOST> .* "(\\x[0-9a-z]{2,6})+" 400 |
||||
# set: defscore=10 |
||||
# phpmyadmin and variations |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|sqlite)-?(manager)? |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|pg|sql)-?my-?admin |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+pma[0-9]* |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+((my|pg)(sql)?|db|msd?)-?(admin|dumper|dump|manager) |
||||
# set: defscore=5 |
||||
# open proxy search |
||||
<HOST> .* "(GET|HEAD|POST) https?://[a-z-\.]+proxyradar\.com |
||||
<HOST> .* "CONNECT [a-z-\.]*proxyradar\.com |
||||
<HOST> .* "CONNECT [a-z-\.]*proxytest\.zmap\.io |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+testproxy\.php |
||||
# set: defscore=2 |
||||
# search bots |
||||
<HOST> .* "(GET|HEAD|POST) .* "python-(requests|urllib)/[0-9\.]+ |
||||
<HOST> .* "(GET|HEAD|POST) .* "AhrefsBot/[0-9a-z\.]+ |
||||
<HOST> .* "(GET|HEAD|POST) .* "DotBot/[0-9a-z\.]+ |
||||
<HOST> .* "(GET|HEAD|POST) .* "MauiBot |
||||
<HOST> .* "(GET|HEAD|POST) .* SiteExplorer/[0-9a-z\.]+ |
||||
<HOST> .* "(GET|HEAD|POST) .* MJ12bot |
||||
<HOST> .* "(GET|HEAD|POST) .* WebIndex |
||||
# shit-coded php cms |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*/wp-login.php |
||||
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(joomla|cms)/administrator |
@ -1,11 +0,0 @@
|
||||
# set: defscore=10 |
||||
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 450 4\.7\.1 Client host rejected |
||||
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[[[:print:]]+\] blocked |
||||
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 454 4\.7\.1 <[[:print:]]+>: Relay access denied |
||||
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 554 5\.7\.1 <[[:print:]]+>: Relay access denied |
||||
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 550 5\.1\.1 <[[:print:]]+>: Recipient address rejected: undeliverable address |
||||
warning: [[:print:]]+\[<HOST>\]: SASL [A-Z0-9-]+ authentication failed |
||||
# set: defscore=5 |
||||
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 450 4\.7\.1 <[[:print:]]+>: Helo command rejected: Host not found |
||||
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 504 5\.5\.2 <[[:print:]]+>: Helo command rejected: need fully-qualified hostname |
||||
lost connection after AUTH from [[:print:]]+\[<HOST>\] |
@ -1,9 +0,0 @@
|
||||
# set: defscore=30 |
||||
\(.*\[<HOST>\]\): SECURITY VIOLATION: Root login attempted |
||||
\(.*\[<HOST>\]\): SECURITY VIOLATION: Passive connection from .* rejected |
||||
# set: defscore=15 |
||||
\(.*\[<HOST>\]\): USER .*: no such user found |
||||
\(.*\[<HOST>\]\): USER .* \(Login failed\): Incorrect password |
||||
# set: defscore=1 |
||||
\(.*\[<HOST>\]\): FTP session opened |
||||
\(.*\[<HOST>\]\): crypt\(3\) failed |
@ -1,17 +0,0 @@
|
||||
# set: defscore=15 |
||||
User [[:print:]]+ from <HOST> not allowed because listed in DenyUsers |
||||
User [[:print:]]+ from <HOST> not allowed because a group is listed in DenyGroups |
||||
# set: defscore=10 |
||||
User [[:print:]]+ from <HOST> not allowed because not listed in AllowUsers |
||||
User [[:print:]]+ from <HOST> not allowed because not in any group |
||||
User [[:print:]]+ from <HOST> not allowed because none of user's groups are listed in AllowGroups |
||||
[Aa]uthentication failure for .* from <HOST>( via [[:print:]]*)? |
||||
[Aa]uthentication error for .* from <HOST>( via [[:print:]]*)? |
||||
Failed password for .* from <HOST> |
||||
# set: defscore=5 |
||||
User not known to the underlying authentication module for .* from <HOST> |
||||
Invalid user [[:print:]]+ from <HOST> |
||||
# set: defscore=3 |
||||
refused connect from [[:print:]]+ \(<HOST>\) |
||||
Did not receive identification string from <HOST> |
||||
Connection closed by <HOST>( port [0-9]+)? \[preauth\] |
Loading…
Reference in new issue