From a5f19dfd7658c901ca763b187ef94fd36de15ee8 Mon Sep 17 00:00:00 2001
From: Alex 'AdUser' Z
Date: Tue, 15 Mar 2016 13:32:20 +1000
Subject: [PATCH] * sample filters

---
docs/filters/asterisk.preg | 4 ++++
docs/filters/postfix.preg | 3 +++
docs/filters/ssh.preg | 13 +++++++++++++
3 files changed, 20 insertions(+)
create mode 100644 docs/filters/asterisk.preg
create mode 100644 docs/filters/postfix.preg
create mode 100644 docs/filters/ssh.preg

diff --git a/docs/filters/asterisk.preg b/docs/filters/asterisk.preg
new file mode 100644
index 0000000..f2ccd44
--- /dev/null
+++ b/docs/filters/asterisk.preg
@@ -0,0 +1,4 @@
+SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="IPV[46]/[TU][CD]P//[0-9]+"
+SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="IPV[46]/[TU][CD]P//[0-9+]+"
+SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="IPV[46]/[TU][CD]P//[0-9]+"
+SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="IPV[46]/[TU][CD]P//[0-9]+"
diff --git a/docs/filters/postfix.preg b/docs/filters/postfix.preg
new file mode 100644
index 0000000..8caa378
--- /dev/null
+++ b/docs/filters/postfix.preg
@@ -0,0 +1,3 @@
+NOQUEUE: reject: RCPT from [[:print:]]+\[\]: 454 4\.7\.1 Service unavailable; Client host \[[[:print:]]+\] blocked
+NOQUEUE: reject: RCPT from [[:print:]]+\[\]: 554 5\.7\.1 .*
+warning: [[:print:]]+\[\]: SASL [A-Z0-9-]+ authentication failed
diff --git a/docs/filters/ssh.preg b/docs/filters/ssh.preg
new file mode 100644
index 0000000..cb6e945
--- /dev/null
+++ b/docs/filters/ssh.preg
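Review bot: The InvalidAccountID pattern ends in `[0-9+]+` while the other three lines use `[0-9]+`; the `+` inside the bracket expression looks like a typo and would accept a literal `+` in the port field, so I would align it to `RemoteAddress="IPV[46]/[TU][CD]P//[0-9]+"`. In all three files the position where the source address should be matched is empty — `//` here, `\[\]` in postfix.preg, `from :` and `from ( via` in ssh.preg — which looks like an address placeholder token was stripped (possibly as markup when the patch was rendered); if the committed files really lack it, none of these patterns can extract an address to act on, so that is worth confirming against the repository. A one-line header comment naming the log source and the expected line shape would also help readers of a sample filter, if the .preg format permits comment lines.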
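Review bot: The second pattern, `NOQUEUE: reject: RCPT from [[:print:]]+\[\]: 554 5\.7\.1 .*`, matches every 5.7.1 rejection regardless of the reason text after the code, so rejections that are not abuse indicators can also trigger action against the sending host. I would replace the trailing `.*` with the specific reason text being targeted, as the first line does for the 454 case, or document in the file that this sample is deliberately aggressive. The SASL line is fine as far as the visible text goes.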
@@ -0,0 +1,13 @@
+[Aa]uthentication failure for .* from ( via [[:print:]]*)?
+[Aa]uthentication error for .* from ( via [[:print:]]*)?
+User not known to the underlying authentication module for .* from
+refused connect from [[:print:]]+ \(\)
+Received disconnect from : [0-9]*: [[:print:]]: Auth fail
+Did not receive identification string from
+Invalid user [[:print:]]+ from
+Connection closed by \[preauth\]
+User [[:print:]]+ from not allowed because not listed in AllowUsers
+User [[:print:]]+ from not allowed because listed in DenyUsers
+User [[:print:]]+ from not allowed because not in any group
+User [[:print:]]+ from not allowed because a group is listed in DenyGroups
+User [[:print:]]+ from not allowed because none of user's groups are listed in AllowGroups
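Review bot: In `Received disconnect from : [0-9]*: [[:print:]]: Auth fail` the bracket expression `[[:print:]]` carries no quantifier, so it matches exactly one character and the line only fires when a single character sits between the second colon and `Auth fail`; `[[:print:]]*: Auth fail` is presumably what was intended. The first three lines use `.*` for the user name, which is chosen by the remote client and logged as sent, so text in that field could influence where the address that follows is matched; a tighter class such as `[^ ]+` limits that. The `( via [[:print:]]*)?` group is optional and the pattern is not anchored at the end, so as written the group contributes nothing to whether a line matches; either drop it or anchor the pattern if the matcher supports it.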