[1370] in linux-security and linux-alert archive
[linux-security] logwatching
daemon@ATHENA.MIT.EDU (*Hobbit*)
Tue Jan 7 17:39:28 1997
Date: Tue, 7 Jan 1997 07:45:48 -0800 (PST)
From: *Hobbit* <hobbit@avian.org>
To: linux-security@redhat.com
Reply-to: hobbit@avian.org
Resent-From: linux-security@redhat.com
If it's any help, here's a sed script that is reasonably good at pulling out
suspicious-looking items generated by various daemons. Fix appropriately...
_H*
==========
# this should match a buncha different stuff
/ [Pp]ermi/b ff
/ PERMI/b ff
/ [Rr]efuse/b ff
/ REFUSE/b ff
/ [Dd]en[yi]/b ff
/ DEN[YI]/b ff
/[Rr]eject/b ff
/REJECT/b ff
/[Bb]ogus/b ff
/[Pp]assw/b ff
/PASSW/b ff
/[Ff]ail[eu]/b ff
/FAIL[EU]/b ff
/[Mm]ismatc/b ff
/ != /b ff
/[Aa]ttack/b ff
/ATTACK/b ff
/[Aa]ttempt/b ff
/ATTEMPT/b ff
/[Ss]poof/b ff
/SPOOF/b ff
/ twist /b ff
# nuke anything unmatched so far
d
# exclude section:
: ff
/comsat.*localhost/d
# ppp turds
/ pppd[:[]/d
# named loses while primaries are down
/ named.* timed out/d
[mod: If I read this correctly it prints recognized stuff, and
generally discards anything that doesn't match. I disapprove
of this technique: There might be a message that looks innocent
because it doesn't have any of the above trigger words in it,
but is actually a breakin report. You should start out with
an empty script, and match/delete the annonying messages that
keep on clobbering the output. -- REW ]