From b9a6b622cc34c719a8cab34dbb773ecec76f70a9 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Fri, 18 Nov 2011 11:55:46 -0500
Subject: [PATCH] Adding log samples accumulated in Debian branch
---
 files/logs/apache-overflows | 2 ++
 files/logs/dovecot | 1 +
 files/logs/named-refused | 5 +++++
 files/logs/pam-generic | 7 +++++++
 files/logs/proftpd | 5 +++++
 files/logs/pure-ftpd | 2 ++
 files/logs/sasl | 5 +++++
 files/logs/sshd | 26 ++++++++++++++++++++++++++
 files/logs/vsftpd | 7 +++++++
 9 files changed, 60 insertions(+)
 create mode 100644 files/logs/apache-overflows
 create mode 100644 files/logs/dovecot
 create mode 100644 files/logs/named-refused
 create mode 100644 files/logs/pam-generic
 create mode 100644 files/logs/proftpd
 create mode 100644 files/logs/pure-ftpd
 create mode 100644 files/logs/sasl
 create mode 100644 files/logs/sshd
 create mode 100644 files/logs/vsftpd
diff --git a/files/logs/apache-overflows b/files/logs/apache-overflows
new file mode 100644
index 00000000..18a44bfc
--- /dev/null
+++ b/files/logs/apache-overflows
@@ -0,0 +1,2 @@
+[Tue Mar 16 15:39:29 2010] [error] [client 58.179.109.179] Invalid URI in request \xf9h\xa9\xf3\x88\x8cXKj \xbf-l*4\x87n\xe4\xfe\xd4\x1d\x06\x8c\xf8m\\rS\xf6n\xeb\x8
+[Mon Mar 15 15:44:47 2010] [error] [client 121.222.2.133] Invalid URI in request n\xed*\xbe*\xab\xefd\x80\xb5\xae\xf6\x01\x10M?\xf2\xce\x13\x9c\xd7\xa0N\xa7\xdb%0\xde\xe0\xfc\xd2\xa0\xfe\xe9w\xee\xc4`v\x9b[{\x0c:\xcb\x93\xc6\xa0\x93\x9c`l\\\x8d\xc9
diff --git a/files/logs/dovecot b/files/logs/dovecot
new file mode 100644
index 00000000..b975e808
--- /dev/null
+++ b/files/logs/dovecot
@@ -0,0 +1 @@
+@400000004c91b044077a9e94 imap-login: Info: Aborted login (auth failed, 1 attempts): user=, method=CRAM-MD5, rip=80.187.101.33, lip=80.254.129.240, TLS
diff --git a/files/logs/named-refused b/files/logs/named-refused
new file mode 100644
index 00000000..6608ae2f
--- /dev/null
+++ b/files/logs/named-refused
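Review bot: The first apache-overflows sample line ends in `\x8`, an incomplete byte escape, so the line appears cut off mid-sequence rather than being a faithful copy of the original log record. If the truncation is deliberate (a deliberately cut log line to exercise the filter), that is worth stating alongside the sample; if it is accidental, the full line should be restored so the fixture reflects what the server actually wrote. The other samples in this commit use `#` comment lines for such notes, so the same convention would presumably work here, though whether the test harness tolerates them in this file cannot be confirmed from the patch alone.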
@@ -0,0 +1,5 @@
+Jul 24 14:16:55 raid5 named[3935]: client 194.145.196.18#4795: query 'ricreig.com/NS/IN' denied
+Jul 24 14:16:56 raid5 named[3935]: client 62.123.164.113#32768: query 'ricreig.com/NS/IN' denied
+Jul 24 14:17:13 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'geo-mueller.de/NS/IN' denied
+Jul 24 14:20:25 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'shivaree.de/NS/IN' denied
+Jul 24 14:23:36 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'mietberatung.de/NS/IN' denied
diff --git a/files/logs/pam-generic b/files/logs/pam-generic
new file mode 100644
index 00000000..d84ab153
--- /dev/null
+++ b/files/logs/pam-generic
@@ -0,0 +1,7 @@
+Feb 7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1
+May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com user=root
+May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
+May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
+Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
+Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
+Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
diff --git a/files/logs/proftpd b/files/logs/proftpd
new file mode 100644
index 00000000..def8a83e
--- /dev/null
+++ b/files/logs/proftpd
@@ -0,0 +1,5 @@
+Jan 10 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username (Login failed): User in /etc/ftpusers
+Feb 1 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username: no such user found from 123.123.123.123 [123.123.123.123] to 234.234.234.234:21
+
+
+
diff --git a/files/logs/pure-ftpd b/files/logs/pure-ftpd
new file mode 100644
index 00000000..4b4e3455
--- /dev/null
+++ b/files/logs/pure-ftpd
@@ -0,0 +1,2 @@
+Jan 31 16:54:07 desktop pure-ftpd: (?@24.79.92.194) [WARNING] Authentication failed for user [Administrator]
+Nov 5 18:54:02 pure-ftpd: (?@server202181210195.ixlink.net) [WARNING] Authentication failed for user [Administrator]
diff --git a/files/logs/sasl b/files/logs/sasl
new file mode 100644
index 00000000..18c5ff14
--- /dev/null
+++ b/files/logs/sasl
@@ -0,0 +1,5 @@
+#1 Example from postfix from dbts #507990
+Dec 2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+
+#2 Example from postfix from dbts #573314
+Mar 10 13:33:30 gandalf postfix/smtpd[3937]: warning: HOSTNAME[1.1.1.1]: SASL LOGIN authentication failed: authentication failure
+
diff --git a/files/logs/sshd b/files/logs/sshd
new file mode 100644
index 00000000..02d33bac
--- /dev/null
+++ b/files/logs/sshd
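Review bot: The proftpd sample carries three trailing empty lines after its two log records (the three bare `+` lines of the hunk), which add nothing to the fixture and will be fed to the filter as blank input on every test run. Dropping them keeps the sample to the lines that actually exercise the regex; the sasl and vsftpd samples in this same commit end with a single empty line as well and could be trimmed in the same way. Whether the harness skips blank lines or counts them as non-matches cannot be told from the patch, so this is a tidiness point rather than a functional one.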
@@ -0,0 +1,26 @@
+#1
+Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6
+May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com
+
+#2
+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2
+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.70 port 12345
+
+#3
+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
+
+#4
+Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213
+
+
+#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
+Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
+Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers
+
+#6 ew filter introduced thanks to report Guido Bozzetto
+Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161)
+
+#7 added exclamation mark to BREAK-IN
+Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT
+Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
diff --git a/files/logs/vsftpd b/files/logs/vsftpd
new file mode 100644
index 00000000..a8b6a4cf
--- /dev/null
+++ b/files/logs/vsftpd
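Review bot: The `#6` heading in the sshd sample reads `ew filter`, which looks like a dropped letter; the line should read `+#6 new filter introduced thanks to report Guido Bozzetto` to match the wording of `#5`. Separately, the first record under `#1` reports the peer as `192.030.0.6`, whose second octet has a leading zero and so is not a canonical dotted-quad; if this sample is meant to be recognised by the filter, it would help to say so in the heading, e.g. `#1 (second record uses a leading-zero octet, 192.030.0.6)`, so a later reader does not take the address for a typo and "fix" it. Whether the filter's host pattern accepts that form, and what address it would extract from it, cannot be determined from this patch alone.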
@@ -0,0 +1,7 @@
+#1 PAM based
+Oct 11 01:06:47 ServerJV vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=209.67.1.67
+Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.168.103.1 user=user1
+
+#2 Internal
+Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.98"
+