author | Hendrik Jäger <hendrik@securosys.ch> | 2020-03-14 21:15:20 +0200 |
---|---|---|
committer | Hendrik Jäger <hendrik@securosys.ch> | 2020-03-14 21:15:20 +0200 |
commit | 6f7d757184234365dc0121c68c7009f8b849018a (patch) | |
tree | 323ee8924d7c77afc8b0a580ede84e122a25f4c0 /files/etc | |
parent | 5efd4a0d29d58fbbf1b7d122e60da4e82209294b (diff) |
Update logcheck rules for nftables
Diffstat (limited to 'files/etc')
-rw-r--r-- | files/etc/logcheck/ignore.d.server/local-nftables | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-nftables b/files/etc/logcheck/ignore.d.server/local-nftables
index ec83f47..bf63115 100644
--- a/files/etc/logcheck/ignore.d.server/local-nftables
+++ b/files/etc/logcheck/ignore.d.server/local-nftables
@@ -1,6 +1,6 @@
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Bruteforce attack: IN=[[:alnum:].]+ OUT= MAC=[[:xdigit:]:]+ SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132) SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x[[:digit:]]+ (CWR )?(ECE )?(SYN|ACK|RST)+ (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Blackholing: IN=[[:alnum:].]+ OUT= MAC=[[:xdigit:]:]+ SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132) SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x[[:digit:]]+ (CWR )?(ECE )?(SYN|ACK|RST) (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Illegal incoming traffic: IN=[[:alnum:].]+ OUT= MAC=[[:xdigit:]:]* SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132) SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x[[:xdigit:]]+ (CWR )?(ECE )?(URG )?(SYN|ACK|RST)+ (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Illegal forwarding traffic: IN=[[:alnum:].]+ OUT=[[:alnum:].]+ MACSRC=[[:xdigit:]:]* MACDST=[[:xdigit:]:]* MACPROTO=[[:xdigit:]:]* SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132) SPT=[[:digit:]]+ DPT=[[:digit:]]+( SEQ=[[:digit:]]+ ACK=[[:digit:]]+)? (WINDOW=[[:digit:]]+ RES=0x[[:xdigit:]]+ (CWR )?(ECE )?(SYN|ACK|RST) (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)( OPT \([[:xdigit:]]+\))?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Bruteforce attack: IN=[[:alnum:].]+ OUT= MAC=[[:xdigit:]:]+ SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132|4) SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x[[:digit:]]+ (CWR )?(ECE )?(SYN|ACK|RST)+ (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Blackholing: IN=[[:alnum:].]+ OUT= MAC=[[:xdigit:]:]+ SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132|4) SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x[[:digit:]]+ (CWR )?(ECE )?(SYN|ACK|RST) (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Illegal incoming traffic: IN=[[:alnum:].]+ OUT= MAC=[[:xdigit:]:]* SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132|4) SPT=[[:digit:]]+ DPT=[[:digit:]]+ (WINDOW=[[:digit:]]+ RES=0x[[:xdigit:]]+ (CWR )?(ECE )?(URG )?(SYN|ACK|RST)+ (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Illegal forwarding traffic: IN=[[:alnum:].]+ OUT=[[:alnum:].]+ MACSRC=[[:xdigit:]:]* MACDST=[[:xdigit:]:]* MACPROTO=[[:xdigit:]:]* SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=(TCP|UDP|132|4) SPT=[[:digit:]]+ DPT=[[:digit:]]+( SEQ=[[:digit:]]+ ACK=[[:digit:]]+)? (WINDOW=[[:digit:]]+ RES=0x[[:xdigit:]]+ (CWR )?(ECE )?(SYN|ACK|RST) (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)( OPT \([[:xdigit:]]+\))?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:][:space:].]+\] Illegal forwarding traffic: IN=[[:alnum:].]+ OUT=[[:alnum:].]+ MACSRC=[[:xdigit:]:]* MACDST=[[:xdigit:]:]* MACPROTO=[[:xdigit:]:]* SRC=[[:xdigit:]:.]+ DST=[[:xdigit:]:.]+ LEN=[[:digit:]]+ (TC=[[:digit:]]+ HOPLIMIT=[[:digit:]]+ FLOWLBL=[[:digit:]]+|TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[[:digit:]]+ ID=[[:digit:]]+) (DF )?PROTO=ICMPv6 TYPE=1 CODE=4 \[SRC=[[:xdigit:]:]+ DST=[[:xdigit:]:]+ LEN=[[:digit:]]+ TC=0 HOPLIMIT=[[:digit:]]+ FLOWLBL=0 PROTO=(TCP|UDP) SPT=[[:digit:]]+ DPT=[[:digit:]]+( SEQ=[[:digit:]]+ ACK=[[:digit:]]+)? (WINDOW=[[:digit:]]+ RES=0x[[:xdigit:]]+ (CWR )?(ECE )?(SYN|ACK|RST) (PSH )?(FIN )?URGP=[[:digit:]]+|LEN=[[:digit:]]+)( OPT \([[:xdigit:]]+\))? \]$ |
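Review bot: The `4` added to `PROTO=(TCP|UDP|132|4)` on all four rewritten rules is still followed by the mandatory `SPT=[[:digit:]]+ DPT=[[:digit:]]+` and the TCP-flags-or-LEN group, so the new alternative can only match if the kernel's packet dump for protocol 4 (IP-in-IP) prints port fields the way it does for TCP, UDP and SCTP; I am not certain it does, so this should be checked against a captured `PROTO=4` log line, otherwise those entries keep reaching the logcheck report despite the change. If that dump has no port fields, a separate rule for `PROTO=4` whose tail matches only what is actually printed is preferable to loosening the shared tail, because this is an ignore file and anything it over-matches is dropped from review without trace. While these lines are being rewritten, the Bruteforce and Blackholing rules still use `RES=0x[[:digit:]]+` where the other two use `RES=0x[[:xdigit:]]+`; aligning them on `[[:xdigit:]]` keeps a hex RES value from defeating the first two rules. The hunk header counts six lines per side but only one context line is visible here, so the hunk may be truncated on this page.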