[prelude-cvslog] r10517 - prelude-lml/trunk/plugins/pcre/ruleset
noreply at prelude-ids.org
noreply at prelude-ids.org
Wed Apr 23 11:32:23 CEST 2008
Author: yoann
Date: 2008-04-23 11:32:22 +0200 (Wed, 23 Apr 2008)
New Revision: 10517
Modified:
prelude-lml/trunk/plugins/pcre/ruleset/kojoney.rules
prelude-lml/trunk/plugins/pcre/ruleset/ms-sql.rules
prelude-lml/trunk/plugins/pcre/ruleset/netapp-ontap.rules
prelude-lml/trunk/plugins/pcre/ruleset/ntsyslog.rules
prelude-lml/trunk/plugins/pcre/ruleset/pam.rules
prelude-lml/trunk/plugins/pcre/ruleset/proftpd.rules
prelude-lml/trunk/plugins/pcre/ruleset/single.rules
prelude-lml/trunk/plugins/pcre/ruleset/vpopmail.rules
prelude-lml/trunk/plugins/pcre/ruleset/webmin.rules
prelude-lml/trunk/plugins/pcre/ruleset/wu-ftp.rules
Log:
Remove successful/failure keyword from classification (use completion).
Logon -> Login.
Modified: prelude-lml/trunk/plugins/pcre/ruleset/kojoney.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/kojoney.rules 2008-04-23 09:32:00 UTC (rev 10516)
+++ prelude-lml/trunk/plugins/pcre/ruleset/kojoney.rules 2008-04-23 09:32:22 UTC (rev 10517)
@@ -22,7 +22,7 @@
#####
#Ruleset fot the Kojoney SSH Honeypot
-#
+#
#2007/04/12 21:57 CEST [SSHService ssh-userauth on SSHServerTransport,3,88.64.180.35] root trying auth password
#2007/04/12 21:57 CEST [SSHService ssh-userauth on SSHServerTransport,3,88.64.180.35] root authenticated with password
#2007/04/12 21:57 CEST [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,3,88.64.180.35] COMMAND IS : pwd
@@ -48,9 +48,9 @@
#LOG:2007/04/12 21:57 CEST [SSHService ssh-userauth on SSHServerTransport,3,88.64.180.35] root authenticated with password
regex=\[SSHService ssh-userauth on SSHServerTransport,\d+,(\S+)\] (\S+) authenticated with password; \
- classification.text=SSH Login successful; \
+ classification.text=SSH Login; \
id=20001; \
- revision=1; \
+ revision=2; \
analyzer(0).name=Kojoney SSH Honeypot; \
analyzer(0).manufacturer=http://kojoney.sourceforge.net; \
analyzer(0).class=Honeypot; \
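Review bot: With the outcome word removed from `classification.text`, rule 20001 now depends entirely on `assessment.impact.completion` to say that the login succeeded, and this hunk ends at `analyzer(0).class` before any assessment fields appear. Please confirm the rest of the rule carries `assessment.impact.completion=succeeded; \`, which lies outside the hunk. The same check applies to every other rule retitled in this commit (ms-sql, netapp-ontap, ntsyslog, proftpd, single, vpopmail, webmin, wu-ftp); only the two pam.rules hunks show the completion line. Any rule without it would emit an alert where a failed attempt and a successful one look identical to an analyst or a correlation filter.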
Modified: prelude-lml/trunk/plugins/pcre/ruleset/ms-sql.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/ms-sql.rules 2008-04-23 09:32:00 UTC (rev 10516)
+++ prelude-lml/trunk/plugins/pcre/ruleset/ms-sql.rules 2008-04-23 09:32:22 UTC (rev 10517)
@@ -24,17 +24,17 @@
#####
#
-# The rules included here were developed using Microsoft SQL Server 2000 SP3a
-# events collected using NTSysLog. Please report any inconsistencies on other
+# The rules included here were developed using Microsoft SQL Server 2000 SP3a
+# events collected using NTSysLog. Please report any inconsistencies on other
# versions to G Ramon Gomez at the address provided above
#
#####
#LOG:Nov 24 14:45:58 testdb.itg.sac.tfs mssqlserver[info] 17055 18456 : Login failed for user 'probe'.
regex=(mssql.+)\[\w+\] \d+ \d+ : Login failed for user '(?!sa)(.+)'; \
- classification.text=Database user login failure; \
+ classification.text=Database user login; \
id=1000; \
- revision=1; \
+ revision=2; \
analyzer(0).name=SQL Server; \
analyzer(0).manufacturer=Microsoft; \
analyzer(0).class=Database; \
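Review bot: The negative lookahead in rule 1000, `'(?!sa)(.+)'`, rejects every user name that begins with "sa", not only the `sa` account itself. Rule 1001 requires the closing quote right after `sa`, so a failed login for an account such as `sales` matches neither rule and produces no alert. Since the revision is being bumped anyway, consider anchoring the exclusion on the closing quote: `regex=(mssql.+)\[\w+\] \d+ \d+ : Login failed for user '(?!sa')(.+)'; \`. The rule body continues past the end of this hunk.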
@@ -49,9 +49,9 @@
#LOG:Nov 24 14:45:58 testdb.itg.sac.tfs mssqlserver[info] 17055 18456 : Login failed for user 'sa'.
regex=(mssql.+)\[\w+\] \d+ \d+ : Login failed for user 'sa'; \
- classification.text=Database admin login failure; \
+ classification.text=Database admin login; \
id=1001; \
- revision=1; \
+ revision=2; \
analyzer(0).name=SQL Server; \
analyzer(0).manufacturer=Microsoft; \
analyzer(0).class=Database; \
Modified: prelude-lml/trunk/plugins/pcre/ruleset/netapp-ontap.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/netapp-ontap.rules 2008-04-23 09:32:00 UTC (rev 10516)
+++ prelude-lml/trunk/plugins/pcre/ruleset/netapp-ontap.rules 2008-04-23 09:32:22 UTC (rev 10517)
@@ -24,7 +24,7 @@
#####
#
# The rules included here were developed using NetApp ONTAP 6.4.4R1 on a
-# F820 Filer. Please report any inconsistencies on other versions to G
+# F820 Filer. Please report any inconsistencies on other versions to G
# Ramon Gomez at the address provided above
#
#####
@@ -60,9 +60,9 @@
#LOG:Jul 15 10:55:40 cahco3 Thu Jul 15 10:51:52 PDT [httpd_slowproc:warning]: HTTP Authentication from 12.34.56.78 to realm Administration failed
regex=\[httpd_slowproc:warning\]: HTTP Authentication from ([\d\.]+) to realm \w+ failed; \
- classification.text=Web administration admin login failed; \
+ classification.text=Web administration admin login; \
id=3902; \
- revision=1; \
+ revision=2; \
analyzer(0).name=ONTAP; \
analyzer(0).manufacturer=NetApp; \
analyzer(0).class=Storage; \
@@ -81,9 +81,9 @@
#LOG:Jul 15 10:57:55 cahco3 Thu Jul 15 10:54:07 PDT [telnet_0:info]: clark logged in from host: localhost
regex=\[telnet_\d+:info\]: (\S+) logged in from host: ([\w\-\.]+); \
- classification.text=Remote control admin login succeeded; \
+ classification.text=Remote control admin login; \
id=3903; \
- revision=1; \
+ revision=2; \
analyzer(0).name=ONTAP; \
analyzer(0).manufacturer=NetApp; \
analyzer(0).class=Storage; \
@@ -117,7 +117,7 @@
last
#LOG:Jul 15 11:39:59 cahco3 Thu Jul 15 11:36:11 PDT [raid.disk.zero.done:notice]: 8.34 (S/N 3FP0H0JE000072074RFP): disk zeroing complete
-regex=\[raid.disk.zero.done:notice]: ([\d\.]+) \(S\/N (\S+)\): disk zeroing complete; \
+regex=\[raid.disk.zero.done:notice]: ([\d\.]+) \(S\/N (\S+)\): disk zeroing complete; \
classification.text=Storage disk zeroed; \
id=3905; \
revision=1; \
Modified: prelude-lml/trunk/plugins/pcre/ruleset/ntsyslog.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/ntsyslog.rules 2008-04-23 09:32:00 UTC (rev 10516)
+++ prelude-lml/trunk/plugins/pcre/ruleset/ntsyslog.rules 2008-04-23 09:32:22 UTC (rev 10517)
@@ -1,13 +1,13 @@
#####
#
-# Copyright (C) 2003 Vincent Glaume
+# Copyright (C) 2003 Vincent Glaume
# Currently supported by G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
@@ -23,9 +23,9 @@
#####
#############################################################################
-#
-# This ruleset aims at analyzing the logs returned by the ntsyslog
-# application, which converts NT events to syslog.
+#
+# This ruleset aims at analyzing the logs returned by the ntsyslog
+# application, which converts NT events to syslog.
# English logs only.
# TODO:
# * Add all log entries not currently present
@@ -63,13 +63,13 @@
# 1.b 528
#LOG:Jul 11 13:44:11 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 528 SACRAMENTO\ggomez Successful Logon: User Name:ggomez Domain:SACRAMENTO Logon ID:(0x0,0x16AC1854) Logon Type:7 Logon Process:User32 Authentication Package:Negotiate Workstation Name:SMF-ENG-GGOMEZ Logon GUID: {621924db-649e-3b17-b41a-215e55680eb3}
regex=security\[success\] 528 (.*) Successful Logon: User Name:([\w ]+) Domain:(.+) Logon ID:\(.*\) Logon Type:(\d+) Logon Process:(\w+) .* Workstation Name:(\S+); \
- classification.text=Login successful; \
+ classification.text=Login; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=Windows Event ID; \
classification.reference(0).name=528; \
classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com189.html; \
id=1401; \
- revision=2; \
+ revision=3; \
analyzer(0).name=NTsyslog; \
analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
analyzer(0).class=Logging; \
@@ -95,7 +95,7 @@
last
# 1.c 538
-#LOG:Jun 24 15:22:39 bigipnet security[success] 538 NT AUTHORITY\ANONYMOUS LOGON User Logoff: User Name:ANONYMOUS LOGON Domain:NT AUTHORITY Logon ID:(0x0,0x938205) Logon Type:3
+#LOG:Jun 24 15:22:39 bigipnet security[success] 538 NT AUTHORITY\ANONYMOUS LOGON User Logoff: User Name:ANONYMOUS LOGON Domain:NT AUTHORITY Logon ID:(0x0,0x938205) Logon Type:3
regex=security\[success\] 538 .* User Logoff:\s+User Name:([\w ]+) Domain:([\w ]+) Logon ID:\S+ Logon Type:(\d+); \
classification.text=Logoff; \
classification.reference(0).origin=vendor-specific; \
@@ -195,7 +195,7 @@
assessment.impact.completion=succeeded; \
assessment.impact.type=other; \
assessment.impact.description=Service $2 called with the following privileges: $5; \
- source(0).user.category=os-device; \
+ source(0).user.category=os-device; \
source(0).user.user_id(0).type=current-user; \
source(0).user.user_id(0).name=$1; \
source(0).user.user_id(1).type=current-user; \
@@ -234,13 +234,13 @@
# 1.i 680
#LOG:Oct 22 20:57:03 smf-syslog-02 smf-dc-01/smf-dc-01 security[success] Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account Name: DRankin Workstation: SMF-HLP-16
regex= security\[success\].*Account Used for Logon by: (.+) Account Name: (.+) Workstation: (.+); \
- classification.text=Login successful; \
+ classification.text=Login; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=Windows Event ID; \
classification.reference(0).name=680; \
classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com304.html; \
id=1408; \
- revision=2; \
+ revision=3; \
analyzer(0).name=NTsyslog; \
analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
analyzer(0).class=Logging; \
@@ -331,12 +331,12 @@
# 2.a 529 or 534
#LOG:Dec 10 00:23:37 webbrain.itg.sac.tfs security[failure] 529 NT AUTHORITY\SYSTEM Logon Failure: Reason:Unknown user name or bad password User Name:administrator Domain:ITG Logon Type:2 Logon Process:Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:WEBBRAIN
regex=security\[failure\] (529|534) .+ Logon Failure: Reason:(.+) User Name:([\w ]+) Domain:(.+) Logon Type:(\d+) Logon Process:(\w+) Authentication Package:.+ Workstation Name:(.+); \
- classification.text=Login failure; \
+ classification.text=Login; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=Windows Event ID; \
classification.reference(0).name=$1; \
id=1412; \
- revision=2; \
+ revision=3; \
analyzer(0).name=NTsyslog; \
analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
analyzer(0).class=Logging; \
@@ -420,13 +420,13 @@
# 2.d 681
# LOG:Dec 10 08:20:07 mrfreeze.itg.sac.tfs security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: tfslegalask at itg.sac.tfs by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: MRFREEZE failed. The error code was: 3221225572
regex=security\[failure\] 681 (.+) The logon to account: (\S+) by:.+ from workstation: (\w+); \
- classification.text=Logon failure; \
+ classification.text=Login; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=Windows Event ID; \
classification.reference(0).name=681; \
classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com326.html; \
id=1415; \
- revision=2; \
+ revision=3; \
analyzer(0).name=NTsyslog; \
analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
analyzer(0).class=Logging; \
Modified: prelude-lml/trunk/plugins/pcre/ruleset/pam.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/pam.rules 2008-04-23 09:32:00 UTC (rev 10516)
+++ prelude-lml/trunk/plugins/pcre/ruleset/pam.rules 2008-04-23 09:32:22 UTC (rev 10517)
@@ -50,9 +50,9 @@
#LOG:Aug 14 17:32:19 blah su(pam_unix)[17944]: session opened for user root by (uid=123)
#LOG:Dec 9 18:47:10 devel5 sshd(pam_unix)[13189]: session opened for user yyyy by xxxx(uid=0)
regex=session opened for user (\S+) by (\S*)\(uid=(\d*)\); \
- classification.text=User authentication successful; \
+ classification.text=User Authentication; \
id=1; \
- revision=1; \
+ revision=2; \
analyzer(0).name=PAM; \
analyzer(0).class=Authentication; \
assessment.impact.completion=succeeded; \
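Review bot: The new text `User Authentication` in rules 1 and 2 (this hunk and the next) uses a capital A, while the other retitled classifications in this commit are written in sentence case (`Database user login`, `FTP login`, `Mail server user login`). Anything that groups or filters on the exact `classification.text` string will treat differently cased values as unrelated classes, so one convention is worth settling now; `classification.text=User authentication; \` would match the rest. Both pam hunks do show `assessment.impact.completion`, so the outcome is still carried here.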
@@ -71,9 +71,9 @@
# LOG:Dec 21 21:18:46 share2 sshd(pam_unix)[15525]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a.b.c.d user=root
#
regex=authentication failure\; logname=([^ ]*)[ ]*uid=([^ ]*)[ ]*euid=.* tty=([^ ]*)[ ]*ruser=([^ ]*)[ ]*rhost=([^ ]*)[ ]*user=([^ ]*); \
- classification.text=User authentication failed; \
+ classification.text=User Authentication; \
id=2; \
- revision=1; \
+ revision=2; \
analyzer(0).name=PAM; \
analyzer(0).class=Authentication; \
assessment.impact.completion=failed; \
Modified: prelude-lml/trunk/plugins/pcre/ruleset/proftpd.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/proftpd.rules 2008-04-23 09:32:00 UTC (rev 10516)
+++ prelude-lml/trunk/plugins/pcre/ruleset/proftpd.rules 2008-04-23 09:32:22 UTC (rev 10517)
@@ -6,7 +6,7 @@
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
@@ -24,9 +24,9 @@
#LOG:Jan 13 22:19:52 (none) proftpd[7804]: leroutier.net (193.249.231.232[193.249.231.232]) - PAM(leroutier): Authentication failure.
regex=[\w\-\.]+ \(([\d\.]+)\[[\d\.]+\]\) - PAM\(([\w\-\.]+)\): Authentication failure; \
- classification.text=FTP logon failed; \
+ classification.text=FTP login; \
id=1600; \
- revision=1; \
+ revision=2; \
analyzer(0).name=ProFTPD; \
analyzer(0).manufacturer=www.proftpd.org; \
analyzer(0).class=Service; \
@@ -49,9 +49,9 @@
#LOG:Jan 13 22:19:58 (none) proftpd[7805]: leroutier.net (193.249.231.232[193.249.231.232]) - no such user 'uh'
regex=[\w\-\.]+ \(([\d\.]+)\[[\d\.]+\]\) - no such user '(\S+)'; \
- classification.text=FTP logon failed; \
+ classification.text=FTP login; \
id=1601; \
- revision=1; \
+ revision=2; \
analyzer(0).name=ProFTPD; \
analyzer(0).manufacturer=www.proftpd.org; \
analyzer(0).class=Service; \
@@ -71,12 +71,12 @@
target(0).user.user_id(0).name=$2; \
last;
-#LOG:Jan 13 22:39:03 (none) proftpd[8023]: leroutier.net (193.249.231.232[193.249.231.232]) - USER rr: no such user found from 193.249.231.232 [193.249.231.232] to 81.91.66.90:21
+#LOG:Jan 13 22:39:03 (none) proftpd[8023]: leroutier.net (193.249.231.232[193.249.231.232]) - USER rr: no such user found from 193.249.231.232 [193.249.231.232] to 81.91.66.90:21
regex=[\w\-\.]+ \(([\d\.]+)\[[\d\.]+\]\) - USER (\S+): no such user found from [\w\-\.]+ \[[\w\-\.]+\] to ([\w\-\.]+):(\d+); \
- classification.text=FTP logon failed; \
+ classification.text=FTP login; \
id=1602; \
- revision=1; \
+ revision=2; \
analyzer(0).name=ProFTPD; \
analyzer(0).manufacturer=www.proftpd.org; \
analyzer(0).class=Service; \
Modified: prelude-lml/trunk/plugins/pcre/ruleset/single.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/single.rules 2008-04-23 09:32:00 UTC (rev 10516)
+++ prelude-lml/trunk/plugins/pcre/ruleset/single.rules 2008-04-23 09:32:22 UTC (rev 10517)
@@ -26,7 +26,7 @@
# Copyright (C) 2004 Yoann Vandoorselaere <yoann at prelude-ids.org>
# All Rights Reserved
-#LOG:Mar 28 12:30:01 gtsdmzuxids1 kernel: device eth1 entered promiscuous mode
+#LOG:Mar 28 12:30:01 gtsdmzuxids1 kernel: device eth1 entered promiscuous mode
regex=device (\S+) entered promiscuous mode; \
classification.text=Promiscuous mode detected; \
id=400; \
@@ -165,7 +165,7 @@
analyzer(0).manufacturer=D-Link; \
analyzer(0).class=Firewall; \
assessment.impact.severity=medium; \
- assessment.impact.description=A packet was dropped by D-Link rule "$7".; \
+ assessment.impact.description=A packet was dropped by D-Link rule "$7".; \
source(0).interface=$2; \
source(0).service.iana_protocol_name=$1; \
source(0).node.address(0).category=ipv4-addr; \
@@ -233,9 +233,9 @@
#LOG:May 10 15:24:21 mighty pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [asdfasdf]
regex=([\d\.]+)\) \[WARNING\] Authentication failed for user \[(.+)\]; \
- classification.text=FTP logon failed; \
+ classification.text=FTP login; \
id=410; \
- revision=1; \
+ revision=2; \
analyzer(0).name=PureFTPD; \
analyzer(0).manufacturer=www.pureftpd.org; \
analyzer(0).class=Service; \
Modified: prelude-lml/trunk/plugins/pcre/ruleset/vpopmail.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/vpopmail.rules 2008-04-23 09:32:00 UTC (rev 10516)
+++ prelude-lml/trunk/plugins/pcre/ruleset/vpopmail.rules 2008-04-23 09:32:22 UTC (rev 10517)
@@ -6,7 +6,7 @@
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
@@ -49,9 +49,9 @@
#LOG:Jan 14 17:24:54 spotk vpopmail[28359]: vchkpw: password fail xxx at spotk.net:127.0.0.1
regex=vchkpw: password fail (\S+):([\d\.]+); \
- classification.text=Mail server user login failed; \
+ classification.text=Mail server user login; \
id=2101; \
- revision=2; \
+ revision=3; \
analyzer(0).name=vpopmail; \
analyzer(0).manufacturer=inter7; \
analyzer(0).class=Administration; \
Modified: prelude-lml/trunk/plugins/pcre/ruleset/webmin.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/webmin.rules 2008-04-23 09:32:00 UTC (rev 10516)
+++ prelude-lml/trunk/plugins/pcre/ruleset/webmin.rules 2008-04-23 09:32:22 UTC (rev 10517)
@@ -24,17 +24,17 @@
#####
#
-# The rules included here were developed using Webmin 1.130. Please
-# report any inconsistencies on other versions to G Ramon Gomez at the
+# The rules included here were developed using Webmin 1.130. Please
+# report any inconsistencies on other versions to G Ramon Gomez at the
# address provided above
#
#####
-#LOG:Mar 14 15:18:22 gtsproduxlvs1 webmin[27244]: Successful login as root from 12.34.56.78
+#LOG:Mar 14 15:18:22 gtsproduxlvs1 webmin[27244]: Successful login as root from 12.34.56.78
regex=Successful login as (.+) from ([\d\.]+); \
- classification.text=Web administration admin login successful; \
+ classification.text=Web administration admin login; \
id=2900; \
- revision=1; \
+ revision=2; \
analyzer(0).name=Webmin; \
analyzer(0).manufacturer=www.webmin.com; \
analyzer(0).class=Administration; \
@@ -53,9 +53,9 @@
#LOG:Mar 17 19:18:32 gtsdmzuxids1 webmin[28655]: Invalid login as root from 10.100.17.38
regex=Invalid login as (.+) from ([\d\.]+); \
- classification.text=Web administration admin login failed; \
+ classification.text=Web administration admin login; \
id=2901; \
- revision=1; \
+ revision=2; \
analyzer(0).name=Webmin; \
analyzer(0).manufacturer=www.webmin.com; \
analyzer(0).class=Administration; \
Modified: prelude-lml/trunk/plugins/pcre/ruleset/wu-ftp.rules
===================================================================
--- prelude-lml/trunk/plugins/pcre/ruleset/wu-ftp.rules 2008-04-23 09:32:00 UTC (rev 10516)
+++ prelude-lml/trunk/plugins/pcre/ruleset/wu-ftp.rules 2008-04-23 09:32:22 UTC (rev 10517)
@@ -25,16 +25,16 @@
#####
#
# The rules included here were developed using WU-ftpd 2.6.2. Please report
-# any inconsistencies on other versions to G Ramon Gomez at the address provided
+# any inconsistencies on other versions to G Ramon Gomez at the address provided
# above
#
#####
#LOG:Oct 28 20:38:47 www.tyco-training.stag ftpd[12781]: ANONYMOUS FTP LOGIN FROM p508ee95a.dip.t-dialin.net [80.142.233.90], Igpuser at home.com
regex=ANONYMOUS FTP LOGIN FROM ([\w\-\.]+) \[([\d\.)]+)\], (\S+); \
- classification.text=Anonymous FTP logon; \
+ classification.text=Anonymous FTP login; \
id=2300; \
- revision=2; \
+ revision=3; \
analyzer(0).name=WU-FTPD; \
analyzer(0).manufacturer=www.wu-ftpd.org; \
analyzer(0).class=Service; \
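Review bot: The address capture in rule 2300, `\[([\d\.)]+)\]`, has a stray `)` inside the character class, so the group accepts closing parentheses as part of the IP address; the same class appears in rule 2301 in the next hunk. The captured value is presumably written to a node address field outside the hunk, where a malformed address would hamper correlation by source. As both rules get a new revision here, the class could be tightened to `\[([\d\.]+)\]`.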
@@ -59,9 +59,9 @@
#LOG:Oct 28 20:38:48 itguxweb2 ftpd[19188]: FTP LOGIN FAILED (cannot set guest privileges) for p508ee95a.dip.t-dialin.net [80.142.233.90], ftp
regex=FTP LOGIN FAILED \(([\w\s]+)\) for ([\w\-\.]+) \[([\d\.)]+)\], (\S+); \
- classification.text=FTP logon failed; \
+ classification.text=FTP login; \
id=2301; \
- revision=2; \
+ revision=3; \
analyzer(0).name=WU-FTPD; \
analyzer(0).manufacturer=www.wu-ftpd.org; \
analyzer(0).class=Service; \