From c287979a0e1ad7f7d1af6a5e7a4b6a5d18782a1b Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Wed, 8 Mar 2017 08:31:08 +0100
Subject: [PATCH] =?UTF-8?q?=C3=84nnu=20ett=20antal=20nya=20regler?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 logcheck_debian | 22 +++++++++++++++++++++-
 testlog | 6 ++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/logcheck_debian b/logcheck_debian
index 05a91fd..151da56 100644
--- a/logcheck_debian
+++ b/logcheck_debian
@@ -326,6 +326,13 @@
 #Mar 4 09:14:31 nada sm-mta[25219]: v248EUKL025219: AUTH decode64 error [-5 for "Y2FzdG9yQHdhaGxiZXJnLnNlAGNhc3RvckB3YWhsYmVyZy5zZQBwb2tlbW9uDQ==\r"], relay=[156.67.106.207]
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: AUTH decode64 error \[-5 for "Y2FzdG9yQHdhaGxiZXJnLnNlAGNhc3RvckB3YWhsYmVyZy5zZQBwb2tlbW9uDQ==\\r"\], relay=\[[.:[:digit:]]+\]
+#Mar 6 23:47:37 nada sm-mta[11119]: v26MlObG011113: Fixed MIME Content-Type header field (possible attack)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: Fixed MIME Content-Type header field \(possible attack\)
+
+
+
+
+
 #
 # SPAMD
 #
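Review bot: The new rule for `Fixed MIME Content-Type header field \(possible attack\)` suppresses a message that sendmail logs precisely because it rewrote a header it considered suspicious, so placing it in an ignore list removes the only indicator that event produces. If these are known false positives from a particular sender, I would narrow the rule or leave the event reported and say so above it, e.g. `# sendmail flags this as a possible attack; intentionally kept reported` in place of the ignore pattern. Minor style: the timestamp class is written `[ :0-9]{11}` here while the sshd rules in this file use `[ :[:digit:]]{11}`, and the five trailing blank `+` lines after the pattern are noise.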
@@ -400,7 +407,8 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Cannot make/remove an entry for the specified session for (illegal user )?[[:alnum:]]+ from [-.:[:alnum:]]+
 #Mar 14 02:25:08 nada sshd[18347]: fatal: Read from socket failed: Connection reset by peer [preauth]
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]
+#Mar 6 04:03:02 nada sshd[11959]: fatal: Write failed: Connection reset by peer [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer \[preauth\]
 #Mar 13 10:10:06 kvarnen sshd[31901]: Disconnecting: Too many authentication failures for root from 74.74.67.164 port 43335 ssh2 [preauth]
 #Feb 3 11:52:58 nada sshd[16082]: Disconnecting: Too many authentication failures for root [preauth]
@@ -456,6 +464,18 @@ Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth
 #Mar 1 03:03:26 nada sshd[28313]: fatal: Write failed: Broken pipe [preauth]
 \w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Broken pipe \[preauth\]
+#Mar 6 22:43:34 nada sshd[4306]: Disconnecting: Packet corrupt [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Packet corrupt \[preauth\]
+
+#Mar 6 22:43:34 nada sshd[4306]: Bad packet length 4081589265. [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad packet length [[:digit:]]+. \[preauth\]
+
+#Mar 8 03:17:11 nada sshd[23415]: Received disconnect from 91.195.103.166: 11: Client disconnecting normally [preauth]
+#Mar 7 19:37:07 nada sshd[9647]: Received disconnect from 91.195.103.173: 11: Client disconnecting normally [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 11: Client disconnecting normally \[preauth\]
+
+
+
 #
 # SUHOSIN
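Review bot: In the `@@ -456,6 +464,18 @@` hunk the dot in `Bad packet length [[:digit:]]+. \[preauth\]` is unescaped and therefore matches any character; it should read `Bad packet length [[:digit:]]+\. \[preauth\]`. The three new patterns there are also unanchored (`\w{3} ...`), which matches the existing `Broken pipe` line beside them but not the `^\w{3} ...` form used in the `@@ -400,7 +407,8 @@` hunk; since logcheck feeds these files to extended grep, an unanchored pattern matches anywhere in a line, and prefixing `^` on the new lines is the cheap place to start converging. `Received disconnect from [.:[:digit:]]+` only accepts IPv4 literals, whereas the PAM rule earlier in the file uses `[-.:[:alnum:]]+` for the peer, so if IPv6 peers are possible the same class is needed here. All three rules silence pre-auth disconnects and malformed-packet events from any source, which is normal noise reduction but is also what a host being probed looks like in the log, so it is worth confirming another tool still counts them.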
diff --git a/testlog b/testlog
index da21e8d..558100b 100644
--- a/testlog
+++ b/testlog
@@ -420,6 +420,12 @@ Mar 5 00:00:01 marconi sudo: fredrik : TTY=unknown ; PWD=/home/fredrik ; USER=
 Mar 5 07:36:35 marconi nmbd[28262]: [2017/03/05 07:36:35.791823, 0] ../source3/nmbd/nmbd.c:169(nmbd_sig_hup_handler)
 Mar 5 07:36:35 marconi nmbd[28262]: [2017/03/05 07:36:35.792332, 0] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
 Mar 5 07:36:35 marconi nmbd[28262]: [2017/03/05 07:36:35.792760, 0] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
+Mar 6 04:03:02 nada sshd[11959]: fatal: Write failed: Connection reset by peer [preauth]
+Mar 6 22:43:34 nada sshd[4306]: Bad packet length 4081589265. [preauth]
+Mar 6 22:43:34 nada sshd[4306]: Disconnecting: Packet corrupt [preauth]
+Mar 6 23:47:37 nada sm-mta[11119]: v26MlObG011113: Fixed MIME Content-Type header field (possible attack)
+Mar 8 03:17:11 nada sshd[23415]: Received disconnect from 91.195.103.166: 11: Client disconnecting normally [preauth]
+Mar 7 19:37:07 nada sshd[9647]: Received disconnect from 91.195.103.173: 11: Client disconnecting normally [preauth]
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
 Aug 23 18:39:24 nada fredrik[1713]: Sista raden