-
Notifications
You must be signed in to change notification settings - Fork 2
/
acl.conf
154 lines (123 loc) · 4.93 KB
/
acl.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
: Advanced Color Logs configuration file
: Colors -- black, red, green, yellow, blue, magenta, cyan, white, default
: Attributes -- <none>, bright, blinking, underlined, normal,
: background, beep, hide
:
: Format for this file is
: [ATTRIBUTE(S)]COLOR,primary_match[,secondary_match,...]
:
: attributes can be any ordering of the above attributes. This field is not
: case sensitive; only one color may be used.
: primary_match must be a positive match (must be in line)
: secondary_match(es) can be positive or negative (must NOT be in line)
: negative matches are specified by NOT ('!')
:
: EXAMPLE -
: Display red background text when there someone other than "nobody" opens
: an su session. Note the log entry has (su) so we want to match to
: "(su)" to avoid matches to "superchicken" or anything else with "su".
:
: BackgroundRed,(su),opened,!nobody
:
: Matches are done linearly. First match is the color used. Because of this,
: list matches as most specific to most general. Simple rule of thumb is to
: list matches in order of most number of conditionals to least number of
: conditionals.
:
:
: Patrick Mullen
:
:option, wake
OPTION, syslog
HOST, observer, Cyan
:BrightYellow
HOST, hobar, BrightRed
HOST, lj5m, Yellow
:HOST, ted.tmp.lab, Magenta
TIMESTAMP, Magenta
Service, kernel, BackgroundBrightWhite
Service, modprobe, BackgroundBrightWhite
Service, mail, BrightBlue : So we get sendmail and qmail.
Service, identd, normal
Service, ftpd, BrightGreen : Note this also does tftpd
Service, named, BrightCyan
Service, PAM_pwdb, BrightMagenta
Service, login, BrightYellow
Service, telnetd, Yellow
Service, snort, BrightRed
: High alert stuff
WakeBeepBlinkingBackgroundBrightRed,refused connect
WakeBeepBlinkingBackgroundBrightYellow,romiscuous mode
: snort http://www.clark.net/~roesch/security.html
BackgroundRed,snort,spp_portscan
Red,snort,157.176.213.,157.176.212.
Red,snort,Traceroute
WakeBrightRed,snort,Connection request
WakeBeepBlinkingBackgroundBrightRed,snort
: More alert stuff we want to highlight
BackgroundBrightYellow,Authentication failure
BackgroundBrightYellow,FAILED LOGIN : telnetd
BackgroundBrightYellow,failed login : ftpd
BeepBlinkingBackgroundBrightYellow,repeated login failures : ftpd
: Further down the chain are these messages we don't want to miss.
: If you have a high-traffic site, "background"ing these will probably
: be annoying.
BackgroundGreen, FTP LOGIN
BackgroundYellow,LOGIN
BackgroundYellow,adduser
BackgroundYellow,userdel
BackgroundYellow,connect from
: tcpserver is like tcpwrappers, so highlight it similarly
Yellow,tcpserver,pid,from
BackgroundYellow,tcpserver,!status,!end
Yellow,tcpserver
: Kernel messages generally come in bursts (bootup), but when they
: appear alone it's often cause for concern. Lumping kernel-associated
: messages in with this group.
BackgroundWhite,kernel
BackgroundWhite,modprobe
: PAM_pwdb stuff
Hide,(su),for user nobody : Ignore `su nobody`
:BackgroundMagenta,PAM_pwdb,(su),opened : `su nobody` already fell out
BackgroundMagenta,PAM_pwdb,opened
:Magenta,PAM_pwdb,(su)
Magenta,PAM_pwdb,closed
BrightMagenta,PAM_pwdb : Everything else - passwd changes,
: auth failures, unforeseen things
: Named. The inspiration for this program. Ignore status messages.
: These rules are ordered so expected "abnormality" messages such
: as "LAME SERVER" are given standard foreground colorizing, any
: messages which are not one of these "abnormality" messages and
: are not a "status" message is given background colorizing so we
: notice them easily, then status messages are ignored.
Cyan,named,Lame server
BackgroundCyan,named,!STATS,!Cleaned cache,!USAGE
Hide,named
: qmail stuff.
BeepBackgroundBrightBlue,qmail,delivery,failure
BackgroundBrightBlue,qmail,delivery,to remote
BackgroundBrightBlue,qmail,bounce msg
BackgroundBlue,qmail,delivery,to local
BeepBlinkingBackgroundBrightBlue,qmail,delivery,!success : Alert to unknown messages
BackgroundBlue,qmail,!new msg,!info msg,!status,!end msg,!success
Blue,qmail
: sendmail doesn't have as readable messages as qmail, so just highlight all of it
BackgroundBlue,sendmail
: ftp. Not sure what to highlight here. Failed logins are done at the top,
: so just colourize ftp messages normally for now.
Green,ftpd
: Nessus network security scanner http://www.nessus.org
: I repeat the use of blue, but with my host it cause confusion
BackgroundBrightBlue,nessusd,new attack
BackgroundBlue,nessusd,!launching
Blue,nessusd
: Identd. I don't really care about this, but I do want to
: know when it's requested. Up top, I made identd show in
: normal color. Here, I'm going to make the actual message
: text dark (bright black is really dark grey)
BrightBlack, identd
: With this colourization scheme, other messages, which are displayed
: in the normal colour of white on black, are actually highlighted
: quite nicely. If too many messages appear that way, though, try to
: seperate them out into colours.