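# Log-classification rules plus one embedded Perl handler.
#
# Layout of this file (as far as the rules below show it):
#   [name, type=>code]     -- an anonymous Perl sub bound to `name`
#   [name, type=>service]  -- a named rule set for one log source
#   [name, type=>default]  -- a profile that `include`s rule sets
#   <letter> /regex/ [args] -- one rule per line; the letter selects
#       how a matching line is classified.  A / W / I are presumably
#       alert / warn / ignore, `I*` an ignore variant, `P` hands the
#       line to the named code block, `C`/`CI` count matches against a
#       threshold and label -- the exact semantics live in the parser,
#       confirm there before relying on this summary.
# Rules match raw, attacker-influenced log text, so an over-broad
# ignore rule silently drops evidence; keep ignore patterns as narrow
# as the message allows.

[count_virus, type=>code]
sub {
    my ($rec) = @_;
    # %::virus is a package global in main, so counts persist across
    # calls (and are visible to any other code block).
    # local %::virus;

    # Report mode: called without a record, return the accumulated
    # table as "<virus>\t<count>\n" lines sorted by virus name.
    if (!defined $rec) {
        my $result = '';
        foreach my $virus (sort keys %::virus) {
            $result .= "$virus\t$::virus{$virus}\n";
        }
        return $result;
    }

    # Count mode: pull the quoted virus name out of the record.  The
    # capture is greedy, so a name containing a quote runs to the last
    # quote on the line.  A record without the quoted form is not
    # counted: previously it was tallied under an undef (empty) key,
    # with an uninitialized-value warning, and polluted the report.
    my ($virus) = $rec =~ /infected with virus '(.+)'/;
    return 1 if !defined $virus;

    # ++ autovivifies a missing key to 1, so no first-seen branch needed.
    $::virus{$virus}++;
    return 1;
}

[base, type=>service]
A /"wiz"/
A /"WIZ"/
A /"debug"/
A /"DEBUG"/
A /ATTACK/
A /nested/
A /LOGIN root REFUSED/
A /rlogind.*: Connection from .* on illegal port/
A /rshd.*: Connection from .* on illegal port/
A /uucico.*: refused connect from .*/
A /tftpd.*: refused connect from .*/
A /login.*: .*LOGIN FAILURE.* FROM .*root/
A /login.*: .*LOGIN FAILURE.* FROM .*guest/
A /login.*: .*LOGIN FAILURE.* FROM .*bin/
A /login.*: .*LOGIN FAILURE.* FROM .*uucp/
A /login.*: .*LOGIN FAILURE.* FROM .*adm/
A /login.*: .*LOGIN FAILURE.* FROM .*bbs/
A /login.*: .*LOGIN FAILURE.* FROM .*games/
A /login.*: .*LOGIN FAILURE.* FROM .*sync/
A /login.*: .*LOGIN FAILURE.* FROM .*oracle/
A /login.*: .*LOGIN FAILURE.* FROM .*sybase/
A /kernel: Oversized packet received from/
A /attackalert/
W /!=/
W /-ERR Password/
W /ATTACK/
W /BAD/
W /CWD etc/
W /FAILURE/
W /ILLEGAL/
W /LOGIN FAILURE/
W /LOGIN REFUSED/
W /PERMITTED/
W /REFUSED/
W /ROOT LOGIN/
W /"WIZ"/
W /admin /
W /alias database/
W /debug/i
W /denied/
W /deny/
W /deny host/
W /expn/i
W /failed/
W /illegal/
W /kernel: Oversized packet received from/
W /nested/
W /permitted/
W /reject/
W /rexec/
W /rshd/
W /securityalert/
W /setsender/
W /shutdown/
W /smrsh/
W /su root/
W /su: /
W /sucked/
W /unapproved/
W /vrfy/i
W /attackalert/
W /NOTICE/
#C /Error/ 10 xostfix errors
I /CROND/
I /xntpd.*synchronized/
I /STATS: dropped 0/

[ftp, type=>service]
W /RETR group/
W /RETR passwd/
W /RETR pwd.db/
W /SITE EXEC/

[http, type=>service]
A /cmd.exe/

[sshd, type=>service]
# NOTE(review): this drops every successful key login for one account
# from the report; successful logins are usually worth keeping visible.
I* /Accepted publickey for sarge/
I* /\/var\/log\/lastlog/

[named, type=>service]

[postfix, type=>service]
# NOTE(review): no space after "warning:" -- Postfix normally logs
# "warning: ", so this rule may never match; confirm against a real line.
I* /smtpd\[.+warning:no MX host/
I* /smtpd\[.+warning: numeric dom/
# Fixed typo: was "Illlegal", which never matched Postfix's
# "Illegal address syntax" warning.
I* /smtpd\[.+warning: Illegal address syntax/
I* /smtpd\[.+warning: .+ verification failed: Name or service not known$/
# Fixed typo in the next two rules: was "smptd", so they never matched.
I* /smtpd\[.+warning: .+ No address associated with hostname/
I* /smtpd\[.+warning: .+ Temporary failure in name resolution/

# NOTE(review): was "type=service"; normalised to the "=>" form every
# other stanza uses.
[amavis, type=>service]
# Matching lines are handed to the count_virus code block above.
P /sophie\[.+WARNING.+infected with virus/ count_virus
CI /dccproc\[.+: continue not asking DCC/ 5 DCC errors

# NOTE(review): was "type=service"; normalised to the "=>" form.
[imp, type=>service]
I /WEBMAIL\[.+Login success/

[cisco, type=>service]
I /test/

[sendmail, type=>service]
I / failed: 1/
I /gethostbyaddr.* failed: 1/
I* / Message accepted for delivery/
I / relay=.*\@localhost/
A /sendmail.*: user .* attempted to run daemon/
A /vrfy bbs/i
A /vrfy decode/i
A /vrfy uudecode/i
A /vrfy lp/i
A /vrfy demo/i
A /vrfy guest/i
A /vrfy root/i
A /vrfy uucp/i
A /vrfy oracle/i
A /vrfy sybase/i
A /vrfy games/i
A /expn decode/i
A /expn uudecode/i
A /expn wheel/i
A /expn root/i

[limdaemon, type=>service]
I* /lnode attach failed in setuid/

[proftpd, type=>service]
I* /proftpd.+ANON anonymous:/
I* / Login successful/
I* /max clients per host 1/

[squid, type=>service]
I /not authoritative/
# NOTE(review): "dnsserver*" means "dnsserve" plus any number of "r";
# probably intended "dnsserver.*:".  The broader rule below covers it.
I /dnsserver*: gethostbyaddr/
I /gethostbyaddr/

[socks, type=>service]
I* /daemon.notice/

[default, type=>default, email=>hhoffman]
include base
include sshd

[sun, type=>default, email=>hhoffman]
include base
include sendmail
include sshd
include limdaemon

[linux, type=>default, email=>hhoffman]
include base
#include postfix
include sshd

#[bloodnok, type=>host, email=>hhoffman]
#include linux
#include http
#[www.ip-solutions.net, type=>host, email=>hhoffman]
#[mailhosta, type=host, email=>hhoffman]
#include postfix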