# A=alert, W=warn, I=ignore, I*=ignore no matter what

[base, type=>service]
A /"wiz"/
A /"WIZ"/
A /"debug"/
A /"DEBUG"/
A /ATTACK/
A /nested/
A /LOGIN root REFUSED/
A /rlogind.*: Connection from .* on illegal port/
A /rshd.*: Connection from .* on illegal port/
A /uucico.*: refused connect from .*/
A /tftpd.*: refused connect from .*/
A /login.*: .*LOGIN FAILURE.* FROM .*root/
A /login.*: .*LOGIN FAILURE.* FROM .*guest/
A /login.*: .*LOGIN FAILURE.* FROM .*bin/
A /login.*: .*LOGIN FAILURE.* FROM .*uucp/
A /login.*: .*LOGIN FAILURE.* FROM .*adm/
A /login.*: .*LOGIN FAILURE.* FROM .*bbs/
A /login.*: .*LOGIN FAILURE.* FROM .*games/
A /login.*: .*LOGIN FAILURE.* FROM .*sync/
A /login.*: .*LOGIN FAILURE.* FROM .*oracle/
A /login.*: .*LOGIN FAILURE.* FROM .*sybase/
A /kernel: Oversized packet received from/
A /attackalert/
W /!=/
W /-ERR Password/
W /ATTACK/
W /BAD/
W /CWD etc/
W /FAILURE/
W /ILLEGAL/
W /LOGIN FAILURE/
W /LOGIN REFUSED/
W /PERMITTED/
W /REFUSED/
W /ROOT LOGIN/
W /"WIZ"/
W /admin /
W /alias database/
W /debug/i
W /denied/
W /deny/
W /deny host/
W /expn/i
W /failed/
W /illegal/
W /kernel: Oversized packet received from/
W /nested/
W /permitted/
W /reject/
W /rexec/
W /rshd/
W /securityalert/
W /setsender/
W /shutdown/
W /smrsh/
W /su root/
W /su: /
W /sucked/
W /unapproved/
W /vrfy/i
W /attackalert/
W /NOTICE/
I /CROND/
I /.*lnode sshd: lnode attach failed in setuid/
I /xntpd.*synchronized/

[ftp, type=>service]
W /RETR group/
W /RETR passwd/
W /RETR pwd.db/
W /SITE EXEC/

[http, type=>service]
A /cmd.exe/

[sshd, type=>service]

[named, type=>service]

[sendmail, type=>service]
I / failed: 1/
I /gethostbyaddr.* failed: 1/
A /sendmail.*: user .* attempted to run daemon/
A /vrfy bbs/i
A /vrfy decode/i
A /vrfy uudecode/i
A /vrfy lp/i
A /vrfy demo/i
A /vrfy guest/i
A /vrfy root/i
A /vrfy uucp/i
A /vrfy oracle/i
A /vrfy sybase/i
A /vrfy games/i
A /expn decode/i
A /expn uudecode/i
A /expn wheel/i
A /expn root/i

[proftpd, type=>service]
I /proftpd.+ANON anonymous:/

[squid, type=>service]
I /not authoritative/
I /dnsserver*: gethostbyaddr/
I /gethostbyaddr/

[default, type=>default, email=>hhoffman]
include base
include sendmail
include sshd

[net.domain.com, type=>host]
include base
include named
I /SNMP-3-AUTHFAIL/
I /LINK-[0-9]-UPDOWN/

[host1, type=>host, email=>hhoffman]
include base
I /snort:.*no IPv4 address assigned/

[www2.domain.com, type=>host]
include base
include proftpd
I /Limit access denies login/

[proxy.domain.com, type=>host]
include base
include squid
I /squid.*/

[imap.domain.com, type=>host]
include base
include sendmail
I /DBERROR/
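A small parser and matcher for this rule format, added here as an example and not the log watcher's own code: it reads a constructed excerpt written in the same syntax, resolves `include` lines for a host section, and classifies sample log lines. The precedence it applies (an `I*` match silences the line outright; otherwise A beats I beats W, so an I rule quiets a warning but not an alert) is an assumption, since the file documents the letters but not their evaluation order.

```python
import re
# Constructed config excerpt (not the page's file) in the page's format: headers, A/W/I/I* rules (optional /i), includes.
CONFIG = """\
# A=alert, W=warn, I=ignore I*=ignore no matter what
[base, type=>service]
A /login.*: .*LOGIN FAILURE.* FROM .*root/
W /LOGIN FAILURE/
W /debug/i
I /CROND/
[sendmail, type=>service]
A /vrfy root/i
I / failed: 1/
[imap.domain.com, type=>host]
include base
include sendmail
I* /sendmail.*DEBUG harness run/
"""
RULE = re.compile(r'^(A|W|I\*?)\s+/(.*)/(i?)\s*$')          # e.g. "W /debug/i"
HEADER = re.compile(r'^\[([^,\]]+)((?:,\s*\w+=>[^,\]]+)*)\]$')  # e.g. "[host1, type=>host, email=>x]"
RANK = {'A': 3, 'I': 2, 'W': 1}  # assumed precedence: I* silences outright, otherwise A > I > W

def parse(text):
    """Return {name: {'attrs': {...}, 'includes': [...], 'rules': [(kind, compiled_regex), ...]}}."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith('#'):
            continue
        if m := HEADER.match(line):
            attrs = dict(a.strip().split('=>', 1) for a in m.group(2).split(',') if a.strip())
            cur = sections[m.group(1).strip()] = {'attrs': attrs, 'includes': [], 'rules': []}
        elif line.startswith('include '):
            cur['includes'].append(line.split(None, 1)[1].strip())
        elif m := RULE.match(line):
            cur['rules'].append((m.group(1), re.compile(m.group(2), re.I if m.group(3) else 0)))
        else:
            raise ValueError('unparsable line: %r' % line)
    return sections

def rules_for(sections, name, seen=frozenset()):
    """Flatten a section's rules with those of its includes (depth-first, cycle-safe)."""
    if name in seen:
        return []
    inc = [r for i in sections[name]['includes'] for r in rules_for(sections, i, seen | {name})]
    return inc + sections[name]['rules']

def classify(sections, name, logline):
    """Strongest matching kind ('A', 'W' or 'I') for one log line under section `name`; None if no rule matched."""
    kinds = {k for k, rx in rules_for(sections, name) if rx.search(logline)}
    return 'I' if 'I*' in kinds else (max(kinds, key=RANK.get) if kinds else None)
```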