commit 9dcf5ae67ef01c2ff2108f685d672fd89bae446e
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Nov 9 10:36:52 2016 +0100
Add epylog
roles/epylog/files/epylog-default.cron | 6 +
roles/epylog/files/epylog-merged.cron | 1 +
roles/epylog/files/epylog-web.conf | 15 +
roles/epylog/files/merged/epylog.conf | 32 +
.../files/merged/modules.d/common_unparsed.conf | 14 +
roles/epylog/files/merged/modules.d/kojiload.conf | 10 +
roles/epylog/files/merged/modules.d/logins.conf | 50 ++
roles/epylog/files/merged/modules.d/mail.conf | 20 +
roles/epylog/files/merged/modules.d/notices.conf | 26 +
roles/epylog/files/merged/modules.d/packets.conf | 33 +
roles/epylog/files/merged/modules.d/rsyncd.conf | 16 +
roles/epylog/files/merged/modules.d/selinux.conf | 11 +
roles/epylog/files/merged/modules.d/spamd.conf | 28 +
roles/epylog/files/merged/modules.d/sudo.conf | 11 +
roles/epylog/files/merged/modules.d/weeder.conf | 30 +
roles/epylog/files/merged/notice_dist.xml | 87 ++
roles/epylog/files/merged/notice_local.xml | 94 +++
roles/epylog/files/merged/report_template.html | 22 +
roles/epylog/files/merged/trojans.list | 410 ++++++++++
roles/epylog/files/merged/weed_dist.cf | 179 ++++
roles/epylog/files/merged/weed_local.cf | 369 +++++++++
roles/epylog/files/modules/common_unparsed.conf | 12 +
roles/epylog/files/modules/common_unparsed_mod.py | 118 +++
roles/epylog/files/modules/kojiload.conf | 10 +
roles/epylog/files/modules/kojiload_mod.py | 102 +++
roles/epylog/files/modules/logins_mod.py | 849 ++++++++++++++++++++
roles/epylog/files/modules/rsyncd.conf | 14 +
roles/epylog/files/modules/rsyncd_mod.py | 219 +++++
roles/epylog/files/modules/selinux.conf | 11 +
roles/epylog/files/modules/selinux_mod.py | 116 +++
roles/epylog/files/modules/sudo.conf | 11 +
roles/epylog/files/modules/sudo_mod.py | 191 +++++
roles/epylog/tasks/main.yml | 51 ++
33 files changed, 3168 insertions(+), 0 deletions(-)
---
diff --git a/roles/epylog/files/epylog-default.cron
b/roles/epylog/files/epylog-default.cron
new file mode 100644
index 0000000..33daaae
--- /dev/null
+++ b/roles/epylog/files/epylog-default.cron
@@ -0,0 +1,6 @@
+#!/bin/sh
+# Run epylog daily.
+#
+# just disable this so we don't run the global one anywhere
+# better to run a specific one (or ones)
+#/usr/sbin/epylog --cron
diff --git a/roles/epylog/files/epylog-merged.cron
b/roles/epylog/files/epylog-merged.cron
new file mode 100644
index 0000000..c7a5983
--- /dev/null
+++ b/roles/epylog/files/epylog-merged.cron
@@ -0,0 +1 @@
+30 2,8,14,20 * * * root /usr/sbin/epylog --cron -c /etc/epylog/merged/epylog.conf --last
6h
diff --git a/roles/epylog/files/epylog-web.conf b/roles/epylog/files/epylog-web.conf
new file mode 100644
index 0000000..dc7fe5a
--- /dev/null
+++ b/roles/epylog/files/epylog-web.conf
@@ -0,0 +1,15 @@
+Alias /epylog /srv/web/epylog
+
+# need these to do the auth
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule authn_file_module modules/mod_authn_file.so
+
+<Directory /srv/web/epylog>
+ Options FollowSymLinks Indexes
+ AuthType Basic
+ AuthName "Fedora Log Server"
+ AuthBasicProvider file
+ AuthUserFile /srv/web/epylog/.htpasswd
+ Require valid-user
+</Directory>
+
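Review bot: `AuthUserFile /srv/web/epylog/.htpasswd` stores the credential file inside the very tree that `Alias /epylog /srv/web/epylog` publishes, so it is only kept from being downloaded by whatever `<Files ".ht*">` rule the host's main httpd.conf happens to carry; pointing `AuthUserFile` at a path outside /srv/web/epylog removes that dependency. `Options FollowSymLinks Indexes` also enables directory listings for the whole report tree, which is more than the generated report pages need; `Options FollowSymLinks` alone is sufficient unless browsing the date directories is wanted. Basic auth transmits the password on every request, so this fragment should only be served over TLS; the https `pubroot` in epylog.conf suggests that is the intent, but nothing in this file enforces it, and a `<Directory>`-level `SSLRequireSSL` or an http-to-https redirect would. `AuthName "Fedora Log Server"` looks carried over from another site's config and would be clearer as the rpmfusion name.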
diff --git a/roles/epylog/files/merged/epylog.conf
b/roles/epylog/files/merged/epylog.conf
new file mode 100644
index 0000000..3236791
--- /dev/null
+++ b/roles/epylog/files/merged/epylog.conf
@@ -0,0 +1,32 @@
+##
+# Main Epylog configuration file. See epylog.conf(5) for more info.
+#
+[main]
+cfgdir = /etc/epylog/merged
+tmpdir = /var/log/tmp
+vardir = /var/lib/epylog/merged
+
+[report]
+title = Merged system events: @@LOCALTIME@@
+template = /etc/epylog/merged/report_template.html
+include_unparsed = yes
+publishers = file
+
+[mail]
+method = mail
+smtpserv = /usr/sbin/sendmail -t
+mailto = sysadmin-logs-members(a)rpmfusion.org
+format = plain
+lynx = /usr/bin/lynx
+include_rawlogs = no
+rawlogs_limit = 200
+
+[file]
+method = file
+path = /srv/web/epylog/merged/
+dirmask = %Y-%b-%d_%a
+filemask = %H%M
+expire_in = 7
+notify = sysadmin-logs-members(a)rpmfusion.org
+smtpserv = /usr/sbin/sendmail -t
+pubroot =
https://admin.rpmfusion.org/epylog/merged
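Review bot: `publishers = file` selects only the `[file]` section, so the whole `[mail]` section (method, smtpserv, mailto, lynx, rawlogs settings) is dead configuration that a reader will assume is active; either add `mail` to `publishers` or drop the section and leave a comment such as `# mail publisher intentionally not enabled; [file] notify= sends the link` above `[file]`. With `include_unparsed = yes` every report written under `/srv/web/epylog/merged/` carries the raw unmatched log lines (usernames, hostnames, source addresses), so the Basic-auth `<Directory>` in epylog-web.conf is the only thing standing between those lines and the web; that is worth stating in the header comment. `expire_in = 7` keeps a week of reports on disk while the cron job runs four times a day, which is fine but deserves a `# days` comment since the unit is not obvious.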
diff --git a/roles/epylog/files/merged/modules.d/common_unparsed.conf
b/roles/epylog/files/merged/modules.d/common_unparsed.conf
new file mode 100644
index 0000000..1369fe4
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/common_unparsed.conf
@@ -0,0 +1,14 @@
+[module]
+desc = Common Unparsed Similar Strings Module
+exec = /usr/share/epylog/modules/common_unparsed_mod.py
+files = /var/log/merged/messages.log[.#.gz], /var/log/merged/secure.log[.#.gz]
+enabled = no
+internal = yes
+outhtml = yes
+priority = 10
+
+
+[conf]
+# how similar the strings need to be 0-100 - 0 being not at all (bad idea) 100 being
almost exactly.
+match_percentage = 95
+debug_dump = 0
\ No newline at end of file
diff --git a/roles/epylog/files/merged/modules.d/kojiload.conf
b/roles/epylog/files/merged/modules.d/kojiload.conf
new file mode 100644
index 0000000..c5c7ee5
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/kojiload.conf
@@ -0,0 +1,10 @@
+[module]
+desc = KojiLoad summary
+exec = /usr/share/epylog/modules/kojiload_mod.py
+files = /var/log/merged/messages.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 7
+
+[conf]
diff --git a/roles/epylog/files/merged/modules.d/logins.conf
b/roles/epylog/files/merged/modules.d/logins.conf
new file mode 100644
index 0000000..9db7c05
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/logins.conf
@@ -0,0 +1,50 @@
+[module]
+desc = Logins
+exec = /usr/share/epylog/modules/logins_mod.py
+files = /var/log/merged/messages.log[.#.gz], /var/log/merged/secure.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 0
+
+[conf]
+##
+# Only enable things useful for your configuration to speed things
+# up. The more stuff you enable, the slower matching will be.
+#
+enable_pam = 1
+enable_xinetd = 1
+enable_sshd = 1
+enable_uw_imap = 0
+enable_dovecot = 0
+enable_courier = 0
+enable_imp = 0
+enable_proftpd = 0
+##
+# This is a fun setting. You can list domains that are "safe" here.
+# E.g. if your org's domain is
example.com and you generally don't
+# expect logins from hosts in
example.com domain to be suspicious, you
+# can add "example.com$" as a safe domain. This way anyone logging in from
+# a remote host not matching *.example.com will be flagged in red and the
+# full hostname of the connecting machine will be printed in the report.
+# List multiple values separated by comma.
+# E.g.: safe_domains = example.com$, foo.edu$
+# The default is .*, meaning all domains are considered safe. To turn
+# this off specify something like:
+# safe_domains = !.*
+safe_domains = .*
+##
+# If you have too many systems, wide-scale probing may turn ugly. This
+# will collapse the reports.
+systems_collapse = 10
+
+
+# comma/space separated list of users to ignore - unknown is the internal "no user
given"
+ignore_users = unknown
+# path to where we keep the logins db
+loginsdb_path = /var/lib/epylog/logins_db.sqlite
+# clean up entries in the db which are more than this many days old
+remove_older_than = 14
+# time fuzz - default time (in minutes) which is valid fuzzy match for a login to not be
listed
+time_fuzz = 60
+
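Review bot: `safe_domains = .*` keeps the module's default of treating every remote host as safe, so the red-flagging of logins from unexpected domains that the comment block above describes is effectively switched off for a configuration whose other values (rpmfusion.org addresses, hv01.online.rpmfusion.org in rsyncd.conf) are clearly site-specific; an anchored entry for the org's own domain, e.g. `safe_domains = rpmfusion\.org$`, is what makes that check useful. `loginsdb_path = /var/lib/epylog/logins_db.sqlite` sits outside the `vardir = /var/lib/epylog/merged` that epylog.conf gives this "merged" instance; if a second, non-merged epylog instance ever runs on the same host the two would share one logins database, so `/var/lib/epylog/merged/logins_db.sqlite` is the safer location (inferred, since the default-instance config is not part of this commit). The `ignore_users` and `time_fuzz` comment lines are wrapped mid-sentence in this rendering; worth checking that the committed file has them on single lines, because an indented continuation is parsed as part of the value.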
diff --git a/roles/epylog/files/merged/modules.d/mail.conf
b/roles/epylog/files/merged/modules.d/mail.conf
new file mode 100644
index 0000000..3b1e93b
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/mail.conf
@@ -0,0 +1,20 @@
+[module]
+desc = Mail Report
+exec = /usr/share/epylog/modules/mail_mod.py
+files = /var/log/merged/mail.log[.#.gz]
+enabled = no
+internal = yes
+outhtml = yes
+priority = 5
+
+[conf]
+##
+# Enable sendmail, postfix, or both
+#
+enable_sendmail = 1
+enable_postfix = 1
+enable_qmail = 0
+##
+# Report at most this many "top things"
+#
+top_report_limit = 5
diff --git a/roles/epylog/files/merged/modules.d/notices.conf
b/roles/epylog/files/merged/modules.d/notices.conf
new file mode 100644
index 0000000..65289cc
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/notices.conf
@@ -0,0 +1,26 @@
+[module]
+desc = Notices
+exec = /usr/share/epylog/modules/notices_mod.py
+files = /var/log/merged/messages.log[.#.gz], /var/log/merged/secure.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 7
+
+[conf]
+##
+# Where is your notice_dist.xml file?
+#
+notice_dist = /etc/epylog/merged/notice_dist.xml
+##
+# Add your own notices into notice_local.xml, not into notice_dist.xml!
+# This way you don't risk missing future revisions to notice_dist.xml
+#
+notice_local = /etc/epylog/merged/notice_local.xml
+##
+# You can list the ids of <notice> members from notice_dist.xml here
+# namely, or you can use ALL to enable all of them. There is no need
+# to add members from notice_local.xml here -- they will be enabled
+# automatically.
+#
+enable = ALL
diff --git a/roles/epylog/files/merged/modules.d/packets.conf
b/roles/epylog/files/merged/modules.d/packets.conf
new file mode 100644
index 0000000..e1b6192
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/packets.conf
@@ -0,0 +1,33 @@
+[module]
+desc = Packet Filter
+exec = /usr/share/epylog/modules/packets_mod.py
+files = /var/log/merged/messages.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 1
+
+[conf]
+##
+# Where to look for the trojans list.
+#
+trojan_list = /etc/epylog/merged/trojans.list
+##
+# If a remote host hits this many systems, then don't list them namely,
+# but collapse them into a nice report, e.g.: [50 hosts]
+#
+systems_collapse = 5
+##
+# Useful for massive portscans. Don't list all the ports namely, but
+# present them in a collapsed view. E.g.: [50 ports]
+ports_collapse = 5
+##
+# Enable iptables, ipchains, ipfilter, or all three.
+#
+enable_iptables = 1
+enable_ipchains = 1
+enable_ipfilter = 0
+##
+# Sort by any of the following: packets, source, system, port
+#
+sortby=port
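Review bot: `sortby=port` is the only key in these module files written without spaces around `=`; every other line here uses `key = value`, so `sortby = port` keeps the file consistent. `enable_ipchains = 1` enables matching for the Linux 2.2-era ipchains log format; if all reporting hosts run a modern kernel, `enable_ipchains = 0` avoids trying those regexes on every line (inferred from the comment's own "or all three" wording, no behavior change otherwise). The `[conf]` section would also benefit from a one-line comment above `trojan_list` saying that the list is only used to label a port in the report, not to decide whether a packet is reported.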
diff --git a/roles/epylog/files/merged/modules.d/rsyncd.conf
b/roles/epylog/files/merged/modules.d/rsyncd.conf
new file mode 100644
index 0000000..ea46539
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/rsyncd.conf
@@ -0,0 +1,16 @@
+[module]
+desc = Rsyncd
+exec = /usr/share/epylog/modules/rsyncd_mod.py
+files = /var/log/merged/messages.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 7
+
+[conf]
+##
+# Report this many "top ranking hosts"
+#
+report_top = 10
+ignore_hosts =
hv01.online.rpmfusion.org
+
diff --git a/roles/epylog/files/merged/modules.d/selinux.conf
b/roles/epylog/files/merged/modules.d/selinux.conf
new file mode 100644
index 0000000..45e4d87
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/selinux.conf
@@ -0,0 +1,11 @@
+[module]
+desc = SELinux Report
+exec = /usr/share/epylog/modules/selinux_mod.py
+files = /var/log/merged/messages.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 5
+
+[conf]
+enable_selinux = 1
diff --git a/roles/epylog/files/merged/modules.d/spamd.conf
b/roles/epylog/files/merged/modules.d/spamd.conf
new file mode 100644
index 0000000..61e6ae1
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/spamd.conf
@@ -0,0 +1,28 @@
+[module]
+desc = Spamassassin
+exec = /usr/share/epylog/modules/spamd_mod.py
+files = /var/log/merged/mail.log[.#.gz]
+enabled = no
+internal = yes
+outhtml = yes
+priority = 7
+
+[conf]
+##
+# Report this many "top ranking users"
+#
+report_top = 10
+##
+# Consider this the spam threshold when reporting the scores.
+# Anything above this will be flagged as spam. The last column shows
+# the score and then non-spam/spam in the parenthesis. E.g.:
+# -1.3 (10/3) -- the mean score is -1.3, 10 messages under spam_threshold,
+# and 3 messages over it.
+#
+spam_threshold = 5
+##
+# Rank the top users according to this parameter. Valid entries are:
+# "most spammed" -- sorts by users with the topmost score
+# "most messages" -- sorts by users who received most messages
+#
+sort_by = most spammed
diff --git a/roles/epylog/files/merged/modules.d/sudo.conf
b/roles/epylog/files/merged/modules.d/sudo.conf
new file mode 100644
index 0000000..fef8676
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/sudo.conf
@@ -0,0 +1,11 @@
+[module]
+desc = Sudo Report
+exec = /usr/share/epylog/modules/sudo_mod.py
+files = /var/log/merged/secure.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 5
+
+[conf]
+enable_sudo = 1
diff --git a/roles/epylog/files/merged/modules.d/weeder.conf
b/roles/epylog/files/merged/modules.d/weeder.conf
new file mode 100644
index 0000000..160a131
--- /dev/null
+++ b/roles/epylog/files/merged/modules.d/weeder.conf
@@ -0,0 +1,30 @@
+[module]
+desc = Weedeater
+exec = /usr/share/epylog/modules/weeder_mod.py
+files = /var/log/merged/messages.log[.#.gz], /var/log/merged/secure.log[.#.gz]
+enabled = yes
+internal = yes
+outhtml = yes
+priority = 9
+
+[conf]
+##
+# Where to look for a weed_dist.cf file.
+#
+weed_dist = /etc/epylog/merged/weed_dist.cf
+##
+# Where to look for a weed_local.cf file
+#
+weed_local = /etc/epylog/merged/weed_local.cf
+##
+# This is where it gets interesting.
+# If you look into weed_dist.cf, you will notice that the entries
+# are listed by section titles. List here only the sections that are
+# relevant to your setup to speed things up. The more sections you
+# enable, the slower matching will go, as it has to try more
+# regexes. Note that [ADD] and [REMOVE] sections in weed_local are
+# special, any other sections in that file will be ignored.
+#
+# You can use 'ALL' to enable all sections.
+#
+enable = ALL
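Review bot: `enable = ALL` contradicts the advice in the comment directly above it: weed_dist.cf in this same commit carries sections such as `[printer]`, `[afpd]`, `[pumpd]`, `[courier-imap]` and `[uw-imap]` that cannot match anything on these hosts, and each enabled section adds regexes to try against every merged log line. Listing only the relevant sections, for example `enable = pam, crond, sshd, kernel, postfix, spamd, misc` (an illustrative set; pick from the section titles in weed_dist.cf), follows the file's own guidance. If `ALL` is deliberate, a short comment saying so (e.g. `# ALL kept on purpose until the host mix settles`) would stop the next reader from "fixing" it.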
diff --git a/roles/epylog/files/merged/notice_dist.xml
b/roles/epylog/files/merged/notice_dist.xml
new file mode 100644
index 0000000..c717280
--- /dev/null
+++ b/roles/epylog/files/merged/notice_dist.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0"?>
+<!--
+
+ CAUTION:
+ It is not advised to edit this file! You may miss any future
+ revisions made to it. Instead, create/edit notice_local.xml and
+ add your rules to it following the same XML layout as presented in
+ this file. All members of notice_local.xml will be added
+ indiscriminately, i.e. you don't have to specify the id of the
+ <notice> in notices.conf: any notices added in notice_local.xml
+ will be enabled in the module automatically.
+
+ $Revision: 1.4.2.5 $
+
+-->
+<notices>
+ <notice id="gconfd">
+ <regex>gconfd.*: Failed to get lock.*Failed to create</regex>
+ <regex>gconfd.*: Error releasing lockfile</regex>
+ <regex>gconfd.*: .* Could not lock temporary file</regex>
+ <regex>gconfd.*: .* another process has the lock</regex>
+ <report>GConf locking errors</report>
+ </notice>
+
+ <notice id="fatalx">
+ <regex>Fatal X error</regex>
+ <report>Fatal X errors</report>
+ </notice>
+
+ <notice id="floppy">
+ <regex>floppy0:|\(floppy\)</regex>
+ <report>Misc floppy errors</report>
+ </notice>
+
+ <notice id="ypserv">
+
<regex>ypserv.*:\srefused\sconnect\sfrom\s(\S+):\d+\sto\sprocedure\s(\S+)</regex>
+ <report>%s denied for %s</report>
+ </notice>
+
+ <notice id="linux_boot" critical="yes">
+ <regex>kernel:\sLinux\sversion\s(\S*)</regex>
+ <report>Rebooted with Linux kernel %s</report>
+ </notice>
+
+ <notice id="cdrom_vfs">
+ <regex>VFS: busy inodes on changed media</regex>
+ <report>dirty CDROM mount</report>
+ </notice>
+
+ <notice id="cdrom">
+ <regex>kernel: cdrom: This disc doesn</regex>
+ <regex>kernel: .*Make sure there is a disc in the drive.</regex>
+ <report>Misc CDROM errors</report>
+ </notice>
+
+ <notice id="dirty_floppy">
+ <regex>attempt to access beyond end of device</regex>
+ <regex>rw=\d+, want=\d+, limit=\d+</regex>
+ <regex>Directory sread .* failed</regex>
+ <regex>kernel: bread in fat_access failed</regex>
+ <report>Dirty floppy mount [non-indicative]</report>
+ </notice>
+
+ <notice id="nfs_timeout" critical="yes">
+ <regex>nfs: server (\S+) not responding</regex>
+ <regex>nfs: server (\S+) OK</regex>
+ <report>NFS timeouts to server %s</report>
+ </notice>
+
+ <notice id="insmod">
+ <regex>insmod: Hint: insmod errors</regex>
+ <report>insmod errors</report>
+ </notice>
+
+ <notice id="selinux-denied">
+
<regex>audit\S+:\s+avc:\s+denied\s+\{\s([^\}]+)\s\}.*exe=(\S+).*scontext=(\S+)</regex>
+ <report>SELinux: denied "%s" for "%s"
(scontext=%s)</report>
+ </notice>
+
+ <notice id="crond">
+ <regex>CROND\S+: \((\S+)\) CMD \(([^\)]+)\)</regex>
+ <regex>crond\S+: \((\S+)\) CMD \(([^\)]+)\)</regex>
+ <report>Cron: user '%s' (%s)</report>
+ </notice>
+
+</notices>
+
diff --git a/roles/epylog/files/merged/notice_local.xml
b/roles/epylog/files/merged/notice_local.xml
new file mode 100644
index 0000000..7091913
--- /dev/null
+++ b/roles/epylog/files/merged/notice_local.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0"?>
+<!--
+
+This is where you should put your own notice rules. The format is
+simple:
+ <notice id="uniqueid" [critical="yes"]>
+ <regex>python compliant regex string</regex>
+ <regex>another regex, if more than one string is needed</regex>
+ <report>What should go into the report</report>
+ </notice>
+
+See notice_dist.xml for examples. Any custom notices you add here do
+not need to be added into the notices.conf file, as they will be
+enabled automatically.
+
+-->
+
+<notices>
+ <notice id="oom-killer">
+ <regex>kernel: (\S+) invoked oom-killer.*</regex>
+ <report>%s invoked oom-killer - see unparsed</report>
+ </notice>
+
+ <notice id="kerneltrace" critical="yes">
+ <regex>kernel: Call Trace</regex>
+ <report>kernel call trace - see unparsed for details</report>
+ </notice>
+<!--
+ <notice id="auditd-down" critical="yes">
+ <regex>kernel: type=.*audit\(.*</regex>
+ <report>auditd appears to be down</report>
+ </notice>
+-->
+
+ <notice id="Rootkit-hunter-warning" critical="yes">
+ <regex>Rootkit Hunter:.*Please inspect this machine, because it may be
infected.*</regex>
+ <report>Rootkit Hunter has noticed a potential issue</report>
+ </notice>
+ <notice id="brokenpuppetnodetyaml">
+ <regex>puppet_yamltest: cleaning damaged puppet yaml file:(.*)</regex>
+ <report>Corrupted yaml file %s</report>
+ </notice>
+ <notice id="nf_conntrack" critical="yes">
+ <regex>kernel: nf_conntrack: table full.*</regex>
+ <report>Connection tracking table full.</report>
+ </notice>
+
+ <notice id="openvpn_reconnect" critical="yes">
+ <regex>openvpn\[\d+\]: .*:\d+ \[(.*)\] Peer Connection Initiated with
.*:\d+</regex>
+ <report>openvpn [re]connect from %s.</report>
+ </notice>
+
+ <notice id="openvpn_tls_failed" critical="yes">
+ <regex>openvpn\[\d+\]: (.*)/.* TLS Error: TLS handshake failed</regex>
+ <report>openvpn TLS handshake failed: %s</report>
+ </notice>
+ <notice id="openvpn_tls_failed_time" critical="yes">
+ <regex>openvpn\[\d+\]: (.*)/.* TLS Error: TLS key negotiation failed ot occur
within.*</regex>
+ <report>openvpn TLS handshake failed - timeout: %s</report>
+ </notice>
+ <notice id="openvpn_bad_packet_id" critical="yes">
+ <regex>openvpn\[\d+\]: (.*)/.* Authenticate/Decrypt packet error: bad packet
ID.*</regex>
+ <report>openvpn auth/decrypt - bad packet id: %s</report>
+ </notice>
+
+ <notice id="stunnel_websocket" critical="no">
+ <regex>stunnel:.*websockets accepted connection from (.*):.*</regex>
+ <report>stunnel: websocket connection from %s</report>
+ </notice>
+
+ <notice id="nagios_alerts" critical="yes">
+ <regex>nagios:.*HOST.*ALERT:.*</regex>
+ <report>nagios alerts: </report>
+ </notice>
+
+ <notice id="nagios_pages" critical="yes">
+ <regex>nagios:.*HOST.*NOTIFICATION:.*kevin-emergency.*</regex>
+ <report>nagios pages: </report>
+ </notice>
+
+<notice id="totp-success">
+ <regex>totp\.cgi.*: Success: user=(\S+),.*host=(\S+),</regex>
+ <report>totpcgi: %s from %s (Success)</report>
+</notice>
+<notice id="totp-failure" critical="yes">
+ <regex>totp\.cgi.*: Failure: user=(\S+),.*host=(\S+),</regex>
+ <report>totpcgi: %s from %s (Failure)</report>
+</notice>
+<notice id="EXT4-error" critical="yes">
+ <regex>kernel:.* EXT4-fs error.*</regex>
+ <report>EXT4 Error/disk failure noticed</report>
+</notice>
+</notices>
+
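Review bot: The `openvpn_tls_failed_time` regex contains `TLS key negotiation failed ot occur`; OpenVPN logs that message as "failed to occur within …", so with the transposed letters this critical notice should never match, and `failed to occur` is the fix (the regex is shown wrapped across two lines in this rendering, which is also worth checking in the committed file). `nagios_pages` only fires on notifications containing `kevin-emergency`, a contact name that appears copied from another site's configuration along with the "Fedora Log Server" AuthName in epylog-web.conf; it should name the rpmfusion contact or be dropped. The commented-out `auditd-down` notice carries no explanation, so a one-line XML comment stating why it is disabled (e.g. too noisy, or regex not yet verified) would keep it from being silently re-enabled later. The `totp-success`/`totp-failure`/`EXT4-error` notices are also indented differently from the rest of the file; aligning them is a small readability gain.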
diff --git a/roles/epylog/files/merged/report_template.html
b/roles/epylog/files/merged/report_template.html
new file mode 100644
index 0000000..4d60b38
--- /dev/null
+++ b/roles/epylog/files/merged/report_template.html
@@ -0,0 +1,22 @@
+<html>
+ <head>
+ <title>@@TITLE@@</title>
+ <style type="text/css">
+ h1 {color: gray; border-bottom: 3px double silver}
+ h2,h3 {color: gray; border-bottom: 1px solid silver}
+ </style>
+ </head>
+ <body>
+ <h1>@@HOSTNAME@@</h1>
+ <p>First event: <strong>@@STARTTIME@@</strong><br />
+ Last event: <strong>@@ENDTIME@@</strong></p>
+ <hr />
+ @@MODULE_REPORTS@@
+ <hr />
+ <h2>Unparsed Strings:</h2>
+ @@UNPARSED_STRINGS@@
+ <hr />
+ <p align="right">Brought to you by
+ <a
href="http://linux.duke.edu/projects/epylog/">@@VERSION@@<...
+ </body>
+</html>
diff --git a/roles/epylog/files/merged/trojans.list
b/roles/epylog/files/merged/trojans.list
new file mode 100644
index 0000000..09b795b
--- /dev/null
+++ b/roles/epylog/files/merged/trojans.list
@@ -0,0 +1,410 @@
+1/udp Sockets des Troie
+2/tcp Death
+30/tcp Agent 40421
+31/tcp Agent 31
+41/tcp Deep Throat
+48/tcp DRAT
+58/tcp DMSetup
+59/tcp DMSetup
+79/tcp CDK
+81/tcp RemoConChubo
+99/tcp Hidden Port
+121/tcp Attack Bot
+133/tcp Farnaz
+142/tcp NetTaxi
+146/tcp Infector
+146/udp Infector
+170/tcp A-trojan
+334/tcp Backage
+411/tcp Backage
+420/tcp Breach
+421/tcp TCP Wrappers trojan
+455/tcp Fatal Connections
+456/tcp Hackers Paradise
+513/tcp Grlogin
+514/tcp RPC Backdoor
+531/tcp Net666, Rasmin
+555/tcp Seven-Eleven
+605/tcp Secret Service
+666/tcp The Ripperz
+667/tcp SniperNet
+669/tcp DP trojan
+692/tcp GayOL
+777/tcp AimSpy
+808/tcp WinHole
+911/tcp Dark Shadow
+999/tcp Deep Throat
+1000/tcp Der Spaeher
+1001/tcp Der Spaeher
+1010/tcp Doly Trojan
+1011/tcp Doly Trojan
+1012/tcp Doly Trojan
+1015/tcp Doly Trojan
+1016/tcp Doly Trojan
+1020/tcp Vampire
+1024/tcp NetSpy
+1025/tcp Remote Storm
+1025/udp Remote Storm
+1035/tcp Multidropper
+1042/tcp BLA trojan
+1045/tcp Rasmin
+1049/tcp /sbin/initd
+1050/tcp MiniCommand
+1053/tcp The Thief
+1054/tcp AckCmd
+1080/tcp WinHole
+1081/tcp WinHole
+1082/tcp WinHole
+1083/tcp WinHole
+1090/tcp Xtreme
+1095/tcp RAT
+1097/tcp RAT
+1098/tcp RAT
+1099/tcp RAT
+1150/tcp Orion
+1151/tcp Orion
+1170/tcp PSS
+1200/udp NoBackO
+1201/udp NoBackO
+1207/tcp SoftWAR
+1208/tcp Infector
+1212/tcp Kaos
+1234/tcp SubSeven
+1243/tcp BackDoor-G
+1245/tcp VooDoo Doll
+1255/tcp Scarab
+1256/tcp Project nEXT
+1269/tcp Matrix
+1272/tcp The Matrix
+1313/tcp NETrojan
+1338/tcp Millenium Worm
+1349/tcp Bo dll
+1394/tcp GoFriller
+1441/tcp Remote Storm
+1492/tcp FTP99CMP
+1524/tcp Trinoo
+1568/tcp Remote Hack
+1600/tcp Shivka-Burka
+1703/tcp Exploiter
+1777/tcp Scarab
+1807/tcp SpySender
+1966/tcp Fake FTP
+1967/tcp WM FTP Server
+1969/tcp OpC BO
+1981/tcp Bowl, Shockrave
+1999/tcp SubSeven
+2000/tcp Der Spaeher
+2001/tcp Der Sp�her
+2023/tcp Ripper Pro
+2080/tcp WinHole
+2115/tcp Bugs
+2130/udp Mini Backlash
+2140/tcp The Invasor
+2140/udp Deep Throat
+2155/tcp Illusion Mailer
+2255/tcp Nirvana
+2283/tcp Hvl RAT
+2300/tcp Xplorer
+2311/tcp Studio 54
+2330/tcp Contact
+2331/tcp Contact
+2332/tcp Contact
+2333/tcp Contact
+2334/tcp Contact
+2335/tcp Contact
+2336/tcp Contact
+2337/tcp Contact
+2338/tcp Contact
+2339/tcp Contact
+2339/udp Voice Spy
+2345/tcp Doly Trojan
+2565/tcp Striker trojan
+2583/tcp WinCrash
+2600/tcp Digital RootBeer
+2716/tcp The Prayer
+2773/tcp SubSeven
+2774/tcp SubSeven
+2801/tcp Phineas Phucker
+2989/udp RAT
+3000/tcp Remote Shut
+3024/tcp WinCrash
+3031/tcp Microspy
+3128/tcp Ringzero
+3129/tcp Masters Paradise
+3150/tcp The Invasor
+3150/udp Deep Throat
+3456/tcp Terror trojan
+3459/tcp Eclipse 2000
+3700/tcp Portal of Doom
+3777/tcp PsychWard
+3791/tcp Total Solar Eclypse
+3801/tcp Total Solar Eclypse
+4000/tcp SkyDance
+4092/tcp WinCrash
+4242/tcp VHM
+4321/tcp BoBo
+4444/tcp Prosiak
+4567/tcp File Nail
+4590/tcp ICQ Trojan
+4950/tcp ICQ Trogen (Lm)
+5000/tcp Back Door Setup
+5001/tcp Back Door Setup
+5002/tcp cd00r
+5010/tcp Solo
+5011/tcp OOTLT
+5025/tcp WM Remote KeyLogger
+5031/tcp Net Metropolitan
+5032/tcp Net Metropolitan
+5321/tcp Firehotcker
+5333/tcp Backage
+5343/tcp wCrat
+5400/tcp Back Construction
+5401/tcp Back Construction
+5402/tcp Back Construction
+5512/tcp Illusion Mailer
+5534/tcp The Flu
+5550/tcp Xtcp
+5555/tcp ServeMe
+5556/tcp BO Facil
+5557/tcp BO Facil
+5569/tcp Robo-Hack
+5637/tcp PC Crasher
+5638/tcp PC Crasher
+5742/tcp WinCrash
+5760/tcp Portmap Remote Root Linux Exploit
+5880/tcp Y3K RAT
+5882/tcp Y3K RAT
+5882/udp Y3K RAT
+5888/tcp Y3K RAT
+5888/udp Y3K RAT
+5889/tcp Y3K RAT
+6000/tcp The Thing
+6006/tcp Bad Blood
+6272/tcp Secret Service
+6400/tcp The Thing
+6661/tcp TEMan
+6666/tcp Dark Connection Inside
+6667/tcp Dark FTP
+6669/tcp Host Control, Vampire
+6670/tcp BackWeb Server
+6711/tcp BackDoor-G
+6712/tcp Funny trojan
+6713/tcp SubSeven
+6723/tcp Mstream
+6771/tcp Deep Throat
+6776/tcp 2000 Cracks
+6838/udp Mstream
+6883/tcp Delta Source DarkStar (??)
+6912/tcp Shit Heep
+6939/tcp Indoctrination
+6969/tcp GateCrasher
+6970/tcp GateCrasher
+7000/tcp Exploit Translation Server
+7001/tcp Freak88
+7215/tcp SubSeven
+7300/tcp NetMonitor
+7301/tcp NetMonitor
+7306/tcp NetMonitor
+7307/tcp NetMonitor
+7308/tcp NetMonitor
+7424/tcp Host Control
+7424/udp Host Control
+7597/tcp Qaz
+7626/tcp Glacier
+7777/tcp God Message, Tini
+7789/tcp Back Door Setup, ICKiller
+7891/tcp The ReVeNgEr
+7983/tcp Mstream
+8080/tcp Brown Orifice
+8787/tcp Back Orifice 2000
+8988/tcp BacHack
+8989/tcp Rcon
+9000/tcp Netministrator
+9325/udp Mstream
+9400/tcp InCommand
+9872/tcp Portal of Doom
+9873/tcp Portal of Doom
+9874/tcp Portal of Doom
+9875/tcp Portal of Doom
+9876/tcp Cyber Attacker, Rux
+9878/tcp TransScout
+9989/tcp Ini-Killer
+9999/tcp The Prayer
+10000/tcp OpwinTRojan
+10005/tcp OpwinTRojan
+10067/udp Portal of Doom
+10085/tcp Syphillis
+10086/tcp Syphillis
+10100/tcp Control Total
+10101/tcp BrainSpy
+10167/udp Portal of Doom
+10520/tcp Acid Shivers
+10528/tcp Host Control
+10607/tcp Coma
+10666/udp Ambush
+11000/tcp Senna Spy Trojan Generator
+11050/tcp Host Control
+11051/tcp Host Control
+11223/tcp Progenic trojan
+12076/tcp Gjamer
+12223/tcp Hack-99 KeyLogger
+12345/tcp Ashley
+12346/tcp Fat Bitch
+12349/tcp BioNet
+12361/tcp Whack-a-mole
+12362/tcp Whack-a-mole
+12363/tcp Whack-a-mole
+12623/udp DUN Control
+12624/tcp ButtMan
+12631/tcp Whack Job
+12754/tcp Mstream
+13000/tcp Senna Spy
+13010/tcp Hacker Brasil - HBR
+13013/tcp PsychWard
+13014/tcp PsychWard
+13223/tcp Hack�99 KeyLogger
+13473/tcp Chupacabra
+14500/tcp PC Invader
+14501/tcp PC Invader
+14502/tcp PC Invader
+14503/tcp PC Invader
+15000/tcp NetDemon
+15092/tcp Host Control
+15104/tcp Mstream
+15382/tcp SubZero
+15858/tcp CDK
+16484/tcp Mosucker
+16660/tcp Stacheldraht
+16772/tcp ICQ Revenge
+16959/tcp SubSeven
+16969/tcp Priority
+17166/tcp Mosaic
+17300/tcp Kuang2 the virus
+17449/tcp Kid Terror
+17499/tcp CrazzyNet
+17500/tcp CrazzyNet
+17569/tcp Infector
+17593/tcp Audiodoor
+17777/tcp Nephron
+18753/udp Shaft
+19864/tcp ICQ Revenge
+20000/tcp Millenium
+20001/tcp Millenium
+20002/tcp AcidkoR
+20005/tcp Mosucker
+20023/tcp VP Killer
+20034/tcp NetBus
+20203/tcp Chupacabra
+20331/tcp BLA trojan
+20432/tcp Shaft
+20433/udp Shaft
+21544/tcp GirlFriend, Kid Terror
+21554/tcp Exploiter
+22222/tcp Donald Dick
+23005/tcp NetTrash
+23006/tcp NetTrash
+23023/tcp Logged
+23032/tcp Amanda
+23432/tcp Asylum
+23456/tcp Evil FTP
+23476/tcp Donald Dick
+23476/udp Donald Dick
+23477/tcp Donald Dick
+23777/tcp InetSpy
+24000/tcp Infector
+25685/tcp Moonpie
+25686/tcp Moonpie
+25982/tcp Moonpie
+26274/udp Delta Source
+26681/tcp Voice Spy
+27374/tcp Bad Blood
+27444/udp Trinoo
+27573/tcp SubSeven
+27665/tcp Trinoo
+28678/tcp Exploiter
+29104/tcp NetTrojan
+29369/tcp ovasOn
+29891/tcp The Unexplained
+30000/tcp Infector
+30001/tcp ErrOr32
+30003/tcp Lamers Death
+30029/tcp AOL trojan
+30100/tcp NetSphere
+30101/tcp NetSphere
+30102/tcp NetSphere
+30103/tcp NetSphere
+30103/udp NetSphere
+30133/tcp NetSphere
+30303/tcp Sockets des Troie
+30947/tcp Intruse
+30999/tcp Kuang2
+31335/tcp Trinoo
+31336/tcp Bo Whack, Butt Funnel
+31337/tcp Back Fire
+31337/udp Back Orifice
+31338/tcp Back Orifice
+31338/udp Deep BO
+31339/tcp NetSpy (DK)
+31666/tcp BOWhack
+31785/tcp Hack�a�Tack
+31787/tcp Hack�a�Tack
+31788/tcp Hack�a�Tack
+31789/udp Hack�a�Tack
+31790/tcp Hack�a�Tack
+31791/udp Hack�a�Tack
+31792/tcp Hack�a�Tack
+32001/tcp Donald Dick
+32100/tcp Peanut Brittle
+32418/tcp Acid Battery
+33270/tcp Trinity
+33333/tcp Blakharaz
+33577/tcp Son of PsychWard
+33777/tcp Son of PsychWard
+33911/tcp Spirit 2000
+34324/tcp Big Gluck
+34444/tcp Donald Dick
+34555/udp Trinoo
+35555/udp Trinoo
+37237/tcp Mantis
+37651/tcp Yet Another Trojan - YAT
+40412/tcp The Spy
+40421/tcp Agent 40421
+40422/tcp Masters Paradise
+40423/tcp Masters Paradise
+40425/tcp Masters Paradise
+40426/tcp Masters Paradise
+41337/tcp Storm
+41666/tcp RBT
+44444/tcp Prosiak
+44575/tcp Exploiter
+47262/udp Delta Source
+49301/tcp OnLine KeyLogger
+50130/tcp Enterprise
+50505/tcp Sockets des Troie
+50766/tcp Fore
+51966/tcp Cafeini
+52317/tcp Acid Battery 2000
+53001/tcp RWS
+54283/tcp SubSeven
+54320/tcp Back Orifice 2000
+54321/tcp Back Orifice 2000
+55165/tcp File Manager trojan
+55166/tcp WM Trojan Generator
+57341/tcp NetRaider
+58339/tcp Butt Funnel
+60000/tcp Deep Throat
+60001/tcp Trinity
+60068/tcp Xzip 6000068
+60411/tcp Connection
+61348/tcp Bunker-Hill
+61466/tcp TeleCommando
+61603/tcp Bunker-Hill
+63485/tcp Bunker-Hill
+64101/tcp Taskman
+65000/tcp Devil
+65390/tcp Eclypse
+65421/tcp Jade
+65432/tcp The Traitor (= th3tr41t0r)
+65432/udp The Traitor (= th3tr41t0r)
+65534/tcp /sbin/initd
+65535/tcp RC1 trojan
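Review bot: This appears to be the stock epylog trojan port list, and it maps ports that legitimate services use every day, such as `8080/tcp Brown Orifice`, `3128/tcp Ringzero`, `1080/tcp WinHole`, `6667/tcp Dark FTP` and `5000/tcp Back Door Setup`, so the packets module will label ordinary proxy, IRC and web traffic with trojan names in the report; a short header comment warning that the names are informational only, or pruning the entries that collide with services actually run here, would reduce that noise. Several entries (`Der Sp�her`, `Hack�99 KeyLogger`, the `Hack�a�Tack` block) show non-ASCII bytes in this rendering; if the committed file really holds Latin-1 bytes, those names will display as garbage in a UTF-8 report and the ASCII spellings already present on other lines (`Der Spaeher`, `Hack-99 KeyLogger`) are the obvious replacement.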
diff --git a/roles/epylog/files/merged/weed_dist.cf
b/roles/epylog/files/merged/weed_dist.cf
new file mode 100644
index 0000000..dd87e2d
--- /dev/null
+++ b/roles/epylog/files/merged/weed_dist.cf
@@ -0,0 +1,179 @@
+##
+# NOTE:
+# Editing this file is not recommended. If you do, you might miss newer
+# revisions of this list in the future versions.
+# See weed_local.cf for instructions on how to add or delete rules.
+#
+
+[pam]
+\(pam_unix\).*: session closed for
+\(pam_unix\).*: check pass;
+
+[dhcpd]
+dhcpd: DHCPREQUEST
+dhcpd: DHCPACK
+dhcpd: DHCPDISCOVER
+dhcpd: DHCPOFFER
+dhcpd: DHCPRELEASE
+dhcpd: DHCPINFORM
+
+[rpc]
+rpc.mountd: authenticated mount request from
+rpc.mountd: authenticated unmount request
+rpc.statd.*: Version .* Starting
+rpc.statd.*: Caught signal 15, un-registering and exiting
+
+[automount]
+automount.*: expired
+automount.*: attempting to mount entry
+automount.*: lookup\(file\): .* failed
+automount.*: starting automounter
+automount.*: using kernel protocol
+automount.*: shutting down
+automount.*: .* No such key in map
+
+[crond]
+CROND.*: \(mailman\) CMD \(/usr/bin/python
+CROND.*: \(root\) CMD \(.*/sbin/rmmod -as\)
+CROND.*: \(root\) CMD \(/usr/lib/sa/sa\d
+CROND.*: \(root\) CMD \(run-parts
+anacron.*: Updated timestamp for job
+
+[bind]
+named.*: lame server resolving
+named.*: .* NS points to CNAME
+named.*: Response from unexpected source
+named.*: .* All possible A RR's lame
+named.*: bad referral
+named.*: Cleaned cache
+named.*: USAGE
+named.*: NSTATS
+named.*: XSTATS
+named.*: .* points to a CNAME
+named.*: denied update from
+named.*: .* Bogus LOOPBACK
+
+[gnome]
+gnome-name-server.*: input condition is:
+gnome-name-server.*: name server starting
+gnome-name-server.*: starting
+gnome-name-server.*: name server was running
+gconfd.*: Resolved address
+gconfd.*: GConf server is not in use
+gconfd.*: Exiting
+gconfd.*: starting
+gconfd.*: .* shutting down cleanly
+gdm.*: Couldn't authenticate user
+xscreensaver.*: FAILED LOGIN
+
+[sshd]
+sshd.*: Generating new .* key.
+sshd.*: .* key generation complete
+sshd.*: Connection closed
+sshd.*: Could not reverse map address
+sshd.*: Received disconnect from
+sshd.*: error: Could not get shadow information for
+sshd.*: Invalid user .* from
+
+[xinetd]
+xinetd.*: .* Transport endpoint is not connected
+xinetd.*: EXIT:
+
+[uw-imap]
+imapd.*: AUTHENTICATE
+imapd.*: Logout
+imapd.*: Killed
+imapd.*: imap.*service init
+imapd.*: Command stream end of file
+imapd.*: Autologout
+imapd.*: Connection reset by peer
+ipop3d.*: AUTHENTICATE
+ipop3d.*: Logout
+ipop3d.*: Killed
+ipop3d.*: Autologout
+ipop3d.*: pop3.*service init
+
+[courier-imap]
+imapd.*: Connection, ip=\[\S+\]
+imapd.*: LOGOUT, user=\S+, ip=\[\S+\]
+imapd.*: Disconnected, ip=\[\S+\]
+imapd.*: DISCONNECTED, user=\S+, ip=\[\S+\]
+imapd.*: LOGOUT, ip=\[\S+\]
+pop3d.*: Connection, ip=\[\S+\]
+pop3d.*: LOGOUT, user=\S+, ip=\[\S+\]
+pop3d.*: Disconnected, ip=\[\S+\]
+pop3d.*: DISCONNECTED, user=\S+, ip=\[\S+\]
+pop3d.*: LOGOUT, ip=\[\S+\]
+
+[postfix]
+postfix/smtp\[\d+\]: connect to
+postfix/smtp\[\d+\]: warning: no MX host
+postfix/smtp\[\d+\]: warning: numeric domain name in resource data
+postfix/smtp\[\d+\]: warning: host .* with my own hostname
+postfix/smtpd.*: connect from
+postfix/smtpd.*: disconnect from
+postfix/smtpd.*: TLS connection established
+postfix/smtpd.*: lost connection
+postfix/cleanup
+postfix/pickup
+
+[sendmail]
+sendmail\[.*:.*NOQUEUE: Null connection from
+sendmail\[.*:.*timeout waiting for input
+
+[qmail]
+qmail:.* new msg
+qmail:.* end msg
+qmail:.* status:
+
+[spamd]
+spamd\[.*: info:
+spamd\[.*: processing message
+spamd\[.*: checking message
+spamd\[.*: connection from
+spamd\[.*: Creating default_prefs
+
+[printer]
+printer: ready to print
+printer: status change
+printer: printing
+printer: peripheral low-power state
+
+[pumpd]
+pumpd.*: renewed lease for interface
+pumpd.*: configured interface
+
+[afpd]
+afpd.*: ASIP session:
+afpd.*: afp_flushfork:
+afpd.*: .*B read,.*B written
+
+[ntpd]
+ntpd.*: kernel time discipline status change
+
+[kernel]
+kernel: application .* uses obsolete OSS audio interface
+kernel: SELinux: initialized
+kernel: device .* left promiscuous mode
+kernel: .*: disabled promiscuous mode
+usb-uhci.c: interrupt, status
+PCI: Found IRQ
+PCI: Sharing IRQ
+PCI: Setting latency timer
+kernel: agpgart: Found
+kernel: agpgart: Putting
+
+[misc]
+modprobe: Can't locate module
+logger: punching nameserver .* through the firewall
+HORDE\[\S*\s*\[imp\] Logout
+LOGIN ON tty.
+dhclient: DHCPREQUEST
+dhclient: DHCPACK
+dhclient: DHCP