###
###	NcFTPd messages
### $Id: ncftpd.txt,v 1.1 2002/03/09 18:26:23 emf Exp $
###

'^.{15,} (.*) NcFTPd: Too many login failures from (.*); usernames used were: (.*)' - - - 0
	pipe "/usr/local/bin/surfmailer -r root -S \"NcFTPd FAILED LOGINS from $3\""

'^.{15,} (.*) NcFTPd: Anonymous user logged in' - - - 0 
	open "$2 NcFTPd:" - 2500 10800 3600
	ignore
'^.{15,} (.*) NcFTPd: Downloading \[(.*)\]' - - - 0 ignore

'^.{15,} (.*) NcFTPd: Uploading \[(.*)\]' - - - 0 
	rule before
	'^.{15,} (.*) NcFTPd: Anonymous user logged out' - '.*' - 3600
		report "/usr/local/bin/surfmailer -r root -S \"NcFTPd File UPLOAD on $2\"" "$2 NcFTPd:"

#
#	There is a bug here. If the user is using a web browser that performs
#	many login/logouts quickly, this will match and collect them all
#	in a context, even if they haven't done anything interesting on the
#	server.  We need to fix this so that it only matches NcFTPd messages
#	but NOT the "Anonymous user logged out message"
#
'^.{15,} (.*) NcFTPd:' - - - 0
	rule before
	'^.{15,} (.*) NcFTPd: Anonymous user logged out' - '.*' - 3600
		report "/usr/local/bin/surfmailer -r root -S \"NcFTPd problems on $2\"" "$2 NcFTPd:"

'^.{15,} (.*) NcFTPd: Anonymous user logged out' - - - 0
	delete "$2 NcFTPd:"

