
Re: logcheck



On Sat, Oct 18, 2003 at 03:39:41PM -0700, Ross Boylan wrote:
> On Sat, Oct 18, 2003 at 11:18:17PM +0200, Rudy Gevaert wrote:
> > On Sat, Oct 18, 2003 at 11:52:15AM +0200, Sven Hoexter wrote:
> > 
> > > > I find the documentation of logcheck too confusing.
> 
> Me too.  I just spent a lot of time staring at the source and
> submitted a patch with much expanded documentation: see bug 215640.

I've browsed it, I'll have a look at it asap.


> Are you saying the messages are getting flagged despite the above
> settings?

Yes.

> That might also happen if some other patterns in
> cracking.d or violations.d are picking them out.  In particular, if
> logcheck (the pattern file, not the program) is picking them out, you
> need to disable it with logcheck-postfix or a local or local-* file
> (logcheck-postfix will only ignore patterns found for the "logcheck"
> file, while local* affects everything).

No entries in cracking.d and no relevant ones in violations.

I now have this:
schamper:/etc/logcheck# grep -r postfix  *
ignore.d/postfix:postfix.*
ignore.d.paranoid/postfix:postfix.*
ignore.d.server/postfix:postfix.*
ignore.d.workstation/postfix:postfix.*

Those are the only files that have something about postfix in them.

Every file has postfix.* in it.

> 
> What severity are your error reports, i.e., what is the message before
> the section in which they appear?  That indicates whether they are
> from a pattern in cracking.d ("Security Alerts"), violations.d
> ("Security Violations"), or just the residual unrecognized "System
> Events".


The severity is 'Possible Security Violations':  e.g.:

Oct 18 16:21:56 schamper postfix/cleanup[18573]: 0C40D5150: reject: header Subject: dont dare to intimate bcos of ur bro too little? oboebefell; from=<uvhuxj@cybergate.com> to=<annelies@schamper.rug.ac.be>: SecuritySage SPAM-ID: h20030701-45001 Your email had spam-like header contents. To report this message as non-spam, please follow the instructions available at http://www.securitysage.com/spam.html


Because I put "postfix.*" in those files, it should discard everything
of postfix, right?

Thanks in advance
-- 
Rudy Gevaert                rudy@zeus.UGent.be
Web page                    http://www.webworm.org
Schamper sysadmin           http://www.schamper.ugent.be
GNU/Linux user and Savannah hacker http://savannah.gnu.org
Friends may come and go, but enemies accumulate.  - Thomas Jones
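Added illustration, not part of the thread and not the logcheck package's own code: a small model of the classification stages the quoted message outlines (cracking.d giving "Security Alerts", violations.d giving "Security Violations", ignore.d discarding lines, the remainder landing in "System Events"), run over constructed log lines including a shortened copy of the postfix reject line above. The pattern lists are constructed in the keyword style of those files, and the assumption that ignore.d only reaches the residual while a per-stage ignore list (here called violations_ignore) is what suppresses a violations hit is labelled as such in the code.

```python
import re
from collections import defaultdict

# Constructed pattern sets that model the stages named in the thread.
# They are illustrative, not copies of the logcheck package's files.
RULES = {
    # cracking.d -> "Security Alerts"
    "cracking": [r"ROOT LOGIN REFUSED", r"PROMISCUOUS MODE"],
    # assumption: a cracking.ignore.d style list that whitelists cracking hits
    "cracking_ignore": [],
    # violations.d -> "Security Violations" (keyword style, constructed)
    "violations": [r"reject", r"denied", r"refused"],
    # assumption: a violations.ignore.d style list that whitelists violations hits
    "violations_ignore": [],
    # ignore.d -> discarded; this is the poster's ignore.d/postfix content
    "ignore": [r"postfix.*"],
}


def _hits(patterns, line):
    """True when any egrep-style pattern matches somewhere in the line."""
    return any(re.search(p, line) for p in patterns)


def classify(line, rules=RULES):
    """Return the report section a line lands in, or None if it is discarded.

    Stage order is an assumption modelled on the quoted message: the
    cracking and violations stages are consulted first, and ignore.d is
    only applied to lines neither of them claimed.
    """
    if _hits(rules["cracking"], line) and not _hits(rules["cracking_ignore"], line):
        return "Security Alerts"
    if _hits(rules["violations"], line) and not _hits(rules["violations_ignore"], line):
        return "Possible Security Violations"
    if _hits(rules["ignore"], line):
        return None
    return "System Events"


def report(lines, rules=RULES):
    """Group lines by report section, dropping discarded ones."""
    sections = defaultdict(list)
    for line in lines:
        section = classify(line, rules)
        if section is not None:
            sections[section].append(line)
    return dict(sections)


# Constructed sample log lines; the first is shortened from the one in the mail,
# with the addresses replaced by example.com ones.
SAMPLE = [
    "Oct 18 16:21:56 schamper postfix/cleanup[18573]: 0C40D5150: reject: header "
    "Subject: ... from=<x@example.com> to=<y@example.com>: SPAM-ID ...",
    "Oct 18 16:22:03 schamper postfix/smtpd[18580]: connect from mail.example.com[192.0.2.10]",
    "Oct 18 16:22:10 schamper kernel: eth0: link up",
]

# A violations-stage ignore pattern (constructed) targeting just the spam-header
# rejects, narrower than "postfix.*" so real rejects of other kinds still surface.
QUIET_RULES = dict(
    RULES,
    violations_ignore=[r"postfix/cleanup\[[0-9]+\]: [0-9A-F]+: reject: header"],
)

if __name__ == "__main__":
    for section, entries in report(SAMPLE).items():
        print(section)
        for entry in entries:
            print("  ", entry)
    print("with violations-stage ignore:", classify(SAMPLE[0], QUIET_RULES))
```

With the default rules the "connect from" line is discarded by postfix.* as expected, but the reject line never reaches that stage because "reject" already matched in the violations stage; only an entry in the violations-stage ignore list (QUIET_RULES) makes it disappear.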


