Ross Boylan
2007-Nov-11 21:04 UTC
[Logcheck-devel] Bug#450874: logcheck-database: bind patterns need to match IPv6
Package: logcheck-database
Version: 1.2.63
Severity: normal
The patterns for bind match IP addresses with
[.[:digit:]]+
which matches IP4 only. I believe the correct pattern is
[.:[:xdigit:]]+
although I stole this from another pattern for courier that used
[.:[:alnum:]]+
I think the courier pattern is overly broad, but I might be wrong.
The particular new rule that I need is
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unexpected RCODE
\((FORMERR|SERVFAIL|NXDOMAIN|NOTIMP|REFUSED|YXDOMAIN|YXRRSET|NXRRSET|NOTAUTH|NOTZONE|BADVERS|<rcode
[[:digit:]]+>|[[:digit:]]+)\) resolving '[^[:space:]]+':
[.:[:xdigit:]]+#[0-9]+$
but the problem seems general (probably other packages have this problem too).
The absence of matching on IPv6 was causing a loop with this report
named[21563]: unexpected RCODE (REFUSED) resolving
'palmcoastcondo.com/NS/IN': ::1#53
When logcheck ran it reported this as a security event. Spamassassin
scanned the message (arguably it shouldn't), and in so doing tried to
lookup the domain again. The domain is misconfigured (the original
message was spam) and reports that ::1 is one of its nameservers.
Thanks to Michael Shuler <michael at pbandjelly.org> for helping me
figure this out.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (990, 'stable'), (50,
'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-- debconf information:
logcheck-database/rules-directories-note:
logcheck-database/standard-rename-note:
logcheck-database/conffile-cleanup: false
Debian Bug Tracking System
2008-Jul-07 18:09 UTC
[Logcheck-devel] Bug#450874: marked as done (logcheck-database: bind patterns need to match IPv6)
Your message dated Mon, 7 Jul 2008 20:06:22 +0200 with message-id <20080707180622.GA14140 at edna.gwendoline.at> and subject line Re: Bug#450874: logcheck-database: bind patterns need to match IPv6 has caused the Debian Bug report #450874, regarding logcheck-database: bind patterns need to match IPv6 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 450874: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=450874 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: Ross Boylan <RossBoylan at stanfordalumni.org> Subject: logcheck-database: bind patterns need to match IPv6 Date: Sun, 11 Nov 2007 13:04:47 -0800 Size: 3632 Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080707/14bbf1c1/attachment.eml -------------- next part -------------- An embedded message was scrubbed... From: Gerfried Fuchs <rhonda at deb.at> Subject: Re: Bug#450874: logcheck-database: bind patterns need to match IPv6 Date: Mon, 7 Jul 2008 20:06:22 +0200 Size: 2507 Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080707/14bbf1c1/attachment-0001.eml