Michael Gurski
2006-Aug-15 04:04 UTC
[Logcheck-devel] Bug#383112: logcheck generates a security alert for bind FORMERR entries, regardless of regex
Package: logcheck
Version: 1.2.47
Severity: normal

Even when using an ignore regex of ^.+$ or ^.+named.+$ in /etc/logcheck/ignore.d.*/, logcheck generates a security alert entry for bind FORMERR log messages, causing every logcheck email to be flagged as an alert:

# sudo -u logcheck logcheck -o -t
This email is sent by logcheck. If you wish to no-longer receive it,
you can either deinstall the logcheck package or modify its
configuration file (/etc/logcheck/logcheck.conf).

Security Alerts
=-=-=-=-=-=-=-
Aug 14 23:02:06 kadath named[6955]: FORMERR resolving 'attacker.com/NS/IN': 216.152.252.8#53
Aug 14 23:02:07 kadath named[6955]: FORMERR resolving 'attacker.com/NS/IN': 64.250.235.139#53

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-1-vserver-amd64-k8
Locale: LANG=C, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages logcheck depends on:
ii  adduser           3.96                     Add and remove users and groups
ii  cron              3.0pl1-95                management of regular background p
ii  debconf [debconf  1.5.3                    Debian configuration management sy
ii  grep              2.5.1.ds2-5              GNU grep, egrep and fgrep
ii  lockfile-progs    0.1.10                   Programs for locking and unlocking
ii  logtail           1.2.47                   Print log file lines that have not
ii  mailx             1:8.1.2-0.20050715cvs-1  A simple mail user agent
ii  postfix [mail-tr  2.3.2-1                  A high-performance mail transport
ii  syslog-ng [syste  2.0rc1-2                 Next generation logging daemon

Versions of packages logcheck recommends:
ii  logcheck-database 1.2.47                   database of system log rules for t

-- debconf information:
  logcheck/changes:
* logcheck/install-note:
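A simplified model of the rule layering behind this report, as an added example that is not part of the original message and not logcheck's own code: a line that matches a cracking.d rule is reported under "Security Alerts" before any ignore.d.* rule is consulted, and only a cracking.ignore.d rule (with SUPPORT_CRACKING_IGNORE=1 in logcheck.conf) can suppress it. The cracking pattern `attack`, the helper function names, the rule file names and the second log line are assumptions constructed for the demonstration; the violations layer is omitted.

```shell
#!/bin/sh
# Simplified model of logcheck's rule layers (added example, not logcheck code).

matches() {  # matches DIR LINE: true if a regex in any file of DIR matches LINE
    for f in "$1"/*; do
        [ -f "$f" ] && printf '%s\n' "$2" | grep -E -q -f "$f" && return 0
    done
    return 1
}

classify() {  # classify RULEDIR LOGFILE: print each reported line with its heading
    while IFS= read -r line; do
        if matches "$1/cracking.d" "$line"; then
            # ignore.d.* is never consulted here; only cracking.ignore.d is,
            # and only when SUPPORT_CRACKING_IGNORE=1.
            if [ "${SUPPORT_CRACKING_IGNORE:-0}" = 1 ] &&
               matches "$1/cracking.ignore.d" "$line"; then
                continue   # suppressed (in this model the line is dropped)
            fi
            echo "Security Alerts: $line"
        elif ! matches "$1/ignore.d.server" "$line"; then
            echo "System Events: $line"
        fi
    done < "$2"
}

demo_setup() {  # build constructed rule directories and a sample log; print the path
    d=$(mktemp -d)
    mkdir "$d/cracking.d" "$d/cracking.ignore.d" "$d/ignore.d.server"
    echo 'attack' > "$d/cracking.d/sample"                 # assumed pattern
    echo '^.+named.+$' > "$d/ignore.d.server/local"        # rule from the report
    echo '^.+named.+$' > "$d/cracking.ignore.d/local"      # same rule, other layer
    cat > "$d/log" <<'EOF'
Aug 14 23:02:06 kadath named[6955]: FORMERR resolving 'attacker.com/NS/IN': 216.152.252.8#53
Aug 14 23:02:07 kadath named[6955]: zone example.org/IN: loaded serial 1
EOF
    echo "$d"
}

d=$(demo_setup)
echo "--- SUPPORT_CRACKING_IGNORE=0"; SUPPORT_CRACKING_IGNORE=0; classify "$d" "$d/log"
echo "--- SUPPORT_CRACKING_IGNORE=1"; SUPPORT_CRACKING_IGNORE=1; classify "$d" "$d/log"
rm -rf "$d"
```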
Debian Bug Tracking System
2008-Sep-04 19:30 UTC
[Logcheck-devel] Bug#383112: marked as done (logcheck generates a security alert for bind FORMERR entries, regardless of regex)
Your message dated Thu, 04 Sep 2008 19:29:25 +0000
with message-id <8826379950.20080904192412 at djmk.net>
and subject line Expert: 'Hybrid' Creatture Is Just a Dog
has caused the Debian Bug report #383112,
regarding logcheck generates a security alert for bind FORMERR entries, regardless of regex
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
383112: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383112
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Michael Gurski <debianbugs at gurski.org>
Subject: logcheck generates a security alert for bind FORMERR entries, regardless of regex
Date: Tue, 15 Aug 2006 00:04:33 -0400
Size: 3448
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080904/bfe57b77/attachment.eml

-------------- next part --------------
An embedded message was scrubbed...
From: "Inclan Beras" <flankers at djmk.net>
Subject: Expert: 'Hybrid' Creatture Is Just a Dog
Date: Thu, 04 Sep 2008 19:29:25 +0000
Size: 5450
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080904/bfe57b77/attachment-0001.eml