thr3ads.net - Logcheck devel - [Logcheck-devel] Bug#410453: logcheck-database: filter kernel messages for UDP as well as TCP/IP traffic [Feb 2007]

If this information is useful, please help other people find it:
Share via:

Matt Corks

2007-Feb-10 19:09 UTC

[Logcheck-devel] Bug#410453: logcheck-database: filter kernel messages for UDP as well as TCP/IP traffic

Package: logcheck-database
Version: 1.2.53
Severity: normal


logcheck is generating messages like this:

Feb 10 13:31:09 waterloo kernel: IN=ppp0 OUT= MAC= SRC=216.58.8.243
DST=239.255.67.250 LEN=176 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=34554
DPT=16680 LEN=156

the closest match to this is the following rule:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: BANDWIDTH_IN:IN=[[:alnum:]]+ OUT=
MAC=[:[:xdigit:]]+ SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+
TOS=0x[[:xdigit:]]+ PREC=0x[[:xdigit:]]+ TTL=[0-9]+ ID=[0-9]+ (DF )?PROTO=TCP
SPT=[0-9]+ DPT=[0-9]+ WINDOW=[0-9]+ RES=0x[[:xdigit:]]+ ACK (PSH )?URGP=[0-9]+$

but it only handles TCP/IP traffic.  logcheck should filter normal UDP inbound
& outbound traffic.

thanks,
matt

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-k7
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]         1.5.11     Debian configuration management sy

logcheck-database recommends no packages.

-- debconf information:
  logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
  logcheck-database/conffile-cleanup: false

Logcheck devel - Feb 2007 - Bug#410453: logcheck-database: filter kernel messages for UDP as well as TCP/IP traffic

[Logcheck-devel] Bug#410453: logcheck-database: filter kernel messages for UDP as well as TCP/IP traffic