thr3ads.net - Logcheck devel - [Logcheck-devel] [PATCH] Re-enabled :port portion of "UDPv4 link" openvpn rule [Jan 2008]

If this information is useful, please help other people find it:
Share via:

Frédéric Brière

2008-Jan-24 22:44 UTC

[Logcheck-devel] [PATCH] Re-enabled :port portion of "UDPv4 link" openvpn rule

I see that this openvpn rule has been modified to no longer attach the
":port" part to "[undef]" -- probably to reflect a recent
change in
openvpn.  Unfortunately, the rule no longer matches in etch, thus
breaking the backport.

Here's a patch to match both versions.


Signed-off-by: Fr?d?ric Bri?re <fbriere at fbriere.net>
---
 rulefiles/linux/ignore.d.server/openvpn |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/rulefiles/linux/ignore.d.server/openvpn
b/rulefiles/linux/ignore.d.server/openvpn
index c57e3cb..1ea6068 100644
--- a/rulefiles/linux/ignore.d.server/openvpn
+++ b/rulefiles/linux/ignore.d.server/openvpn
@@ -19,7 +19,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:(
([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? (Data|Control) Channel
MTU parms \[[[:upper:]:0-9/ ]+\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:
Preserving previous TUN/TAP instance: [[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:(
([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? (Local|Expected Remote)
Options hash \(VER=V[34]\): '[[:xdigit:]]+'$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:
UDPv4 link (local( \(bound\))?|remote): (\[undef\]|[._[:alnum:]-]+:[0-9]+)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:
UDPv4 link (local( \(bound\))?|remote): (\[undef\]|[._[:alnum:]-]+)(:[0-9]+)?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:(
([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: move_session:
dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:(
([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: move_session:
dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:(
([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS: tls_multi_process:
untrusted session promoted to trusted$
-- 
1.5.3.8

Reasonably Related Threads

Search for more maybe matching threads

Logcheck devel - Jan 2008 - [PATCH] Re-enabled :port portion of "UDPv4 link" openvpn rule

[Logcheck-devel] [PATCH] Re-enabled :port portion of "UDPv4 link" openvpn rule

Reasonably Related Threads

Wisdom of the Ancients