I enabled logcheck on a Debian Sarge box and it is including in its reports hundreds of lines like this:

Jun 2 17:56:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20692 PROTO=UDP SPT=520 DPT=520 LEN=32
Jun 2 17:56:39 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20694 PROTO=UDP SPT=520 DPT=520 LEN=32
Jun 2 17:57:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20696 PROTO=UDP SPT=520 DPT=520 LEN=32

Which I've determined are from my router broadcasting RIP packets on port 520.

I believe this is harmless (unless there is some other setting I need to fix), so I want to filter them from the logcheck rules.

I've tried editing /etc/logcheck/ignore.d.server/kernel and tried adding /etc/logcheck/ignore.d.server/local to get an appropriate rule. I'm new to regex and couldn't find a similar enough expression in the other ignore rules to use as a pattern.

I believe I would either like to assume my router is safe and ignore all lines from SRC=192.168.13.10, or possibly add the SPT=520 for clarity.

What is the best way to do this?

Chris
Jamie L. Penman-Smithson
2005-Jun-03 00:37 UTC
[Logcheck-users] Logcheck flagging "RIP" requests from Router
On Thu, 2005-06-02 at 19:20 -0400, Chris wrote:
> I enabled logcheck on a Debian Sarge box and it is including in its reports
> hundreds of lines like this:
>
> Jun 2 17:56:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20692 PROTO=UDP SPT=520 DPT=520 LEN=32
> <snip>
>
> Which I've determined are from my router broadcasting RIP packets on port 520.
>
> I believe this is harmless (unless there is some other setting I need to fix),
> so I want to filter them from the logcheck rules.

You should be able to disable RIP on your router if you don't need it.

> I've tried editing /etc/logcheck/ignore.d.server/kernel and tried adding
> /etc/logcheck/ignore.d.server/local to get an appropriate rule. I'm new to
> regex and couldn't find a similar enough expression in the other ignore rules
> to use as a pattern.

You shouldn't add rules to any of the files in ignore.d.server, ignore.d.workstation etc., as all of your changes will be overwritten when you upgrade. Instead you should put local changes in a local- file, in this case local-kernel (FYI they don't have to be prefixed with local, but it's easier to tell which are your rules and which are provided with logcheck-database).

> I believe I would either like to assume my router is safe and ignore all lines
> from SRC=192.168.13.10, or possibly add the SPT=520 for clarity.
>
> What is the best way to do this?

The regex you're looking for is:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=[0-9]+ PROTO=UDP SPT=520 DPT=520 LEN=32$

That would only ignore the above lines.
It's always best to avoid ignoring too much in case you miss something important.

-j
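To check what a rule like the one above actually suppresses before it goes into /etc/logcheck/ignore.d.server/local-kernel, here is an added example that is not part of either message in this thread. It runs the rule the same way logcheck does, as an egrep -v -f against a rules file, over a handful of constructed iptables log lines: two of the router's RIP broadcasts, a TCP SYN to port 22, and RIP traffic from a different host. The sample lines, the temp file standing in for local-kernel, and the function names are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): dry-run a logcheck ignore rule
# the way logcheck itself applies it, i.e. egrep -v -f <rulefile> over the log.
# Every sample line and file name below is constructed for this example.

# The rule from the reply above, verbatim. It is written to a temp file that
# stands in for /etc/logcheck/ignore.d.server/local-kernel.
RIP_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=[0-9]+ PROTO=UDP SPT=520 DPT=520 LEN=32$'

RULE_FILE=$(mktemp) || exit 1
trap 'rm -f "$RULE_FILE"' EXIT
printf '%s\n' "$RIP_RULE" > "$RULE_FILE"

# Constructed sample log. Note the two spaces after "Jun": syslog pads a
# single-digit day of month, and the rule's [ :0-9]{11} counts on that padding.
#  lines 1-2: the router's RIP broadcasts   -> should be ignored
#  line 3:    a TCP SYN to port 22          -> must still be reported
#  line 4:    RIP traffic from another host -> must still be reported (SRC/MAC differ)
SAMPLE_LOG='Jun  2 17:56:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20692 PROTO=UDP SPT=520 DPT=520 LEN=32
Jun  2 17:56:39 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20694 PROTO=UDP SPT=520 DPT=520 LEN=32
Jun  2 17:58:01 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=00:09:5b:e9:56:a1:00:09:5b:e9:56:a0:08:00 SRC=10.0.0.5 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  2 17:58:30 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.13.77 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=777 PROTO=UDP SPT=520 DPT=520 LEN=32'

# Lines the rule suppresses (what logcheck would drop from the report).
ignored_lines()   { printf '%s\n' "$SAMPLE_LOG" | grep -E -f "$RULE_FILE"; }

# Lines that survive the rule (what logcheck would still mail you).
remaining_lines() { printf '%s\n' "$SAMPLE_LOG" | grep -E -v -f "$RULE_FILE"; }

# Same two views as plain counts, for a quick sanity check.
ignored_count()   { printf '%s\n' "$SAMPLE_LOG" | grep -E -c -f "$RULE_FILE"; }
remaining_count() { printf '%s\n' "$SAMPLE_LOG" | grep -E -v -c -f "$RULE_FILE"; }

echo "ignored by rule: $(ignored_count)"
echo "still reported:  $(remaining_count)"
remaining_lines
```

Two things worth knowing before copying the rule. First, the mail archive has collapsed syslog's "Jun  2" to a single space; on the box itself the day is padded, and the rule only matches the padded form. Second, the unescaped dots in the addresses match any character; that is harmless given the fixed kernel log format, but if you want them literal write 192\.168\.13\.10. The TCP SYN and the RIP line from 192.168.13.77 both survive, which is exactly what pinning the rule to the router's SRC and MAC buys you over a blanket SPT=520 ignore.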