[Logcheck-devel] Bug#265588: logcheck-database: correction to oidentd rules
jonas at mail.kidns.de
Fri Aug 13 20:52:33 UTC 2004
Package: logcheck-database
Version: 1.2.24
Severity: wishlist
hello,
the current rules for oidentd are too strict, as they require connections
to oidentd to come from port 0:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from \
localhost \(127.0.0.1\):0$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from \
[._[:alnum:]-]+ \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\):0$
anyway, ident lookups seem to come from very different ports, according
to my logs:
Aug 12 13:37:37 host oidentd[2673]: Connection from gluck.debian.org (192.25.206.10):39225
Aug 13 19:30:04 host oidentd[27268]: Connection from run.smurf.noris.de (192.109.102.41):51246
Aug 13 16:23:53 host oidentd[25436]: Connection from spohr.debian.org (128.193.0.4):54192
I suggest changing the rules to the following:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from \
localhost \(127.0.0.1\):[0-9]{1,5}$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from \
[._[:alnum:]-]+ \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\):[0-9]{1,5}$
bye
jonas
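As an added example that is not part of the bug report or of the logcheck package: the script below checks both rule sets against sample log lines the way logcheck applies its ignore rules, with `grep -E -f RULEFILE`. The three log lines are the ones quoted above; the localhost lookup and the final line that must not be suppressed are constructed. Each rule is written on one line (the backslash line-wrapping in the mail is only for display). It assumes GNU grep, since `\w` is a GNU extension to POSIX ERE, and mktemp.

```shell
#!/bin/sh
# Added example: test old vs. proposed logcheck ignore rules for oidentd
# against sample syslog lines using grep -E -f, as logcheck does.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Old rules as shipped (source port pinned to :0), one rule per line.
cat > "$WORK/old.rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from localhost \(127.0.0.1\):0$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from [._[:alnum:]-]+ \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\):0$
EOF

# Proposed rules from the report (any 1-5 digit source port).
cat > "$WORK/new.rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from localhost \(127.0.0.1\):[0-9]{1,5}$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from [._[:alnum:]-]+ \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\):[0-9]{1,5}$
EOF

# Sample lines: the three quoted in the report, plus a constructed
# localhost lookup and a constructed line that no rule should ignore.
cat > "$WORK/sample.log" <<'EOF'
Aug 12 13:37:37 host oidentd[2673]: Connection from gluck.debian.org (192.25.206.10):39225
Aug 13 19:30:04 host oidentd[27268]: Connection from run.smurf.noris.de (192.109.102.41):51246
Aug 13 16:23:53 host oidentd[25436]: Connection from spohr.debian.org (128.193.0.4):54192
Aug 13 20:00:00 host oidentd[27300]: Connection from localhost (127.0.0.1):41022
Aug 13 20:00:01 host oidentd[27301]: constructed line that must still be reported
EOF

# count_ignored RULEFILE LOGFILE: number of lines the rule set suppresses.
# grep -c exits 1 when nothing matches, so mask that for the caller.
count_ignored() {
    grep -E -c -f "$1" "$2" || true
}

# count_reported RULEFILE LOGFILE: number of lines that still reach the report.
count_reported() {
    grep -E -v -c -f "$1" "$2" || true
}

# reported RULEFILE LOGFILE: the lines that still reach the report.
reported() {
    grep -E -v -f "$1" "$2" || true
}

echo "old rules: $(count_ignored "$WORK/old.rules" "$WORK/sample.log") ignored," \
     "$(count_reported "$WORK/old.rules" "$WORK/sample.log") reported"
echo "new rules: $(count_ignored "$WORK/new.rules" "$WORK/sample.log") ignored," \
     "$(count_reported "$WORK/new.rules" "$WORK/sample.log") reported"
echo "still reported with new rules:"
reported "$WORK/new.rules" "$WORK/sample.log"
```

With the old rules every real lookup is reported, which is the noise the bug describes; with the proposed rules the four connection lines are suppressed and only the constructed non-matching line is left. Running a candidate rule against a file of real and deliberately non-matching lines like this is worth doing before committing any logcheck rule: a rule that is too strict floods the report, one that is too loose silently hides events, and the anchors (`^`, `$`) plus the bounded `[0-9]{1,5}` are what keep the proposed version from doing the latter.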