[Logcheck-devel] Bug#546004: logcheck-database: logcheck kernel "Treason uncloaked" filter doesn't catch ipv6 addresses.
Tim Small
tim at buttersideup.com
Thu Sep 10 16:12:40 UTC 2009
Package: logcheck-database
Version: 1.2.69
Severity: normal
Tags: patch
kernel log lines of the form:
...kernel: [1933150.816604] TCP: Treason uncloaked!
Peer 0000:0000:0000:0000:0000:ffff:d04e:3f6b:4038/80 shrinks window
2491430013:2491430014. Repaired.
are not caught by the current rules.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31-rc5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-- no debconf information
-------------- next part --------------
--- /tmp/kernel.old 2009-09-10 17:08:58.000000000 +0100
+++ /etc/logcheck/ignore.d.server/kernel 2009-09-10 17:09:24.000000000 +0100
@@ -5,7 +5,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? icmpv6_send: no reply to icmp error$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? [[:alnum:]]+: link up\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ADDRCONF\(NETDEV_CHANGE\): [[:alnum:]]+: link becomes ready$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? TCP: Treason uncloaked! Peer [.[:digit:]]{7,15}:[[:digit:]]{1,5}/[[:digit:]]{1,5} shrinks window [[:digit:]]+:[[:digit:]]+\. Repaired\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? TCP: Treason uncloaked! Peer [[:xdigit:].:]{3,39}:[[:digit:]]{1,5}/[[:digit:]]{1,5} shrinks window [[:digit:]]+:[[:digit:]]+\. Repaired\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? device-mapper: [-.[:alnum:]]+ \([-[:digit:]]{10}\) initialised: dm-devel at redhat\.com$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ACPI: PCI interrupt for device [[:alnum:]:.]+ disabled$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? ACPI: PCI Interrupt [[:alnum:]:.]+\[[AB]\] (-> Link \[LNK[AB]\] )?-> GSI [0-9]+ \(level, low\) -> IRQ [0-9]+$
More information about the Logcheck-devel
mailing list