OK, I've RTFM, read the groups, surfed the net and tested everything I can to make the following log entries go away:

Sep 23 07:48:38 MYSERVER portsentry[10539]: attackalert: Host: pn137.szczecin.sdi.tpnet.pl/217.98.186.137 is already blocked Ignoring

I removed all keywords in the entry from logcheck.hacking (like 'attackalert'). I added ignore rules to the logcheck.ignore file like this:

portsentry.*is already blocked Ignoring

I added it to my violations.ignore too!

Basically what I want is to see the initial catch by portsentry but not every subsequent hit after that. Can someone more savvy than I give me an example that would take this out?

Also, I have yet to find a reference on what the '.' in the logcheck file rules means, or where it needs to go. It seems to be a concatenator? Would this work?

portsentry[*]: attackalert: * already blocked Ignoring

or do things need escaping:

portsentry\[*\]: attackalert: * already blocked Ignoring

or does the '.' have to go before each wildcard:

portsentry\[.*.\]: attackalert: .*already blocked Ignoring

See, none of these seems to help; it's like portsentry logs are included automagically. Well, I need some black magic cuz I'm tired of 500 lines when I only need 5.

I'm glad to do the research and testing myself if someone'd point me to a definitive document explaining, in detail, the syntax of the rules files. The first person to point me to psionic.com gets flamed, and the next person who tells me to read the documentation gets a flamethrower because those docs are so weak.

Thanks in advance and sorry for the rant. I've been trying different combos for hours, and that's after surfing most of the morning for the answer.

-T

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
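An added example, not from the post above or from logcheck itself: logcheck's ignore files are egrep (extended regex) patterns that it applies with `egrep -v -f`, so a candidate rule can be checked offline against a few constructed log lines with the same command. In ERE, `[` and `]` must be escaped, `.` matches any one character, and `.*` is the "anything" wildcard; a bare `*` only repeats the character before it. The sample lines below are constructed for the test, and the `Connect from host` message format is an assumption.

```shell
#!/bin/sh
# Constructed sample log: one initial portsentry catch, two "already blocked"
# repeats for the same host, and one unrelated line that must keep being reported.
SAMPLE_LOG='Sep 23 07:48:38 MYSERVER portsentry[10539]: attackalert: Connect from host: pn137.szczecin.sdi.tpnet.pl/217.98.186.137 to TCP port: 111
Sep 23 07:48:38 MYSERVER portsentry[10539]: attackalert: Host: pn137.szczecin.sdi.tpnet.pl/217.98.186.137 is already blocked Ignoring
Sep 23 07:49:02 MYSERVER portsentry[10539]: attackalert: Host: pn137.szczecin.sdi.tpnet.pl/217.98.186.137 is already blocked Ignoring
Sep 23 07:50:11 MYSERVER sshd[10601]: Accepted password for admin from 10.0.0.5'

# Candidate rule for logcheck.ignore / violations.ignore (ERE syntax):
#   \[ and \]  literal brackets around the PID
#   [0-9]+     one or more digits (the PID)
#   .*         any hostname/IP between "Host:" and "is already blocked"
IGNORE_RULE='portsentry\[[0-9]+\]: attackalert: Host: .* is already blocked Ignoring'

# filter_log PATTERN: print the sample lines that survive the ignore rule,
# which is what logcheck does with `egrep -v -f logcheck.ignore`.
filter_log() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -e "$1"
}

# count_reported PATTERN: how many lines would still end up in the report.
count_reported() {
    filter_log "$1" | wc -l | tr -d ' '
}

# Usage: show what remains once the repeats are ignored. The initial catch
# ("Connect from host") and the sshd line are kept; the two repeats are dropped.
filter_log "$IGNORE_RULE"
```

The post's unescaped attempt `portsentry[*]: attackalert: * already blocked Ignoring` never matches, because `[*]` is a bracket expression matching a literal `*`, so every line is still reported.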
