On Tue, 27 Jun 2006 23:00:42 +0100
Jim Cheetham <[EMAIL PROTECTED]> wrote:
> On Wed, Jun 28, 2006 at 07:23:49AM +1200, Steve Holdoway wrote:
> > Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813: 23-52-175-62.user.auna.net [62.175.52.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> >
> > I added the following line to /etc/logcheck/ignore.d.server/sendmail:
> >
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+:.*did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$
>
> Your regexp looks fine. Try using egrep to run that pattern over the
> original log file and confirm that it matches; if it does then you have
> uncovered a class of match that logcheck is overriding - a common place
> for that to occur is in the attack definitions.
>
> -jim
Hey Jim - how's the windy city???
That was the answer! The keywords VRFY and EXPN were in the file
/etc/logcheck/violations.d/logcheck. You'll probably find SMART in there, Hads
(:
Cheers,
Steve
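The behaviour Steve ran into, replayed as an added example (this is not code from the thread or from logcheck itself): Jim's egrep check is run over a constructed log, then the two passes logcheck makes are imitated with `grep -E`, the engine logcheck feeds its rule files to. The sample log lines, the two-keyword stand-in for `violations.d/logcheck` (the real file holds many more patterns) and the shell functions are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the post or from logcheck): replay Jim's egrep
# check and the two logcheck passes over a constructed log with grep -E.

# Constructed sample log. The first line is the sendmail message from the
# post; the other two are made-up filler so each pass has something to
# keep and something to drop.
sample_log() {
    cat <<'EOF'
Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813: 23-52-175-62.user.auna.net [62.175.52.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun 28 06:05:01 server CRON[7901]: (root) CMD (run-parts /etc/cron.hourly)
Jun 28 06:07:42 server sshd[7950]: Accepted publickey for steve from 192.0.2.10 port 51234 ssh2
EOF
}

# The rule from /etc/logcheck/ignore.d.server/sendmail, on one line as
# logcheck requires (the mail client wrapped it).
IGNORE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+:.*did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$'

# Stand-in for /etc/logcheck/violations.d/logcheck: only the two keywords
# the post mentions. The real file carries more patterns (assumption).
VIOLATION_RE='VRFY|EXPN'

# Jim's check: how many log lines does the ignore rule match?
# "|| :" keeps a zero count from turning into a non-zero exit status.
ignore_rule_hits() {
    sample_log | grep -E -c "$IGNORE_RULE" || :
}

# Pass 1, "Security Events": lines matching violations.d, minus lines
# matching violations.ignore.d. ignore.d.server is not consulted here,
# which is why Steve's rule had no effect on this section.
# $1 is an optional violations.ignore.d pattern.
security_events() {
    if [ -n "$1" ]; then
        sample_log | grep -E "$VIOLATION_RE" | grep -E -v "$1" || :
    else
        sample_log | grep -E "$VIOLATION_RE" || :
    fi
}

# Pass 2, "System Events": everything not matched by ignore.d.* rules
# (only the one sendmail rule is applied in this example).
system_events() {
    sample_log | grep -E -v "$IGNORE_RULE" || :
}

# Demo output when run directly.
echo "ignore rule matches: $(ignore_rule_hits) line(s)"
echo "--- Security Events, rule only in ignore.d.server ---"
security_events
echo "--- Security Events, same rule also in violations.ignore.d ---"
security_events "$IGNORE_RULE"
echo "--- System Events ---"
system_events
```

The first Security Events listing still shows the sendmail line even though the ignore rule matches it, because the VRFY/EXPN keyword hit is evaluated before ignore.d.server is ever looked at; the second listing is empty once the same rule is supplied as a violations.ignore.d pattern. In a real install that means the rule goes into a file under /etc/logcheck/violations.ignore.d/ (in addition to, or instead of, ignore.d.server) when the line is a keyword hit.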