On Wednesday 28 June 2006 12:32, Jim Cheetham wrote:
> It's probably a notifiable security condition if someone connects to
> your SMTP and tries to VRFY addresses; so don't just remove the
> condition, but try refining them so they don't trigger when seeing your
> normal log (i.e. make it alert attacks on "VRFY" but not "/VRFY" with
> something like [^/]*VRFY and [^/]*ETRN (untested), taking advantage of
> the fact that your log entry has a leading / in front of those words,
> but that can't be valid in a real SMTP conversation)

According to http://logcheck.org/docs/README.logcheck-database (which I should have read earlier rather than guessing how it worked :)

You can override events from violations.d/ by putting the regexes in various files in violations.ignore.d/

I transferred my regex for smartd from ignore.d.server/local to violations.ignore.d/local and it has solved the problem.

hads

--
When a computer professor asked his students to comment all their programs, he got remarks like:
"This program is very nice."
"This program is very difficult."
"This program is very interesting."
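The override described in this message, as an added example that is not part of the original thread or of logcheck itself: a small Python model of the security-events layer, where a line is reported when it matches violations.d and is not matched by violations.ignore.d. The rule sets and log lines are constructed for illustration, Python's `re` stands in for the egrep matching, and the refinement idea from the quoted message is written as `(^|[^/])VRFY` because in an unanchored search `[^/]*` can match the empty string.

```python
import re

# Constructed rule sets standing in for files under /etc/logcheck
# (assumptions for illustration, not copies of the shipped rule files).
VIOLATIONS = [r"VRFY", r"ETRN"]                        # violations.d/*
VIOLATIONS_IGNORE = [r"smartd\[[0-9]+\]: .*/VRFY"]     # violations.ignore.d/local
REFINED = [r"(^|[^/])VRFY", r"(^|[^/])ETRN"]           # keyword not preceded by "/"
UNANCHORED = [r"[^/]*VRFY", r"[^/]*ETRN"]              # [^/]* may match nothing

# Constructed log lines; the smartd text is a placeholder, not real smartd output.
LOG = [
    "Jun 28 12:00:01 host smartd[1234]: sample entry mentioning /VRFY",
    "Jun 28 12:00:02 host smtpd[2345]: remote command: VRFY root",
    "Jun 28 12:00:03 host smartd[1234]: sample routine entry",
]

def matches(patterns, line):
    """True if any pattern is found anywhere in the line (search, not full match)."""
    return any(re.search(p, line) for p in patterns)

def security_events(lines, violations, violations_ignore):
    """Lines reported at the security-events layer.

    Only violations.ignore.d is consulted here; a rule that lives solely in
    ignore.d.server never reaches this check, so it cannot suppress the report.
    What happens to suppressed lines in later layers is not modelled.
    """
    return [l for l in lines
            if matches(violations, l) and not matches(violations_ignore, l)]

if __name__ == "__main__":
    cases = [
        ("no violations.ignore.d rule", VIOLATIONS, []),
        ("rule in violations.ignore.d/local", VIOLATIONS, VIOLATIONS_IGNORE),
        ("refined violations pattern", REFINED, []),
        ("unanchored [^/]* pattern", UNANCHORED, []),
    ]
    for label, rules, ignore in cases:
        print(label)
        for line in security_events(LOG, rules, ignore):
            print("   ", line)
```

Both the violations.ignore.d rule and the `(^|[^/])` form keep the SMTP VRFY line in the report while dropping the smartd line.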
