Package: logcheck-database
Version: 1.2.63
Severity: normal

The patterns for bind match IP addresses with
[.[:digit:]]+
which matches IPv4 only.  I believe the correct pattern is
[.:[:xdigit:]]+
although I stole this from another pattern for courier that used
[.:[:alnum:]]+
I think the courier pattern is overly broad, but I might be wrong.

The particular new rule that I need is
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unexpected RCODE \((FORMERR|SERVFAIL|NXDOMAIN|NOTIMP|REFUSED|YXDOMAIN|YXRRSET|NXRRSET|NOTAUTH|NOTZONE|BADVERS|<rcode [[:digit:]]+>|[[:digit:]]+)\) resolving '[^[:space:]]+': [.:[:xdigit:]]+#[0-9]+$
but the problem seems general (probably other packages have this problem too).

The absence of matching on IPv6 was causing a loop with this report
named[21563]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/NS/IN': ::1#53
When logcheck ran it reported this as a security event.  SpamAssassin
scanned the message (arguably it shouldn't), and in so doing tried to
look up the domain again.  The domain is misconfigured (the original
message was spam) and reports that ::1 is one of its nameservers.
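As an added illustration (not part of the bug report or of the logcheck-database rules), the script below feeds constructed syslog lines through grep -E, which is the matcher logcheck applies its ignore rules with, and swaps each of the three address sub-patterns mentioned above into the proposed named rule. The hostname "mail", the timestamps and the example.net/192.0.2.53/2001:db8::53 values are made up; the ::1 line reproduces the message from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report: apply the proposed named rule
# with grep -E (what logcheck uses) to constructed syslog lines and compare
# the three address sub-patterns discussed in the report.

# Address sub-patterns from the report
ADDR_V4='[.[:digit:]]+'        # current bind rules: IPv4 only
ADDR_XDIGIT='[.:[:xdigit:]]+'  # proposed: IPv4 or IPv6
ADDR_ALNUM='[.:[:alnum:]]+'    # borrowed from courier: any alnum token

# The proposed rule, split around the address so each sub-pattern can be
# substituted. The '\'' sequence splices a literal single quote in.
RULE_HEAD='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unexpected RCODE \((FORMERR|SERVFAIL|NXDOMAIN|NOTIMP|REFUSED|YXDOMAIN|YXRRSET|NXRRSET|NOTAUTH|NOTZONE|BADVERS|<rcode [[:digit:]]+>|[[:digit:]]+)\) resolving '\''[^[:space:]]+'\'': '
RULE_TAIL='#[0-9]+$'

# Constructed log lines: hostname, timestamps and the non-loopback
# addresses are made up; the ::1 line is the one quoted in the report.
LINE_V4="Oct 12 04:02:11 mail named[21563]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/NS/IN': 192.0.2.53#53"
LINE_V6_LOOPBACK="Oct 12 04:02:11 mail named[21563]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/NS/IN': ::1#53"
LINE_V6_GLOBAL="Oct 12 04:02:12 mail named[21563]: unexpected RCODE (SERVFAIL) resolving 'example.net/A/IN': 2001:db8::53#53"
LINE_BOGUS="Oct 12 04:02:13 mail named[21563]: unexpected RCODE (SERVFAIL) resolving 'example.net/A/IN': notanaddress#53"

# rule_matches ADDR_PATTERN LINE: exit 0 when the rule built from
# ADDR_PATTERN matches LINE, the way a logcheck ignore rule would
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -- "${RULE_HEAD}$1${RULE_TAIL}"
}

# classify ADDR_PATTERN LINE: print "ignored" when the rule swallows the
# line and "reported" when logcheck would include it in its mail
classify() {
    if rule_matches "$1" "$2"; then
        echo ignored
    else
        echo reported
    fi
}

# Show, per address, what each candidate sub-pattern does with the line
for line in "$LINE_V4" "$LINE_V6_LOOPBACK" "$LINE_V6_GLOBAL" "$LINE_BOGUS"; do
    printf '%-16s digit:%-9s xdigit:%-9s alnum:%s\n' "${line##*: }" \
        "$(classify "$ADDR_V4" "$line")" \
        "$(classify "$ADDR_XDIGIT" "$line")" \
        "$(classify "$ADDR_ALNUM" "$line")"
done
```

The digit-only pattern lets both IPv6 lines through to the report, which is the loop described above; the xdigit pattern ignores them while still reporting a token such as "notanaddress#53", which the alnum pattern would silently swallow.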

Thanks to Michael Shuler <[EMAIL PROTECTED]> for helping me
figure this out.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (990, 'stable'), (50, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- debconf information:
  logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
  logcheck-database/conffile-cleanup: false



_______________________________________________
Logcheck-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel