[Logcheck-devel] Bug#450874: logcheck-database: bind patterns need to match IPv6
Ross Boylan
RossBoylan at stanfordalumni.org
Sun Nov 11 21:04:47 UTC 2007
Package: logcheck-database
Version: 1.2.63
Severity: normal
The patterns for bind match IP addresses with
[.[:digit:]]+
which matches IPv4 only. I believe the correct pattern is
[.:[:xdigit:]]+
although I stole this from another pattern for courier that used
[.:[:alnum:]]+
I think the courier pattern is overly broad, but I might be wrong.
The particular new rule that I need is
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unexpected RCODE \((FORMERR|SERVFAIL|NXDOMAIN|NOTIMP|REFUSED|YXDOMAIN|YXRRSET|NXRRSET|NOTAUTH|NOTZONE|BADVERS|<rcode [[:digit:]]+>|[[:digit:]]+)\) resolving '[^[:space:]]+': [.:[:xdigit:]]+#[0-9]+$
but the problem seems general (probably other packages have this problem too).
The absence of matching on IPv6 was causing a loop with this report
named[21563]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/NS/IN': ::1#53
When logcheck ran it reported this as a security event. Spamassassin
scanned the message (arguably it shouldn't), and in so doing tried to
look up the domain again. The domain is misconfigured (the original
message was spam) and reports that ::1 is one of its nameservers.
Thanks to Michael Shuler <michael at pbandjelly.org> for helping me
figure this out.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (990, 'stable'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-- debconf information:
logcheck-database/rules-directories-note:
logcheck-database/standard-rename-note:
logcheck-database/conffile-cleanup: false
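
The following is an added example, not part of the original report or of logcheck-database: it runs the rule quoted above through `grep -E` with each of the three address classes mentioned in the report and counts the sample lines the rule fails to match. The `@ADDR@` placeholder, the timestamps, the host name `myhost` and the second and third log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. The rule text is the one quoted in the report; @ADDR@ is a
# hypothetical placeholder for the server-address bracket expression.
template() {
cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unexpected RCODE \((FORMERR|SERVFAIL|NXDOMAIN|NOTIMP|REFUSED|YXDOMAIN|YXRRSET|NXRRSET|NOTAUTH|NOTZONE|BADVERS|<rcode [[:digit:]]+>|[[:digit:]]+)\) resolving '[^[:space:]]+': @ADDR@#[0-9]+$
EOF
}

# Constructed syslog lines: timestamps and host name are made up; only the
# message part of the first line comes from the report.
samples() {
cat <<'EOF'
Nov 11 12:00:00 myhost named[21563]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/NS/IN': ::1#53
Nov 11 12:00:01 myhost named[21563]: unexpected RCODE (SERVFAIL) resolving 'example.org/A/IN': 192.0.2.1#53
Nov 11 12:00:02 myhost named[21563]: unexpected RCODE (REFUSED) resolving 'example.org/A/IN': zzzz#53
EOF
}

# rule CLASS: print the rule with CLASS substituted as the address expression.
rule() {
    template | sed "s/@ADDR@/$1/"
}

# reported CLASS: number of sample lines the rule does NOT match, i.e. the
# lines that are left over instead of being filtered by the rule.
# grep exits 1 when the count is 0, hence the "|| true".
reported() {
    samples | grep -E -v -c -- "$(rule "$1")" || true
}

for class in '[.[:digit:]]+' '[.:[:xdigit:]]+' '[.:[:alnum:]]+'; do
    printf '%-18s lines left unmatched: %s\n' "$class" "$(reported "$class")"
done
```

The digit-only class leaves both the `::1` line and the `zzzz` line unmatched, the `xdigit` class leaves only the `zzzz` line, and the `alnum` class matches all three, including the token that is not an address.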