[Logcheck-devel] Bug#486440: logcheck-database: postfix false positives: hostname verification and anonymous TLS

Justin Larue debbugs at ziz.org
Mon Jun 16 05:07:34 UTC 2008


Package: logcheck-database
Version: 1.2.64
Severity: wishlist
Tags: patch

Logcheck provides false negatives against the postfix package for lines
such as the following:

Jun 15 20:11:15 gamma postfix/smtpd[28071]: Anonymous TLS connection established from fractal.kaosol.net[216.150.215.72]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)

(This one would be caught without the word "Anonymous")

and

Jun 15 20:19:10 gamma postfix/smtpd[28321]: warning: 122.3.215.225: hostname 122.3.215.225.pldt.net verification failed: Name or service not known

(There does not appear to be an existing line related to this message.)

A patch to properly ignore both of these lines is attached.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (900, 'testing'), (300, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

-- debconf information:
* logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
  logcheck-database/conffile-cleanup: false
-------------- next part --------------
--- ignore.d.server/postfix.old	2008-06-15 23:02:49.000000000 -0600
+++ ignore.d.server/postfix	2008-06-15 22:55:20.000000000 -0600
@@ -19,7 +19,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: cert has expired$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: (Peer|Server) certificate could not be verified$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: smtpd_peer_init: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: address not listed for hostname [._[:alnum:]-]+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: (Anonymous )?TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: setting up TLS connection (to|from) [._[:alnum:]-]+(\[[0-9a-f.:]{3,39}\])?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: fingerprint=([0-9A-F]{2}:){15}[0-9A-F]{2}$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: Verified: subject_CN=.*, issuer=.*$
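Review bot: scope point on the `+` line: the rule keeps `smtpd?`, so the optional `(Anonymous )?` prefix now silences anonymous TLS sessions for the outbound postfix/smtp client as well as inbound postfix/smtpd. That mirrors the unqualified rule it replaces and matches the reporter's sample line, but "Anonymous" is Postfix's label for a session in which the peer presented no certificate, so a site that relies on the certificate rules just above (`cert has expired`, `(Peer|Server) certificate could not be verified`) loses the one line that says no certificate was offered at all. If that matters for the deployment, restrict the prefix to the server side by dropping the `?` in `smtpd?` for this rule, or keep it as written and record the choice in the changelog.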
@@ -126,3 +126,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: gethostby\*\.getanswer: asked for "([-_.[:alnum:]]+)", got "\1"$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: discarding EHLO keywords:( [[:upper:]]+)+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: milter-discard: END-OF-MESSAGE from [-._[:alnum:]]+\[[.[:digit:]]+\]: milter triggers DISCARD action; from=<[^[:space:]]*> to=<[^[:space:]]*> proto=E?SMTP helo=<[^[:space:]]+>$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [0-9.]{7,15}: hostname [^[:space:]]+ verification failed: Name or service not known$
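Review bot: consistency point on the `+` line: the client address is matched with `[0-9.]{7,15}`, which is looser than the `[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+` used for the same field in the `smtpd_peer_init` rule earlier in the file, and unlike the `[0-9a-f.:]{3,39}` used in the `setting up TLS connection` rule it will not match an IPv6 literal, so the same warning from an IPv6 peer would still be reported. Reusing one of the file's existing address forms, e.g. `warning: [0-9a-f.:]{3,39}: hostname`, keeps the rules uniform. The tail is pinned to `Name or service not known`, so other resolver errors in this warning stay visible; that is a reasonable choice, since the warning is the log's record that a connecting client's reverse name did not resolve, but it is worth stating in the changelog so nobody later widens it without thinking about it.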
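Checking a logcheck rule against the log lines it is meant to silence is the quickest way to review a patch like this one. The script below is an added example, not part of the bug report or of the logcheck package: it takes the two sample lines quoted in the report and the rules from the patch, and filters with `grep -E -v`, the same extended-regex, inverted-match filtering that logcheck applies to `ignore.d` rules, so whatever survives the filter is what logcheck would report. The `rule_matches` and `unmatched_count` helpers are this example's own names.

```shell
#!/bin/sh
# Added example (not from the bug report or logcheck): exercise the patched
# postfix ignore rules against the reporter's sample lines using grep -E -v,
# the extended-regex inverted filter logcheck applies to ignore.d rules.

# Constructed copies of the two sample log lines quoted in the report.
SAMPLE_TLS='Jun 15 20:11:15 gamma postfix/smtpd[28071]: Anonymous TLS connection established from fractal.kaosol.net[216.150.215.72]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)'
SAMPLE_DNS='Jun 15 20:19:10 gamma postfix/smtpd[28321]: warning: 122.3.215.225: hostname 122.3.215.225.pldt.net verification failed: Name or service not known'

# The TLS rule as it was before the patch (the "-" line) ...
OLD_TLS='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$'
# ... and the two rules the patch adds (the "+" lines).
NEW_TLS='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd?\[[0-9]+\]: (Anonymous )?TLS connection established (to|from) [^[:space:]]+: (TLSv1|SSLv[23]) with cipher [^[:space:]]+ \([/0-9]+ bits\)$'
NEW_DNS='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [0-9.]{7,15}: hostname [^[:space:]]+ verification failed: Name or service not known$'

# rule_matches RULE LINE: succeeds when the single rule would ignore LINE.
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# unmatched_count old|new: number of sample lines that survive the filter,
# i.e. the lines logcheck would still report with that rule set.
unmatched_count() {
    if [ "$1" = new ]; then
        n=$(printf '%s\n%s\n' "$SAMPLE_TLS" "$SAMPLE_DNS" \
            | grep -E -v -e "$NEW_TLS" -e "$NEW_DNS" | grep -c . || true)
    else
        n=$(printf '%s\n%s\n' "$SAMPLE_TLS" "$SAMPLE_DNS" \
            | grep -E -v -e "$OLD_TLS" | grep -c . || true)
    fi
    echo "${n:-0}"
}

# Stand-alone run: show how many of the two samples each rule set lets through.
echo "reported with the old rule set:     $(unmatched_count old)"   # 2
echo "reported with the patched rule set: $(unmatched_count new)"   # 0
```

Because the rules are passed with `-e` exactly as they appear in the patch, the same script doubles as a regression check when a rule is later tightened, for instance if the `[0-9.]{7,15}` address pattern is swapped for the `[0-9a-f.:]{3,39}` form used elsewhere in the file: keep the sample lines, change the rule, and confirm the count is still 0.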

