[Logcheck-users] Logcheck flagging "RIP" requests from Router
Chris
linux-logcheck@nosnhoj.net
Thu, 02 Jun 2005 19:20:44 -0400
I enabled logcheck on a Debian Sarge box and it is including in its reports
hundreds of lines like this:
Jun 2 17:56:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20692 PROTO=UDP SPT=520 DPT=520 LEN=32
Jun 2 17:56:39 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20694 PROTO=UDP SPT=520 DPT=520 LEN=32
Jun 2 17:57:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20696 PROTO=UDP SPT=520 DPT=520 LEN=32
Which I've determined are from my Router broadcasting RIP packets on port 520.
I believe this is harmless (unless there is some other setting I need to fix),
so I want to filter them from the logcheck rules.
I've tried editing /etc/logcheck/ignore.d.server/kernel and tried adding
/etc/logcheck/ignore.d.server/local to get an appropriate rule. I'm new to
regex and couldn't find a similar enough expression in the other ignore rules
to use as a pattern.
I believe I would either like to assume my router is safe and ignore all lines
from SRC=192.168.13.10, or possibly add the SPT=520 for clarity.
What is the best way to do this?
Chris
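An added example, not part of the post above, of the kind of logcheck ignore rule Chris is asking for: one extended regex that matches exactly the RIP broadcast DROP lines (router source address and port 520 both pinned, so other dropped traffic from the router, or RIP from any other host, is still reported), checked against constructed sample lines in real syslog layout. The rule file path is the one named in the post; the sample lines and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). logcheck ignore rules are
# extended regexes (grep -E), one per line, and must match the WHOLE syslog
# line, timestamp and hostname included. The timestamp part below is the
# usual logcheck prefix; syslog space-pads a single-digit day ("Jun  2"),
# which the mail client collapsed in the quoted lines.
RIP_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:([[:xdigit:]]{2}:){6}08:00 SRC=192\.168\.13\.10 DST=192\.168\.13\.255 LEN=[0-9]+ TOS=0x00 PREC=0x00 TTL=1 ID=[0-9]+ PROTO=UDP SPT=520 DPT=520 LEN=[0-9]+$'

# Return 0 if logcheck would suppress the line under RIP_RULE, 1 otherwise.
rip_ignored() {
    printf '%s\n' "$1" | grep -Eq "$RIP_RULE"
}

# Append the rule to an ignore file; defaults to the path named in the post.
install_rule() {
    printf '%s\n' "$RIP_RULE" >> "${1:-/etc/logcheck/ignore.d.server/local}"
}

# Constructed sample lines (not real log data).
# 1) The RIP broadcast from the router: should be suppressed.
RIP_LINE='Jun  2 17:56:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20692 PROTO=UDP SPT=520 DPT=520 LEN=32'
# 2) Same packet shape but from a different host: must still be reported.
OTHER_SRC_LINE='Jun  2 17:56:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.77 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20692 PROTO=UDP SPT=520 DPT=520 LEN=32'
# 3) From the router, but a dropped TCP connection attempt: must be reported.
OTHER_PORT_LINE='Jun  2 17:56:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=00:11:22:33:44:55:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Quick self-check when run directly.
for l in "$RIP_LINE" "$OTHER_SRC_LINE" "$OTHER_PORT_LINE"; do
    if rip_ignored "$l"; then echo "ignored:  $l"; else echo "reported: $l"; fi
done
```

Before relying on the rule, you can run the real log through it the same way logcheck does (`grep -Ef` with the rule file against /var/log/syslog) and confirm only the RIP lines disappear.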