[Logcheck-users] Logcheck flagging "RIP" requests from Router

Jamie L. Penman-Smithson lists@silverdream.org
Fri, 03 Jun 2005 01:37:20 +0100


On Thu, 2005-06-02 at 19:20 -0400, Chris wrote:
> I enabled logcheck on a Debian Sarge box and it is including in its reports
> hundreds of lines like this:
>
> Jun  2 17:56:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT=
> +MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10
> +DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20692 PROTO=UDP SPT=520
> +DPT=520 LEN=32
<snip>
>
> Which I've determined are from my Router broadcasting RIP packets on port 520.
>
> I believe this is harmless (unless there is some other setting I need to fix),
> so I want to filter them from the logcheck rules.

You should be able to disable RIP on your router if you don't need it.

> I've tried editing /etc/logcheck/ignore.d.server/kernel and tried adding
> /etc/logcheck/ignore.d.server/local to get an appropriate rule.  I'm new to
> regex and couldn't find a similar enough expression in the other ignore rules
> to use as a pattern.

You shouldn't add rules to any of the files in ignore.d.server,
ignore.d.workstation etc. as all of your changes will be overwritten
when you upgrade. Instead you should put local changes in a local- file,
in this case local-kernel (FYI they don't have to be prefixed with
local, but it's easier to tell what are your rules and what are provided
with logcheck-database).

> I believe I would either like to assume my router is safe and ignore all lines
> from SRC=192.168.13.10, or possibly add the SPT=520 for clarity.
>
> What is the best way to do this?

The regex you're looking for is:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=[0-9]+ PROTO=UDP SPT=520 DPT=520 LEN=32$

That would only ignore the above lines. It's always best to avoid
ignoring too much in case you miss something important.

-j
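
Added example, not part of the thread: the rule from the reply written to a local-kernel file and checked the way logcheck applies its ignore rules, with grep -E -f, against a constructed kern.log. The temporary directory and the second and third log lines (a later RIP broadcast and a drop on a different port) are made up for this demonstration.

```shell
#!/bin/sh
# Check a logcheck ignore rule against sample kernel log lines the way
# logcheck does: every line matched by a rule in the ignore file is dropped
# from the report, every unmatched line is still reported.

WORK=$(mktemp -d)
RULES="$WORK/local-kernel"   # stand-in for /etc/logcheck/ignore.d.server/local-kernel
LOG="$WORK/kern.log"         # constructed sample log, not a real file

# The rule from the reply, on one line: rule files hold one regex per line,
# and the "+" continuation markers in the quoted mail are not part of it.
# Note the unescaped dots in the addresses match any character, so this is
# still slightly looser than it looks; keep rules as narrow as you can.
cat > "$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=[0-9]+ PROTO=UDP SPT=520 DPT=520 LEN=32$
EOF

# Constructed log: the RIP broadcast from the mail, a second broadcast with a
# different IP ID, and a drop from the same router that is NOT RIP (port 161).
cat > "$LOG" <<'EOF'
Jun  2 17:56:09 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20692 PROTO=UDP SPT=520 DPT=520 LEN=32
Jun  2 17:56:39 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=20701 PROTO=UDP SPT=520 DPT=520 LEN=32
Jun  2 17:57:02 localhost kernel: PUB_IN DROP 4 IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:09:5b:e9:56:a0:08:00 SRC=192.168.13.10 DST=192.168.13.255 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=20710 PROTO=UDP SPT=1024 DPT=161 LEN=40
EOF

# Number of lines the rule silences.
ignored_count() {
    grep -E -c -f "$RULES" "$LOG"
}

# Number of lines that would still appear in the logcheck report.
unreported_count() {
    grep -E -v -f "$RULES" "$LOG" | wc -l | tr -d ' '
}

echo "ignored: $(ignored_count), still reported: $(unreported_count)"
echo "still reported:"
grep -E -v -f "$RULES" "$LOG"
```

Only the two RIP broadcasts are silenced; the drop on port 161 from the same router is still reported, which is the point of the narrow rule.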
