On Fri, 6 Jun 2025 at 05:51, Kiss Gabor (Bitman) <ki...@probatbicol.hu> wrote:
> On Thu, 5 Jun 2025, Richard Lewis wrote:
> It seems grep regards differently the command line pattern and the
> -f patternfile.

this looks like a bug in grep. perhaps you could report it to grep -- i suppose they never tested invalid lines with -f (but the other issues below we should still fix)

> Command
>   for f in * ; do echo $f================; grep -E -f $f /dev/null 2>&1 ; done
> reports only two problems:
> ...
> login================
> grep: login:8: Unmatched ( or \(
> ...
> systemd================
> grep: systemd:21: Unmatched ( or \(
> ...
>
> But both come from comments:
> # old messages, no longer seen (?)
> # services with Restart=always ((eg console-getty.service)

that's good in the sense that we don't need to urgently fix this for trixie (although the first one doesn't look unmatched!) -- commented lines are dropped by logcheck anyway,

> IMHO in most cases the problem is that literal square brackets
> are unescaped. E.g.
>
> | courier================
> | grep: Unmatched [, [^, [:, [., or [=
> | ^(w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+
> ((imap|pop3)(login|d-ssl)|couriertcpd): (LOGOUT|TIMEOUT|DISCONNECTED),
> ip=[[.:[:alnum:]]+](, port=[[[:digit:]]+])?, headers=[[:digit:]]+,
> body=[[:digit:]]+$
>
> ip=[[.:[:alnum:]]+] and port=[[[:digit:]]+] are suspicious.
> I guess they should be ip=\[[.:[:alnum:]+]\] and \[[[:digit:]+]\] .

i think you are right

> | cron-apt================
> | grep: Invalid range end
> | ^(w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ cron-apt: CRON-APT
> RUN [[-[:alnum:]/]+]: w{3} w{3} [ [:digit:]]+ [:[:digit:]]{8} w{3,4}
> [[:digit:]]{4}$
>
> [[-[:alnum:]/]+] should be \[[-[:alnum:]/]+\] .

yes - this one is already corrected in the rules that will be in trixie, i think

> | dovecot================
> | grep: Unmatched [, [^, [:, [., or [=
> | ^(w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ (dovecot:
> )?(imap|pop3)-login: Disconnected [[.:[:xdigit:]]+]$
>
> I bet on \[[.:[:xdigit:]]+\] .

looks like it

>
> | exim4================
> | grep: Unmatched [, [^, [:, [., or [=
> | ^[-0-9]{10} [0-9:]{8} [-[:alnum:]]+ [=-]> [@._[:alnum:]-]+
> <?[@._[:alnum:]-]+>? R=dnslookup T=remote_smtp H=[._[:alnum:]-]+
> [[.0-9]{7,15}]$
>
> [[.0-9]{7,15}] is probably \[[.0-9]{7,15}\] .

this file has other issues -- the helo logging format is quite complex, and you can have an ip in or outside [...]. this file is on the "revise in forky" list anyway i think -- i believe that it's not actually matching anything at the moment, because these lines only go in exim4's log, which is not checked by default

>
> | horde3================
> | grep: Unmatched [, [^, [:, [., or [=
> | ^(w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ .+[[0-9]+]: [horde]
> Login success for [@._[:alnum:]-]+ [[.0-9]{7,15}] to Horde [on line [0-9]+ of
> ".+"]$
>
> \[[.0-9]{7,15}] to Horde [on line [0-9]+ of ".+"\]

i believe horde3 is no longer in debian, so this whole file should be dropped instead
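
One way to run the check discussed in this message one pattern at a time, so that every invalid rule is reported with its own file and line number instead of depending on how grep handles `-f`. This is an added example, not part of the original thread or of logcheck; `check_rules`, `write_sample_rules` and the sample files (built from fragments quoted above) are hypothetical, and skipping blank lines is an assumption.

```sh
#!/bin/sh
# Added example: compile every rule line on its own with grep -E, so each
# invalid pattern is reported with its file name and line number.

# check_rules DIR: print "file:line: pattern" for each line that grep -E
# cannot compile; return 1 if any were found, 0 otherwise.
check_rules() {
    dir=$1
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        n=0
        # IFS= and -r keep leading blanks and backslashes intact.
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case $line in
                '' | '#'*) continue ;;  # comments dropped; blank lines skipped (assumption)
            esac
            rc=0
            # Against /dev/null: status 1 = compiled, no match; 2 = pattern error.
            grep -E -e "$line" /dev/null >/dev/null 2>&1 || rc=$?
            if [ "$rc" -ge 2 ]; then
                printf '%s:%d: %s\n' "${f##*/}" "$n" "$line"
                bad=1
            fi
        done < "$f"
    done
    return "$bad"
}

# write_sample_rules DIR: constructed rule files built from fragments quoted
# in the thread (the file names are reused only as labels).
write_sample_rules() {
    cat > "$1/dovecot" <<'EOF'
# old messages, no longer seen (?)
(imap|pop3)-login: Disconnected \[[.:[:xdigit:]]+\]$
(imap|pop3)-login: Disconnected [[.:[:xdigit:]]+]$
EOF
    cat > "$1/exim4" <<'EOF'
H=[._[:alnum:]-]+ [[.0-9]{7,15}]$
EOF
}

# Demo: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_rules "$tmp"
    check_rules "$tmp" || echo "invalid patterns found"
    rm -rf "$tmp"
fi
```

The escaped form on line 2 of the sample `dovecot` file compiles, while the unescaped forms are flagged; the comment line is never handed to grep.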