On Sat, Oct 18, 2003 at 03:39:41PM -0700, Ross Boylan wrote:
> On Sat, Oct 18, 2003 at 11:18:17PM +0200, Rudy Gevaert wrote:
> > On Sat, Oct 18, 2003 at 11:52:15AM +0200, Sven Hoexter wrote:
> > >
> > > I find the documentation of logcheck too confusing.
>
> Me too.  I just spent a lot of time staring at the source and
> submitted a patch with much expanded documentation: see bug 215640.

I've browsed it, I'll have a look at it asap.

> Are you saying the messages are getting flagged despite the above
> settings?

Yes.

> That might also happen if some other patterns in
> cracking.d or violations.d are picking them out.  In particular, if
> logcheck (the pattern file, not the program) is picking them out, you
> need to disable it with logcheck-postfix or a local or local-* file
> (logcheck-postfix will only ignore patterns found for the "logcheck"
> file, while local* affects everything.

No entries in cracking.d and no relevant ones in violations.

I now have this:

schamper:/etc/logcheck# grep -r postfix *
ignore.d/postfix:postfix.*
ignore.d.paranoid/postfix:postfix.*
ignore.d.server/postfix:postfix.*
ignore.d.workstation/postfix:postfix.*

Those are the only files that have something about postfix in them.
Every file has postfix.* in it.

>
> What severity are your error reports, i.e., what is the message before
> the section in which they appear?  That indicates whether they are
> from a pattern in cracking.d ("Security Alerts"), violations.d
> ("Security Violations"), or just the residual unrecognized "System
> Events".

The severity is 'Possible Security Violations': e.g.:

Oct 18 16:21:56 schamper postfix/cleanup[18573]: 0C40D5150: reject: header Subject: dont dare to intimate bcos of ur bro too little? oboebefell; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>: SecuritySage SPAM-ID: h20030701-45001 Your email had spam-like header contents. To report this message as non-spam, please follow the instructions available at http://www.securitysage.com/spam.html

Because I put "postfix.*" in those files, it should discard everything
of postfix, right?

Thanks in advance
--
Rudy Gevaert                        [EMAIL PROTECTED]
Web page                            http://www.webworm.org
Schamper sysadmin                   http://www.schamper.ugent.be
GNU/Linux user and Savannah hacker  http://savannah.gnu.org

Friends may come and go, but enemies accumulate.
- Thomas Jones
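
Added example, not part of the original message and not logcheck's own code: a simplified Python model of the layering Ross describes (cracking.d, then violations.d, then the residual "System Events"), run against a shortened copy of the log line quoted above. The `reject` pattern in violations.d, the contents of violations.ignore.d, and the fall-through from an ignored violation to ignore.d are assumptions of this model.

```python
import re

# Constructed rule sets keyed by logcheck directory name. The "reject"
# pattern and the empty violations.ignore.d are assumptions for this model.
RULES = {
    "cracking.d": [],
    "violations.d": [r"reject"],
    "violations.ignore.d": [],
    "ignore.d.server": [r"postfix.*"],
}

# Shortened copy of the log line quoted in the message above.
SAMPLE = ("Oct 18 16:21:56 schamper postfix/cleanup[18573]: 0C40D5150: "
          "reject: header Subject: ...")


def hit(line, patterns):
    """True if any pattern matches anywhere in the line (egrep-style)."""
    return any(re.search(p, line) for p in patterns)


def classify(line, rules):
    """Return the report section a line lands in, or None if it is dropped."""
    if hit(line, rules["cracking.d"]):
        return "Security Alerts"
    # A violations.d match is silenced only by violations.ignore.d;
    # ignore.d.* is not consulted for it at this layer.
    if hit(line, rules["violations.d"]) and not hit(line, rules["violations.ignore.d"]):
        return "Possible Security Violations"
    # Everything left over is filtered by the ignore.d.* level in use.
    if hit(line, rules["ignore.d.server"]):
        return None
    return "System Events"


def with_violation_ignore(rules, pattern):
    """Copy of rules with one extra violations.ignore.d pattern."""
    patched = {name: list(pats) for name, pats in rules.items()}
    patched["violations.ignore.d"].append(pattern)
    return patched


if __name__ == "__main__":
    print(classify(SAMPLE, RULES))
    narrowed = with_violation_ignore(RULES, r"postfix/cleanup.*reject: header")
    print(classify(SAMPLE, narrowed))
```

In this model the `postfix.*` entries under ignore.d.* never see the sample line, because it is claimed by the violations layer first; only a pattern in the violations ignore layer removes it from the report.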