Hiya - two staged problem / question here...
We use logcheck to monitor our logfiles and are getting a lot of
errors like this being reported:
May 26 10:31:43 named[511]: bad referral (228.165.in-addr.arpa !< 132.228.165.IN-ADDR.ARPA)
May 26 10:31:45 named[511]: bad referral (228.165.in-addr.arpa !< 130.228.165.IN-ADDR.ARPA)
Someone on the list suggested that it was a sign that we were having
people trying to hack a BIND vulnerability, but it doesn't seem like
that to me. These errors seem to happen when users are using Netscape
to surf through the squid proxy on the server. Is it likely that
these errors are due to a misconfiguration of named / squid on the
server... how can I stop these appearing in the log files?
The second part to the question is how I can get the logcheck.ignore
file to match the above errors in the log files so that I don't get
them reported to me every 5 minutes... the line I have at the moment
is:
named.*: .*bad referral (.* \!\< .*)
But that doesn't seem to be helping. Not being much of a regexp guru,
I'm sure that I'm trying to match some screwy stuff there...
I also tried this before:
named.*: .*bad referral.*
But that wasn't happening either - that's why I backslash-escaped the
! and < as I thought they may be causing problems...
tia. dan.
--
---------------------------------------------------------------------------
Nitro - 3D Visualisation, Graphics & Animation
Ph (+61 2) 9810 5177 - Fx (+61 2) 9810 0199
http://www.nitro.com.au/
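
Added example (not part of the original post): a shell check of the two logcheck.ignore patterns quoted above against the reported line, assuming logcheck filters with egrep-style extended regular expressions. The FIXED pattern and the second sample line are constructed for illustration; in extended regex a bare ( opens a group, and in GNU grep \< is a word-start anchor rather than a literal <.

```shell
#!/bin/sh
# Added example: test logcheck.ignore candidates the way egrep would apply them.

# Reported line from the post, rejoined onto one line as syslog wrote it.
SAMPLE='May 26 10:31:43 named[511]: bad referral (228.165.in-addr.arpa !< 132.228.165.IN-ADDR.ARPA)'
# Constructed, unrelated named message that an ignore rule must NOT hide.
OTHER='May 26 10:32:01 named[511]: unapproved update from [192.0.2.7].1042 for example.com'

# The two patterns quoted in the post.
POSTED_STRICT='named.*: .*bad referral (.* \!\< .*)'
POSTED_LOOSE='named.*: .*bad referral.*'
# Constructed alternative: literal parentheses are escaped, ! and < are left
# bare (neither is special in extended regex), and the match is anchored to
# the named[pid] prefix and the closing parenthesis so it stays narrow.
FIXED='named\[[0-9]+]: bad referral \(.* !< .*\)$'

# verdict PATTERN LINE -> prints "match" or "no-match"
verdict() {
    if printf '%s\n' "$2" | grep -Eq -e "$1" 2>/dev/null; then
        echo match
    else
        echo no-match
    fi
}

# audit PATTERN -> shows whether the pattern would suppress each sample line
audit() {
    printf '%-8s reported line, %-8s unrelated line: %s\n' \
        "$(verdict "$1" "$SAMPLE")" "$(verdict "$1" "$OTHER")" "$1"
}

audit "$POSTED_STRICT"
audit "$POSTED_LOOSE"
audit "$FIXED"
```

The backslash-escaped pattern can never match, because \< demands a word character next while the pattern then requires a space. The looser pattern does match under grep -E, so a line that is still reported with it in place is worth investigating outside the regex itself.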