[Logwatch-Devel] Re: [Logwatch-Announce] Logwatch 4.1 has been released

James Wysynski wysynskij@yahoo.com
Sat, 19 Oct 2002 12:28:01 -0700 (PDT)


After taking a quick look, I have a few
questions/comments.

1) The search was made more greedy as one of the
reasons the iptables parsing wasn't working in the
first place was that it was too restrictive.  The only
thing it really depends on at the moment is the order
in which the elements occur.  

2) The only ICMP messages I've seen in my logs are of
this format, which is presumably why it's not working
with yours.  The ICMP messages are formatted the same
as everything else is.

Oct 18 15:13:01 tilt kernel: ICMP drop IN=eth0 OUT=
MAC=00:03:47:05:49:33:00:10:67:00:b2:50:08:00
SRC=64.14.42.16 DST=67.115.101.130 LEN=64 TOS=0x00
PREC=0x00 TTL=51 ID=28365 PROTO=ICMP TYPE=8 CODE=0
ID=52994 SEQ=0 

I'm running RedHat 7.3.  Do you have a Linux kernel,
or something else?

3) Right now I parse prefix, in, out, src, dst, proto.
 For your case it looks like I need to add some logic
which will catch prefix, in, out, proto, src, dst (and
possibly the square brackets).  It's hard to tell
without the full log message.

-James    

--- mark@winksmith.com wrote:
> oh yeah... i haven't downloaded it yet, but was the
> pattern matching
> fixed for ICMP rejections for iptables kernel
> service?  my host is
> mail.airtux.net, but it's been logging failures on
> the INPUT chain
> *from* my host... clearly impossible.
> 
>    From mail.airtux.net (216.181.159.137).
>       To never.just.net (63.122.103.20).
>          Port: domain (udp,eth0,,FAILED INPUT:) - 1
> packet(s).
>       Total of 1 packet(s).
> 
> if you take a closer look at the class of the actual
> message it contains a
> summary of the original packet that failed bracketed
> with '[]'.  my guess
> is that the search pattern is matching the wrong
> thing (greedy search).
> 
> 	Oct 13 07:39:05 mail kernel: FAILED INPUT: IN=eth0
> OUT= ... PROTO=ICMP TYPE=3 CODE=3
> [SRC=216.181.159.137 DST=192.41.162.160 LEN=86
> TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP
> SPT=32768 DPT=53 LEN=46 ]
> 
> On Fri, Oct 18, 2002 at 04:37:24PM -0400, Kirk Bauer
> wrote:
> > This is not a big release, just some cleanup from
> 4.1 and a few
> > enhancements.  If you are using 4.X already, I
> would recommend
> > upgrading.
> > 
> > - Fixed IP lookup bug in kernel script
> > - Sendmail improvements sent in from Alex K
> <Alex@wtwf.com>
> > - Just some more cleanup as I wanted to get a new
> stable release out there
> > - Fixed Perl warning in Pluto filter
> > - applied some changes from Eric Gerbier
> <eric.gerbier@meteo.fr> for proftpd filter
> > - Removed use of /bin/date from all scripts
> (thanks Mark D. Nagel <mnagel@willingminds.com>)
> > - Added afpd service filter
> 
> -- 
> Mark Smith
> mark at winksmith dot com
> mark at tux dot org
> _______________________________________________
> Logwatch-Devel mailing list
> Logwatch-Devel@logwatch.org
> http://list.logwatch.org/lists/listinfo/logwatch-devel
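Added example, not code from this thread or from Logwatch's own kernel filter: a small Python parser that handles both formats discussed above, James's ordered prefix/in/out/src/dst/proto fields and Mark's ICMP error line with the original packet bracketed in `[...]`. The sample log lines are constructed from the ones quoted; the outer SRC/DST and TOS/PREC values of the FAILED INPUT line are made up because the original elided them with "...". `greedy_parse` is a constructed illustration of the misattribution Mark describes (a greedy search latching onto the bracketed SRC), not Logwatch's actual pattern.

```python
import re

# Constructed sample lines modelled on the two formats quoted in this thread.
# The outer SRC/DST and TOS/PREC of the FAILED INPUT line are invented, since
# the original message elided that part of the line with "...".
SAMPLE_LINES = [
    "Oct 18 15:13:01 tilt kernel: ICMP drop IN=eth0 OUT= "
    "MAC=00:03:47:05:49:33:00:10:67:00:b2:50:08:00 "
    "SRC=64.14.42.16 DST=67.115.101.130 LEN=64 TOS=0x00 PREC=0x00 TTL=51 "
    "ID=28365 PROTO=ICMP TYPE=8 CODE=0 ID=52994 SEQ=0",
    "Oct 13 07:39:05 mail kernel: FAILED INPUT: IN=eth0 OUT= "
    "SRC=63.122.103.20 DST=216.181.159.137 LEN=86 TOS=0x00 PREC=0xc0 TTL=47 "
    "ID=0 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=216.181.159.137 DST=192.41.162.160 LEN=86 TOS=0x00 PREC=0x00 "
    "TTL=47 ID=0 DF PROTO=UDP SPT=32768 DPT=53 LEN=46 ]",
]

KV_RE = re.compile(r"(\w+)=(\S*)")
BRACKET_RE = re.compile(r"\[(.*?)\]")
# Constructed "greedy" pattern: '.*' makes each group bind to the LAST match.
GREEDY_RE = re.compile(r"IN=(\S*) OUT=(\S*).*SRC=(\S+) DST=(\S+).*PROTO=(\S+)")


def _fields(text):
    """KEY=VALUE pairs in order of appearance; the first occurrence of a key
    wins, so the IP header ID is kept rather than the ICMP echo ID after it."""
    out = {}
    for key, value in KV_RE.findall(text):
        out.setdefault(key, value)
    return out


def greedy_parse(line):
    """Illustration of the failure mode: on an ICMP error line the greedy '.*'
    pushes SRC/DST/PROTO onto the embedded packet inside the brackets, so the
    host's own address shows up as the source of a failed INPUT packet."""
    m = GREEDY_RE.search(line)
    if not m:
        return None
    return {"in": m.group(1), "out": m.group(2), "src": m.group(3),
            "dst": m.group(4), "proto": m.group(5)}


def parse_iptables(line):
    """Parse one iptables LOG line into prefix/in/out/src/dst/proto, keeping
    the bracketed embedded packet of an ICMP error apart from the outer header."""
    _, sep, body = line.partition("kernel: ")
    if not sep:
        return None
    embedded = None
    m = BRACKET_RE.search(body)
    if m:
        # Cut the embedded packet summary out before parsing the outer header
        # so its SRC/DST can never be attributed to the outer packet.
        embedded = _fields(m.group(1))
        body = body[:m.start()] + body[m.end():]
    start = re.search(r"\bIN=", body)
    if not start:
        return None
    prefix = body[:start.start()].strip()
    f = _fields(body[start.start():])
    if "SRC" not in f or "DST" not in f:
        return None
    return {
        "prefix": prefix,
        "in": f.get("IN", ""),
        "out": f.get("OUT", ""),
        "src": f["SRC"],
        "dst": f["DST"],
        "proto": f.get("PROTO"),
        "icmp_type": f.get("TYPE"),
        "icmp_code": f.get("CODE"),
        "embedded": embedded,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("greedy :", greedy_parse(line))
        print("ordered:", parse_iptables(line))
```

Splitting the bracketed section off first is more robust than tuning how greedy the match is: the inner header is the packet the ICMP error is quoting, so a report can say which peer sent the port-unreachable (outer SRC) and which of the host's own packets it refers to (embedded DST/DPT), instead of listing the host as the offender.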

