[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [cobalt-security] LogCheck Help, Please

Subject: RE: [cobalt-security] LogCheck Help, Please
From: "FLHQ" <fultonlyons@xxxxxxxxxxxxxx>
Date: Thu, 27 Sep 2001 11:50:17 -0700
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

David:

Thank you for your help, I have a better understanding of it now, and
I've eliminated the entries from my "Security Violations" section yet
they still show up in "Active System Attacks" which seems to have a mind
of its own.

Does anyone know where these violations get triggered from?  I'm going
to check the code again.  I know it's supposed to come from
logcheck.hacking, but I have no matching keywords in there.

Oooof,
~Spanky

> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of David Yates
> Buckley
> Sent: Thursday, September 27, 2001 6:06 AM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-security] LogCheck Help, Please
>
>
> Hello,
>
> If you read logcheck.sh it shows that it is using grep syntax regexp.
>
> It is quite easy to find the right rules if you start from
> understanding
> that the program is basically doing something like:
>  grep -v -f ./logcheck.ignore /var/log/auth
>
> So now enter  <portsentry.*is already blocked Ignoring> in a
> file called
> boo.tst and try doing a proper grep instead of an exclude grep.
>
> grep -f ./boo.tst /var/log/auth
>
> If you have the right pattern it will show the strings
> otherwise it will not,
> but it is quite easy to test things a bit.
>
> With regards to your specific query I believe a good rule
> would be as follows:
> portsentry.*: attackalert: Host: .* is already blocked Ignoring
>
> Or another one that drove me nuts...
> sendmail.*NOQUEUE: localhost \[127\.0\.0\.1\] did not issue
> MAIL\/EXPN\/VRFY\/ETRN during connection to MTA
>
> . is not concatenation at all you should read some about regular
> expressions. There is a decent
> explanation of them inside the perl documentation and in awk... also
> something in grep.. man grep.
> . is any character... * is 0 or more of the previous
> expression so .* is
> anything.
>
> Hope it helps,
> Yates Buckley
> Unit9 Ltd.
>
> At 07:00 PM 9/26/01 -0700, you wrote:
> >OK, I've RTFM, read the groups, surfed the net and tested
> everything I
> >can to make the following log entries go away:
> >
> >Sep 23 07:48:38 MYSERVER portsentry[10539]: attackalert: Host:
> >pn137.szczecin.sdi.tpnet.pl/217.98.186.137 is already
> blocked Ignoring
> >
> >I removed all keywords in the entry from logcheck.hacking (like
> >'attackalert')
> >
> >I added ignore rules to the logcheck.ignore file like this:
> >
> >portsentry.*is already blocked Ignoring
> >
> >I added it to my violations.ignore too!
> >
> >Basically what I want is to see the inital catch by
> portsentry but not
> >every subsequent hit after that.
> >
> >Can someone more savvy than I give me an example that would take this
> >out?
> >
> >Also, I have yet to find a reference on what the '.' in the logcheck
> >file rules means, or where it needs to go.  It seems to be a
> >concatenator?
> >
> >would this work?
> >
> >portsentry[*]: attackalert: * already blocked Ignoring
> >
> >or do things need esacping:
> >portsentry\[*\]: attackalert: * already blocked Ignoring
> >
> >or does the '.' have to go before each wildcard:
> >portsentry\[.*.\]: attackalert: .*already blocked Ignoring
> >
> >See, none of these seems to help, its like portsentry logs
> are included
> >automagically.  Well, I need some black magic cuz I'm tired
> of 500 lines
> >when I only need 5
> >
> >I'm glad to do the research and testing myself if someone'd
> point me to
> >a definitive document explaining, in detail, the syntax of the rules
> >files.
> >
> >The first person to point my to psionic.com gets flamed and the next
> >person who tells me to read the documentation gets a flamethrower
> >because those docs are so weak.
> >
> >Thanks in advance and sorry for the rant, I've been trying different
> >combos for hours, and that's after surfing most of the
> morning for the
> >answer.
> >
> >-T
> >
> >_______________________________________________
> >cobalt-security mailing list
> >cobalt-security@xxxxxxxxxxxxxxx
> >http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
> >
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

Follow-Ups:
- RE: [cobalt-security] LogCheck Help, Please
  - From: FLHQ

References:
- Re: [cobalt-security] LogCheck Help, Please
  - From: David Yates Buckley

Prev by Date: RE: [cobalt-security] chkrootkit - integer expression expected before -gt
Next by Date: Re: [cobalt-security] Calling all IPChain Gurus
Previous by thread: Re: [cobalt-security] LogCheck Help, Please
Next by thread: RE: [cobalt-security] LogCheck Help, Please

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index