On Tuesday 03 October 2006 14:14, you wrote:
> Hello Janne,
>
> On Tue, 3 Oct 2006, Janne Pikkarainen wrote:
> > I just ran rkhunter (v1.2.8) and noticed this:
>
> Uh. Please upgrade to 1.2.9, out since 2006/09/30 and re-release available
> since 2006/10/02.
Oh, ok. I emerged rkhunter from Gentoo Portage and also checked out rootkit.nl
downloads page, which only had 1.2.8, so I assumed it was the latest version.
I just learned that rkhunter lives nowadays in rkhunter.sf.net. Ah well. :-)
> I added this to the SF tracker as "1569896 Syslog-NG remote logging
> detection" and update it in CVS. Does this regex:
> logtoremote=`grep "^destination.*{.[ut].*(" /etc/syslog-ng/syslog-ng.conf`
> work, or am I missing something?
Your regexp seems to be a bit greedy and returns both a false positive and the
correct result for me:
---
[EMAIL PROTECTED] ~ % grep "^destination.*{.[ut].*(" /etc/syslog-ng/syslog-ng.conf
destination console { usertty("root"); };
destination myloghost { udp("my.log.server"); };
---
If you're willing to use egrep, then this might be better:
---
egrep "^destination.*{.(udp|tcp).*\(" /etc/syslog-ng/syslog-ng.conf
---
> Any formatting or other issues we should be aware of?
Now that you mention it, the syslog-ng configuration file can be indented and
formatted at will, so someone might have lines like
---
destination someloghost {
    udp("some.log.server");
};
---
... which of course is a bit of a pain to catch, too.
Best regards,
Janne Pikkarainen
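As an added example (not from the thread, rkhunter or syslog-ng), here is a check that handles both the `usertty` false positive and the wrapped multi-line block discussed above: it strips comments, tracks `destination ... { ... };` blocks across lines, and reports only those whose body calls `udp(` or `tcp(`. The sample configuration is constructed for the demonstration; the function reads a syslog-ng.conf on stdin.

```shell
#!/bin/sh
# Print the name of every syslog-ng destination that ships logs to a remote
# host over udp() or tcp(), however the block is indented or wrapped.
# Reads the configuration on stdin.
remote_destinations() {
    awk '
        { sub(/#.*/, "") }                          # drop trailing comments
        /^[ \t]*destination[ \t]+[A-Za-z0-9_]+/ {   # a destination block starts
            name = $2; sub(/[ \t]*[{].*/, "", name)
            inblock = 1; remote = 0
        }
        # udp( or tcp( as a whole word; "usertty" and "tcpdump" do not match
        inblock && /(^|[^A-Za-z0-9_])(udp|tcp)[ \t]*[(]/ { remote = 1 }
        inblock && /[}][ \t]*;/ {                   # "};" closes the block
            if (remote) print name
            inblock = 0
        }
    '
}

# Constructed sample config (not a real host): two remote destinations,
# one of them wrapped over several lines, plus local-only lookalikes.
SAMPLE_CONF=$(cat <<'EOF'
source src { unix-stream("/dev/log"); internal(); };
destination console { usertty("root"); };                   # local only
destination messages { file("/var/log/messages"); };
destination myloghost { udp("my.log.server"); };            # remote, one line
destination someloghost {
    tcp("some.log.server" port(514));                       # remote, wrapped
};
destination tcpdump_log { file("/var/log/tcpdump.log"); };  # name lookalike
log { source(src); destination(myloghost); };
EOF
)

printf '%s\n' "$SAMPLE_CONF" | remote_destinations
```

Expected output is the two names `myloghost` and `someloghost`, one per line.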
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users