It looks like starting the p0f analyzer using the ports-supplied rc.subr
script on FreeBSD does something strange.
I installed amavisd-new with p0f via FreeBSD ports.
(This automatically installed p0f and created an rc.d init file for me.)
I verified it worked on the command line (I watched the mail log and saw all
sorts of neat messages about Windows XP, uptime and distance).
If started by the FreeBSD rc.subr script, I only see this in tcpdump:
14:11:36.208278 IP 127.0.0.1.51333 > 127.0.0.1.2345: UDP, length: 28
0x0000:  4500 0038 069a 0000 4011 7619 7f00 0001  E..8....@.v.....
0x0010:  7f00 0001 c885 0929 0024 9130 3230 372e  .......).$.0207.
0x0020:  3139 332e 3137 322e 3130 3320 7467 5278  193.172.103.tgRx
0x0030:  4b66 6547 414c 506f                      KfeGALPo
14:11:36.208460 IP 127.0.0.1.2345 > 127.0.0.1.51333: UDP, length: 31
0x0000:  4500 003b 069b 0000 4011 7615 7f00 0001  E..;....@.v.....
0x0010:  7f00 0001 0929 c885 0027 671d 3230 372e  .....)...'g.207.
0x0020:  3139 332e 3137 322e 3130 3320 7467 5278  193.172.103.tgRx
0x0030:  4b66 6547 414c 506f 200d 0a              KfeGALPo...
(Notice the missing 'Windows XP', etc.)
If I start it by hand, it seems to work:
14:18:12.714574 IP 127.0.0.1.2345 > 127.0.0.1.49731: UDP, length: 91
0x0000:  4500 0077 0d76 0000 4011 6efe 7f00 0001  E..w.v..@.n.....
0x0010:  7f00 0001 0929 c243 0063 7781 3230 352e  .....).C.cw.205.
0x0020:  3230 362e 3233 312e 3236 2041 634b 5056  206.231.26.AcKPV
0x0030:  514d 6677 692b 6820 4c69 6e75 7820 322e  QMfwi+h.Linux.2.
0x0040:  3420 772f 6f20 7469 6d65 7374 616d 7073  4.w/o.timestamps
0x0050:  2c20 2864 6973 7461 6e63 6520 3133 2c20  ,.(distance.13,.
0x0060:  6c69 6e6b 3a20 6574 6865 726e 6574 2f6d  link:.ethernet/m
0x0070:  6f64 656d 290d 0a                        odem)..
CLI start:
p0f -l -i lnc0 tcp port 25 | p0f-analyzer.pl 2345 &
FreeBSD flags for rc.conf:
amavis_p0fanalyzer_enable="YES"
amavis_p0fanalyzer_p0f_filter="-i lnc0 tcp port 25"
Verified that CLI and rc.subr starts produce the same background tasks:
68231 ?? Ss 0:00.18 /usr/local/bin/p0f -l -i lnc0 tcp port 25
68232 ?? Ss 0:00.02 /usr/bin/perl -T
/usr/local/sbin/p0f-analyzer.pl 2345 (perl5.8.8)
Amavisd port is amavisd-new-2.4.3_1,1
OS is FreeBSD 5.5, p#8.
It does appear that there is something in rc.subr that is causing p0f
not to produce full output? (Even though the -l seems to be there; in
fact, -l is added by rc.subr.)
If I specified amavis_p0fanalyzer_p0f_filter="-l -i lnc0 tcp port 25",
I would get this in ps -auxww:
/usr/local/bin/p0f -l -l -i lnc0 tcp port 25
--
Michael Scheidell, CTO
SECNAP Network Security Corporation
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/