On Tue, 2 Jan 2007, Gary V wrote:

> I installed maRBL 1.1 on a Debian system and it appears to be
> working. Oddly however the log output looks like:
>
> marbl: p0f query: %s port=%s %s %s
> marbl: p0f collect: max_wait=%.3f, %.35s... => %s
> marbl: Action for %s (%s => %s): %s
>
> As opposed to a Fedora system:
> marbl: p0f query: 127.0.0.1 port=2345 192.168.1.41 43130150
> marbl: p0f collect: max_wait=0.050, 192.168.1.41 43130150 Windows XP/20... => 
> Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] Signature: 
> [10384:128:1:52:M1380,N,W1,N,N,S:.:Windows:?], (distance 0, link: GPRS, T1, 
> FreeS/WAN)
> marbl: Action for 192.168.1.41 ([EMAIL PROTECTED] => [EMAIL PROTECTED]): 
> greylisting
>
> Any Perl gurus see the reason? I changed p0f from version 2.0.5 to
> 2.0.8 but that did not make a difference.

I am not a Perl guru and I did not run maRBL, so my information may be lame :)

From your Debian log, it looks like line 90 of maRBL 1.1:

   $self->{net_server}->log(2, "p0f query: %s port=%s %s %s",
                              $host,$port,$query,$nonce);
did not get the right parameter.

It can either be that the sub p0f_init did not get the right parameter, see
lines 189, 190:

     189       my $os_fingerprint_obj = $self->p0f_init($p0f_service, 0.050,
     190                                                $cl_ip, $nonce);

or sub p0f_init did not parse the parameter right:

Try to change line 87 and line 89 to:
      87   $hostport =~ /^(?: inet: )? ([^:]*)  : ([^:]*) /six
      88     or die "Bad p0f method syntax: $hostport";
      89   my($host,$port) = ($1, $2);  my($sock);

and see if it makes any difference.

If it is not a maRBL problem, then make sure p0f captures the packet right at
the command line:
p0f -i eth0 -l 'tcp dst port 25' 2>&1

I once forgot to run p0f with the -l option (outputs data in line-per-record
style) and p0f-analyzer would not parse the p0f packet information right.

Hope that helps

Vincent Li
http://bl0g.blogdns.com
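
As an added illustration (not part of the original message and not maRBL's code), this Perl script shows what each suspected cause would print for the "p0f query" line. The two logger subs are hypothetical stand-ins, and the sample values are constructed from the Fedora log lines quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values, modelled on the Fedora log lines in the thread.
my @args   = ('127.0.0.1', '2345', '192.168.1.41', '43130150');
my $format = 'p0f query: %s port=%s %s %s';

# Hypothetical logger A: treats its first argument as a sprintf format.
sub log_formatting {
    my ($fmt, @rest) = @_;
    no warnings 'uninitialized';   # undef arguments format as empty strings
    return @rest ? sprintf($fmt, @rest) : $fmt;
}

# Hypothetical logger B: logs only its first argument and ignores the rest.
sub log_verbatim {
    my ($msg) = @_;
    return $msg;
}

# The parse from the suggested lines 87-89, wrapped in a sub for testing.
sub parse_hostport {
    my ($hostport) = @_;
    $hostport =~ /^(?: inet: )? ([^:]*) : ([^:]*) /six
        or die "Bad p0f method syntax: $hostport\n";
    my ($host, $port) = ($1, $2);
    return ($host, $port);
}

print "A, all args:   ", log_formatting($format, @args), "\n";
print "A, undef args: ", log_formatting($format, (undef) x 4), "\n";
print "B, all args:   ", log_verbatim($format, @args), "\n";

# Constructed method strings: two valid forms and one without a colon.
for my $method ('inet:127.0.0.1:2345', '127.0.0.1:2345', '/var/run/p0f.sock') {
    my ($host, $port) = eval { parse_hostport($method) };
    my $line = $@ ? "parse failed:  $@"
                  : "parsed:        host=$host port=$port\n";
    print $line;
}
```

In this script only logger B reproduces the literal `%s` seen in the Debian log; undefined arguments produce empty fields, and a failed parse dies before any log line is written.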
