On 28.11.2011 15:22, sean darcy wrote:
> On 11/28/2011 12:37 AM, Dudi Goldenberg wrote:
>> -napt|grep 3310
>
> Thanks for the suggestion, but:
>
> netstat -napt|grep 3310
> tcp        0      0 127.0.0.1:3310     0.0.0.0:*     LISTEN     3270/clamd.clamd-ma
>
> clamav is listening.
>
> Any other thoughts?
>

You may want to check /var/log/clamav/clamav.log (or wherever your clamav logs to). Here are a few representative lines from a working installation:

    Mon Nov 21 11:15:12 2011 -> Accepted connection from 127.0.0.1 on port 1919, fd 10
    Mon Nov 21 11:24:42 2011 -> SelfCheck: Database status OK.
    Mon Nov 21 11:24:42 2011 -> Accepted connection from 127.0.0.1 on port 1795, fd 10
    Mon Nov 21 11:26:49 2011 -> Accepted connection from 127.0.0.1 on port 1111, fd 10
    Mon Nov 21 11:30:42 2011 -> Accepted connection from 127.0.0.1 on port 1734, fd 10
    Mon Nov 21 11:37:24 2011 -> Accepted connection from 127.0.0.1 on port 1767, fd 10
    Mon Nov 21 11:55:48 2011 -> Accepted connection from 127.0.0.1 on port 1124, fd 10
    Mon Nov 21 11:56:53 2011 -> Accepted connection from 127.0.0.1 on port 1803, fd 10
    Mon Nov 21 11:56:58 2011 -> Accepted connection from 127.0.0.1 on port 1210, fd 10
    Mon Nov 21 11:56:58 2011 -> stream(127.0.0.1@1210): Sanesecurity.Phishing.Bank.17009.UNOFFICIAL(dbfbdc668a29117bcd94e683d1cfcba3:11176) FOUND
    Mon Nov 21 12:01:55 2011 -> Accepted connection from 127.0.0.1 on port 1086, fd 10
    Mon Nov 21 12:07:19 2011 -> Accepted connection from 127.0.0.1 on port 1404, fd 10
    Mon Nov 21 12:09:36 2011 -> Accepted connection from 127.0.0.1 on port 1076, fd 10
    Mon Nov 21 12:19:03 2011 -> Reading databases from /var/lib/clamav
    Mon Nov 21 12:19:07 2011 -> Database correctly reloaded (1288744 signatures)

In the worst case, check whether there actually is any communication on port 3310:

    root@bender:~# tcpdump -i lo -nX -s 1000 tcp port 3310
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on lo, link-type EN10MB (Ethernet), capture size 1000 bytes
    15:34:40.649785 IP 127.0.0.1.49063 > 127.0.0.1.3310: Flags [S], seq 4245782264, win 32792, options [mss 16396,sackOK,TS val 1184189240 ecr 0,nop,wscale 7], length 0
            0x0000:  4500 003c 35c0 4000 4006 06fa 7f00 0001  E..<5.@.@.......
            0x0010:  7f00 0001 bfa7 0cee fd11 7ef8 0000 0000  ..........~.....
            0x0020:  a002 8018 b51f 0000 0204 400c 0402 080a  ..........@.....
            0x0030:  4695 4b38 0000 0000 0103 0307            F.K8........
    15:34:40.649835 IP 127.0.0.1.3310 > 127.0.0.1.49063: Flags [S.], seq 4253107702, ack 4245782265, win 32768, options [mss 16396,sackOK,TS val 1184189240 ecr 1184189240,nop,wscale 7], length 0

You don't have to make sense of the output -- but there should be something happening while mail is being virus-checked... otherwise this would indicate that for some reason, dspam is not communicating with clamav.

HTH

Chris

_______________________________________________
Dspam-user mailing list
Dspam-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-user
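
Added example, not part of the message above and not code from the dspam or ClamAV projects: a Python check that automates the log inspection Chris suggests, reporting whether clamd has accepted any connection recently and which detections it logged. The function name, the 30-minute window and the report layout are assumptions; the sample input is copied from the log lines quoted in the message.

```python
import re
from datetime import datetime, timedelta

# Sample input: copied from the clamd log lines quoted in the message above.
SAMPLE_LOG = """\
Mon Nov 21 11:24:42 2011 -> SelfCheck: Database status OK.
Mon Nov 21 11:56:58 2011 -> Accepted connection from 127.0.0.1 on port 1210, fd 10
Mon Nov 21 11:56:58 2011 -> stream(127.0.0.1@1210): Sanesecurity.Phishing.Bank.17009.UNOFFICIAL(dbfbdc668a29117bcd94e683d1cfcba3:11176) FOUND
Mon Nov 21 12:09:36 2011 -> Accepted connection from 127.0.0.1 on port 1076, fd 10
Mon Nov 21 12:19:07 2011 -> Database correctly reloaded (1288744 signatures)
"""

# "<ctime timestamp> -> <message>", the layout shown in the quoted log.
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
ACCEPT = re.compile(r"^Accepted connection from (\S+) on port (\d+)")
# "<source>: <signature>(<md5>:<size>) FOUND"; the (md5:size) suffix is optional.
FOUND = re.compile(r"^(.+): (\S+?)(?:\([0-9a-f]{32}:\d+\))? FOUND$")

def summarize_clamd_log(text, now, window_minutes=30):
    """Count accepted connections, collect detections, and flag the log as
    stale when no client connected within the last window_minutes."""
    accepted, last_accept, detections = 0, None, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not follow the timestamped layout
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if ACCEPT.match(msg):
            accepted += 1
            last_accept = ts if last_accept is None else max(last_accept, ts)
            continue
        hit = FOUND.match(msg)
        if hit:
            detections.append({"time": ts, "source": hit.group(1),
                               "signature": hit.group(2)})
    stale = (last_accept is None
             or now - last_accept > timedelta(minutes=window_minutes))
    return {"accepted": accepted, "last_accept": last_accept,
            "detections": detections, "stale": stale}

if __name__ == "__main__":
    # In production, read the real log file and pass datetime.now() instead.
    report = summarize_clamd_log(SAMPLE_LOG, now=datetime(2011, 11, 21, 12, 20))
    print(report)
```

A `stale` result of `True` on a host that is processing mail corresponds to the condition the message describes: nothing is reaching clamd, so dspam is not handing messages to it.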