Bite me. Try reading docs/FAQ - the sections about support:

  Q. I posted to the list and nobody answered me.
  A. ntop is open source, and the lists are a community resource. If nobody
     answered your question, then nobody knew the answers off-hand and nobody
     wanted to spend THEIR time solving YOUR problem.

  Q. Do you offer paid support?
  A. Yes - contact us through http://www.ntop.org/consultancy.html

And:

  RESPONSES
  =========

  Despite any individual's frequent postings, nobody is "responsible" for
  answering your question. It's all on a "best efforts" basis. This is equally
  true of the entries in ntop's Wiki. Our responses may be incomplete,
  inaccurate, even dead wrong. Caveat Emptor! The only "guarantee" is that free
  support will be worth what you've paid for it. It may be worth MORE, it won't
  be worth LESS.

  Just because you post a question does NOT mean that you are OWED an answer.
  If nobody answers, then maybe it's because:

    * Nobody knows.
    * People are busy.
    * You've asked the same question multiple times and it's already been
      answered.
    * You have been asked for additional information and are unable/unwilling
      to supply it.

  or, well, any one of a dozen other reasons.

  Asking the same question multiple times - or asking it again because you
  don't like the answer you received - is a slap in the face of the person who
  took the time to answer you in the first place and will more than likely not
  get a different response. If you're not sure that your message posted, check
  the archives to see if your message is there -- please don't just keep
  reposting it. You can always use gmane (http://www.gmane.org) to see the last
  600 or so postings to the lists.

  Please direct all original postings and subsequent replies to the list, not
  to someone privately. Most of us will reply solely to the mailing list,
  unless you specifically request otherwise. If you do request otherwise, the
  individual you sent it to may choose not to respond. Our posting here is NOT
  a public invitation to invade our e-mail boxes for your free private support.

Or you could get off your butt and try helping yourself - looking for that
message in the source finds this in sessions.c:

  /* This is a brand new session: let's check whether this is not a faked
     session (i.e. a known protocol is running at an unknown port) */
  ...
  } else if(((sport == IP_TCP_PORT_FTP) || (sport == IP_TCP_PORT_SMTP))
            && (!isInitialFtpData(tmpStr))) {
    if(myGlobals.runningPref.enableSuspiciousPacketDump) {
      traceEvent(CONST_TRACE_WARNING,
                 "Unknown protocol (no FTP/SMTP) detected (trojan?) "
                 "at port %d %s:%d -> %s:%d [%s]",
                 sport,
                 dstHost->hostResolvedName, dport,
                 srcHost->hostResolvedName, sport,
                 tmpStr);
      dumpSuspiciousPacket(actualDeviceId);
    }

where isInitialFtpData() is in traffic.c:

  int isInitialFtpData(char* packetData) {
    /* 220 linux.local FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.16) ready. */
    if((strncmp(packetData, "220 ", 4) == 0)
       || (strncmp(packetData, "530", 3) == 0))
      return(1);
    else
      return(0);
  }

So, ntop found a packet which was sent to port 21 or 25 and yet didn't look
like an SMTP reply. And issued a warning... Could be a bug, could be the data,
could be a false positive. It is way better to cry wolf a few times instead of
missing the sky falling - that's why we issue WARNINGS - so people will look at
their data and maybe catch a bad guy. Or determine it's a false positive.

Get over it...

Actually, if you look at the RFC, http://www.faqs.org/rfcs/rfc821.html,
specifically section 4.2.1. REPLY CODES BY FUNCTION GROUPS, the bug is AOL's,
because the 220 message is followed by a space, not a -.

  220 <domain> Service ready

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Lay
Sent: Monday, November 28, 2005 3:46 PM
To: Ntop
Subject: [Ntop] 3rd time's a charm

So I've put this to the list twice... this will be the 3rd and final time I
submit this. I think this is a bug in ntop. Below is the result of postfix on
this box emailing someone at AOL:

  Nov 28 14:42:10 homebox ntop[12396]: **WARNING** Unknown protocol (no FTP/SMTP) detected (trojan?) at port 25 www.slave-tothe-box.net:33387 -> mailin-04.mx.aol.com:25 [220-rly-yh02.mx.aol.com ESMTP mail_relay_in-yh2.7; Mon, 28 Nov 2005 16:42:07 -0500^M 220-America Online (AOL) and its affiliated companies do not^M 220- authorize the use of its proprietary computers and computer^M 220- networks to accept, transmit, ]

Two points:

  1. This is on port 25, yet ntop says no SMTP.
  2. This is a simple MOTD-type message that ntop should really be aware of.

Anywhere else I can send this to? Apparently nobody on this list is a
developer or cares about this =D

Thanks people.

James

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
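An added example, not ntop's code and not part of either message above: the check below parses the reply grammar that RFC 821 section 4.2.1 (and RFC 5321 section 4.2.1) lay down, where every line of a multiline reply but the last begins with the code followed by a hyphen and the last line begins with the code followed by a space. Run over the AOL greeting James quotes, it classifies the payload as a well-formed multiline reply that the capture cut off before its final line, where the strncmp() heuristic quoted from traffic.c reports no SMTP at all. The sample banners are constructed; the AOL text is reconstructed from the log line with its ^M marks expanded to CRLF and truncated where the log truncates. The function and constant names are mine, not ntop's.

```c
/* Added example (not ntop's code): a banner check that understands RFC 821
 * multiline replies, for comparison with the strncmp() heuristic in traffic.c.
 *
 * RFC 821 / RFC 5321 section 4.2.1 define a reply as
 *     code SP text CRLF                           (single line)
 *     code "-" text CRLF ... code SP text CRLF    (multiline)
 * so a greeting that begins "220-" is well-formed, not a protocol violation. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum banner_kind {
    BANNER_NOT_REPLY  = 0,  /* bytes do not look like an FTP/SMTP reply */
    BANNER_COMPLETE   = 1,  /* complete reply: the final (SP) line is present */
    BANNER_INCOMPLETE = 2   /* well-formed so far; payload ends before the final line */
};

/* Parse one reply line at *p. Returns 1 and advances *p past the LF on success,
 * 0 if the bytes are not a reply line, -1 if the line is well-formed but the
 * payload ends before its terminator (typical of a capture snaplen cut). */
static int parse_reply_line(const char **p, const char *end, int *code, int *cont)
{
    const char *s = *p;

    /* three digits plus a separator; first digit 1-5 per the RFC reply classes */
    if (end - s < 4 || s[0] < '1' || s[0] > '5' ||
        !isdigit((unsigned char)s[1]) || !isdigit((unsigned char)s[2]))
        return 0;
    *code = (s[0] - '0') * 100 + (s[1] - '0') * 10 + (s[2] - '0');
    s += 3;
    if (*s == '-')
        *cont = 1;                          /* continuation line */
    else if (*s == ' ' || *s == '\r' || *s == '\n')
        *cont = 0;                          /* final (or only) line */
    else
        return 0;
    /* reply text is printable ASCII up to the CRLF terminator */
    for (; s < end && *s != '\n'; s++)
        if (*s != '\r' && !isprint((unsigned char)*s))
            return 0;
    if (s == end)
        return -1;                          /* no LF: line cut off by the capture */
    *p = s + 1;
    return 1;
}

/* Classify the server-to-client payload of a fresh port 21/25 session. All
 * lines of one reply must carry the same code (RFC 5321 section 4.2.1). */
enum banner_kind classify_reply_banner(const char *data, size_t len)
{
    const char *p = data, *end = data + len;
    int first_code = -1, code = 0, cont = 0;

    for (;;) {
        int r = parse_reply_line(&p, end, &code, &cont);
        if (r == 0)
            return BANNER_NOT_REPLY;
        if (r < 0)
            return BANNER_INCOMPLETE;       /* digits, separator and text were valid */
        if (first_code < 0)
            first_code = code;
        else if (code != first_code)
            return BANNER_NOT_REPLY;
        if (!cont)
            return BANNER_COMPLETE;
        if (p == end)
            return BANNER_INCOMPLETE;       /* continuation seen, final line not yet here */
    }
}

/* The heuristic quoted from ntop's traffic.c, kept only for comparison. */
int legacy_isInitialFtpData(const char *packetData)
{
    return strncmp(packetData, "220 ", 4) == 0 || strncmp(packetData, "530", 3) == 0;
}

/* Constructed samples. AOL_GREETING is the banner from the log line in the
 * thread, ^M expanded to CRLF, cut off where the log cuts off. */
const char AOL_GREETING[] =
    "220-rly-yh02.mx.aol.com ESMTP mail_relay_in-yh2.7; Mon, 28 Nov 2005 16:42:07 -0500\r\n"
    "220-America Online (AOL) and its affiliated companies do not\r\n"
    "220- authorize the use of its proprietary computers and computer\r\n"
    "220- networks to accept, transmit, ";
const char FTP_GREETING[] =
    "220 linux.local FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.16) ready.\r\n";
const char MIXED_CODES[] = "220-hello\r\n250 not the same reply\r\n";
const char NOT_SMTP[]    = "GET / HTTP/1.0\r\n";

int main(void)
{
    const char *names[] = { "not a reply", "complete", "incomplete" };
    const char *samples[] = { AOL_GREETING, FTP_GREETING, MIXED_CODES, NOT_SMTP };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum banner_kind k = classify_reply_banner(samples[i], strlen(samples[i]));
        printf("legacy=%d rfc=%-12s %.40s\n",
               legacy_isInitialFtpData(samples[i]), names[k], samples[i]);
    }
    return 0;
}
```

The point of the three-way result is operational: a hook like the sessions.c check above can keep warning on BANNER_NOT_REPLY, stay quiet on BANNER_COMPLETE, and treat BANNER_INCOMPLETE as "look at the next segment before deciding", which is what a multiline greeting split across the capture boundary needs.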
