Are you using it right?

p0f -l 'dst host 1.2.3.4 and tcp dst port 25' 2>&1 | p0f-analyzer.pl 2345

Cheers,
Henrik

On Tue, Jan 09, 2007 at 04:12:01AM -0500, Justin Piszcz wrote:
> It is an excellent patch, however there is a problem with p0f-analyzer.
> 
> top - 04:36:22 up 14:34, 127 users,  load average: 1.00, 1.00, 1.00
> Tasks: 408 total,   2 running, 404 sleeping,   2 stopped,   0 zombie
> Cpu(s): 43.4%us, 15.4%sy,  0.1%ni, 35.8%id,  5.0%wa,  0.1%hi,  0.1%si,  0.0%st
> Mem:   3896000k total,  1969832k used,  1926168k free,        0k buffers
> Swap:  8393920k total,       80k used,  8393840k free,   981784k cached
> 
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>   959 root      25   0  4676 2492 1760 R   99  0.1 871:05.39 p0f-analyzer.pl
> 
> It has been chewing CPU for a while, this script has bugs :(
> 
> A strace reveals:
> 
> select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> time(NULL)                              = 1168162563
> read(0, "", 1024)                       = 0
> select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> time(NULL)                              = 1168162563
> read(0, "", 1024)                       = 0
> select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> time(NULL)                              = 1168162563
> read(0, "", 1024)                       = 0
> select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> time(NULL)                              = 1168162563
> read(0, "", 1024)                       = 0
> select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> time(NULL)                              = 1168162563
> read(0, "", 1024)                       = 0
> select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> time(NULL)                              = 1168162563
> read(0, "", 1024)                       = 0
> select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> time(NULL)                              = 1168162563
> read(0, "", 1024)                       = 0
> select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> 
> 
> On Tue, 9 Jan 2007, Robert Felber wrote:
> 
> > On Wed, Jan 03, 2007 at 04:13:03PM +0200, Henrik Krohns wrote:
> > > 
> > > Hi, I whipped up a patch for policyd-weight-devel.
> > > 
> > > It adds p0f scoring support and greylisting (to be exact, user defined
> > > postfix action) by some rules.
> > 
> > Thanks. Looks very interesting. I will dive in.
> > 
> > 
> > -- 
> >     Robert Felber (PGP: 896CF30B)
> >     Munich, Germany
> > 
> > ____________________________________________________________
> > Policyd-weight Mailinglist - http://www.policyd-weight.org/
> > 
> 

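The strace quoted above shows select() reporting fd 0 readable and read() returning 0 again and again, which is what a select loop does when it keeps polling a handle that has reached end of input. A Perl select loop that handles that case, as an added example (not code from p0f-analyzer.pl or from the patch; `run_loop`, the callback and the pipe standing in for p0f's output on stdin are assumptions):

```perl
#!/usr/bin/perl
# Added example: select loop that stops polling a handle once it hits EOF.
use strict;
use warnings;
use IO::Select;

# Read from every handle in @handles until all of them have reached EOF.
# $on_data is called with (handle, chunk) for each successful read.
# Returns the number of handles that were dropped because of EOF.
sub run_loop {
    my ($on_data, @handles) = @_;
    my $sel      = IO::Select->new(@handles);
    my $eof_seen = 0;
    while ($sel->count) {
        for my $fh ($sel->can_read) {
            my $n = sysread($fh, my $buf, 1024);
            if (!defined $n) {
                next if $!{EINTR} || $!{EAGAIN};    # transient, try again
                warn "read error: $!\n";
                $sel->remove($fh);
            }
            elsif ($n == 0) {
                # EOF: select() reports this handle readable forever, so it
                # has to leave the set or the loop spins at 100% CPU.
                $sel->remove($fh);
                $eof_seen++;
            }
            else {
                $on_data->($fh, $buf);
            }
        }
    }
    return $eof_seen;
}

# Constructed input: a pipe standing in for the p0f output on stdin.
pipe(my $rd, my $wr) or die "pipe: $!";
print {$wr} "constructed line 1\nconstructed line 2\n";
close $wr;    # writer goes away, reader sees EOF as in the strace

my $bytes = 0;
my $eofs  = run_loop(sub { $bytes += length $_[1] }, $rd);
print "read $bytes bytes, $eofs handle(s) dropped at EOF\n";
```

A long-running daemon would normally log the EOF on its input and exit or restart the feeder at that point, rather than just dropping the handle.
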