p0f
Christian Rößner
c at roessner-network-solutions.com
Mon Sep 12 10:37:05 CEST 2016
> On 11.09.2016 at 15:40, Benny Pedersen <me at junc.eu> wrote:
>
> On 2016-09-11 10:21, Christian Rößner wrote:
>
>> p0f -i eth0 -u p0f "not src net x.x.x.x/x and port 25" 2>&1 |
>> p0f-analyzer.pl 50000 &
>
> Is your pcap filter here cutting IPv6?
>
> Make it dual-stack: don't filter on specific IPs, just on port 25.
>
> If it's not that, I don't know why.
p0f works. So the question is why amavisd-new does not care about it.
p0f -i eth0 -u p0f -o /var/log/p0f.log "tcp dst port 25 and (dst host 134.255.226.247 or dst host 2a05:bec0::134:255:226:247)"
--- p0f 3.07b by Michal Zalewski <lcamtuf at coredump.cx> ---
[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from '/etc/p0f.fp'.
[+] Intercepting traffic on interface 'eth0'.
[+] Custom filtering rule enabled: tcp dst port 25 and (dst host 134.255.226.247 or dst host 2a05:bec0::134:255:226:247) [+VLAN]
[+] Log file '/var/log/p0f.log' opened for writing.
[+] Privileges dropped: uid 995, gid 981, root '/var/p0f'.
[+] Entered main event loop.
.-[ x.x.x.x/34813 -> 134.255.226.247/25 (syn) ]-
|
| client = x.x.x.x/34813
| os = Linux 2.2.x
| dist = 6
| params = none
| raw_sig = 4:58+6:0:1460:mss*20,0:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ x.x.x.x/34813 -> 134.255.226.247/25 (mtu) ]-
|
| client = x.x.x.x/34813
| link = Ethernet or modem
| raw_mtu = 1500
|
`----
For Gentoo, I started it the easy way:
/etc/local.d/p0f.start:
----------------------------
#!/bin/bash
cd /tmp
# Fingerprint inbound SMTP (IPv4 and IPv6 address of this host); stdout and
# stderr go to p0f-analyzer.pl, which answers amavisd-new on UDP port 50000.
p0f -i eth0 -u p0f -o /var/log/p0f.log "tcp dst port 25 and (dst host 134.255.226.247 or dst host 2a05:bec0::134:255:226:247)" 2>&1 | p0f-analyzer.pl 50000 &
exit 0
----------------------------
When I send a test mail, the log shows that p0f was called from amavisd-new.
Any other ideas, please :-)
Thanks in advance
Christian
--
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, https://www.roessner-network-solutions.com
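The blocks p0f 3.x prints to stdout (the `.-[ src/port -> dst/port (mode) ]-` records quoted above) are what p0f-analyzer.pl consumes before answering amavisd-new. As an added example, not part of the post and not code from p0f or amavisd-new, here is a small Python parser for that format together with two checks a practitioner debugging this setup would want: the OS guess per client address, and which address families have actually been seen on port 25, which is the dual-stack point raised in the reply. The sample input is constructed from the output in the post plus one invented IPv6 block; the client addresses 198.51.100.7 and 2001:db8::10 are documentation addresses, not real hosts.

```python
"""Parse p0f 3.x stdout records and summarise them per client.

Added example (not from the original post, p0f or amavisd-new).
"""
import re

# Constructed sample: banner lines as p0f prints them on start-up, two IPv4
# blocks mirroring the post, and one invented IPv6 block so the dual-stack
# case is covered. Addresses are RFC 5737 / RFC 3849 documentation ranges.
SAMPLE = """\
[+] Loaded 320 signatures from '/etc/p0f.fp'.
[+] Entered main event loop.
.-[ 198.51.100.7/34813 -> 134.255.226.247/25 (syn) ]-
|
| client   = 198.51.100.7/34813
| os       = Linux 2.2.x
| dist     = 6
| params   = none
| raw_sig  = 4:58+6:0:1460:mss*20,0:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ 198.51.100.7/34813 -> 134.255.226.247/25 (mtu) ]-
|
| client   = 198.51.100.7/34813
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----
.-[ 2001:db8::10/51002 -> 2a05:bec0::134:255:226:247/25 (syn) ]-
|
| client   = 2001:db8::10/51002
| os       = Linux 3.x
| dist     = 9
| params   = none
| raw_sig  = 6:55+9:0:1440:mss*20,7:mss,sok,ts,nop,ws::0
|
`----
"""

# Record header: ".-[ <src>/<sport> -> <dst>/<dport> (<mode>) ]-".
# <mode> may contain a space (p0f prints "host change"), hence [^)]+.
HEADER_RE = re.compile(
    r"^\.-\[ (?P<src>\S+)/(?P<sport>\d+) -> (?P<dst>\S+)/(?P<dport>\d+)"
    r" \((?P<mode>[^)]+)\) \]-$"
)
# Field line: "| key   = value" (column alignment varies, so \s+).
FIELD_RE = re.compile(r"^\| (?P<key>\w+)\s+= (?P<val>.*)$")


def parse_p0f_output(text):
    """Return a list of records, one per '.-[ ... ]-' block.

    Each record is a dict with src, sport, dst, dport, mode and a 'fields'
    dict holding the '| key = value' lines. Banner '[+]' lines and any
    text outside a block are ignored.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = {
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "mode": m["mode"], "fields": {},
            }
            continue
        if current is None:
            continue
        if line.startswith("`----"):          # block terminator
            records.append(current)
            current = None
            continue
        m = FIELD_RE.match(line)
        if m:
            current["fields"][m["key"]] = m["val"]
    return records


def os_by_client(records):
    """Client address -> OS guess, taken from (syn) blocks only.

    A later block for the same address overwrites an earlier one, so a
    reconnecting host is reported with its most recent guess.
    """
    out = {}
    for r in records:
        if r["mode"] == "syn" and "os" in r["fields"]:
            out[r["src"]] = r["fields"]["os"]
    return out


def families_seen(records, dport=25):
    """Set of address families ('ipv4'/'ipv6') observed towards dport.

    An empty set or a single family is the quick way to tell whether the
    BPF filter handed to p0f is actually letting both stacks through.
    """
    return {
        "ipv6" if ":" in r["dst"] else "ipv4"
        for r in records if r["dport"] == dport
    }


if __name__ == "__main__":
    recs = parse_p0f_output(SAMPLE)
    print("records:", len(recs))
    print("os by client:", os_by_client(recs))
    print("families on port 25:", families_seen(recs))
```

Two caveats. The `-o` log file uses a different, one-line-per-event format (`mod=...|cli=...|srv=...`), so this parser is for the stdout stream only, the one p0f-analyzer.pl reads. And on the amavisd-new side the UDP port in `$os_fingerprint_method` must match the port p0f-analyzer.pl is started with (50000 here; the amavisd-new default is `p0f:*:2345`), which is worth confirming before looking further.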