Thread: verify whether p0f is working - howto

verify whether p0f is working - howto
Germany, 2007-03-29 08:40:50

Hello,

today I started to look a bit deeper into p0f(1) and p0f-analyzer.pl.
Now I expected amavisd to output either some logging or some
X-Amavis-OS-Fingerprint header. But - nothing.

+--------
| # file amavisd.conf:
| $os_fingerprint_method = 'p0f:127.0.0.1:2345';
| $log_level = 5;
+--------

(if I change log_level I get different outputs, which tells me I am
modifying the right config file)

+-------
| [robtone fpsvr1z150:~]# nc -u localhost 2345
| 211.187.225.233 1234
| 211.187.225.233 1234
| Windows XP SP1+, 2000 SP3, (distance 15, link: ethernet/modem)
+-------

means: p0f daemon works, p0f-analyzer.pl, too

+-------
| [root fpsvr1z150:/home/robtone]# grep -i "(p0f|fingepr|2345)" /var/log/debug.log /var/log/maillog /var/log/messages
| [root fpsvr1z150:/home/robtone]#
+-------

I have no %allowed_added_header_fields defined in my config.
I have no messages flagged with the header, nor anything in the log.
How do I determine whether and when amavis uses the passive
OS fingerprinting?
How do I enforce it?
--
Robert Felber (PGP: 896CF30B)
Munich, Germany
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/

Re: verify whether p0f is working - howto
Germany, 2007-03-29 08:50:37

On Thu, Mar 29, 2007 at 03:40:27PM +0200, Robert Felber wrote:
> Hello,
>
> today I started to look a bit deeper into p0f(1) and p0f-analyzer.pl.
> Now I expected amavisd to output either some logging or some
> X-Amavis-OS-Fingerprint header. But - nothing.
>
> +--------
> | # file amavisd.conf:
> | $os_fingerprint_method = 'p0f:127.0.0.1:2345';
> | $log_level = 5;
> +--------
>
> (if I change log_level I get different outputs, which tells me I am
> modifying the right config file)
>
> +-------
> | [robtone fpsvr1z150:~]# nc -u localhost 2345
> | 211.187.225.233 1234
> | 211.187.225.233 1234
> | Windows XP SP1+, 2000 SP3, (distance 15, link: ethernet/modem)
> +-------
>
> means: p0f daemon works, p0f-analyzer.pl, too
>
> +-------
> | [root fpsvr1z150:/home/robtone]# grep -i "(p0f|fingepr|2345)" /var/log/debug.log /var/log/maillog /var/log/messages
> | [root fpsvr1z150:/home/robtone]#
> +-------
>
> I have no %allowed_added_header_fields defined in my config.
> I have no messages flagged with the header, nor anything in the log.
> How do I determine whether and when amavis uses the passive OS fingerprinting?
> How do I enforce it?

My grep line was wrong:

+--------
| [root fpsvr1z150:/home/robtone]# grep -i "(p0f|fingerpr|2345)" /var/log/debug.log /var/log/maillog /var/log/messages
| /var/log/maillog:Mar 29 10:00:50 fpsvr1z150 amavis[74994]: OS_Fingerprint code loaded
| /var/log/maillog:Mar 29 11:22:59 fpsvr1z150 amavis[91929]: OS_Fingerprint code loaded
| /var/log/messages:Mar 29 10:00:50 fpsvr1z150 amavis[74994]: OS_Fingerprint code loaded
| /var/log/messages:Mar 29 11:22:59 fpsvr1z150 amavis[91929]: OS_Fingerprint code loaded
+---------

Yet, only that the code was loaded is logged; I get no messages flagged, nor
any signs of p0f operation.
So my questions remain.
--
Robert Felber (PGP: 896CF30B)
Munich, Germany

Re: verify whether p0f is working - howto
Slovenia, 2007-03-29 09:43:19

Robert,

> today I started to look a bit deeper into p0f(1) and p0f-analyzer.pl.
> Now I expected amavisd to output either some logging or some
> X-Amavis-OS-Fingerprint header. But - nothing.
[...]
> Yet, only that the code was loaded is logged, I get no messages flagged,
> nor any signs of p0f operation.

Does Postfix receive the client's IP address via XFORWARD?
Is mynetworks_maps configured correctly?
Which version of amavisd-new?

amavisd-new-2.4.3 release notes:

- insert X-Amavis-OS-Fingerprint header field (if available) into a passed
  message to local recipients (not just to a message copy submitted to
  SpamAssassin for checking); suggested by Jeff Noxon;

amavisd-new-2.4.0 release notes:

* preconditions are: $os_fingerprint_method must be configured, the
  p0f-analyzer.pl process must be running, and amavisd must be receiving
  client IP address information from MTA, which in a Postfix case means
  the XFORWARD protocol extension to SMTP must be enabled in the Postfix
  service feeding mail to amavisd, e.g. "-o smtp_send_xforward_command=yes",
  or in a sendmail/milter setup the more sophisticated AM.PDP protocol
  must be used;

At log level 2 you could search for 'OS_fingerprint:'.
At higher log levels there are also entries matching the 'Fingerprint' string.

  Mark

Re: verify whether p0f is working - howto
Germany, 2007-03-29 09:53:51

On Thu, Mar 29, 2007 at 04:42:56PM +0200, Mark Martinec wrote:
> Robert,
>
> > today I started to look a bit deeper into p0f(1) and p0f-analyzer.pl.
> > Now I expected amavisd to output either some logging or some
> > X-Amavis-OS-Fingerprint header. But - nothing.
> [...]
> > Yet, only that the code was loaded is logged, I get no messages flagged,
> > nor any signs of p0f operation.
>
> Does Postfix receive client's IP address via XFORWARD?

Was not the case; have added

+--------
| smtp_amavis unix - - y - 3 smtp
|     -o smtp_data_done_timeout=1200
|     -o disable_dns_lookups=yes
|     -o smtp_send_xforward_command=yes
+--------

just before I read your reply, and I have seen some success.

> Is mynetworks_maps configured correctly?

It's not configured at all.
Will do. (I don't know from which version my config file originates.)

> Which version of amavisd-new?

amavisd-new-2.4.5_1,1 (sorry for not mentioning)

--
Robert Felber (PGP: 896CF30B)
Munich, Germany
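Mark's list of preconditions and Robert's master.cf change lend themselves to an offline check. The script below is an added example, not code from this thread or from amavisd-new: it parses a Postfix master.cf fragment to confirm that the service feeding amavisd carries "-o smtp_send_xforward_command=yes", and it scans maillog lines for the two markers Mark names ('OS_Fingerprint code loaded' as opposed to 'OS_fingerprint:'), so that Robert's situation (code loaded, no lookups ever made) is told apart from a working setup. The master.cf fragments are constructed, the service name smtp_amavis is taken from Robert's post, the 203.0.113.5 address and the log line containing 'OS_fingerprint:' are constructed stand-ins, and amavisd's real per-message log format is not reproduced beyond that tag.

```python
"""Offline check of the p0f/XFORWARD preconditions discussed in the thread.

Added example, not part of the thread or of amavisd-new.  Sample inputs are
constructed; only the 'OS_Fingerprint code loaded' lines and the
'OS_fingerprint:' marker come from the messages above.
"""
import re
from typing import Dict, List

# Constructed master.cf fragment.  Assumption: "smtp_amavis" is the Postfix
# service that feeds mail to amavisd (the name Robert used).
MASTER_CF_BEFORE = """\
smtp        inet  n       -       n       -       -       smtpd
smtp_amavis unix  -       -       y       -       3       smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
"""
# Same fragment with the override the 2.4.0 release notes call for.
MASTER_CF_AFTER = MASTER_CF_BEFORE + "    -o smtp_send_xforward_command=yes\n"

# Constructed maillog excerpts.  The first two lines mirror the thread; the
# third is invented to stand for a completed lookup and does NOT reproduce
# amavisd's real per-message log format beyond the 'OS_fingerprint:' tag.
LOG_LOADED_ONLY = [
    "Mar 29 10:00:50 fpsvr1z150 amavis[74994]: OS_Fingerprint code loaded",
    "Mar 29 11:22:59 fpsvr1z150 amavis[91929]: OS_Fingerprint code loaded",
]
LOG_WITH_LOOKUP = LOG_LOADED_ONLY + [
    "Mar 29 11:30:12 fpsvr1z150 amavis[91929]: (91929-01) OS_fingerprint: "
    "203.0.113.5 Windows XP SP1+, 2000 SP3 (constructed sample)",
]


def parse_master_cf(text: str) -> Dict[str, List[str]]:
    """Map each master.cf service name to its continuation ("-o ...") lines.

    A service entry starts in column 0; lines that begin with whitespace
    continue the previous entry.  Blank lines and comments are ignored.
    """
    services: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is not None:
                services[current].append(line.strip())
            continue
        current = line.split()[0]
        services[current] = []
    return services


def xforward_enabled(master_cf: str, service: str) -> bool:
    """True when `service` overrides smtp_send_xforward_command to yes."""
    for opt in parse_master_cf(master_cf).get(service, []):
        m = re.match(r"-o\s*smtp_send_xforward_command\s*=\s*(\S+)$", opt)
        if m and m.group(1).lower() == "yes":
            return True
    return False


def p0f_status(log_lines: List[str]) -> str:
    """What the log proves about p0f: 'working', 'loaded-only' or 'absent'."""
    if any("OS_fingerprint:" in line for line in log_lines):
        return "working"          # amavisd actually queried p0f-analyzer.pl
    if any("OS_Fingerprint code loaded" in line for line in log_lines):
        return "loaded-only"      # Robert's situation: code present, never used
    return "absent"


def diagnose(master_cf: str, service: str, log_lines: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    status = p0f_status(log_lines)
    if status == "absent":
        findings.append("no 'OS_Fingerprint code loaded' entry: "
                        "check $os_fingerprint_method in amavisd.conf")
    if not xforward_enabled(master_cf, service):
        findings.append(
            f"service '{service}' lacks -o smtp_send_xforward_command=yes, "
            "so amavisd never learns the client IP and never queries p0f")
    if status == "loaded-only" and not findings:
        findings.append("code loaded but no 'OS_fingerprint:' entries yet: "
                        "keep $log_level >= 2 and wait for mail that carries "
                        "a client IP")
    return findings


if __name__ == "__main__":
    for label, cf, log in (("before", MASTER_CF_BEFORE, LOG_LOADED_ONLY),
                           ("after", MASTER_CF_AFTER, LOG_WITH_LOOKUP)):
        print(label, p0f_status(log), diagnose(cf, "smtp_amavis", log) or "OK")
```

Run it against a copy of the real master.cf and a maillog excerpt by replacing the constructed constants; the point of keeping the two checks separate is that 'OS_Fingerprint code loaded' only proves $os_fingerprint_method parsed, while the absence of any 'OS_fingerprint:' line together with a missing XFORWARD override is exactly the combination Robert hit.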