> -----Original Message-----
> From: Vincent Li [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 6 March 2007 19:22
> To: Giampaolo Tomassoni
> Cc: amavis-user@lists.sourceforge.net
> Subject: RE: [AMaViS-user] Why p0f-analyzer.pl?
> 
> On Thu, 15 Feb 2007, Giampaolo Tomassoni wrote:
> 
> > From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] Behalf Of Vincent
> >>
> >> On Fri, 26 Jan 2007, Giampaolo Tomassoni wrote:
> >>
> >>> Why does the p0f-analyzer.pl script exist?
> >>>
> >>> I see that the p0f tool is capable of caching a specified
> >>> amount of requests, and then replying to queries issued through a unix
> >>> socket.
> >>>
> >>> This is in native C-language, which often means reduced size and
> >>> increased performance with respect to perl's p0f-analyzer.pl.
> >>>
> >>> Giampaolo.
> >>
> >> If I understand correctly, when you are running p0f with the -Q (unix
> >> socket) option, there is no easy way to get the tcp source port and put
> >> it in the query packets to get the correct cached result. I don't know
> >> if there is an MTA or smtp implementation that caches the smtp client's
> >> tcp source port.
> >
> > There is something new in p0f-2.0.8: the source port can be
> > "wildcarded" using the value 0.
> >
> > p0f has to be run with the '-0' flag to enable this mode.
> >
> > A new SA p0f plugin "personality" could be worked out in order to bypass
> > p0f-analyzer.pl.
> >
> > Is anybody working on this?
> >
> > Cheers,
> >
> > Giampaolo
> >
> 
> Hi Giampaolo,
> 
> I have made a SpamAssassin plugin to query a local stream socket when
> running p0f with the -Q option.
> 
> The limitation is that SA and Amavisd-new have to run on the MX server,
> because p0f can only listen on a local stream socket, unlike
> p0f-analyzer, which can listen on a UDP socket.
> 
> You can check the tarball from here:
> 
> http://bl0g.blogdns.com/code2007/sa-p0f-plugin.tar
> 
> Cheers,
> 
> Vincent

Thank you Vincent. I figured this out some days ago. The fact is that a perl
broker seems pretty useless to me, since the p0f team is pretty open to
suggestions and patch submissions.

I'm working on a udp-based version of p0f's query interface (among other
things, it has to deal with client and server mismatches in word endianness,
which is not needed when using Unix sockets), but I can't really devote the
time I wish to it. When, sometime in the future, I am able to submit my
patch to p0f, would you be interested in being notified about it and
eventually figuring out how to adapt the actual SA plugin to the new
protocol? I can't simply adapt the p0f protocol to the p0f-analyzer.pl one,
since the latter is too specific to amavis's needs.

Thanks again,

Giampaolo


> http://bl0g.blogdns.com



_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/