> Giampaolo,
> 
> > 1) it could consume even less cpu and memory;
> > 2) using a pipe to vector data to the p0f-analyzer.pl is an ugly
> > technique
> [...]
> 
> I have nothing against extending p0f to satisfy queries with missing
> port numbers, actually I'm very happy someone decided to do this eventually.
> 
> Writing p0f-analyzer.pl was just my quick solution to an immediate problem.

I know. And it works, too.


> If p0f will provide an UDP-based query protocol (or some other
> mechanism to be able to answer queries from a remote host) and be able to
> supply the information, I can easily adjust client code in amavisd-new to
> take advantage of it.

Great, thank you.


> I chose UDP because it is very lightweight and does
> not require making up and tearing down sessions, or keeping evidence
> of clients in the server's IP stack. A potential packet loss is not
> serious, and is rare on the same LAN.

I'm heading toward the very same direction, Mark. Also, clients issuing a
query to p0f are often inside the same LAN boundaries in which the server
lies (if not running in the very same node) and the kind of data gathered
and eventually replied by p0f are not that security-sensitive. Therefore, a
simple UDP-based client/server protocol is a perfect choice to me.


> > > Make sure to consider IPv6 addresses in new development work.
> > Actually, p0f is not designed to sample any activity on the IPv6 stack
> 
> I know, and that is quite unfortunate, as we are missing p0f info on
> mail that arrives over IPv6.  I just wanted to put you in the right
> direction when devising a protocol, so that it won't need to be changed
> when p0f eventually starts supporting snooping on IPv6. Hint, hint...

Mmmh... I see. Unfortunately, I guess there are some difficulties in
designing a "stable" IPv4+6 query protocol: apart from different address
sizes, there is too much further data available in an IPv6 packet that may
(unpredictably to me) influence the structure of a response packet.

Giampaolo


> > It will be dst-address/dst-port/src-address/src-port/nonce.
> > Wildcards can be applied to the src-port field.
> 
> Perfect.
> 
>   Mark
> 


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
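To make the protocol sketch from this thread concrete (dst-address/dst-port/src-address/src-port/nonce, src-port wildcard, one layout for IPv4 and IPv6), here is an added example written for this page; it is not p0f's or amavisd-new's code, and the wire layout, the family byte and the reply format are my own assumptions.

```python
import os
import socket
import struct

# Assumed wire layout (an illustration for this thread, not p0f's real protocol):
#   family(1) | dst_addr(16) | dst_port(2) | src_addr(16) | src_port(2) | nonce(8)
# IPv4 addresses fill the first 4 bytes of each 16-byte field, so one fixed
# packet size serves both address families.  src_port 0 is the wildcard.
QUERY_FMT = "!B16sH16sH8s"
QUERY_LEN = struct.calcsize(QUERY_FMT)  # 45 bytes
SRC_PORT_ANY = 0

def pack_addr(text):
    # Return (family, 16-byte padded address) for an IPv4 or IPv6 literal.
    try:
        return 4, socket.inet_pton(socket.AF_INET, text).ljust(16, b"\0")
    except OSError:
        return 6, socket.inet_pton(socket.AF_INET6, text)

def build_query(dst, dst_port, src, src_port=SRC_PORT_ANY, nonce=None):
    fam_d, d = pack_addr(dst)
    fam_s, s = pack_addr(src)
    if fam_d != fam_s:
        raise ValueError("mixed address families in one query")
    nonce = os.urandom(8) if nonce is None else nonce
    return struct.pack(QUERY_FMT, fam_d, d, dst_port, s, src_port, nonce)

def parse_query(data):
    if len(data) != QUERY_LEN:
        raise ValueError("bad query length %d" % len(data))
    fam, d, dport, s, sport, nonce = struct.unpack(QUERY_FMT, data)
    if fam not in (4, 6):
        raise ValueError("unknown address family %d" % fam)
    af, n = (socket.AF_INET, 4) if fam == 4 else (socket.AF_INET6, 16)
    return {"dst": socket.inet_ntop(af, d[:n]), "dst_port": dport,
            "src": socket.inet_ntop(af, s[:n]), "src_port": sport, "nonce": nonce}

def answer(query, table):
    # Server side: match (src, src_port, dst, dst_port) -> OS label, honouring the
    # src-port wildcard, and echo the nonce so the client can pair the reply.
    q = parse_query(query)
    for (src, sport, dst, dport), label in table:
        if (src, dst, dport) == (q["src"], q["dst"], q["dst_port"]) and \
                q["src_port"] in (SRC_PORT_ANY, sport):
            return q["nonce"] + label.encode()
    return q["nonce"] + b"?"

def check_reply(sent_query, reply):
    # Client side: accept only a reply carrying the nonce we sent; any other
    # datagram (late, stray or forged, UDP being connectionless) is dropped.
    if len(reply) < 8 or reply[:8] != sent_query[-8:]:
        return None
    return reply[8:].decode()
```

The table rows and OS labels used in a test are constructed sample data; a real server would fill them from p0f's own fingerprint cache.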
