--On April 17, 2008 13:48:30 +0200 "Kiss Gabor (Bitman)" <[EMAIL PROTECTED]> wrote:
| > However I found that other continuous profiles are stopped.
| > no more nfcapd.* files are collected but every 5 minutes an
| > nfprofile.* file is created:
|
| Strace shows, that nfprofile process dies:
|
| 7454 open("/usr/local/nfsen/profiles/./MTA-SMTP/c6513/nfprofile.7454",O_RDWR|O_CREAT|O_TRUNC|O_LARGEFILE, 0644) = 3
| 7454 write(3,"\f\245\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 276) = 276
| 7454 chdir("/usr/local/nfsen/profiles/./MTAK-HTTP/c6513") = 0
| 7454 stat64("/usr/local/nfsen/profiles/./MTAK-HTTP/c6513-filter.txt",{st_mode=S_IFREG|0644, st_size=82, ...}) = 0
| 7454 open("/usr/local/nfsen/profiles/./MTAK-HTTP/c6513-filter.txt",O_RDONLY|O_LARGEFILE) = 4
| 7454 read(4, "(dstnet 193.224.96.0/24 and dstp"..., 82) = 82
| 7454 close(4) = 0
| 7454 write(2, "line 1: syntax error at \'dstnet\'"..., 33) = 33
| 7454 write(1, "Process line \'.#MTA-SMTP#2#c6513"..., 527) = 527
| 7454 exit_group(254) = ?
|
| Unfortunately stderr of nfprofile is simply discarded.
| (This is why I could find the root of the problem so far.)
|
| File /usr/local/nfsen/profiles/./MTAK-HTTP/c6513-filter.txt contains this:
|
| (dstnet 193.224.96.0/24 and dstport 80) or (srcnet 193.224.96.0/24 and srcport 80)
There was never a version which supported that syntax! Which one should that be?
- Peter
|
| This filter was created under a previous version of nfsen and worked well
| till the upgrade. Did the syntax of filters change?
|
| Gabor
|
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
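
Added example, not part of the original thread and not NfSen or nfdump code: a lint for the failure discussed above, where one profile filter containing a fused keyword ('dstnet') makes nfprofile exit while its error message is discarded. It assumes nfdump's two-word form (dst net, src port) and checks only a short, assumed list of primitives; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

# nfdump filters write the direction qualifier and the primitive as two words
# ("dst net", "src port"). Assumption: this short list covers the common
# primitives only; it is not the complete filter grammar.
FUSED = re.compile(r"\b(src|dst)(net|port|ip|host|as)\b", re.IGNORECASE)


def lint_filter(text):
    """Return (line, column, token, suggestion) for every fused keyword."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in FUSED.finditer(line):
            suggestion = f"{m.group(1)} {m.group(2)}"
            findings.append((lineno, m.start() + 1, m.group(0), suggestion))
    return findings


def lint_profiles(profile_dir):
    """Lint every *-filter.txt below an NfSen profile directory."""
    report = {}
    for path in sorted(Path(profile_dir).rglob("*-filter.txt")):
        findings = lint_filter(path.read_text(errors="replace"))
        if findings:
            report[str(path)] = findings
    return report


# The filter text quoted in the thread, and a constructed two-word rewrite.
THREAD_FILTER = ("(dstnet 193.224.96.0/24 and dstport 80) or "
                 "(srcnet 193.224.96.0/24 and srcport 80)")
REWRITTEN = ("(dst net 193.224.96.0/24 and dst port 80) or "
             "(src net 193.224.96.0/24 and src port 80)")

if __name__ == "__main__":
    # Usage: python lint_filters.py /usr/local/nfsen/profiles
    if len(sys.argv) > 1:
        report = lint_profiles(sys.argv[1])
    else:
        report = {"<thread sample>": lint_filter(THREAD_FILTER)}
    for name, findings in report.items():
        for lineno, col, token, suggestion in findings:
            print(f"{name}: line {lineno}, col {col}: '{token}' -> '{suggestion}'")
    sys.exit(1 if any(report.values()) else 0)
```

Run against the profile directory before an upgrade, it lists every filter file that would stop the profiler, so the affected profiles can be fixed before collection halts.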