Yes,

echo "Starting p0f + p0f-analyzer..."
nohup /usr/sbin/p0f -i eth1 -l 'tcp dst port 25' 2>&1 | 
/usr/lib/postfix/p0f-analyzer.pl 2345 & 

It worked fine for 2-3 days but something triggered 100% CPU utilization 
and it never stopped until the process was killed.

Justin.

On Tue, 9 Jan 2007, Henrik Krohns wrote:

> 
> Are you using it right?
> 
> p0f -l 'dst host 1.2.3.4 and tcp dst port 25' 2>&1 | p0f-analyzer.pl 2345
> 
> Cheers,
> Henrik
> 
> On Tue, Jan 09, 2007 at 04:12:01AM -0500, Justin Piszcz wrote:
> > It is an excellent patch, however there is a problem with p0f-analyzer.
> > 
> > top - 04:36:22 up 14:34, 127 users,  load average: 1.00, 1.00, 1.00
> > Tasks: 408 total,   2 running, 404 sleeping,   2 stopped,   0 zombie
> > Cpu(s): 43.4%us, 15.4%sy,  0.1%ni, 35.8%id,  5.0%wa,  0.1%hi,  0.1%si,  0.0%st
> > Mem:   3896000k total,  1969832k used,  1926168k free,        0k buffers
> > Swap:  8393920k total,       80k used,  8393840k free,   981784k cached
> > 
> >   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> >   959 root      25   0  4676 2492 1760 R   99  0.1 871:05.39 p0f-analyzer.pl
> > 
> > It has been chewing CPU for a while, this script has bugs :(
> > 
> > A strace reveals:
> > 
> > select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> > time(NULL)                              = 1168162563
> > read(0, "", 1024)                       = 0
> > select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> > time(NULL)                              = 1168162563
> > read(0, "", 1024)                       = 0
> > select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> > time(NULL)                              = 1168162563
> > read(0, "", 1024)                       = 0
> > select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> > time(NULL)                              = 1168162563
> > read(0, "", 1024)                       = 0
> > select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> > time(NULL)                              = 1168162563
> > read(0, "", 1024)                       = 0
> > select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> > time(NULL)                              = 1168162563
> > read(0, "", 1024)                       = 0
> > select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> > time(NULL)                              = 1168162563
> > read(0, "", 1024)                       = 0
> > select(8, [0 3], NULL, NULL, NULL)      = 1 (in [0])
> > 
> > 
> > On Tue, 9 Jan 2007, Robert Felber wrote:
> > 
> > > On Wed, Jan 03, 2007 at 04:13:03PM +0200, Henrik Krohns wrote:
> > > > 
> > > > Hi, I whipped up a patch for policyd-weight-devel.
> > > > 
> > > > It adds p0f scoring support and greylisting (to be exact, user defined
> > > > postfix action) by some rules.
> > > 
> > > Thanks. Looks very interesting. I will dive in.
> > > 
> > > 
> > > -- 
> > >     Robert Felber (PGP: 896CF30B)
> > >     Munich, Germany
> > > 
> > > ____________________________________________________________
> > > Policyd-weight Mailinglist - http://www.policyd-weight.org/
> > > 
> > 
> 

____________________________________________________________
Policyd-weight Mailinglist - http://www.policyd-weight.org/
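
Added example (not part of the original thread, and not p0f-analyzer.pl's own code): the quoted strace shows select() reporting fd 0 readable and read() returning 0 bytes over and over, which is end-of-file on stdin. The Python below reproduces that wakeup pattern on a constructed pipe and contrasts it with a loop that stops watching the descriptor at EOF; the names drain and demo, the wakeup cap and the sample line are assumptions made for the illustration.

```python
import os
import select

def drain(fds, eof_aware, max_wakeups=1000):
    """Multiplex reads over fds; return (data_per_fd, wakeups).

    eof_aware=False keeps polling a descriptor after read() returns b"",
    which is the pattern in the quoted strace. max_wakeups caps the demo
    so the naive variant terminates instead of spinning forever.
    """
    watched = set(fds)
    data = {fd: b"" for fd in fds}
    wakeups = 0
    while watched and wakeups < max_wakeups:
        readable, _, _ = select.select(list(watched), [], [])
        wakeups += 1
        for fd in readable:
            chunk = os.read(fd, 1024)
            if chunk:
                data[fd] += chunk
            elif eof_aware:
                # 0 bytes means the writer closed the pipe: stop watching,
                # otherwise select() reports this fd readable forever.
                watched.discard(fd)
                os.close(fd)
    return data, wakeups

def demo(eof_aware):
    """Constructed input: a pipe standing in for p0f's stdout, writer gone."""
    r, w = os.pipe()
    os.write(w, b"constructed p0f line\n")  # sample data, not real p0f output
    os.close(w)                             # upstream process goes away
    data, wakeups = drain([r], eof_aware)
    if not eof_aware:
        os.close(r)
    return data[r], wakeups

if __name__ == "__main__":
    print("naive    :", demo(eof_aware=False)[1], "wakeups (capped)")
    print("eof-aware:", demo(eof_aware=True)[1], "wakeups")
```

A daemon that also serves a listening socket, like fd 3 in the trace, would either keep serving that descriptor alone after dropping stdin or exit so a supervisor can restart the whole pipeline.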
