Was the p0f process still running? Maybe it died. Or then it freaked out somehow.

From what I see, fd 0 is the pipe from p0f command. p0f-analyzer.pl is getting lots of empty lines from there. Could be your perl version is buggy too. If you see that a lot, you should ask about it on the amavisd-new mailing list.

Cheers,
Henrik

On Tue, Jan 09, 2007 at 05:00:27AM -0500, Justin Piszcz wrote:
> Yes,
>
> echo "Starting p0f + p0f-analyzer..."
> nohup /usr/sbin/p0f -i eth1 -l 'tcp dst port 25' 2>&1 |
> /usr/lib/postfix/p0f-analyzer.pl 2345 &
>
> It worked fine for 2-3 days but something triggered 100% CPU utilization
> and it never stopped until the process was killed.
>
> Justin.
>
> On Tue, 9 Jan 2007, Henrik Krohns wrote:
>
> >
> > Are you using it right?
> >
> > p0f -l 'dst host 1.2.3.4 and tcp dst port 25' 2>&1 | p0f-analyzer.pl 2345
> >
> > Cheers,
> > Henrik
> >
> > On Tue, Jan 09, 2007 at 04:12:01AM -0500, Justin Piszcz wrote:
> > > It is an excellent patch, however there is a problem with p0f-analyzer.
> > >
> > > top - 04:36:22 up 14:34, 127 users, load average: 1.00, 1.00, 1.00
> > > Tasks: 408 total, 2 running, 404 sleeping, 2 stopped, 0 zombie
> > > Cpu(s): 43.4%us, 15.4%sy, 0.1%ni, 35.8%id, 5.0%wa, 0.1%hi, 0.1%si, 0.0%st
> > > Mem: 3896000k total, 1969832k used, 1926168k free, 0k buffers
> > > Swap: 8393920k total, 80k used, 8393840k free, 981784k cached
> > >
> > > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> > > 959 root 25 0 4676 2492 1760 R 99 0.1 871:05.39 p0f-analyzer.pl
> > >
> > > It has been chewing CPU for a while, this script has bugs :(
> > >
> > > A strace reveals:
> > >
> > > select(8, [0 3], NULL, NULL, NULL) = 1 (in [0])
> > > time(NULL) = 1168162563
> > > read(0, "", 1024) = 0
> > > select(8, [0 3], NULL, NULL, NULL) = 1 (in [0])
> > > time(NULL) = 1168162563
> > > read(0, "", 1024) = 0
> > > select(8, [0 3], NULL, NULL, NULL) = 1 (in [0])
> > > time(NULL) = 1168162563
> > > read(0, "", 1024) = 0
> > > select(8, [0 3], NULL, NULL, NULL) = 1 (in [0])
> > > time(NULL) = 1168162563
> > > read(0, "", 1024) = 0
> > > select(8, [0 3], NULL, NULL, NULL) = 1 (in [0])
> > > time(NULL) = 1168162563
> > > read(0, "", 1024) = 0
> > > select(8, [0 3], NULL, NULL, NULL) = 1 (in [0])
> > > time(NULL) = 1168162563
> > > read(0, "", 1024) = 0
> > > select(8, [0 3], NULL, NULL, NULL) = 1 (in [0])
> > > time(NULL) = 1168162563
> > > read(0, "", 1024) = 0
> > > select(8, [0 3], NULL, NULL, NULL) = 1 (in [0])
> > >
> > >
> > > On Tue, 9 Jan 2007, Robert Felber wrote:
> > >
> > > > On Wed, Jan 03, 2007 at 04:13:03PM +0200, Henrik Krohns wrote:
> > > > >
> > > > > Hi, I whipped up a patch for policyd-weight-devel.
> > > > >
> > > > > It adds p0f scoring support and greylisting (to be exact, user defined
> > > > > postfix action) by some rules.
> > > >
> > > > Thanks. Looks very interesting. I will dive in.
> > > >
> > > >
> > > > --
> > > > Robert Felber (PGP: 896CF30B)
> > > > Munich, Germany
> > > >
> > > > ____________________________________________________________
> > > > Policyd-weight Mailinglist - http://www.policyd-weight.org/
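
Added example, not part of the thread and not code from p0f-analyzer.pl: in the strace quoted above, select() keeps reporting fd 0 readable and every read() returns 0 bytes, which on a pipe is what a reader sees once the writing end has been closed. The Python sketch below reproduces that loop on a constructed pipe and shows the effect of treating a zero-byte read as end of input; the function names, the wakeup cap and the sample lines are assumptions made for the demo.

```python
import os
import select


def drain(read_fd, handle_eof, max_wakeups=1000):
    """Run a select() loop on read_fd and return (lines, wakeups).

    handle_eof=False reproduces the pattern in the strace: a zero-byte read
    is ignored, so select() reports the fd readable again immediately.
    max_wakeups exists only so the broken variant terminates in this demo.
    """
    lines, buf, wakeups = [], b"", 0
    while wakeups < max_wakeups:
        select.select([read_fd], [], [])      # blocks until fd is readable
        wakeups += 1
        chunk = os.read(read_fd, 1024)
        if chunk == b"":                      # 0 bytes on a pipe: writer is gone
            if handle_eof:
                break                         # stop polling a dead input
            continue                          # busy loop: no sleep, no exit
        buf += chunk
        *complete, buf = buf.split(b"\n")     # keep any partial trailing line
        lines.extend(line.decode() for line in complete)
    return lines, wakeups


def run_demo(handle_eof):
    """Feed two constructed lines through a pipe, then close the writer."""
    r, w = os.pipe()
    os.write(w, b"constructed line 1\nconstructed line 2\n")
    os.close(w)                               # simulates the upstream process exiting
    try:
        return drain(r, handle_eof)
    finally:
        os.close(r)


if __name__ == "__main__":
    print("EOF handled:", run_demo(True))
    print("EOF ignored:", run_demo(False))
```

With EOF handled the loop wakes twice (data, then end of file) and stops; with EOF ignored it spins until the demo cap, and without the cap it would hold one core at 100% as in the top output.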