Milter-greylist with p0f ver 3
2012-02-15 by Gary Faith
I downloaded and compiled p0f (p0f-3.03b.tgz) on SLES 10 SP4 64-bit. I have p0f running in daemon mode and I used milter-greylist (4.2.7) to talk to the p0f socket, but p0f is terminating. I changed the command to send the output to p0f.error.
Current Command Line
./p0f -i eth0 -o /var/log/p0f.log -s /var/run/p0frun.sock -u p0f-user 2>>/var/log/p0f.error
milter-greylist config:
p0fsock "/var/run/p0frun.sock"
# safe Windows hosts
racl whitelist p0f "Windows 2003" addheader "X-Greylist-OS: %Fx"
racl whitelist p0f "Windows 2008" addheader "X-Greylist-OS: %Fx"
racl whitelist p0f "Windows 2000 SP4" addheader "X-Greylist-OS: %Fx"
# unsafe Windows hosts -- put this line below ALL racl whitelist lines
racl greylist p0f "Windows" \
delay 20m autowhite 4d addheader "X-Greylist-OS: %Fx"
p0f.error log file:
[!] WARNING: Query with bad magic (0xdefaced).
[-] SYSTEM ERROR : read() on API socket fails despite POLLIN.
Location : live_event_loop(), p0f.c:905
OS message : Connection reset by peer
I e-mailed the developer of p0f and he sent me this.
>>> Michal Zalewski <lcamtuf@...> 2/14/2012 11:33 AM >>>
Hey,
You should talk to the maintainers of milter-greylist (milter-greylist@yahoogroups.com?). P0f 3 doesn't support old-style output and this is unlikely to change, so they should probably update their code.
/mz
As a result, I joined the list to ask if this is a known issue and if it will be fixed.
Thanks,
Gary Faith
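
Added example, not part of the original post and not code from p0f or milter-greylist: the "bad magic" warning above is p0f 3 rejecting a query that starts with the p0f 2 magic 0x0defaced. The sketch builds a query in the p0f 3 layout (magic 0x50304601, address type byte, 16 address bytes, as given in p0f 3's api.h) and classifies a buffer by its magic; the function names and sample addresses are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Values from p0f 3's api.h; the v2 magic is the one p0f 3 logs as bad. */
#define P0F_QUERY_MAGIC    0x50304601u
#define P0F_V2_QUERY_MAGIC 0x0defacedu
#define P0F_ADDR_IPV4      0x04
#define P0F_ADDR_IPV6      0x06
#define P0F_QUERY_LEN      21 /* u32 magic + u8 addr_type + u8 addr[16] */

enum query_kind { QUERY_SHORT = -1, QUERY_UNKNOWN = 0, QUERY_V2 = 2, QUERY_V3 = 3 };

/* Hypothetical helper: fill out[] with a p0f 3 query for ip.
 * Returns the query length, or -1 on a bad address or short buffer. */
int build_v3_query(const char *ip, uint8_t *out, size_t outlen)
{
    uint32_t magic = P0F_QUERY_MAGIC;   /* native byte order: local socket */
    uint8_t addr[16];                   /* network order, IPv4 left-aligned */
    uint8_t type;

    if (outlen < P0F_QUERY_LEN) return -1;
    memset(addr, 0, sizeof(addr));
    if (inet_pton(AF_INET, ip, addr) == 1) type = P0F_ADDR_IPV4;
    else if (inet_pton(AF_INET6, ip, addr) == 1) type = P0F_ADDR_IPV6;
    else return -1;

    memcpy(out, &magic, sizeof(magic));
    out[4] = type;
    memcpy(out + 5, addr, sizeof(addr));
    return P0F_QUERY_LEN;
}

/* Hypothetical helper: tell which protocol generation a query speaks. */
enum query_kind classify_query(const uint8_t *buf, size_t len)
{
    uint32_t magic;

    if (len < sizeof(magic)) return QUERY_SHORT;
    memcpy(&magic, buf, sizeof(magic));
    if (magic == P0F_QUERY_MAGIC) return QUERY_V3;
    if (magic == P0F_V2_QUERY_MAGIC) return QUERY_V2;
    return QUERY_UNKNOWN;
}
```

A client that still sends the old magic is classified as QUERY_V2 here, which is the case p0f 3 reports as "Query with bad magic".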