problem building with p0f support, p0f or better using dialin RBL?
2016-09-12 by Marcus Schopen
Yahoo Groups archive
Index last updated: 2026-04-28 23:32 UTC
Thread
2016-09-12 by Marcus Schopen
Hi,

tried to build milter-greylist with p0f support. I downloaded the debian source package p0f-2.0.8, unpacked it and set --with-p0f-src= to that source path in rules file. Building is fine, but when starting the milter I get the error that "p0f support not compiled in".

Beside that: does p0f help a lot or does a "dialin RBL" make more sense? Any experience on live hosts?

Ciao
Marcus
2016-09-12 by Bill Levering
I’ve gotten absolutely no benefit from having p0f running… but then again I don’t run a high traffic mail server.

Since June 19th: 2932 ‘cache miss’es, 4 identified…

--- p0f 3.08b by Michal Zalewski <lcamtuf@...> ---

Bill

> On Sep 12, 2016, at 11:07 AM, Marcus Schopen lists-yahoogroups@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
>
> Hi,
>
> tried to build milter-greylist with p0f support. I downloaded the debian source package p0f-2.0.8, unpacked it and set --with-p0f-src= to that source path in rules file. Building is fine, but when starting the milter I get the error that "p0f support not compiled in".
>
> Beside that: does p0f help a lot or does a "dialin RBL" make more sense? Any experience on live hosts?
>
> Ciao
> Marcus
2016-09-12 by Jim Klimov
On 12 September 2016 at 20:07:58 CEST, "Marcus Schopen lists-yahoogroups@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:
> Hi,
>
> tried to build milter-greylist with p0f support. I downloaded the debian source package p0f-2.0.8, unpacked it and set --with-p0f-src= to that source path in rules file. Building is fine, but when starting the milter I get the error that "p0f support not compiled in".
>
> Beside that: does p0f help a lot or does a "dialin RBL" make more sense? Any experience on live hosts?
>
> Ciao
> Marcus

We use p0f (3.06b, 3.08b iirc is last) coerced to compile under Solarish OSes that we use (tweaks should be on my github). Depending on platform release we had libpcap issues that it processed packets by larger buffers at once, so p0f might not yet have answers when needed.

Dialin RBLs work to an extent, but corrupted office workstations on commercial IPs are just as noisy ;p So p0f makes sense as one more factor to consider in our scoring setup.

--
Typos courtesy of K-9 Mail on my Samsung Android
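Bill's "cache miss" counts and Jim's remark that p0f "might not yet have answers when needed" both come down to how the p0f 3 socket API reports a lookup: a fresh connection can return NOMATCH, and a consumer should treat that as "no verdict" rather than as a bad client. The client below is an added example, not code from this thread, from p0f or from milter-greylist; it assumes the query/response struct layout of p0f 3.x api.h as recalled here (check field order against the api.h of the version you run), and the replies it parses offline are constructed samples.

```python
import socket
import struct

# p0f 3.x unix-socket API constants as found in p0f's api.h
# (assumed layout; verify against the api.h of the p0f version you run)
P0F_QUERY_MAGIC = 0x50304601
P0F_RESP_MAGIC = 0x50304602
P0F_ADDR_IPV4, P0F_ADDR_IPV6 = 0x04, 0x06
P0F_STATUS_BADQUERY, P0F_STATUS_OK, P0F_STATUS_NOMATCH = 0x00, 0x10, 0x20

# Query: u32 magic, u8 addr_type, u8 addr[16]; packed, host byte order (21 bytes)
QUERY_FMT = "=IB16s"
# Response: u32 magic, u32 status, u32 first_seen, last_seen, total_conn,
# uptime_min, up_mod_days, last_nat, last_chg, s16 distance, u8 bad_sw,
# u8 os_match_q, then six NUL-padded 32-byte strings (232 bytes)
RESP_FMT = "=II7IhBB32s32s32s32s32s32s"
RESP_LEN = struct.calcsize(RESP_FMT)


def build_query(ip):
    """Encode a p0f API query for an IPv4 or IPv6 client address."""
    if ":" in ip:
        return struct.pack(QUERY_FMT, P0F_QUERY_MAGIC, P0F_ADDR_IPV6,
                           socket.inet_pton(socket.AF_INET6, ip))
    # 4-byte IPv4 address; "16s" NUL-pads it to the fixed 16-byte field
    return struct.pack(QUERY_FMT, P0F_QUERY_MAGIC, P0F_ADDR_IPV4,
                       socket.inet_pton(socket.AF_INET, ip))


def parse_response(data):
    """Return fingerprint fields, or None when p0f has no record for the address
    yet (NOMATCH: the 'cache miss' a milter sees on a brand-new connection)."""
    if len(data) != RESP_LEN:
        raise ValueError("p0f response is %d bytes, expected %d" % (len(data), RESP_LEN))
    f = struct.unpack(RESP_FMT, data)
    if f[0] != P0F_RESP_MAGIC:
        raise ValueError("bad p0f response magic")
    if f[1] == P0F_STATUS_BADQUERY:
        raise ValueError("p0f rejected the query")
    if f[1] == P0F_STATUS_NOMATCH:
        return None
    cstr = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"os": cstr(f[12]), "flavor": cstr(f[13]), "link": cstr(f[16]),
            "distance": f[9], "total_conn": f[4], "generic_match": bool(f[11] & 1)}


def query_p0f(sock_path, ip):
    """Ask a running 'p0f -s <sock_path>' about ip; None means no verdict (fail open)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_query(ip))
        return parse_response(s.recv(RESP_LEN))


def make_response(status, os_name=b"", flavor=b"", distance=0, total_conn=0):
    """Constructed sample reply (not real p0f output) for offline testing."""
    return struct.pack(RESP_FMT, P0F_RESP_MAGIC, status, 0, 0, total_conn, 0, 0, 0, 0,
                       distance, 0, 0, os_name, flavor, b"", b"", b"", b"")
```

A milter that scores on the result should only add weight when `parse_response` returns a dict; a `None` should leave the score untouched so a late p0f answer never turns into a false reject.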
2016-09-13 by Bob Friesenhahn
On Mon, 12 Sep 2016, Jim Klimov jimklimov@... [milter-greylist] wrote:
>
> We use p0f (3.06b, 3.08b iirc is last) coerced to compile under solarish oses that we use (tweaks should be on my github). Depending on platform release we had libpcap issues that it processed packets by larger buffers at once, so p0f might not yet have answers when needed.

Does using the p0f feature increase the opportunity for a security weakness so it is more likely that the host machine can be compromised?

Can it work in VMs, containers, or Solaris zones, which are not allowed access to raw packets due to network security concerns?

Bob

--
Bob Friesenhahn
bfriesen@..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
2016-09-13 by Jim Klimov
On 13 September 2016 at 19:26:59 CEST, "Bob Friesenhahn bfriesen@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:
> On Mon, 12 Sep 2016, Jim Klimov jimklimov@... [milter-greylist] wrote:
>>
>> We use p0f (3.06b, 3.08b iirc is last) coerced to compile under solarish oses that we use (tweaks should be on my github). Depending on platform release we had libpcap issues that it processed packets by larger buffers at once, so p0f might not yet have answers when needed.
>
> Does using the p0f feature increase the opportunity for a security weakness so it is more likely that the host machine can be compromised?
>
> Can it work in VMs, containers, or Solaris zones, which are not allowed access to raw packets due to network security concerns?
>
> Bob

I don't think it is a big issue: p0f relies on libpcap to get packet (OS) details and IIRC does little if anything with packet payloads. But I may be wrong here. Away from computer now, so speaking OTOH ;-)

It can run as a non-root user privileged to net_raw_access (iirc) on Solarish OSes, or as root on older solarii (I have it on 8, 10 and SXCE). A zone can likewise be made privileged enough to sniff, but I vaguely remember it might not be needed at all. See my recipe (PR) on github in hipster/oi-userland, I think sample XMLs with comments should be part of that. Alas, newer illumos exposed some issues with libpcap caching that were not problems on older kernels (or older libpcap?) so the PR lingered...

Jim

--
Typos courtesy of K-9 Mail on my Samsung Android
2016-09-13 by Jim Klimov
On 13 September 2016 at 19:26:59 CEST, "Bob Friesenhahn bfriesen@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:
> On Mon, 12 Sep 2016, Jim Klimov jimklimov@... [milter-greylist] wrote:
>>
>> We use p0f (3.06b, 3.08b iirc is last) coerced to compile under solarish oses that we use (tweaks should be on my github). Depending on platform release we had libpcap issues that it processed packets by larger buffers at once, so p0f might not yet have answers when needed.
>
> Does using the p0f feature increase the opportunity for a security weakness so it is more likely that the host machine can be compromised?
>
> Can it work in VMs, containers, or Solaris zones, which are not allowed access to raw packets due to network security concerns?
>
> Bob

In VMs we had a problem that it detected the hypervisor's OS as the local one (e.g. thinking it was Windows while it was a Solaris in VirtualBox), but I think proper bridging, maybe over a dedicated NIC, solved that.

Jim

--
Typos courtesy of K-9 Mail on my Samsung Android