[nycbug-talk] some C help?
Okan Demirmen
okan at demirmen.com
Sat Mar 10 16:28:31 EST 2007
On Sat 2007.03.10 at 00:24 -0500, Charles Sprickman wrote:
> Hi All,
>
> I'm playing around with a FreeBSD port of spamd/spamlogd from OpenBSD that
> someone posted here some time ago.
>
> Spamd seems to work, spamlogd seems to almost work. It's C, so I'm a
> little lost, but I am able to find the area where things are getting
> screwed up. In short, spamlogd runs tcpdump with some very specific flags
> to look for inbound or outbound mail, finds an IP in the tcpdump output,
> and then throws it into the spamd db as whitelisted. For example, in my
> case I'm looking at outbound mail - generally mxers that *I* send to are
> not going to be spamming me - they are more likely going to be legit
> servers.
>
> So I have a pf rule to tag the traffic, and spamlogd is catching it, but
> some pattern matching must be going awry. Here I'm sending mail to a host
> at 10.10.10.10, and this is what tcpdump sees (called with the same args
> spamlogd is using):
>
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68
> bytes
> rule 12/0(match): pass out on fxp0: 10.10.10.9 > 10.10.10.10: [|tcp]
>
> But then it spits this out to syslog:
>
> Mar 10 00:09:24 slimjim spamlogd[72636]: invalid ip address 10.10.10
>
> Note the lack of the final octet.
>
> This is (I hope) the area where spamlogd parses the output of tcpdump:
yes, it is, but no need to analyze it...
it does its job correctly.
> That chunk makes very little sense to me.
>
> Can anyone give me a quick shove in the right direction?
...and the reason yours is failing is not because of that chunk of code,
but rather your pflog interface. it should look like:
[blah] 10.10.10.9.XXXX > 10.10.10.10.25: [blah]
where XXXX is an ephemeral port...basically your log is dropping the
port number. why? i don't know - what does your pf rule look like?
okan
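A small C illustration of the failure mode described above, added here as an example and not taken from spamlogd's own source: it takes the token after " > " on a tcpdump/pflog line, strips the last dot-separated field as the port, and validates the remainder with inet_pton(), so a line that lacks the port loses its final octet instead (the two sample lines are constructed from the ones in the thread; the function name is made up).

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Copy the destination "host.port" token that follows " > " into out,
 * strip the trailing ".port" field, and return 1 if what remains is a
 * valid dotted-quad IPv4 address, 0 otherwise. out always holds the
 * text that was checked, so a caller can report it the way spamlogd
 * does ("invalid ip address 10.10.10"). */
int extract_dst_ip(const char *line, char *out, size_t outlen)
{
    out[0] = '\0';
    const char *p = strstr(line, " > ");
    if (p == NULL)
        return 0;
    p += 3;
    /* the token ends at ':' or whitespace */
    size_t n = strcspn(p, ": \t\n");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    /* the last dot-separated field is assumed to be the port */
    char *dot = strrchr(out, '.');
    if (dot == NULL)
        return 0;
    *dot = '\0';
    struct in_addr a;
    return inet_pton(AF_INET, out, &a) == 1;
}

int main(void)
{
    /* constructed sample lines modelled on the thread */
    const char *with_port =
        "rule 12/0(match): pass out on fxp0: 10.10.10.9.51234 > 10.10.10.10.25: [|tcp]";
    const char *no_port =
        "rule 12/0(match): pass out on fxp0: 10.10.10.9 > 10.10.10.10: [|tcp]";
    char ip[64];
    int ok = extract_dst_ip(with_port, ip, sizeof ip);
    printf("%s -> %s\n", ok ? "whitelist" : "invalid ip address", ip);
    ok = extract_dst_ip(no_port, ip, sizeof ip);
    printf("%s -> %s\n", ok ? "whitelist" : "invalid ip address", ip);
    return 0;
}
```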