[nycbug-talk] some C help?
Okan Demirmen
okan at demirmen.com
Sat Mar 10 16:35:07 EST 2007
On Sat 2007.03.10 at 16:28 -0500, Okan Demirmen wrote:
> On Sat 2007.03.10 at 00:24 -0500, Charles Sprickman wrote:
> > Hi All,
> >
> > I'm playing around with a FreeBSD port of spamd/spamlogd from OpenBSD that
> > someone posted here some time ago.
> >
> > Spamd seems to work, spamlogd seems to almost work. It's C, so I'm a
> > little lost, but I am able to find the area where things are getting
> > screwed up. In short, spamlogd runs tcpdump with some very specific flags
> > to look for inbound or outbound mail, finds an IP in the tcpdump output,
> > and then throws it into the spamd db as whitelisted. For example, in my
> > case I'm looking at outbound mail - generally mxers that *I* send to are
> > not going to be spamming me - they are more likely going to be legit
> > servers.
> >
> > So I have a pf rule to tag the traffic, and spamlogd is catching it, but
> > some pattern matching must be going awry. Here I'm sending mail to a host
> > at 10.10.10.10, and this is what tcpdump sees (called with the same args
> > spamlogd is using):
> >
> > listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 bytes
> > rule 12/0(match): pass out on fxp0: 10.10.10.9 > 10.10.10.10: [|tcp]
> >
> > But then it spits this out to syslog:
> >
> > Mar 10 00:09:24 slimjim spamlogd[72636]: invalid ip address 10.10.10
> >
> > Note the lack of the final octet.
> >
> > This is (I hope) the area where spamlogd parses the output of tcpdump:
>
> yes, it is, but no need to analyze it...
>
> it does its job correctly.
>
> > That chunk makes very little sense to me.
> >
> > Can anyone give me a quick shove in the right direction?
>
> ...and the reason yours is failing is not because of that chunk of code,
> but rather your pflog interface. it should look like:
>
> [blah] 10.10.10.9.XXXX > 10.10.10.10.25: [blah]
>
> where XXXX is an ephemeral port...basically your log is dropping the
> port number. why? i don't know - what does your pf rule look like?
oh, and i'll add that -current (and 4.1) doesn't spawn tcpdump any more,
but uses pcap directly....plus lots of other yummy features - ask for
the port to get upgraded ;)
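An added example, not code from spamlogd or from anyone in this thread, that reproduces the failure Okan describes: it assumes the parser takes the destination field of the tcpdump line and cuts the port off at the last '.', so a pflog line without ports loses an octet and then fails the address check.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Copy the destination field of a tcpdump line ("src.port > dst.port:") into
 * out and cut off the trailing ".port" component.  Assumed approach, not
 * spamlogd's actual code: the port is whatever follows the last '.', so a
 * line with no ports loses an address octet instead.
 * Returns 1 on success, 0 if the line has no " > " or the field is too long. */
int extract_dst(const char *line, char *out, size_t outlen)
{
    const char *p = strstr(line, " > ");
    if (p == NULL)
        return 0;
    p += 3;
    size_t n = strcspn(p, ": ");          /* field ends at ':' or whitespace */
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    char *dot = strrchr(out, '.');
    if (dot != NULL)
        *dot = '\0';                      /* drop ".port" (or, wrongly, an octet) */
    return 1;
}

/* The check behind an "invalid ip address" message: must be a dotted quad. */
int valid_ipv4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

int main(void)
{
    /* Constructed sample lines: the expected form with ports, and the
     * port-less form from Charles' pflog interface. */
    const char *lines[] = {
        "rule 12/0(match): pass out on fxp0: 10.10.10.9.54321 > 10.10.10.10.25: [|tcp]",
        "rule 12/0(match): pass out on fxp0: 10.10.10.9 > 10.10.10.10: [|tcp]",
    };
    char addr[64];
    for (int i = 0; i < 2; i++) {
        if (extract_dst(lines[i], addr, sizeof addr))
            printf("%s -> %s\n", addr,
                   valid_ipv4(addr) ? "ok" : "invalid ip address");
    }
    return 0;
}
```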