[nycbug-talk] some C help?

Sat Mar 10 16:35:07 EST 2007

On Sat 2007.03.10 at 16:28 -0500, Okan Demirmen wrote:
> On Sat 2007.03.10 at 00:24 -0500, Charles Sprickman wrote:
> > Hi All,
> > 
> > I'm playing around with a FreeBSD port of spamd/spamlogd from OpenBSD that 
> > someone posted here some time ago.
> > 
> > Spamd seems to work, spamlogd seems to almost work.  It's C, so I'm a 
> > little lost, but I am able to find the area where things are getting 
> > screwed up.  In short, spamlogd runs tcpdump with some very specific flags 
> > to look for inbound or outbound mail, finds an IP in the tcpdump output, 
> > and then throws it into the spamd db as whitelisted.  For example, in my 
> > case I'm looking at outbound mail - generally mxers that *I* send to are 
> > not going to be spamming me - they are more likely going to be legit 
> > servers.
> > 
> > So I have a pf rule to tag the traffic, and spamlogd is catching it, but 
> > some pattern matching must be going awry.  Here I'm sending mail to a host 
> > at 10.10.10.10, and this is what tcpdump sees (called with the same args 
> > spamlogd is using):
> > 
> > listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 68 
> > bytes
> > rule 12/0(match): pass out on fxp0: 10.10.10.9 > 10.10.10.10: [|tcp]
> > 
> > But then it spits this out to syslog:
> > 
> > Mar 10 00:09:24 slimjim spamlogd[72636]: invalid ip address 10.10.10
> > 
> > Note the lack of the final octet.
> > 
> > This is (I hope) the area where spamlogd parses the output of tcpdump:
> 
> yes, it is, but no need to analyze it...
> 
> it does its job correctly.
> 
> > That chunk makes very little sense to me.
> > 
> > Can anyone give me a quick shove in the right direction?
> 
> ...and the reason yours is failing is not because of that chunk of code,
> but rather your pflog interface.  it should look like:
> 
> 	[blah] 10.10.10.9.XXXX > 10.10.10.10.25: [blah]
> 
> where XXXX is an ephemeral port...basically your log is dropping the
> port number. why? i don't know - what does your pf rule look like?

oh, and i'll add that -current (and 4.1) doesn't spawn tcpdump any more,
but uses pcap directly....plus lots of other yummy features - ask for
the port to get upgraded ;)