Re: [AMaViS-user] p0f finger prints

[Mark M. <Mar...@ij...>]

Olivier,

>  First I had to modify the line 110 of p0f-analyzer.pl because the
>  queries submitted by amavisd-new is not of the form expected by
>  p0f-analyzer:
>  
>  p0f-analyzer expects: 203.159.32.1 41175 zzgbIwFRtSm0
>  amavisd-new sends: [203.159.32.1]:41175 zzgbIwFRtSm0
>  
>  The regular expression now reads:
>  
>    ^\[?(\d+\.\d+\.\d+\.\d+)\]?[:\s]+(.*)$/s
>  
>  No p0f receives and answers the requests from amavisd-new.

Seems you are using an old version of p0f-analyzer.pl with a
newer version of amavisd. Release notes on 2.6.0 say:

- updated p0f-analyzer.pl now supports a source port number information in
  queries while preserving backwards compatibility with previous versions
  of amavisd-new. Version 2.6.0 of amavisd requires a new version of
  p0f-analyzer.pl (supplied in the 2.6.0 distribution) if operating system
  fingerprinting is enabled. A source port number information in a query
  allows p0f-analyzer.pl to locate a matching entry in its cache faster and
  also more accurately when multiple connections are present from clients
  behind NAT using the same IP address. The source port number is made
  available to a content filter since Postfix version 2.5 (20071004);


>  But where does the fingerprint information is used by amavis? I set
>  amavis to log level 5, but I see no mention of the fingerprint.

Did you enable it in the amavisd.conf, e.g.:

  $os_fingerprint_method = 'p0f:127.0.0.1:2345';


Mark