Here are a bunch of datasets accumulated over the years for different projects, have fun with them! If you have something to augment this list with, let me know.
Adding an Endace card to Symantec’s DLP
I decided to publish this hack as I could not find an iota of information about getting an Endace card working With Symantec’s DLP (previously Vontu) on RedHat.
After you’ve installed the module for your Endace card, you recycle your sensor and are confronted with the following error message:
Endace DAG driver is not available Packet Capture was unable to activate Endace device support. Please see PacketCapture.log for more information.
A look at /var/log/Vontu/debug/PacketCapture.log yields:
ERROR PacketDriverFactory - Driver Dag is unavailable: libdag.so.3: cannot open shared object file: No such file or directory [PacketDriverFactory.cpp(423)]
do an
updatedb locate libdag.so
You will notice you just compiled a version more recent than libdag.so.3. As it turns out, Symantec DLP v11.0 does NOT know how to use the generic libdag.so nor the latest libdag.so.4.0.2 you just compiled. I’ve tried many tricks mostly with symlinks and I just couldn’t get it to use libdag.so.4.
Hold on to your pants as I explain the unholy hack that made it work:
edit /opt/Vontu/Protect/lib/native/libPacketDriverDag.so.11.0.0 , this is a binary file so using a hex editor is a good idea although vi works fine. Also, do respect placement very carefully, you will be changing 1 character and 1 character only.
search for libdag.so.3 and replace its 3 by a 4.
Recycle your server again and it should be happy about life 🙂
Spamassassin stats
54.46% of all emails received on akrin so far got flagged as spam by the excellent Spamassassin. This is actually not too bad compared to high profile mail service providers.
1 email that takes the cake is with a spam score of 42.2 (anything above 4 is not relayed):
Return-Path: <comicalbp@sosmoteurs.com> Received: from 201-93-229-84.dsl.telesp.net.br (201-93-229-84.dsl.telesp.net.br [201.93.229.84]) From: "Chase bank" <mailserver.id3373332193ib@chase.com> To: <XXXXXX@akrin.com> Subject: urgent security notification for client! X-Spam-Level: ****************************************** X-Spam-Status: Yes, score=42.2 required=5.0
Content analysis details:
pts rule name description ---- ---------------------- -------------------------------------------------- 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see <http://www.spamcop.net/bl.shtml?201.93.229.84>] 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL [201.93.229.84 listed in zen.spamhaus.org] 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL 0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server [201.93.229.84 listed in dnsbl.sorbs.net] 1.8 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist [URIs: nilvert.com] 1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist [URIs: nilvert.com] 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist [URIs: nilvert.com] 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist [URIs: nilvert.com] 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist [URIs: nilvert.com] 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.0000] 4.3 HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC) 4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2) 0.0 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d 1.4 FROM_LOCAL_HEX From: localpart has long hexadecimal sequence 1.9 TVD_RCVD_IP TVD_RCVD_IP 2.8 TVD_PH_SUBJ_URGENT TVD_PH_SUBJ_URGENT 0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral) 2.3 SPOOF_COM2COM URI: URI contains ".com" in middle and end 1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words 0.0 HTML_MESSAGE BODY: HTML included in message 1.4 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars 0.1 RDNS_DYNAMIC Delivered to trusted network by host with dynamic-looking rDNS 2.8 DOS_OE_TO_MX Delivered direct to MX with OE headers