Adding an Endace card to Symantec’s DLP

I decided to publish this hack as I could not find an iota of information about getting an Endace card working With Symantec’s DLP (previously Vontu) on RedHat.

After you’ve installed the module for your Endace card, you recycle your sensor and are confronted with the following error message:

Endace DAG driver is not available
Packet Capture was unable to activate Endace device support. Please see PacketCapture.log for more information.

A look at /var/log/Vontu/debug/PacketCapture.log yields:

ERROR PacketDriverFactory - Driver Dag is unavailable: libdag.so.3: cannot open shared object file: No such file or directory [PacketDriverFactory.cpp(423)]

do an

updatedb
locate libdag.so

You will notice you just compiled a version more recent than libdag.so.3. As it turns out, Symantec DLP v11.0 does NOT know how to use the generic libdag.so nor the latest libdag.so.4.0.2 you just compiled. I’ve tried many tricks mostly with symlinks and I just couldn’t get it to use libdag.so.4.

Hold on to your pants as I explain the unholy hack that made it work:

edit /opt/Vontu/Protect/lib/native/libPacketDriverDag.so.11.0.0 , this is a binary file so using a hex editor is a good idea although vi works fine. Also, do respect placement very carefully, you will be changing 1 character and 1 character only.

search for libdag.so.3 and replace its 3 by a 4.

Recycle your server again and it should be happy about life 🙂

Spamassassin stats

54.46% of all emails received on akrin so far got flagged as spam by the excellent Spamassassin. This is actually not too bad compared to high profile mail service providers.

1 email that takes the cake is with a spam score of 42.2 (anything above 4 is not relayed):

Return-Path: <comicalbp@sosmoteurs.com>
Received: from 201-93-229-84.dsl.telesp.net.br (201-93-229-84.dsl.telesp.net.br [201.93.229.84])
From: "Chase bank" <mailserver.id3373332193ib@chase.com>
To: <XXXXXX@akrin.com>
Subject: urgent security notification for client!
X-Spam-Level: ******************************************
X-Spam-Status: Yes, score=42.2 required=5.0

Content analysis details:

pts rule name              description
---- ---------------------- --------------------------------------------------
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see <http://www.spamcop.net/bl.shtml?201.93.229.84>]
3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL [201.93.229.84 listed in zen.spamhaus.org]
0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server [201.93.229.84 listed in dnsbl.sorbs.net]
1.8 URIBL_PH_SURBL         Contains an URL listed in the PH SURBL blocklist [URIs: nilvert.com]
1.9 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist [URIs: nilvert.com]
1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist [URIs: nilvert.com]
1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist [URIs: nilvert.com]
2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist [URIs: nilvert.com]
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100% [score: 1.0000]
4.3 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
4.4 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
0.0 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
1.4 FROM_LOCAL_HEX         From: localpart has long hexadecimal sequence
1.9 TVD_RCVD_IP            TVD_RCVD_IP
2.8 TVD_PH_SUBJ_URGENT     TVD_PH_SUBJ_URGENT
0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
2.3 SPOOF_COM2COM          URI: URI contains ".com" in middle and end
1.6 HTML_IMAGE_ONLY_24     BODY: HTML: images with 2000-2400 bytes of words
0.0 HTML_MESSAGE           BODY: HTML included in message
1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
0.1 RDNS_DYNAMIC           Delivered to trusted network by host with dynamic-looking rDNS
2.8 DOS_OE_TO_MX           Delivered direct to MX with OE headers