rspamd-p0f

Passive OS fingerprinting support for rspamd

Primary language: Lua. License: Apache-2.0.

⚠️ This plugin is now part of rspamd and its development has been discontinued.
If you encounter any problems, feel free to report issues or submit PRs directly to the main rspamd repository.

This Lua plugin adds passive OS fingerprinting to the rspamd filtering system via the p0f v3 fingerprinter. It lets rspamd (somewhat inaccurately) detect which operating system a remote server is running and what kind of link it is connecting over. This information can then be used as an additional factor when detecting infected PCs and botnets: a message delivered straight from a desktop Windows host rather than a mail server is a common sign of a bot.

Running p0f with API support

To make p0f answer API requests on a unix socket, run it with the -s file flag:

p0f -s "/tmp/p0f.sock" "tcp dst port 25"

This way p0f monitors new connections to port 25 (the BPF filter in the last argument), fingerprints them, and answers lookups on the /tmp/p0f.sock socket with at most 20 parallel API connections (adjustable with the -S limit flag). Keep in mind that p0f only knows a host if it saw the TCP handshake (SYN) of that connection, and that the user the rspamd worker runs as must be allowed to connect to the socket.

On FreeBSD you can also use the rc script provided in the freebsd directory. Copy the file named p0f to /usr/local/etc/rc.d on your system, then start p0f as a regular service:

echo 'p0f_enable="YES"' | sudo tee /usr/local/etc/rc.conf.d/p0f > /dev/null
service p0f start

Plugin installation

Copy all files from the rspamd directory of this repository to your rspamd configuration directory (e.g. /etc/rspamd on Debian or /usr/local/etc/rspamd on FreeBSD) and reload rspamd.

To make sure that everything works, look for the P0F symbol in the message scan results or for the X-OS-Fingerprint header.

The plugin can be configured by editing the following settings in /etc/rspamd/local.d/p0f.conf (the file must be created first):

# Path to the unix socket that p0f listens on
socket = '/tmp/p0f.sock';

# Connection timeout (seconds) for the socket lookup
timeout = 10;

# If defined, insert symbol with lookup results
symbol = 'P0F';

# If enabled, insert an X-OS-Fingerprint header with the lookup results in the following format:
# "$OS (up: $UPTIME min), (distance $DISTANCE, link: $LINK), [$IP]"
header = false;

# Patterns to match the detected OS string against (key: symbol name, value: regular expression)
patterns = {
  WINDOWS = '^Windows.*';
}

# Cache lifetime in seconds (default - 2 hours)
expire = 7200;

# Cache key prefix
key_prefix = 'p0f';
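
Putting the "Running p0f with API support" section and the header/patterns settings above together, here is an added example of what the plugin does for each message. It is written in Python rather than the plugin's Lua and is not code from the plugin or from rspamd: it encodes a p0f v3 API query for the client IP, reads and validates the fixed-size reply, and renders the documented header format and the patterns table. The query and response layouts follow p0f's api.h; the socket path and timeout default to the values in p0f.conf above. Joining os_name and os_flavor into one OS string, and treating each pattern as a regular expression, are assumptions about the plugin's behaviour, and the sample reply is constructed, not captured from a real p0f.

```python
"""p0f v3 API client, as an added worked example (not the plugin's own code).

Wire format taken from p0f's api.h: a 21-byte packed query and a 232-byte
packed response, both in the host's native byte order because the socket
is local. Joining os_name/os_flavor and using regular expressions for the
`patterns` table are assumptions, not something the plugin documents.
"""
import ipaddress
import re
import socket
import struct

P0F_QUERY_MAGIC = 0x50304601
P0F_RESP_MAGIC = 0x50304602
P0F_ADDR_IPV4, P0F_ADDR_IPV6 = 4, 6
P0F_STATUS = {0x00: "badquery", 0x10: "ok", 0x20: "nomatch"}

# struct p0f_api_query: u32 magic, u8 addr_type, u8 addr[16]
QUERY_FMT = "=IB16s"
# struct p0f_api_response: u32 magic, status, first_seen, last_seen, total_conn,
# uptime_min, up_mod_days, last_nat, last_chg; s16 distance; u8 bad_sw,
# u8 os_match_q; then six NUL-padded 32-byte strings.
RESP_FMT = "=9IhBB32s32s32s32s32s32s"
RESP_LEN = struct.calcsize(RESP_FMT)  # 232 bytes
RESP_NAMES = ("magic", "status", "first_seen", "last_seen", "total_conn",
              "uptime_min", "up_mod_days", "last_nat", "last_chg", "distance",
              "bad_sw", "os_match_q", "os_name", "os_flavor", "http_name",
              "http_flavor", "link_type", "language")


def build_query(ip: str) -> bytes:
    """Encode a lookup for one client IP (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    addr_type = P0F_ADDR_IPV4 if addr.version == 4 else P0F_ADDR_IPV6
    # p0f wants the address big-endian and left-aligned in the 16-byte field;
    # struct NUL-pads the 4-byte IPv4 form to 16 bytes for us.
    return struct.pack(QUERY_FMT, P0F_QUERY_MAGIC, addr_type, addr.packed)


def parse_response(data: bytes) -> dict:
    """Decode a reply; raises ValueError on a truncated or foreign reply."""
    if len(data) != RESP_LEN:
        raise ValueError(f"p0f response is {len(data)} bytes, expected {RESP_LEN}")
    info = dict(zip(RESP_NAMES, struct.unpack(RESP_FMT, data)))
    if info["magic"] != P0F_RESP_MAGIC:
        raise ValueError(f"bad p0f response magic {info['magic']:#x}")
    info["status"] = P0F_STATUS.get(info["status"], f"unknown({info['status']:#x})")
    for name in RESP_NAMES[12:]:  # strip NUL padding from the string fields
        info[name] = info[name].split(b"\0", 1)[0].decode("ascii", "replace")
    return info


def os_string(info: dict) -> str:
    # Assumption: name and flavor joined with a space, e.g. "Windows 7 or 8".
    return " ".join(p for p in (info["os_name"], info["os_flavor"]) if p)


def format_header(info: dict, ip: str):
    """Render the header value in the format documented in p0f.conf;
    returns None when p0f has no fingerprint for this IP."""
    if info["status"] != "ok":
        return None
    return (f"{os_string(info)} (up: {info['uptime_min']} min), "
            f"(distance {info['distance']}, link: {info['link_type']}), [{ip}]")


def match_patterns(info: dict, patterns: dict) -> list:
    """Apply a p0f.conf `patterns` table: every key whose expression matches
    the OS string is returned as a symbol name to insert."""
    if info["status"] != "ok":
        return []
    target = os_string(info)
    return [sym for sym, rx in patterns.items() if re.search(rx, target)]


def query_p0f(ip: str, socket_path: str = "/tmp/p0f.sock", timeout: float = 10) -> dict:
    """Ask a running p0f (started with -s socket_path) about one client IP."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(socket_path)
        s.sendall(build_query(ip))
        data = b""
        while len(data) < RESP_LEN:  # one recv() need not return all 232 bytes
            chunk = s.recv(RESP_LEN - len(data))
            if not chunk:
                raise ConnectionError("p0f closed the socket before a full response")
            data += chunk
    return parse_response(data)


def sample_response() -> bytes:
    """Constructed reply (not a real p0f capture) so the parser runs offline."""
    return struct.pack(RESP_FMT, P0F_RESP_MAGIC, 0x10,
                       1700000000, 1700000600, 3,   # first_seen, last_seen, total_conn
                       4321, 0, 0, 0,               # uptime_min, up_mod_days, last_nat, last_chg
                       12, 0, 0,                    # distance, bad_sw, os_match_q
                       b"Windows", b"7 or 8", b"", b"", b"Ethernet or modem", b"")


if __name__ == "__main__":
    info = parse_response(sample_response())
    print(format_header(info, "192.0.2.10"))
    print(match_patterns(info, {"WINDOWS": "^Windows.*"}))
```

Against a live daemon, query_p0f("203.0.113.5") does the same round trip over the socket; if p0f never saw that client's SYN it answers with status nomatch, so format_header returns None and match_patterns returns no symbols, which is exactly the case a scoring rule has to tolerate rather than treat as "unknown OS".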