jkf at ecs.soton.ac.uk
Tue Oct 2 16:58:12 IST 2001
At 16:54 02/10/2001, you wrote:
>Which is what you've been saying, but this only seems to work for this
>specific case. What criteria are you using to determine whether it's a Denial
>of Service attack or not? Since my tiny zip file that expands to a HUGE file
>is the same, just another way of doing it. Whereas my test file only
>showed the first msg and then blindly carried on till the machine swap
>filled up and the machine went belly up.
>I thought the timeouts were generic and meant to cap the sweep process from
>going on for too long on the same file.
I set an alarm to go off. If the alarm ever happens, it kills the process.
Let me ask around here and see if anyone has any ideas...
> > At 16:27 02/10/2001, you wrote:
> >> root 22786 22768 66 15:46:26 ? 23:49 /opt/sophos/bin/sweep
> >> -p=/tmp/outputlog -sc -f -all -rec -ss -archive -loopback
> >> Total CPU time is 23:49
> >> This was an 800k file that expands out to 800MB, my tmp space on the mail
> >> server is only 600MB. So it fills it up and then sits and does
> >> tmp space sits at 99%
> >> The total cpu time above, seems well in excess of the timeout settings in
> >> the mailscanner.conf file?
> >> Any suggestions?
> > Not immediately, no. I tested with a genuine Zip Of Death file, not just a
> > large zip file, so I'm not sure what happens when it just runs out of
> > space. It should still die though. It gets killed -9 after being given 10
> > seconds to respond to a normal kill.
> > Try it with a real Zip Of Death and let me know what happens...
> >>> At 23:36 01/10/2001, you wrote:
> >>>> Just ran a test of the new timeouts, a 600k file that expands out into
> >>>> a few hundred megabytes. The "Commerical scanner timed out!" message
> >>>> appeared in the syslog after 5mins, although the sweep process is still
> >>>> thrashing away on the same message? (it's been going now for 26mins on
> >>>> the one file, and the mail queue is at a complete standstill and
> >>>> growing by the second with other mail hotfooting it into the queue).
> >>> I have just tried this on a Solaris 8 system and the timeouts worked
> >>> nicely. It did scan the same thing 3 times (once as part of batch scan,
> >>> next as part of individual message scan, third time to attempt
> >>> disinfection), but that's as expected.
> >>> If you do:
> >>> while :
> >>> do
> >>> ps -fe | grep sweep
> >>> done
> >>> and watch the total CPU time of the sweep processes, do they ever exceed
> >>> the value set in the timeout setting in the mailscanner.conf file?
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
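As an added example, not code from MailScanner, Sophos or anyone in this thread: a POSIX shell watchdog that enforces the sequence described above (the alarm fires, the scanner gets a normal kill, and kill -9 follows if it is still running after the grace period) around a scanner invocation, plus a check on tmp-space usage, since an archive that expands to hundreds of megabytes fills the working area long before the scanner finishes. The function names, the 300 s limit, the 95% threshold and the sweep command line rebuilt from the ps output quoted above are assumptions.

```shell
#!/bin/sh
# Added example (not MailScanner's or Sophos's code): run a scanner under a
# wall-clock limit and enforce it as the thread describes -- an alarm fires,
# the process gets a normal kill, and if it is still alive after a grace
# period it gets kill -9. Scanner path, options and limits are assumptions.

# tmp_usage_pct DIR: percent of the filesystem holding DIR that is in use.
# Expanding archives fill the working area first, so refusing to start a
# scan when space is nearly gone is a cheap guard.
tmp_usage_pct() {
  df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# run_with_timeout LIMIT GRACE CMD...: run CMD, SIGTERM it after LIMIT
# seconds, SIGKILL it GRACE seconds later if it ignored SIGTERM.
# Returns CMD's exit status: 0 on normal completion, 143 (128+15) if it
# died from SIGTERM, 137 (128+9) if SIGKILL was needed.
run_with_timeout() {
  limit=$1
  grace=$2
  shift 2

  "$@" &
  pid=$!

  # Watchdog subshell: the shell equivalent of the alarm handler.
  (
    sleep "$limit"
    kill -TERM "$pid" 2>/dev/null || exit 0    # already finished
    echo "watchdog: $1 exceeded ${limit}s, sent SIGTERM" >&2
    sleep "$grace"
    if kill -KILL "$pid" 2>/dev/null; then
      echo "watchdog: $1 ignored SIGTERM, sent SIGKILL" >&2
    fi
  ) &
  watchdog=$!

  rc=0
  wait "$pid" || rc=$?
  # Cancel the watchdog if the scanner finished on its own.
  kill "$watchdog" 2>/dev/null || true
  return "$rc"
}

# scan_file FILE: example use with the sweep invocation from the thread.
# The 300 s limit, 10 s grace and 95% threshold are assumptions.
scan_file() {
  tmpdir=${TMPDIR:-/tmp}
  used=$(tmp_usage_pct "$tmpdir")
  if [ "$used" -ge 95 ]; then
    echo "refusing to scan $1: $tmpdir is ${used}% full" >&2
    return 75
  fi
  run_with_timeout 300 10 /opt/sophos/bin/sweep \
    -sc -f -all -rec -ss -archive -loopback "$1"
}
```

The exit status tells the caller which path was taken, so a wrapper can log "scanner timed out" for 143 or 137 and treat the message as unscanned rather than assuming the scan completed; the tmp-space check is separate from the timeout because, as the ps output above shows, a scanner that has filled its working area can sit idle without ever exceeding a CPU-time limit.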