cpet/freebsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to "1.8 final release". Change master site. Add new home

Browse Source 
page.  Install new man page.  Be verbose.  Add patch to fix new -o
option.  Update patch to README (the old one was integrated upstream).
The new patches have been sent to William Stearns.
This commit is contained in:
Trevor Johnson 2002-01-21 08:47:53 +00:00
parent 0c6b0118e1
commit 508c4a1756
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=53438
10 changed files with 70 additions and 614 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
net-mgmt/p0f/Makefile
View File

@ -7,28 +7,29 @@
PORTNAME= p0f
PORTVERSION= 1.8
PORTREVISION= 1
CATEGORIES= net
MASTER_SITES= http://lcamtuf.hack.pl/
DISTNAME= ${PORTNAME}
MASTER_SITES= http://www.stearns.org/p0f/
EXTRACT_SUFX= .tgz
MAINTAINER= trevor@FreeBSD.org
WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
MAN1= p0f.1
post-patch:
@${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \
${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \
${WRKSRC}/README \
${WRKSRC}/p0f.c
do-install:
@${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
@${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
${INSTALL_MAN} ${WRKSRC}/${MAN1} ${MANPREFIX}/man/man1
post-install:
.if !defined(NOPORTDOCS)
@${MKDIR} ${PREFIX}/share/doc/p0f
@${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
${MKDIR} ${PREFIX}/share/doc/p0f
${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
.endif
.include <bsd.port.mk>

2
net-mgmt/p0f/distinfo
View File

@ -1 +1 @@
MD5 (p0f.tgz) = 56d6797b8f0e9f00715dd59b4e5f6822
MD5 (p0f-1.8.tgz) = a800396508a9d4bd4e4204a76ea79c2e

305
net-mgmt/p0f/files/patch-README
View File

@ -1,302 +1,11 @@
patch to version 1.8.test9
- mention the FreeBSD port
- mention that BSD make, not just GNU make, is adequate
- some rewording for clarity, not intended to change meaning
- reformatting of white space, mostly done with "fmt 79 80"
- spelling changes, mostly suggested by ispell
--- README.old Thu Nov 22 16:37:28 2001
+++ README Wed Jan 9 12:10:53 2002
@@ -18,17 +18,17 @@
Project Status
--------------
--- README.old Thu Jan 17 21:58:09 2002
+++ README Sun Jan 20 23:30:58 2002
@@ -94,7 +94,7 @@
- As for today, this packet is hosted and maintained by William Stearns
- <wstearns@pobox.com>. Original code comes from Michal Zalewski
- <lcamtuf@coredump.cx>. Feel free to mail William or both of us with
- bugfixes, ideas, etc =)
+ This program is now hosted and maintained by William Stearns
+ <wstearns@pobox.com>. It was originally written by Michal Zalewski
+ <lcamtuf@coredump.cx>. Feel free to mail William or both of us with
+ bug-fixes, ideas, etc. =)
-----------------
Special thanks to
-----------------
- * Lance Spitzner for whitepaper on passive OS fingerprinting:
+ * Lance Spitzner for white paper on passive OS fingerprinting:
http://www.enteract.com/~lspitz/finger.html
* tf8 for initial piece of libpcap support and packet parsing
@@ -36,7 +36,7 @@
* teso/security.is/b0f/#hax for ideas and testing
* Jeremy Weatherford, Chris Wilson and Szilveszter Adam for
- portability testing/patches, bugfixes and ideas,
+ portability testing/patches, bug-fixes and ideas,
* other BUGTRAQ readers for OS fingerprints and useful patches
@@ -49,126 +49,127 @@
Background
----------
- * What is passive OS fingerprinting?
-
- Passive OS fingerprinting technique is based on information coming
- from remote host when it tries to establish a connection to your system.
- Captured packet parameters contain enough information to determine
- remote OS - and, unlike active scanners (nmap, queSO) - this is done
- without sending anything to this host.
-
- If you're looking for more information on this approach, read Spitzner's
- whitepaper at http://www.enteract.com/~lspitz/finger.html :)
-
+ * What is passive OS fingerprinting?
+
+ The passive OS fingerprinting technique is based on information coming from a
+ remote host when it tries to establish a connection to your system. Captured
+ packet parameters contain enough information to identify the remote OS. In
+ contrast to active scanners such as nmap and queSO, p0f does this without
+ sending anything to the remote host.
+
+ If you're looking for more information on this approach, read Spitzner's white
+ paper (mentioned above). :)
+
In short, there are certain TCP/IP flag settings specific for given systems.
- Usually initial TTL (8 bits), window size (16 bits), maximum segment size
- (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option
- (1 bit), window scaling option (8 bits), initial packet size (16 bits)
- vary from one TCP stack implementation to another, and, combined together,
- give unique, 67-bit signature for every system.
-
- Some portions of p0f code are currently used by IDS systems and
- sniffer software.
-
- * What are main advantages?
-
- Passive OS fingerprinting can be done on huge portions of input data - eg.
- information gathered on firewall, proxy, routing device or Internet server,
- without causing any network activity. You can launch passive OS detection
- software on such machine and leave it for days, weeks or months, collecting
- really interesting statistical information about your customers, about
- attackers, other servers, etc. What's really funny - packet filtering
- firewalls, network address translation and so on are almost always
- transparent to p0f-alike software, so you're able to obtain information
- about systems behind the firewall. Also, such software can determine
- distance between remote host and your system, allowing you to generate
- network structure maps for firewalled/structural networks. And all without
- sending a single packet. Nice, especially for IDSes.
+ Usually initial TTL (8 bits), window size (16 bits), maximum segment size (16
+ bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option (1 bit),
+ window scaling option (8 bits), and initial packet size (16 bits) vary from
+ one TCP stack implementation to another. Together, they give a unique, 67-bit
+ signature for every system.
+
+ Some portions of the p0f code are currently used by IDS systems and sniffer
+ software.
+
+ * What are the main advantages?
+
+ Passive OS fingerprinting can be done on huge amounts of input data - for
+ example, information gathered on a firewall, proxy, routing device or Internet
+ server - without causing any network activity. You can launch passive OS
+ detection software on such a machine and leave it for days, weeks or months,
+ collecting really interesting statistical information about your customers,
+ attackers, other servers, etc. Since packet filtering firewalls, network
+ address translation and so on are almost always transparent to p0f-alike
+ software, you're able to obtain information about systems behind the firewall.
+ Also, such software can determine the distance between a remote host and your
+ system, allowing you to generate network structure maps for
+ firewalled/structural networks. All this can be done without sending a single
+ packet. It is especially nice for IDSes.
-----------
Limitations
-----------
- Proxy firewalls and other high-level proxy devices are not transparent to
- any TCP-level fingerprinting software. The device itself will be
- fingerprinted, not actual source hosts.
-
+ Proxy firewalls and other high-level proxy devices are not transparent to any
+ TCP-level fingerprinting software. The device itself will be fingerprinted,
+ not actual source hosts.
+
In order to obtain information required for fingerprinting, you have to
- receive at least one SYN packet initializing TCP connection to your
- machine or network. Note: you don't have to respond to particular SYN.
- Of course, it's impossible to perform any kind of OS detection witout
- receiving any information.
-
- It is possible to perform passive fingerprinting on live TCP connection, or
- on a connection established by you to a remote host. However, these
- techniques are less reliable (many implementations copy parameters from
- the first SYN packet; other parameters change rapidly with time).
-
-
------------------------------------------
-Is there anything special about this one?
------------------------------------------
-
- There is another passive OS detection utility, called 'siphon'. It's
- pretty good piece of proof-of-concept software, but it isn't perfect. Well,
- p0f isn't perfect for sure, but features some improvements:
-
+ receive at least one SYN packet initializing TCP connection to your machine or
receive at least one SYN packet initiating a TCP connection to your machine or
- or network. Note: you don't have to respond to this particular SYN. Of course,
+ network. Note: you don't have to respond to this particular SYN. Of course,
+ it's impossible to perform any kind of OS detection without receiving any
+ information.
+
+ It is possible to perform passive fingerprinting on a live TCP connection, or
+ on a connection established by you to a remote host. However, these techniques
+ are less reliable (many implementations copy parameters from the first SYN
+ packet; other parameters change rapidly with time).
+
+
+---------------------------------------------
+Is there anything special about this program?
+---------------------------------------------
+
+ There is another passive OS detection utility, called 'siphon'. It's a pretty
+ good piece of proof-of-concept software, but it isn't perfect. Well, p0f
+ isn't perfect for sure, but features some improvements:
+
- it's single-threaded and pretty clean,
-
+
- works properly on Linuxes (siphon has a problem with bpf on 2.2), as
well as on BSD systems and SunOS/Solaris,
-
+
- has pretty large and detailed fingerprints database,
-
+
- uses more information for fingerprinting (42 extra bits),
-
+
- it's more accurate,
-
+
- you can define your own filtering rules in the tcpdump flavour:
- p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and
- listening interface (using option -i).
-
- What more? Dunno :) Simply, check it out.
+ p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and listening
+ interface (using option -i).
+
+ What more? Dunno. :) Simply, check it out.
it's impossible to perform any kind of OS detection without receiving any
information.
------------
Not working!
------------
- Probably p0f isn't working well on every platform in the world; first
- of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
- /usr/include/pcap instead of /usr/include/ (eg. in broken RH 6.1 package).
- In this case, simply issue:
-
- ln -s /usr/include/pcap/pcap.h /usr/include/
- ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
-
- NOTE: if p0f recognized system incorrectly or cannot recognize it at all,
- please send OS signature and system description to author. Thanks :)
-
+ Probably p0f isn't working well on every platform in the world. First of all,
+ you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
+ /usr/include/pcap instead of /usr/include/ (for example, in the broken Red Hat
+ 6.1 package). In this case, simply issue:
+
+ ln -s /usr/include/pcap/pcap.h /usr/include/
+ ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
+
+ NOTE: if p0f recognized the system incorrectly or cannot recognize it at all,
+ please send the OS signature and system description to the author. Thanks. :)
+
Tested platforms:
- NetBSD
- FreeBSD
+ in the ports collection
- OpenBSD
- Linux 2.0/2.2/2.4
http://www.stearns.org/p0f/
- Solaris 2.6-2.7
- LinuxPPC
http://rpmfind.net/linux/RPM/linuxPPC/contrib/software/Applications/Networking/p0f-1.7-0.ppc.html
-
- Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x;
- GNU egrep (for proper Makefile processing)
-
+ Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x or BSD
+ make; GNU egrep (for proper Makefile processing)
+
+
-------------
Configuration
-------------
- /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described
- inside:
-
+ The database of OS fingerprints is usually kept in /etc/p0f.fp or ./p0f.fp .
+ Its format is described below:
+
#
# p0f - passive OS fingerprinting
# -------------------------------
@@ -208,9 +209,9 @@
# W - window scaling (-1=not present, other=value)
# S - sackOK flag (0=unset, 1=set)
# N - nop flag (0=unset, 1=set)
- # I - declared packet size (-1 = irrevelant)
+ # I - declared packet size (-1 = irrelevant)
#
-
+
--------------------
What should be done?
@@ -218,22 +219,22 @@
- Colorful interface, of course ;)
- Packet sizes added for old fingerprints
- - Manpage and other user-friendly features
+ - Man page and other user-friendly features
-------------------
License, disclaimer
-------------------
- The p0f utility and related utilities are free software; you can
- redistribute it and/or modify it under the terms of the GNU Library
- General Public License as published by the Free Software Foundation;
- either version 2 of the License, or (at your option) any later version.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM,
- DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
- OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
- OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ The p0f utility and related utilities are free software; you can redistribute
+ it and/or modify it under the terms of the GNU Library General Public License
+ as published by the Free Software Foundation; either version 2 of the License,
+ or (at your option) any later version.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
+ MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ IN THE SOFTWARE.

16
net-mgmt/p0f/files/patch-p0f.c Normal file
View File

@ -0,0 +1,16 @@
--- p0f.c.orig Thu Jan 17 21:05:58 2002
+++ p0f.c Mon Jan 21 00:22:56 2002
@@ -348,10 +348,9 @@
T_tstamp = 1;
break;
case 'o':
- { FILE* x;
- x=fopen(optarg,"a");
- if (!x) { perror(optarg); exit(1); }
- stdout=x;
+ if (!freopen(optarg,"a",stdout)) {
+ perror(optarg);
+ exit(1);
}
break;
default:

2
net-mgmt/p0f/pkg-descr
View File

@ -19,3 +19,5 @@ http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml
if you do not understand how this can be harmful. Running p0f with
no options will cause it to analyse packets intended for other
hosts.
WWW: http://www.stearns.org/p0f/

17
net/p0f/Makefile
View File

@ -7,28 +7,29 @@
PORTNAME= p0f
PORTVERSION= 1.8
PORTREVISION= 1
CATEGORIES= net
MASTER_SITES= http://lcamtuf.hack.pl/
DISTNAME= ${PORTNAME}
MASTER_SITES= http://www.stearns.org/p0f/
EXTRACT_SUFX= .tgz
MAINTAINER= trevor@FreeBSD.org
WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
MAN1= p0f.1
post-patch:
@${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \
${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \
${WRKSRC}/README \
${WRKSRC}/p0f.c
do-install:
@${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
@${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
${INSTALL_MAN} ${WRKSRC}/${MAN1} ${MANPREFIX}/man/man1
post-install:
.if !defined(NOPORTDOCS)
@${MKDIR} ${PREFIX}/share/doc/p0f
@${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
${MKDIR} ${PREFIX}/share/doc/p0f
${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
.endif
.include <bsd.port.mk>

2
net/p0f/distinfo
View File

@ -1 +1 @@
MD5 (p0f.tgz) = 56d6797b8f0e9f00715dd59b4e5f6822
MD5 (p0f-1.8.tgz) = a800396508a9d4bd4e4204a76ea79c2e

305
net/p0f/files/patch-README
View File

@ -1,302 +1,11 @@
patch to version 1.8.test9
- mention the FreeBSD port
- mention that BSD make, not just GNU make, is adequate
- some rewording for clarity, not intended to change meaning
- reformatting of white space, mostly done with "fmt 79 80"
- spelling changes, mostly suggested by ispell
--- README.old Thu Nov 22 16:37:28 2001
+++ README Wed Jan 9 12:10:53 2002
@@ -18,17 +18,17 @@
Project Status
--------------
--- README.old Thu Jan 17 21:58:09 2002
+++ README Sun Jan 20 23:30:58 2002
@@ -94,7 +94,7 @@
- As for today, this packet is hosted and maintained by William Stearns
- <wstearns@pobox.com>. Original code comes from Michal Zalewski
- <lcamtuf@coredump.cx>. Feel free to mail William or both of us with
- bugfixes, ideas, etc =)
+ This program is now hosted and maintained by William Stearns
+ <wstearns@pobox.com>. It was originally written by Michal Zalewski
+ <lcamtuf@coredump.cx>. Feel free to mail William or both of us with
+ bug-fixes, ideas, etc. =)
-----------------
Special thanks to
-----------------
- * Lance Spitzner for whitepaper on passive OS fingerprinting:
+ * Lance Spitzner for white paper on passive OS fingerprinting:
http://www.enteract.com/~lspitz/finger.html
* tf8 for initial piece of libpcap support and packet parsing
@@ -36,7 +36,7 @@
* teso/security.is/b0f/#hax for ideas and testing
* Jeremy Weatherford, Chris Wilson and Szilveszter Adam for
- portability testing/patches, bugfixes and ideas,
+ portability testing/patches, bug-fixes and ideas,
* other BUGTRAQ readers for OS fingerprints and useful patches
@@ -49,126 +49,127 @@
Background
----------
- * What is passive OS fingerprinting?
-
- Passive OS fingerprinting technique is based on information coming
- from remote host when it tries to establish a connection to your system.
- Captured packet parameters contain enough information to determine
- remote OS - and, unlike active scanners (nmap, queSO) - this is done
- without sending anything to this host.
-
- If you're looking for more information on this approach, read Spitzner's
- whitepaper at http://www.enteract.com/~lspitz/finger.html :)
-
+ * What is passive OS fingerprinting?
+
+ The passive OS fingerprinting technique is based on information coming from a
+ remote host when it tries to establish a connection to your system. Captured
+ packet parameters contain enough information to identify the remote OS. In
+ contrast to active scanners such as nmap and queSO, p0f does this without
+ sending anything to the remote host.
+
+ If you're looking for more information on this approach, read Spitzner's white
+ paper (mentioned above). :)
+
In short, there are certain TCP/IP flag settings specific for given systems.
- Usually initial TTL (8 bits), window size (16 bits), maximum segment size
- (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option
- (1 bit), window scaling option (8 bits), initial packet size (16 bits)
- vary from one TCP stack implementation to another, and, combined together,
- give unique, 67-bit signature for every system.
-
- Some portions of p0f code are currently used by IDS systems and
- sniffer software.
-
- * What are main advantages?
-
- Passive OS fingerprinting can be done on huge portions of input data - eg.
- information gathered on firewall, proxy, routing device or Internet server,
- without causing any network activity. You can launch passive OS detection
- software on such machine and leave it for days, weeks or months, collecting
- really interesting statistical information about your customers, about
- attackers, other servers, etc. What's really funny - packet filtering
- firewalls, network address translation and so on are almost always
- transparent to p0f-alike software, so you're able to obtain information
- about systems behind the firewall. Also, such software can determine
- distance between remote host and your system, allowing you to generate
- network structure maps for firewalled/structural networks. And all without
- sending a single packet. Nice, especially for IDSes.
+ Usually initial TTL (8 bits), window size (16 bits), maximum segment size (16
+ bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option (1 bit),
+ window scaling option (8 bits), and initial packet size (16 bits) vary from
+ one TCP stack implementation to another. Together, they give a unique, 67-bit
+ signature for every system.
+
+ Some portions of the p0f code are currently used by IDS systems and sniffer
+ software.
+
+ * What are the main advantages?
+
+ Passive OS fingerprinting can be done on huge amounts of input data - for
+ example, information gathered on a firewall, proxy, routing device or Internet
+ server - without causing any network activity. You can launch passive OS
+ detection software on such a machine and leave it for days, weeks or months,
+ collecting really interesting statistical information about your customers,
+ attackers, other servers, etc. Since packet filtering firewalls, network
+ address translation and so on are almost always transparent to p0f-alike
+ software, you're able to obtain information about systems behind the firewall.
+ Also, such software can determine the distance between a remote host and your
+ system, allowing you to generate network structure maps for
+ firewalled/structural networks. All this can be done without sending a single
+ packet. It is especially nice for IDSes.
-----------
Limitations
-----------
- Proxy firewalls and other high-level proxy devices are not transparent to
- any TCP-level fingerprinting software. The device itself will be
- fingerprinted, not actual source hosts.
-
+ Proxy firewalls and other high-level proxy devices are not transparent to any
+ TCP-level fingerprinting software. The device itself will be fingerprinted,
+ not actual source hosts.
+
In order to obtain information required for fingerprinting, you have to
- receive at least one SYN packet initializing TCP connection to your
- machine or network. Note: you don't have to respond to particular SYN.
- Of course, it's impossible to perform any kind of OS detection witout
- receiving any information.
-
- It is possible to perform passive fingerprinting on live TCP connection, or
- on a connection established by you to a remote host. However, these
- techniques are less reliable (many implementations copy parameters from
- the first SYN packet; other parameters change rapidly with time).
-
-
------------------------------------------
-Is there anything special about this one?
------------------------------------------
-
- There is another passive OS detection utility, called 'siphon'. It's
- pretty good piece of proof-of-concept software, but it isn't perfect. Well,
- p0f isn't perfect for sure, but features some improvements:
-
+ receive at least one SYN packet initializing TCP connection to your machine or
receive at least one SYN packet initiating a TCP connection to your machine or
- or network. Note: you don't have to respond to this particular SYN. Of course,
+ network. Note: you don't have to respond to this particular SYN. Of course,
+ it's impossible to perform any kind of OS detection without receiving any
+ information.
+
+ It is possible to perform passive fingerprinting on a live TCP connection, or
+ on a connection established by you to a remote host. However, these techniques
+ are less reliable (many implementations copy parameters from the first SYN
+ packet; other parameters change rapidly with time).
+
+
+---------------------------------------------
+Is there anything special about this program?
+---------------------------------------------
+
+ There is another passive OS detection utility, called 'siphon'. It's a pretty
+ good piece of proof-of-concept software, but it isn't perfect. Well, p0f
+ isn't perfect for sure, but features some improvements:
+
- it's single-threaded and pretty clean,
-
+
- works properly on Linuxes (siphon has a problem with bpf on 2.2), as
well as on BSD systems and SunOS/Solaris,
-
+
- has pretty large and detailed fingerprints database,
-
+
- uses more information for fingerprinting (42 extra bits),
-
+
- it's more accurate,
-
+
- you can define your own filtering rules in the tcpdump flavour:
- p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and
- listening interface (using option -i).
-
- What more? Dunno :) Simply, check it out.
+ p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and listening
+ interface (using option -i).
+
+ What more? Dunno. :) Simply, check it out.
it's impossible to perform any kind of OS detection without receiving any
information.
------------
Not working!
------------
- Probably p0f isn't working well on every platform in the world; first
- of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
- /usr/include/pcap instead of /usr/include/ (eg. in broken RH 6.1 package).
- In this case, simply issue:
-
- ln -s /usr/include/pcap/pcap.h /usr/include/
- ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
-
- NOTE: if p0f recognized system incorrectly or cannot recognize it at all,
- please send OS signature and system description to author. Thanks :)
-
+ Probably p0f isn't working well on every platform in the world. First of all,
+ you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
+ /usr/include/pcap instead of /usr/include/ (for example, in the broken Red Hat
+ 6.1 package). In this case, simply issue:
+
+ ln -s /usr/include/pcap/pcap.h /usr/include/
+ ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
+
+ NOTE: if p0f recognized the system incorrectly or cannot recognize it at all,
+ please send the OS signature and system description to the author. Thanks. :)
+
Tested platforms:
- NetBSD
- FreeBSD
+ in the ports collection
- OpenBSD
- Linux 2.0/2.2/2.4
http://www.stearns.org/p0f/
- Solaris 2.6-2.7
- LinuxPPC
http://rpmfind.net/linux/RPM/linuxPPC/contrib/software/Applications/Networking/p0f-1.7-0.ppc.html
-
- Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x;
- GNU egrep (for proper Makefile processing)
-
+ Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x or BSD
+ make; GNU egrep (for proper Makefile processing)
+
+
-------------
Configuration
-------------
- /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described
- inside:
-
+ The database of OS fingerprints is usually kept in /etc/p0f.fp or ./p0f.fp .
+ Its format is described below:
+
#
# p0f - passive OS fingerprinting
# -------------------------------
@@ -208,9 +209,9 @@
# W - window scaling (-1=not present, other=value)
# S - sackOK flag (0=unset, 1=set)
# N - nop flag (0=unset, 1=set)
- # I - declared packet size (-1 = irrevelant)
+ # I - declared packet size (-1 = irrelevant)
#
-
+
--------------------
What should be done?
@@ -218,22 +219,22 @@
- Colorful interface, of course ;)
- Packet sizes added for old fingerprints
- - Manpage and other user-friendly features
+ - Man page and other user-friendly features
-------------------
License, disclaimer
-------------------
- The p0f utility and related utilities are free software; you can
- redistribute it and/or modify it under the terms of the GNU Library
- General Public License as published by the Free Software Foundation;
- either version 2 of the License, or (at your option) any later version.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM,
- DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
- OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
- OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ The p0f utility and related utilities are free software; you can redistribute
+ it and/or modify it under the terms of the GNU Library General Public License
+ as published by the Free Software Foundation; either version 2 of the License,
+ or (at your option) any later version.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
+ MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ IN THE SOFTWARE.

16
net/p0f/files/patch-p0f.c Normal file
View File

@ -0,0 +1,16 @@
--- p0f.c.orig Thu Jan 17 21:05:58 2002
+++ p0f.c Mon Jan 21 00:22:56 2002
@@ -348,10 +348,9 @@
T_tstamp = 1;
break;
case 'o':
- { FILE* x;
- x=fopen(optarg,"a");
- if (!x) { perror(optarg); exit(1); }
- stdout=x;
+ if (!freopen(optarg,"a",stdout)) {
+ perror(optarg);
+ exit(1);
}
break;
default:

2
net/p0f/pkg-descr
View File

@ -19,3 +19,5 @@ http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml
if you do not understand how this can be harmful. Running p0f with
no options will cause it to analyse packets intended for other
hosts.
WWW: http://www.stearns.org/p0f/