From fc3bcab0a5c3d6d2da5a076925b31b0491f00313 Mon Sep 17 00:00:00 2001 From: Trevor Johnson Date: Wed, 9 Jan 2002 21:19:39 +0000 Subject: [PATCH] Update to 1.8. Patch p0f.c to look for the database under $PREFIX (could also be done by setting SYSCONFDIR). Submitted by: lioux Remove duplicate regular expression in do-patch target. Update the README patch (sent to William Stearns). Remove an old "signature" from pkg-descr. --- net-mgmt/p0f/Makefile | 7 +- net-mgmt/p0f/distinfo | 2 +- net-mgmt/p0f/files/patch-README | 350 ++++++++++++++++++++++++++------ net-mgmt/p0f/pkg-descr | 3 - net/p0f/Makefile | 7 +- net/p0f/distinfo | 2 +- net/p0f/files/patch-README | 350 ++++++++++++++++++++++++++------ net/p0f/pkg-descr | 3 - 8 files changed, 584 insertions(+), 140 deletions(-) diff --git a/net-mgmt/p0f/Makefile b/net-mgmt/p0f/Makefile index af0b6cdc0c8d..c035831401b3 100644 --- a/net-mgmt/p0f/Makefile +++ b/net-mgmt/p0f/Makefile @@ -6,7 +6,7 @@ # PORTNAME= p0f -PORTVERSION= 1.7 +PORTVERSION= 1.8 CATEGORIES= net MASTER_SITES= http://lcamtuf.hack.pl/ DISTNAME= ${PORTNAME} @@ -17,8 +17,9 @@ MAINTAINER= trevor@FreeBSD.org WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION} post-patch: - @${PERL} -pi -e "s=/etc=${PREFIX}/etc=g ; \ - s=/etc=${PREFIX}/etc=g" ${WRKSRC}/README + @${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \ + ${WRKSRC}/README \ + ${WRKSRC}/p0f.c do-install: @${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin diff --git a/net-mgmt/p0f/distinfo b/net-mgmt/p0f/distinfo index 198e93223d63..b02d48c10055 100644 --- a/net-mgmt/p0f/distinfo +++ b/net-mgmt/p0f/distinfo @@ -1 +1 @@ -MD5 (p0f.tgz) = 5d4242df39c6325683ee02f9e95f2801 +MD5 (p0f.tgz) = 56d6797b8f0e9f00715dd59b4e5f6822 diff --git a/net-mgmt/p0f/files/patch-README b/net-mgmt/p0f/files/patch-README index 270fb4e42ac1..6d8750a3529a 100644 --- a/net-mgmt/p0f/files/patch-README +++ b/net-mgmt/p0f/files/patch-README @@ -1,78 +1,302 @@ ---- README.orig Mon Jun 12 15:28:41 2000 -+++ README Mon Jun 12 21:15:54 2000 -@@ -27,30 +27,31 @@ - - Background: +patch to version 1.8.test9 + +- mention the FreeBSD port +- mention that BSD make, not just GNU make, is adequate +- some rewording for clarity, not intended to change meaning +- reformatting of white space, mostly done with "fmt 79 80" +- spelling changes, mostly suggested by ispell + +--- README.old Thu Nov 22 16:37:28 2001 ++++ README Wed Jan 9 12:10:53 2002 +@@ -18,17 +18,17 @@ + Project Status + -------------- + +- As for today, this packet is hosted and maintained by William Stearns +- . Original code comes from Michal Zalewski +- . Feel free to mail William or both of us with +- bugfixes, ideas, etc =) ++ This program is now hosted and maintained by William Stearns ++ . It was originally written by Michal Zalewski ++ . Feel free to mail William or both of us with ++ bug-fixes, ideas, etc. =) + + + ----------------- + Special thanks to + ----------------- + +- * Lance Spitzner for whitepaper on passive OS fingerprinting: ++ * Lance Spitzner for white paper on passive OS fingerprinting: + http://www.enteract.com/~lspitz/finger.html + + * tf8 for initial piece of libpcap support and packet parsing +@@ -36,7 +36,7 @@ + * teso/security.is/b0f/#hax for ideas and testing + + * Jeremy Weatherford, Chris Wilson and Szilveszter Adam for +- portability testing/patches, bugfixes and ideas, ++ portability testing/patches, bug-fixes and ideas, + + * other BUGTRAQ readers for OS fingerprints and useful patches + +@@ -49,126 +49,127 @@ + Background + ---------- - * What is passive OS fingerprinting? +- +- Passive OS fingerprinting technique is based on information coming +- from remote host when it tries to establish a connection to your system. +- Captured packet parameters contain enough information to determine +- remote OS - and, unlike active scanners (nmap, queSO) - this is done +- without sending anything to this host. +- +- If you're looking for more information on this approach, read Spitzner's +- whitepaper at http://www.enteract.com/~lspitz/finger.html :) +- + * What is passive OS fingerprinting? - -- Passive OS fingerprinting technique bases on information coming -- from remote host when it establishes connection to our system. Captured -- packets contains enough information to determine OS - and, unlike -- active scanners (nmap, queSO) - without sending anything to this host. -+ Passive OS fingerprinting is based on information coming from a remote host -+ when it establishes a connection to our system. Captured packets contain -+ enough information to identify the operating system. In contrast to active -+ scanners such as nmap and QueSO, p0f does not send anything to the host being -+ identified. - - If you're looking for more information, read Spitzner's text at: - http://www.enteract.com/~lspitz/finger.html - -- * How it works? -+ * How does it work? - - Well, there are some TCP/IP flag settings specific for given systems. - Usually initial TTL (8 bits), window size (16 bits), maximum segment size - (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option -- (1 bit) and window scaling option (8 bits) combined together gives unique, -+ (1 bit) and window scaling option (8 bits) combined together give a unique, - 51-bit signature for every system. - ++ ++ The passive OS fingerprinting technique is based on information coming from a ++ remote host when it tries to establish a connection to your system. Captured ++ packet parameters contain enough information to identify the remote OS. In ++ contrast to active scanners such as nmap and queSO, p0f does this without ++ sending anything to the remote host. ++ ++ If you're looking for more information on this approach, read Spitzner's white ++ paper (mentioned above). :) ++ + In short, there are certain TCP/IP flag settings specific for given systems. +- Usually initial TTL (8 bits), window size (16 bits), maximum segment size +- (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option +- (1 bit), window scaling option (8 bits), initial packet size (16 bits) +- vary from one TCP stack implementation to another, and, combined together, +- give unique, 67-bit signature for every system. +- +- Some portions of p0f code are currently used by IDS systems and +- sniffer software. +- - * What are main advantages? -+ * What are the main advantages? - +- - Passive OS fingerprinting can be done on huge portions of input data - eg. - information gathered on firewall, proxy, routing device or Internet server, - without causing any network activity. You can launch passive OS detection - software on such machine and leave it for days, weeks or months, collecting -+ Passive OS fingerprinting can be done on huge amounts of input data - -+ gathered on a firewall, proxy, routing device or Internet server - without -+ causing any network activity. You can launch passive OS detection -+ software on such a machine and leave it for days or months, collecting - really interesting statistical and - *erm* - just interesting information. - What's really funny - packet filtering firewalls, network address - translation and so on are transparent to p0f-alike software, so you're able -@@ -62,7 +63,7 @@ +- really interesting statistical information about your customers, about +- attackers, other servers, etc. What's really funny - packet filtering +- firewalls, network address translation and so on are almost always +- transparent to p0f-alike software, so you're able to obtain information +- about systems behind the firewall. Also, such software can determine +- distance between remote host and your system, allowing you to generate +- network structure maps for firewalled/structural networks. And all without +- sending a single packet. Nice, especially for IDSes. ++ Usually initial TTL (8 bits), window size (16 bits), maximum segment size (16 ++ bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option (1 bit), ++ window scaling option (8 bits), and initial packet size (16 bits) vary from ++ one TCP stack implementation to another. Together, they give a unique, 67-bit ++ signature for every system. ++ ++ Some portions of the p0f code are currently used by IDS systems and sniffer ++ software. ++ ++ * What are the main advantages? ++ ++ Passive OS fingerprinting can be done on huge amounts of input data - for ++ example, information gathered on a firewall, proxy, routing device or Internet ++ server - without causing any network activity. You can launch passive OS ++ detection software on such a machine and leave it for days, weeks or months, ++ collecting really interesting statistical information about your customers, ++ attackers, other servers, etc. Since packet filtering firewalls, network ++ address translation and so on are almost always transparent to p0f-alike ++ software, you're able to obtain information about systems behind the firewall. ++ Also, such software can determine the distance between a remote host and your ++ system, allowing you to generate network structure maps for ++ firewalled/structural networks. All this can be done without sending a single ++ packet. It is especially nice for IDSes. + + + ----------- Limitations + ----------- - Proxy firewalls and other high-level proxy devices are not transparent to -- any tcp fingerprinting software. It applies to p0f, as well. -+ any TCP fingerprinting software. It applies to p0f, as well. - +- Proxy firewalls and other high-level proxy devices are not transparent to +- any TCP-level fingerprinting software. The device itself will be +- fingerprinted, not actual source hosts. +- ++ Proxy firewalls and other high-level proxy devices are not transparent to any ++ TCP-level fingerprinting software. The device itself will be fingerprinted, ++ not actual source hosts. ++ In order to obtain information required for fingerprinting, you have to - receive at least one SYN packet initializing TCP connection to your -@@ -78,9 +79,9 @@ - window size are constant for initial TCP/IP packet, but changing rapidly - later). - --Why our bubble gum is better? -+Why is our bubble gum better? - +- receive at least one SYN packet initializing TCP connection to your +- machine or network. Note: you don't have to respond to particular SYN. +- Of course, it's impossible to perform any kind of OS detection witout +- receiving any information. +- +- It is possible to perform passive fingerprinting on live TCP connection, or +- on a connection established by you to a remote host. However, these +- techniques are less reliable (many implementations copy parameters from +- the first SYN packet; other parameters change rapidly with time). +- +- +------------------------------------------ +-Is there anything special about this one? +------------------------------------------ +- - There is another passive OS detection utility, called 'siphon'. It's -+ There is another passive OS detection utility, called 'siphon'. It's a - pretty good piece of proof-of-concept software, but it isn't perfect. Well, - p0f isn't perfect for sure, but has several improvements: - -@@ -128,8 +129,8 @@ - - Files: +- pretty good piece of proof-of-concept software, but it isn't perfect. Well, +- p0f isn't perfect for sure, but features some improvements: +- ++ receive at least one SYN packet initializing TCP connection to your machine or ++ network. Note: you don't have to respond to this particular SYN. Of course, ++ it's impossible to perform any kind of OS detection without receiving any ++ information. ++ ++ It is possible to perform passive fingerprinting on a live TCP connection, or ++ on a connection established by you to a remote host. However, these techniques ++ are less reliable (many implementations copy parameters from the first SYN ++ packet; other parameters change rapidly with time). ++ ++ ++--------------------------------------------- ++Is there anything special about this program? ++--------------------------------------------- ++ ++ There is another passive OS detection utility, called 'siphon'. It's a pretty ++ good piece of proof-of-concept software, but it isn't perfect. Well, p0f ++ isn't perfect for sure, but features some improvements: ++ + - it's single-threaded and pretty clean, +- ++ + - works properly on Linuxes (siphon has a problem with bpf on 2.2), as + well as on BSD systems and SunOS/Solaris, +- ++ + - has pretty large and detailed fingerprints database, +- ++ + - uses more information for fingerprinting (42 extra bits), +- ++ + - it's more accurate, +- ++ + - you can define your own filtering rules in the tcpdump flavour: +- p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and +- listening interface (using option -i). +- +- What more? Dunno :) Simply, check it out. ++ p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and listening ++ interface (using option -i). ++ ++ What more? Dunno. :) Simply, check it out. + + + ------------ + Not working! + ------------ + +- Probably p0f isn't working well on every platform in the world; first +- of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in +- /usr/include/pcap instead of /usr/include/ (eg. in broken RH 6.1 package). +- In this case, simply issue: +- +- ln -s /usr/include/pcap/pcap.h /usr/include/ +- ln -s /usr/include/pcap/net/bpf.h /usr/include/net/ +- +- NOTE: if p0f recognized system incorrectly or cannot recognize it at all, +- please send OS signature and system description to author. Thanks :) +- ++ Probably p0f isn't working well on every platform in the world. First of all, ++ you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in ++ /usr/include/pcap instead of /usr/include/ (for example, in the broken Red Hat ++ 6.1 package). In this case, simply issue: ++ ++ ln -s /usr/include/pcap/pcap.h /usr/include/ ++ ln -s /usr/include/pcap/net/bpf.h /usr/include/net/ ++ ++ NOTE: if p0f recognized the system incorrectly or cannot recognize it at all, ++ please send the OS signature and system description to the author. Thanks. :) ++ + Tested platforms: + + - NetBSD + - FreeBSD ++ in the ports collection + - OpenBSD + - Linux 2.0/2.2/2.4 + http://www.stearns.org/p0f/ + - Solaris 2.6-2.7 + - LinuxPPC + http://rpmfind.net/linux/RPM/linuxPPC/contrib/software/Applications/Networking/p0f-1.7-0.ppc.html +- +- Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x; +- GNU egrep (for proper Makefile processing) + +- ++ Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x or BSD ++ make; GNU egrep (for proper Makefile processing) ++ ++ + ------------- + Configuration + ------------- - /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described - inside: -+ /etc/p0f.fp or ./p0f.fp - OS fingerprints database. -+ The format is described inside: - - # Valid entry describes the way server starts TCP handshake (first SYN). - # Important options are: window size (wss), maximum segment size (mss), +- ++ The database of OS fingerprints is usually kept in /etc/p0f.fp or ./p0f.fp . ++ Its format is described below: ++ + # + # p0f - passive OS fingerprinting + # ------------------------------- +@@ -208,9 +209,9 @@ + # W - window scaling (-1=not present, other=value) + # S - sackOK flag (0=unset, 1=set) + # N - nop flag (0=unset, 1=set) +- # I - declared packet size (-1 = irrevelant) ++ # I - declared packet size (-1 = irrelevant) + # +- ++ + + -------------------- + What should be done? +@@ -218,22 +219,22 @@ + + - Colorful interface, of course ;) + - Packet sizes added for old fingerprints +- - Manpage and other user-friendly features ++ - Man page and other user-friendly features + + + ------------------- + License, disclaimer + ------------------- + +- The p0f utility and related utilities are free software; you can +- redistribute it and/or modify it under the terms of the GNU Library +- General Public License as published by the Free Software Foundation; +- either version 2 of the License, or (at your option) any later version. +- +- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +- OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +- MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, +- DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +- OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE +- OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ The p0f utility and related utilities are free software; you can redistribute ++ it and/or modify it under the terms of the GNU Library General Public License ++ as published by the Free Software Foundation; either version 2 of the License, ++ or (at your option) any later version. ++ ++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL ++ MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, DAMAGES OR ++ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS ++ IN THE SOFTWARE. diff --git a/net-mgmt/p0f/pkg-descr b/net-mgmt/p0f/pkg-descr index a48562804ca6..10ff2af92c7e 100644 --- a/net-mgmt/p0f/pkg-descr +++ b/net-mgmt/p0f/pkg-descr @@ -19,6 +19,3 @@ http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml if you do not understand how this can be harmful. Running p0f with no options will cause it to analyse packets intended for other hosts. - -Trevor Johnson -trevor@jpj.net diff --git a/net/p0f/Makefile b/net/p0f/Makefile index af0b6cdc0c8d..c035831401b3 100644 --- a/net/p0f/Makefile +++ b/net/p0f/Makefile @@ -6,7 +6,7 @@ # PORTNAME= p0f -PORTVERSION= 1.7 +PORTVERSION= 1.8 CATEGORIES= net MASTER_SITES= http://lcamtuf.hack.pl/ DISTNAME= ${PORTNAME} @@ -17,8 +17,9 @@ MAINTAINER= trevor@FreeBSD.org WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION} post-patch: - @${PERL} -pi -e "s=/etc=${PREFIX}/etc=g ; \ - s=/etc=${PREFIX}/etc=g" ${WRKSRC}/README + @${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \ + ${WRKSRC}/README \ + ${WRKSRC}/p0f.c do-install: @${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin diff --git a/net/p0f/distinfo b/net/p0f/distinfo index 198e93223d63..b02d48c10055 100644 --- a/net/p0f/distinfo +++ b/net/p0f/distinfo @@ -1 +1 @@ -MD5 (p0f.tgz) = 5d4242df39c6325683ee02f9e95f2801 +MD5 (p0f.tgz) = 56d6797b8f0e9f00715dd59b4e5f6822 diff --git a/net/p0f/files/patch-README b/net/p0f/files/patch-README index 270fb4e42ac1..6d8750a3529a 100644 --- a/net/p0f/files/patch-README +++ b/net/p0f/files/patch-README @@ -1,78 +1,302 @@ ---- README.orig Mon Jun 12 15:28:41 2000 -+++ README Mon Jun 12 21:15:54 2000 -@@ -27,30 +27,31 @@ - - Background: +patch to version 1.8.test9 + +- mention the FreeBSD port +- mention that BSD make, not just GNU make, is adequate +- some rewording for clarity, not intended to change meaning +- reformatting of white space, mostly done with "fmt 79 80" +- spelling changes, mostly suggested by ispell + +--- README.old Thu Nov 22 16:37:28 2001 ++++ README Wed Jan 9 12:10:53 2002 +@@ -18,17 +18,17 @@ + Project Status + -------------- + +- As for today, this packet is hosted and maintained by William Stearns +- . Original code comes from Michal Zalewski +- . Feel free to mail William or both of us with +- bugfixes, ideas, etc =) ++ This program is now hosted and maintained by William Stearns ++ . It was originally written by Michal Zalewski ++ . Feel free to mail William or both of us with ++ bug-fixes, ideas, etc. =) + + + ----------------- + Special thanks to + ----------------- + +- * Lance Spitzner for whitepaper on passive OS fingerprinting: ++ * Lance Spitzner for white paper on passive OS fingerprinting: + http://www.enteract.com/~lspitz/finger.html + + * tf8 for initial piece of libpcap support and packet parsing +@@ -36,7 +36,7 @@ + * teso/security.is/b0f/#hax for ideas and testing + + * Jeremy Weatherford, Chris Wilson and Szilveszter Adam for +- portability testing/patches, bugfixes and ideas, ++ portability testing/patches, bug-fixes and ideas, + + * other BUGTRAQ readers for OS fingerprints and useful patches + +@@ -49,126 +49,127 @@ + Background + ---------- - * What is passive OS fingerprinting? +- +- Passive OS fingerprinting technique is based on information coming +- from remote host when it tries to establish a connection to your system. +- Captured packet parameters contain enough information to determine +- remote OS - and, unlike active scanners (nmap, queSO) - this is done +- without sending anything to this host. +- +- If you're looking for more information on this approach, read Spitzner's +- whitepaper at http://www.enteract.com/~lspitz/finger.html :) +- + * What is passive OS fingerprinting? - -- Passive OS fingerprinting technique bases on information coming -- from remote host when it establishes connection to our system. Captured -- packets contains enough information to determine OS - and, unlike -- active scanners (nmap, queSO) - without sending anything to this host. -+ Passive OS fingerprinting is based on information coming from a remote host -+ when it establishes a connection to our system. Captured packets contain -+ enough information to identify the operating system. In contrast to active -+ scanners such as nmap and QueSO, p0f does not send anything to the host being -+ identified. - - If you're looking for more information, read Spitzner's text at: - http://www.enteract.com/~lspitz/finger.html - -- * How it works? -+ * How does it work? - - Well, there are some TCP/IP flag settings specific for given systems. - Usually initial TTL (8 bits), window size (16 bits), maximum segment size - (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option -- (1 bit) and window scaling option (8 bits) combined together gives unique, -+ (1 bit) and window scaling option (8 bits) combined together give a unique, - 51-bit signature for every system. - ++ ++ The passive OS fingerprinting technique is based on information coming from a ++ remote host when it tries to establish a connection to your system. Captured ++ packet parameters contain enough information to identify the remote OS. In ++ contrast to active scanners such as nmap and queSO, p0f does this without ++ sending anything to the remote host. ++ ++ If you're looking for more information on this approach, read Spitzner's white ++ paper (mentioned above). :) ++ + In short, there are certain TCP/IP flag settings specific for given systems. +- Usually initial TTL (8 bits), window size (16 bits), maximum segment size +- (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option +- (1 bit), window scaling option (8 bits), initial packet size (16 bits) +- vary from one TCP stack implementation to another, and, combined together, +- give unique, 67-bit signature for every system. +- +- Some portions of p0f code are currently used by IDS systems and +- sniffer software. +- - * What are main advantages? -+ * What are the main advantages? - +- - Passive OS fingerprinting can be done on huge portions of input data - eg. - information gathered on firewall, proxy, routing device or Internet server, - without causing any network activity. You can launch passive OS detection - software on such machine and leave it for days, weeks or months, collecting -+ Passive OS fingerprinting can be done on huge amounts of input data - -+ gathered on a firewall, proxy, routing device or Internet server - without -+ causing any network activity. You can launch passive OS detection -+ software on such a machine and leave it for days or months, collecting - really interesting statistical and - *erm* - just interesting information. - What's really funny - packet filtering firewalls, network address - translation and so on are transparent to p0f-alike software, so you're able -@@ -62,7 +63,7 @@ +- really interesting statistical information about your customers, about +- attackers, other servers, etc. What's really funny - packet filtering +- firewalls, network address translation and so on are almost always +- transparent to p0f-alike software, so you're able to obtain information +- about systems behind the firewall. Also, such software can determine +- distance between remote host and your system, allowing you to generate +- network structure maps for firewalled/structural networks. And all without +- sending a single packet. Nice, especially for IDSes. ++ Usually initial TTL (8 bits), window size (16 bits), maximum segment size (16 ++ bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option (1 bit), ++ window scaling option (8 bits), and initial packet size (16 bits) vary from ++ one TCP stack implementation to another. Together, they give a unique, 67-bit ++ signature for every system. ++ ++ Some portions of the p0f code are currently used by IDS systems and sniffer ++ software. ++ ++ * What are the main advantages? ++ ++ Passive OS fingerprinting can be done on huge amounts of input data - for ++ example, information gathered on a firewall, proxy, routing device or Internet ++ server - without causing any network activity. You can launch passive OS ++ detection software on such a machine and leave it for days, weeks or months, ++ collecting really interesting statistical information about your customers, ++ attackers, other servers, etc. Since packet filtering firewalls, network ++ address translation and so on are almost always transparent to p0f-alike ++ software, you're able to obtain information about systems behind the firewall. ++ Also, such software can determine the distance between a remote host and your ++ system, allowing you to generate network structure maps for ++ firewalled/structural networks. All this can be done without sending a single ++ packet. It is especially nice for IDSes. + + + ----------- Limitations + ----------- - Proxy firewalls and other high-level proxy devices are not transparent to -- any tcp fingerprinting software. It applies to p0f, as well. -+ any TCP fingerprinting software. It applies to p0f, as well. - +- Proxy firewalls and other high-level proxy devices are not transparent to +- any TCP-level fingerprinting software. The device itself will be +- fingerprinted, not actual source hosts. +- ++ Proxy firewalls and other high-level proxy devices are not transparent to any ++ TCP-level fingerprinting software. The device itself will be fingerprinted, ++ not actual source hosts. ++ In order to obtain information required for fingerprinting, you have to - receive at least one SYN packet initializing TCP connection to your -@@ -78,9 +79,9 @@ - window size are constant for initial TCP/IP packet, but changing rapidly - later). - --Why our bubble gum is better? -+Why is our bubble gum better? - +- receive at least one SYN packet initializing TCP connection to your +- machine or network. Note: you don't have to respond to particular SYN. +- Of course, it's impossible to perform any kind of OS detection witout +- receiving any information. +- +- It is possible to perform passive fingerprinting on live TCP connection, or +- on a connection established by you to a remote host. However, these +- techniques are less reliable (many implementations copy parameters from +- the first SYN packet; other parameters change rapidly with time). +- +- +------------------------------------------ +-Is there anything special about this one? +------------------------------------------ +- - There is another passive OS detection utility, called 'siphon'. It's -+ There is another passive OS detection utility, called 'siphon'. It's a - pretty good piece of proof-of-concept software, but it isn't perfect. Well, - p0f isn't perfect for sure, but has several improvements: - -@@ -128,8 +129,8 @@ - - Files: +- pretty good piece of proof-of-concept software, but it isn't perfect. Well, +- p0f isn't perfect for sure, but features some improvements: +- ++ receive at least one SYN packet initializing TCP connection to your machine or ++ network. Note: you don't have to respond to this particular SYN. Of course, ++ it's impossible to perform any kind of OS detection without receiving any ++ information. ++ ++ It is possible to perform passive fingerprinting on a live TCP connection, or ++ on a connection established by you to a remote host. However, these techniques ++ are less reliable (many implementations copy parameters from the first SYN ++ packet; other parameters change rapidly with time). ++ ++ ++--------------------------------------------- ++Is there anything special about this program? ++--------------------------------------------- ++ ++ There is another passive OS detection utility, called 'siphon'. It's a pretty ++ good piece of proof-of-concept software, but it isn't perfect. Well, p0f ++ isn't perfect for sure, but features some improvements: ++ + - it's single-threaded and pretty clean, +- ++ + - works properly on Linuxes (siphon has a problem with bpf on 2.2), as + well as on BSD systems and SunOS/Solaris, +- ++ + - has pretty large and detailed fingerprints database, +- ++ + - uses more information for fingerprinting (42 extra bits), +- ++ + - it's more accurate, +- ++ + - you can define your own filtering rules in the tcpdump flavour: +- p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and +- listening interface (using option -i). +- +- What more? Dunno :) Simply, check it out. ++ p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and listening ++ interface (using option -i). ++ ++ What more? Dunno. :) Simply, check it out. + + + ------------ + Not working! + ------------ + +- Probably p0f isn't working well on every platform in the world; first +- of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in +- /usr/include/pcap instead of /usr/include/ (eg. in broken RH 6.1 package). +- In this case, simply issue: +- +- ln -s /usr/include/pcap/pcap.h /usr/include/ +- ln -s /usr/include/pcap/net/bpf.h /usr/include/net/ +- +- NOTE: if p0f recognized system incorrectly or cannot recognize it at all, +- please send OS signature and system description to author. Thanks :) +- ++ Probably p0f isn't working well on every platform in the world. First of all, ++ you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in ++ /usr/include/pcap instead of /usr/include/ (for example, in the broken Red Hat ++ 6.1 package). In this case, simply issue: ++ ++ ln -s /usr/include/pcap/pcap.h /usr/include/ ++ ln -s /usr/include/pcap/net/bpf.h /usr/include/net/ ++ ++ NOTE: if p0f recognized the system incorrectly or cannot recognize it at all, ++ please send the OS signature and system description to the author. Thanks. :) ++ + Tested platforms: + + - NetBSD + - FreeBSD ++ in the ports collection + - OpenBSD + - Linux 2.0/2.2/2.4 + http://www.stearns.org/p0f/ + - Solaris 2.6-2.7 + - LinuxPPC + http://rpmfind.net/linux/RPM/linuxPPC/contrib/software/Applications/Networking/p0f-1.7-0.ppc.html +- +- Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x; +- GNU egrep (for proper Makefile processing) + +- ++ Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x or BSD ++ make; GNU egrep (for proper Makefile processing) ++ ++ + ------------- + Configuration + ------------- - /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described - inside: -+ /etc/p0f.fp or ./p0f.fp - OS fingerprints database. -+ The format is described inside: - - # Valid entry describes the way server starts TCP handshake (first SYN). - # Important options are: window size (wss), maximum segment size (mss), +- ++ The database of OS fingerprints is usually kept in /etc/p0f.fp or ./p0f.fp . ++ Its format is described below: ++ + # + # p0f - passive OS fingerprinting + # ------------------------------- +@@ -208,9 +209,9 @@ + # W - window scaling (-1=not present, other=value) + # S - sackOK flag (0=unset, 1=set) + # N - nop flag (0=unset, 1=set) +- # I - declared packet size (-1 = irrevelant) ++ # I - declared packet size (-1 = irrelevant) + # +- ++ + + -------------------- + What should be done? +@@ -218,22 +219,22 @@ + + - Colorful interface, of course ;) + - Packet sizes added for old fingerprints +- - Manpage and other user-friendly features ++ - Man page and other user-friendly features + + + ------------------- + License, disclaimer + ------------------- + +- The p0f utility and related utilities are free software; you can +- redistribute it and/or modify it under the terms of the GNU Library +- General Public License as published by the Free Software Foundation; +- either version 2 of the License, or (at your option) any later version. +- +- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +- OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +- MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, +- DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +- OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE +- OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ The p0f utility and related utilities are free software; you can redistribute ++ it and/or modify it under the terms of the GNU Library General Public License ++ as published by the Free Software Foundation; either version 2 of the License, ++ or (at your option) any later version. ++ ++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL ++ MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, DAMAGES OR ++ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS ++ IN THE SOFTWARE. diff --git a/net/p0f/pkg-descr b/net/p0f/pkg-descr index a48562804ca6..10ff2af92c7e 100644 --- a/net/p0f/pkg-descr +++ b/net/p0f/pkg-descr @@ -19,6 +19,3 @@ http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml if you do not understand how this can be harmful. Running p0f with no options will cause it to analyse packets intended for other hosts. - -Trevor Johnson -trevor@jpj.net