From 508c4a17566384b2951e9df5938f7b5f7a37200f Mon Sep 17 00:00:00 2001 From: Trevor Johnson Date: Mon, 21 Jan 2002 08:47:53 +0000 Subject: Update to "1.8 final release". Change master site. Add new home page. Install new man page. Be verbose. Add patch to fix new -o option. Update patch to README (the old one was integrated upstream). The new patches have been sent to William Stearns. --- net/p0f/Makefile | 17 +-- net/p0f/distinfo | 2 +- net/p0f/files/patch-README | 305 ++------------------------------------------- net/p0f/files/patch-p0f.c | 16 +++ net/p0f/pkg-descr | 2 + 5 files changed, 35 insertions(+), 307 deletions(-) create mode 100644 net/p0f/files/patch-p0f.c (limited to 'net/p0f') diff --git a/net/p0f/Makefile b/net/p0f/Makefile index c035831401b3..a1b38dbd579c 100644 --- a/net/p0f/Makefile +++ b/net/p0f/Makefile @@ -7,28 +7,29 @@ PORTNAME= p0f PORTVERSION= 1.8 +PORTREVISION= 1 CATEGORIES= net -MASTER_SITES= http://lcamtuf.hack.pl/ -DISTNAME= ${PORTNAME} +MASTER_SITES= http://www.stearns.org/p0f/ EXTRACT_SUFX= .tgz MAINTAINER= trevor@FreeBSD.org -WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION} +MAN1= p0f.1 post-patch: - @${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \ + ${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \ ${WRKSRC}/README \ ${WRKSRC}/p0f.c do-install: - @${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin - @${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc + ${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin + ${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc + ${INSTALL_MAN} ${WRKSRC}/${MAN1} ${MANPREFIX}/man/man1 post-install: .if !defined(NOPORTDOCS) - @${MKDIR} ${PREFIX}/share/doc/p0f - @${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f + ${MKDIR} ${PREFIX}/share/doc/p0f + ${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f .endif .include diff --git a/net/p0f/distinfo b/net/p0f/distinfo index b02d48c10055..64553d9ff86d 100644 --- a/net/p0f/distinfo +++ b/net/p0f/distinfo 
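Review bot: The `${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc` line in do-install writes the shipped fingerprint database straight onto the live `${PREFIX}/etc/p0f.fp`, so every reinstall or upgrade of the port replaces whatever local entries an administrator has added (the README changed in this same commit presents the file as the editable OS fingerprints database, so local edits appear to be expected). The usual ports idiom is to install it as `${PREFIX}/etc/p0f.fp.sample` and copy it into place in post-install only when no file exists yet, e.g. `[ -f ${PREFIX}/etc/p0f.fp ] || ${CP} ${PREFIX}/etc/p0f.fp.sample ${PREFIX}/etc/p0f.fp`. Whether the packing list already accounts for a second file cannot be seen from here.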
@@ -1 +1 @@
-MD5 (p0f.tgz) = 56d6797b8f0e9f00715dd59b4e5f6822
+MD5 (p0f-1.8.tgz) = a800396508a9d4bd4e4204a76ea79c2e
diff --git a/net/p0f/files/patch-README b/net/p0f/files/patch-README
index 6d8750a3529a..1e201f6ac13f 100644
--- a/net/p0f/files/patch-README
+++ b/net/p0f/files/patch-README
@@ -1,302 +1,11 @@ -patch to version 1.8.test9 - -- mention the FreeBSD port -- mention that BSD make, not just GNU make, is adequate -- some rewording for clarity, not intended to change meaning -- reformatting of white space, mostly done with "fmt 79 80" -- spelling changes, mostly suggested by ispell - ---- README.old Thu Nov 22 16:37:28 2001 -+++ README Wed Jan 9 12:10:53 2002 -@@ -18,17 +18,17 @@ - Project Status - -------------- +--- README.old Thu Jan 17 21:58:09 2002 ++++ README Sun Jan 20 23:30:58 2002 +@@ -94,7 +94,7 @@ -- As for today, this packet is hosted and maintained by William Stearns -- . Original code comes from Michal Zalewski -- . Feel free to mail William or both of us with -- bugfixes, ideas, etc =) -+ This program is now hosted and maintained by William Stearns -+ . It was originally written by Michal Zalewski -+ . Feel free to mail William or both of us with -+ bug-fixes, ideas, etc. =) - - - ----------------- - Special thanks to - ----------------- - -- * Lance Spitzner for whitepaper on passive OS fingerprinting: -+ * Lance Spitzner for white paper on passive OS fingerprinting: - http://www.enteract.com/~lspitz/finger.html - - * tf8 for initial piece of libpcap support and packet parsing -@@ -36,7 +36,7 @@ - * teso/security.is/b0f/#hax for ideas and testing - - * Jeremy Weatherford, Chris Wilson and Szilveszter Adam for -- portability testing/patches, bugfixes and ideas, -+ portability testing/patches, bug-fixes and ideas, - - * other BUGTRAQ readers for OS fingerprints and useful patches - -@@ -49,126 +49,127 @@ - Background - ---------- - -- * What is passive OS fingerprinting? -- -- Passive OS fingerprinting technique is based on information coming -- from remote host when it tries to establish a connection to your system. -- Captured packet parameters contain enough information to determine -- remote OS - and, unlike active scanners (nmap, queSO) - this is done -- without sending anything to this host. 
-- -- If you're looking for more information on this approach, read Spitzner's -- whitepaper at http://www.enteract.com/~lspitz/finger.html :) -- -+ * What is passive OS fingerprinting? -+ -+ The passive OS fingerprinting technique is based on information coming from a -+ remote host when it tries to establish a connection to your system. Captured -+ packet parameters contain enough information to identify the remote OS. In -+ contrast to active scanners such as nmap and queSO, p0f does this without -+ sending anything to the remote host. -+ -+ If you're looking for more information on this approach, read Spitzner's white -+ paper (mentioned above). :) -+ - In short, there are certain TCP/IP flag settings specific for given systems. -- Usually initial TTL (8 bits), window size (16 bits), maximum segment size -- (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option -- (1 bit), window scaling option (8 bits), initial packet size (16 bits) -- vary from one TCP stack implementation to another, and, combined together, -- give unique, 67-bit signature for every system. -- -- Some portions of p0f code are currently used by IDS systems and -- sniffer software. -- -- * What are main advantages? -- -- Passive OS fingerprinting can be done on huge portions of input data - eg. -- information gathered on firewall, proxy, routing device or Internet server, -- without causing any network activity. You can launch passive OS detection -- software on such machine and leave it for days, weeks or months, collecting -- really interesting statistical information about your customers, about -- attackers, other servers, etc. What's really funny - packet filtering -- firewalls, network address translation and so on are almost always -- transparent to p0f-alike software, so you're able to obtain information -- about systems behind the firewall. 
Also, such software can determine -- distance between remote host and your system, allowing you to generate -- network structure maps for firewalled/structural networks. And all without -- sending a single packet. Nice, especially for IDSes. -+ Usually initial TTL (8 bits), window size (16 bits), maximum segment size (16 -+ bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option (1 bit), -+ window scaling option (8 bits), and initial packet size (16 bits) vary from -+ one TCP stack implementation to another. Together, they give a unique, 67-bit -+ signature for every system. -+ -+ Some portions of the p0f code are currently used by IDS systems and sniffer -+ software. -+ -+ * What are the main advantages? -+ -+ Passive OS fingerprinting can be done on huge amounts of input data - for -+ example, information gathered on a firewall, proxy, routing device or Internet -+ server - without causing any network activity. You can launch passive OS -+ detection software on such a machine and leave it for days, weeks or months, -+ collecting really interesting statistical information about your customers, -+ attackers, other servers, etc. Since packet filtering firewalls, network -+ address translation and so on are almost always transparent to p0f-alike -+ software, you're able to obtain information about systems behind the firewall. -+ Also, such software can determine the distance between a remote host and your -+ system, allowing you to generate network structure maps for -+ firewalled/structural networks. All this can be done without sending a single -+ packet. It is especially nice for IDSes. - - - ----------- - Limitations - ----------- - -- Proxy firewalls and other high-level proxy devices are not transparent to -- any TCP-level fingerprinting software. The device itself will be -- fingerprinted, not actual source hosts. -- -+ Proxy firewalls and other high-level proxy devices are not transparent to any -+ TCP-level fingerprinting software. 
The device itself will be fingerprinted, -+ not actual source hosts. -+ In order to obtain information required for fingerprinting, you have to -- receive at least one SYN packet initializing TCP connection to your -- machine or network. Note: you don't have to respond to particular SYN. -- Of course, it's impossible to perform any kind of OS detection witout -- receiving any information. -- -- It is possible to perform passive fingerprinting on live TCP connection, or -- on a connection established by you to a remote host. However, these -- techniques are less reliable (many implementations copy parameters from -- the first SYN packet; other parameters change rapidly with time). -- -- ------------------------------------------- --Is there anything special about this one? ------------------------------------------- -- -- There is another passive OS detection utility, called 'siphon'. It's -- pretty good piece of proof-of-concept software, but it isn't perfect. Well, -- p0f isn't perfect for sure, but features some improvements: -- -+ receive at least one SYN packet initializing TCP connection to your machine or + receive at least one SYN packet initiating a TCP connection to your machine or +- or network. Note: you don't have to respond to this particular SYN. Of course, + network. Note: you don't have to respond to this particular SYN. Of course, -+ it's impossible to perform any kind of OS detection without receiving any -+ information. -+ -+ It is possible to perform passive fingerprinting on a live TCP connection, or -+ on a connection established by you to a remote host. However, these techniques -+ are less reliable (many implementations copy parameters from the first SYN -+ packet; other parameters change rapidly with time). -+ -+ -+--------------------------------------------- -+Is there anything special about this program? -+--------------------------------------------- -+ -+ There is another passive OS detection utility, called 'siphon'. 
It's a pretty -+ good piece of proof-of-concept software, but it isn't perfect. Well, p0f -+ isn't perfect for sure, but features some improvements: -+ - - it's single-threaded and pretty clean, -- -+ - - works properly on Linuxes (siphon has a problem with bpf on 2.2), as - well as on BSD systems and SunOS/Solaris, -- -+ - - has pretty large and detailed fingerprints database, -- -+ - - uses more information for fingerprinting (42 extra bits), -- -+ - - it's more accurate, -- -+ - - you can define your own filtering rules in the tcpdump flavour: -- p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and -- listening interface (using option -i). -- -- What more? Dunno :) Simply, check it out. -+ p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and listening -+ interface (using option -i). -+ -+ What more? Dunno. :) Simply, check it out. - - - ------------ - Not working! - ------------ - -- Probably p0f isn't working well on every platform in the world; first -- of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in -- /usr/include/pcap instead of /usr/include/ (eg. in broken RH 6.1 package). -- In this case, simply issue: -- -- ln -s /usr/include/pcap/pcap.h /usr/include/ -- ln -s /usr/include/pcap/net/bpf.h /usr/include/net/ -- -- NOTE: if p0f recognized system incorrectly or cannot recognize it at all, -- please send OS signature and system description to author. Thanks :) -- -+ Probably p0f isn't working well on every platform in the world. First of all, -+ you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in -+ /usr/include/pcap instead of /usr/include/ (for example, in the broken Red Hat -+ 6.1 package). In this case, simply issue: -+ -+ ln -s /usr/include/pcap/pcap.h /usr/include/ -+ ln -s /usr/include/pcap/net/bpf.h /usr/include/net/ -+ -+ NOTE: if p0f recognized the system incorrectly or cannot recognize it at all, -+ please send the OS signature and system description to the author. Thanks. 
:) -+ - Tested platforms: - - - NetBSD - - FreeBSD -+ in the ports collection - - OpenBSD - - Linux 2.0/2.2/2.4 - http://www.stearns.org/p0f/ - - Solaris 2.6-2.7 - - LinuxPPC - http://rpmfind.net/linux/RPM/linuxPPC/contrib/software/Applications/Networking/p0f-1.7-0.ppc.html -- -- Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x; -- GNU egrep (for proper Makefile processing) - -- -+ Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x or BSD -+ make; GNU egrep (for proper Makefile processing) -+ -+ - ------------- - Configuration - ------------- - -- /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described -- inside: -- -+ The database of OS fingerprints is usually kept in /etc/p0f.fp or ./p0f.fp . -+ Its format is described below: -+ - # - # p0f - passive OS fingerprinting - # ------------------------------- -@@ -208,9 +209,9 @@ - # W - window scaling (-1=not present, other=value) - # S - sackOK flag (0=unset, 1=set) - # N - nop flag (0=unset, 1=set) -- # I - declared packet size (-1 = irrevelant) -+ # I - declared packet size (-1 = irrelevant) - # -- -+ - - -------------------- - What should be done? -@@ -218,22 +219,22 @@ - - - Colorful interface, of course ;) - - Packet sizes added for old fingerprints -- - Manpage and other user-friendly features -+ - Man page and other user-friendly features - - - ------------------- - License, disclaimer - ------------------- + it's impossible to perform any kind of OS detection without receiving any + information. -- The p0f utility and related utilities are free software; you can -- redistribute it and/or modify it under the terms of the GNU Library -- General Public License as published by the Free Software Foundation; -- either version 2 of the License, or (at your option) any later version. 
-- -- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -- OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -- MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, -- DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR -- OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE -- OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -+ The p0f utility and related utilities are free software; you can redistribute -+ it and/or modify it under the terms of the GNU Library General Public License -+ as published by the Free Software Foundation; either version 2 of the License, -+ or (at your option) any later version. -+ -+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL -+ MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING -+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS -+ IN THE SOFTWARE. diff --git a/net/p0f/files/patch-p0f.c b/net/p0f/files/patch-p0f.c new file mode 100644 index 000000000000..5d5c61e2f1ca --- /dev/null +++ b/net/p0f/files/patch-p0f.c @@ -0,0 +1,16 @@ +--- p0f.c.orig Thu Jan 17 21:05:58 2002 ++++ p0f.c Mon Jan 21 00:22:56 2002 +@@ -348,10 +348,9 @@ + T_tstamp = 1; + break; + case 'o': +- { FILE* x; +- x=fopen(optarg,"a"); +- if (!x) { perror(optarg); exit(1); } +- stdout=x; ++ if (!freopen(optarg,"a",stdout)) { ++ perror(optarg); ++ exit(1); + } + break; + default: diff --git a/net/p0f/pkg-descr b/net/p0f/pkg-descr index 10ff2af92c7e..def189dd1264 100644 --- a/net/p0f/pkg-descr +++ b/net/p0f/pkg-descr 
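Review bot: Once `freopen(optarg,"a",stdout)` succeeds, stdout is attached to a regular file and is therefore fully buffered rather than line buffered, so fingerprint records printed through stdout reach the -o file only when the buffer fills or the process exits, and an abnormal termination of a long-running capture loses the tail of the log unless the program flushes after each record, which nothing in this hunk shows. Adding `setvbuf(stdout, NULL, _IOLBF, 0);` right after the freopen check restores line buffering for the file. A second point for the same line: mode "a" creates the file with the process umask and follows symlinks, so if p0f runs with the privileges pcap capture requires, the -o path should not live in a directory writable by other users, or the file should be opened with O_NOFOLLOW and a restrictive mode and attached with fdopen instead. The option switch and its enclosing function start and end outside this hunk.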
@@ -19,3 +19,5 @@ http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml if you do not understand how this can be harmful. Running p0f with no options will cause it to analyse packets intended for other hosts. + +WWW: http://www.stearns.org/p0f/ -- cgit v1.2.3