From owner-freebsd-ports Fri Jun 30 1: 6:45 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146])
	by hub.freebsd.org (Postfix) with ESMTP id E1AB937C3EE;
	Fri, 30 Jun 2000 01:06:31 -0700 (PDT)
	(envelope-from trevor@jpj.net)
Received: from localhost (trevor@localhost)
	by blues.jpj.net (right/backatcha) with ESMTP id e5U86Uc11528;
	Fri, 30 Jun 2000 04:06:30 -0400 (EDT)
Date: Fri, 30 Jun 2000 04:06:29 -0400 (EDT)
From: Trevor Johnson
To: gnats-admin@FreeBSD.org, freebsd-ports@FreeBSD.org
Subject: Re: ports/19225: new port: net/p0f
In-Reply-To: <200006122130.OAA18029@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Here's a slightly improved version of the proposed port. It now uses perl
to edit files in place, rather than editing them with awk then moving
them. I also added some information to pkg/DESCR.

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	p0f
#	p0f/files
#	p0f/files/md5
#	p0f/patches
#	p0f/patches/patch-README
#	p0f/pkg
#	p0f/pkg/COMMENT
#	p0f/pkg/DESCR
#	p0f/pkg/PLIST
#	p0f/Makefile
#
echo c - p0f
mkdir -p p0f > /dev/null 2>&1
echo c - p0f/files
mkdir -p p0f/files > /dev/null 2>&1
echo x - p0f/files/md5
sed 's/^X//' >p0f/files/md5 << 'END-of-p0f/files/md5'
XMD5 (p0f.tgz) = 94bd4d225c5204b3ad5ab4cc3797fe5b
END-of-p0f/files/md5
echo c - p0f/patches
mkdir -p p0f/patches > /dev/null 2>&1
echo x - p0f/patches/patch-README
sed 's/^X//' >p0f/patches/patch-README << 'END-of-p0f/patches/patch-README'
X--- README.orig	Mon Jun 12 15:28:41 2000
X+++ README	Mon Jun 12 21:15:54 2000
X@@ -27,30 +27,31 @@
X 
X Background:
X 
X-  * What is passive OS fingerprinting?
X+  * What is passive OS fingerprinting?
X 
X-  Passive OS fingerprinting technique bases on information coming
X-  from remote host when it establishes connection to our system. Captured
X-  packets contains enough information to determine OS - and, unlike
X-  active scanners (nmap, queSO) - without sending anything to this host.
X+  Passive OS fingerprinting is based on information coming from a remote host
X+  when it establishes a connection to our system. Captured packets contain
X+  enough information to identify the operating system. In contrast to active
X+  scanners such as nmap and QueSO, p0f does not send anything to the host being
X+  identified.
X 
X   If you're looking for more information, read Spitzner's text at:
X   http://www.enteract.com/~lspitz/finger.html
X 
X-  * How it works?
X+  * How does it work?
X 
X   Well, there are some TCP/IP flag settings specific for given systems.
X   Usually initial TTL (8 bits), window size (16 bits), maximum segment size
X   (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option
X-  (1 bit) and window scaling option (8 bits) combined together gives unique,
X+  (1 bit) and window scaling option (8 bits) combined together give a unique,
X   51-bit signature for every system.
X 
X-  * What are main advantages?
X+  * What are the main advantages?
X 
X-  Passive OS fingerprinting can be done on huge portions of input data - eg.
X-  information gathered on firewall, proxy, routing device or Internet server,
X-  without causing any network activity. You can launch passive OS detection
X-  software on such machine and leave it for days, weeks or months, collecting
X+  Passive OS fingerprinting can be done on huge amounts of input data -
X+  gathered on a firewall, proxy, routing device or Internet server - without
X+  causing any network activity. You can launch passive OS detection
X+  software on such a machine and leave it for days or months, collecting
X   really interesting statistical and - *erm* - just interesting information.
X   What's really funny - packet filtering firewalls, network address
X   translation and so on are transparent to p0f-alike software, so you're able
X@@ -62,7 +63,7 @@
X Limitations
X 
X   Proxy firewalls and other high-level proxy devices are not transparent to
X-  any tcp fingerprinting software. It applies to p0f, as well.
X+  any TCP fingerprinting software. It applies to p0f, as well.
X 
X   In order to obtain information required for fingerprinting, you have to
X   receive at least one SYN packet initializing TCP connection to your
X@@ -78,9 +79,9 @@
X   window size are constant for initial TCP/IP packet, but changing rapidly
X   later).
X 
X-Why our bubble gum is better?
X+Why is our bubble gum better?
X 
X-  There is another passive OS detection utility, called 'siphon'. It's
X+  There is another passive OS detection utility, called 'siphon'. It's a
X   pretty good piece of proof-of-concept software, but it isn't perfect. Well,
X   p0f isn't perfect for sure, but has several improvements:
X 
X@@ -128,8 +129,8 @@
X 
X Files:
X 
X-  /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described
X-  inside:
X+  /etc/p0f.fp or ./p0f.fp - OS fingerprints database.
X+  The format is described inside:
X 
X   # Valid entry describes the way server starts TCP handshake (first SYN).
X   # Important options are: window size (wss), maximum segment size (mss),
END-of-p0f/patches/patch-README
echo c - p0f/pkg
mkdir -p p0f/pkg > /dev/null 2>&1
echo x - p0f/pkg/COMMENT
sed 's/^X//' >p0f/pkg/COMMENT << 'END-of-p0f/pkg/COMMENT'
XPassive OS fingerprinting tool
END-of-p0f/pkg/COMMENT
echo x - p0f/pkg/DESCR
sed 's/^X//' >p0f/pkg/DESCR << 'END-of-p0f/pkg/DESCR'
Xfrom the README:
X
XPassive OS fingerprinting is based on information coming from a remote host
Xwhen it establishes a connection to our system. Captured packets contain
Xenough information to identify the operating system. In contrast to active
Xscanners such as nmap and QueSO, p0f does not send anything to the host being
Xidentified.
X
XFor more information, read Spitzner's text at:
Xhttp://www.enteract.com/~lspitz/finger.html .
X
Xfrom the maintainer:
X
XUse of this program requires read access to the packet filtering
Xdevice, typically /dev/bpf0. Granting such access allows the users
Xwho have it to put your Ethernet device into promiscuous mode and
Xsniff your network. See
Xhttp://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml
Xif you do not understand how this can be harmful. Running p0f with
Xno options will cause it to analyse packets intended for other
Xhosts.
X
XTrevor Johnson
Xtrevor@jpj.net
END-of-p0f/pkg/DESCR
echo x - p0f/pkg/PLIST
sed 's/^X//' >p0f/pkg/PLIST << 'END-of-p0f/pkg/PLIST'
Xbin/p0f
Xetc/p0f.fp
Xshare/doc/p0f/README
X@dirrm share/doc/p0f
END-of-p0f/pkg/PLIST
echo x - p0f/Makefile
sed 's/^X//' >p0f/Makefile << 'END-of-p0f/Makefile'
X# New ports collection makefile for:	p0f
X# Date created:		2000-06-12
X# Whom:			Trevor Johnson
X#
X# $FreeBSD$
X#
X
XPORTNAME=	p0f
XPORTVERSION=	1.7
XCATEGORIES=	net
XMASTER_SITES=	http://lcamtuf.hack.pl/
XDISTNAME=	${PORTNAME}
XEXTRACT_SUFX=	.tgz
X
XMAINTAINER=	trevor@jpj.net
X
XWRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
X
Xpost-patch:
X	@${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" ${WRKSRC}/p0f.c
X	@${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" ${WRKSRC}/README
X
Xdo-install:
X	@${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
X	@${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
X
Xpost-install:
X.if !defined(NOPORTDOCS)
X	@${MKDIR} ${PREFIX}/share/doc/p0f
X	@${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
X.endif
X
X.include <bsd.port.mk>
END-of-p0f/Makefile
exit
-- 
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
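Review bot: In the first hunk of patch-README (@@ -27,30 +27,31 @@), the removed line "-  * What is passive OS fingerprinting?" and the added line "+  * What is passive OS fingerprinting?" read identically, so that pair is presumably a whitespace-only change; either drop the pair so the patch stays limited to the wording fixes, or say in the PR text that trailing whitespace is being cleaned up so the next reader does not hunt for a difference. The remaining hunks (tcp to TCP, "It's a pretty good", and the split "/etc/p0f.fp" line) are plain wording fixes and need no change.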