LinuxQuestions.org
Old 11-12-2003, 01:09 AM   #1
james_cwy
Member
 
Problem installing p0f


I am using Redhat 9. I am trying to install p0f. make runs OK, but when I type make install there is an error.
The output at the shell:
[root@lnx01 p0f]# make
./Build all
Your system type is: Linux

Please help with p0f 2:
http://lcamtuf.coredump.cx/p0f-help/

GNU make found at /usr/bin/gmake, trying to use it...
gmake[1]: Entering directory `/root/UMThesis/p0f2003/p0f'
strip p0f 2>/dev/null || true
>> You can also try 'make p0fq' to compile a sample query
>> client (see README for more information).
gmake[1]: Leaving directory `/root/UMThesis/p0f2003/p0f'

[root@lnx01 p0f]# make install
./Build install
Your system type is: Linux

Please help with p0f 2:
http://lcamtuf.coredump.cx/p0f-help/

GNU make found at /usr/bin/gmake, trying to use it...
gmake[1]: Entering directory `/root/UMThesis/p0f2003/p0f'
cp -f p0f /usr/sbin/
cp -f p0frep /usr/sbin/
mkdir /etc/p0f || true
mkdir: cannot create directory `/etc/p0f': File exists
cp -f p0f.fp p0fa.fp p0fr.fp /etc/p0f/
cp -f p0f.1 /usr/man/man1/
cp: cannot create regular file `/usr/man/man1/p0f.1': No such file or directory
gmake[1]: *** [install] Error 1
gmake[1]: Leaving directory `/root/UMThesis/p0f2003/p0f'
make: *** [install] Error 2
[root@lnx01 p0f]#

Later I tried p0f at the prompt; it runs but does not display anything. Hope someone can help.

Also, how can I remove this if I wanted to install a fresh one? Where can I uninstall this?
Thanks
James
 
Old 11-12-2003, 01:28 AM   #2
james_cwy
Member
 
Original Poster
Oh yeah, forgot to mention that I am using the 2.0.3 version
 
Old 11-12-2003, 10:34 AM   #3
unSpawn
Moderator
 
There's an easier way: making a p0f rpm

Quote:
mkdir: cannot create directory `/etc/p0f': File exists
Remove it first: find /etc -iname p0f | xargs rm -rf


Quote:
cp: cannot create regular file `/usr/man/man1/p0f.1': No such file or directory
Link the dirs, IIRC RH uses "/usr/share/man": test -d /usr/man || ln -sf /usr/share/man /usr/man


Quote:
Later I tried p0f at the prompt; it runs but does not display anything.
If it doesn't install right, then chances it won't run are high. We're not on Windows where you can dismiss some installation errors.


Quote:
Also, how can I remove this if I wanted to install a fresh one? Where can I uninstall this?
Hmm. If the installation script doesn't provide an "uninstall" function, and you don't run a filesystem integrity checker, then your best bet is to rerun the install script as: "make install | tee /tmp/p0f-install.log", note where it puts the files or read the log and remove them manually.


There's an easier way for all of this, and that's making an rpm to install (I've done it for p0f v1 and p0f v2). All it takes to build the rpm is four easy steps. This will build a relocatable rpm with static binary:

1. Download or locate the p0f.tgz archive.
2. Run this to get the archive renamed:
tar -xzf p0f.tgz && mv p0f p0f-2.0.3 && tar -czf p0f-2.0.3.tar.gz p0f-2.0.3/ && rm -rf p0f-2.0.3 p0f.tgz && mv p0f-2.0.3.tar.gz /usr/src/redhat/SOURCES

3. Save the code below to a file named /usr/src/redhat/SPECS/p0f.spec:
Code:
%define name p0f
# Version
%define ver 2.0
# Release
%define rel 3

Name: %{name}
Summary: %{name}, a passive OS fingerprinting tool
Version: %{ver}
Release: %{rel}
Copyright: Copyright 2000-2003 lcamtuf@coredump.cx
Packager: unSpawn <unspawn@rootshell.be>
Group: Networking/Utilities
Source0: %{name}-%{ver}.%{rel}.tar.gz
Provides: %{name}
Vendor: none
URL: http://coredump.cx
BuildRoot: %{_builddir}/%{name}-%{ver}.%{rel}
Excludearch: sparc alpha xbox
Prefix: /usr

%description
%{summary}, version %{ver}.%{rel}

%prep
%setup -n %{name}-%{ver}.%{rel}

# Build right here in prep: static binary, helper tools and the sample query
# client. Both stdout and stderr of every step are silenced.
echo true > configure && chmod 0700 configure
make static all >/dev/null 2>&1
mv p0f-static p0f >/dev/null 2>&1
strip p0f >/dev/null 2>&1
make tools >/dev/null 2>&1
make p0fq >/dev/null 2>&1
# Tarball the tools and test material into the doc dir, with an index of each
find doc/ -type f > doc/tools.NDX
tar -cjf doc/tools.tar.bz2 test/ --remove-files && rm -rf test/
find tmp/ -type f > doc/ufos.NDX
tar -cjf doc/ufos.tar.bz2 tmp/ --remove-files && rm -rf tmp/
gzip p0frep && mv p0frep.gz doc/

%install
# Refuse to install anywhere but the buildroot declared above
if [ "$RPM_BUILD_ROOT" = "%{_builddir}/%{name}-%{ver}.%{rel}" ]; then
install -d $RPM_BUILD_ROOT/usr/local/sbin
install -d $RPM_BUILD_ROOT/usr/share/man/man1
install -d $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{ver}
chmod 0750 $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{ver}
install -m 0550 %{name} $RPM_BUILD_ROOT/usr/local/sbin
for conf in %{name}.fp %{name}a.fp %{name}r.fp; do
install -m 0640 $conf $RPM_BUILD_ROOT/usr/local/sbin; done
install -m 0640 %{name}.1 $RPM_BUILD_ROOT/usr/share/man/man1
else echo Invalid Build root \'"$RPM_BUILD_ROOT"\'; exit 1
fi

%clean
if [ "$RPM_BUILD_ROOT" = "%{_builddir}/%{name}-%{ver}.%{rel}" ]; then rm -rf $RPM_BUILD_ROOT; else
echo Invalid Build root \'"$RPM_BUILD_ROOT"\'; exit 1; fi

%files
%defattr(-,root,root)
%doc doc/*
%attr(640,root,root) %config /usr/local/sbin/%{name}.fp
%attr(640,root,root) %config /usr/local/sbin/%{name}a.fp
%attr(640,root,root) %config /usr/local/sbin/%{name}r.fp
%attr(550,root,root) /usr/local/sbin/%{name}
%attr(640,root,root) /usr/share/man/man1/%{name}.1.gz

%changelog
* Wed Nov 05 2003 unSpawn <unspawn@rootshell.be>
- RPMified p0f.

4. Now run, as root:
rpm -bb /usr/src/redhat/SPECS/p0f.spec

After a while you have the p0f rpm, which you can install as usual.
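The "read the install log and remove the files by hand" advice above, worked through as an added example (this is not code from the thread): a small script that turns the output of "make install | tee /tmp/p0f-install.log" into the list of paths the install step created, so a source install can be inventoried before it is removed. It only understands the "cp -f SRC... DESTDIR/" and "mkdir DIR" lines that p0f's Build script prints, and it leaves out any copy the log shows failing, such as the /usr/man/man1 one in the first post. The sample log is constructed from the lines quoted in that post; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the output of
# "make install | tee /tmp/p0f-install.log" into the list of paths the
# install step created, so a source install can be inventoried and removed
# by hand. It understands the "cp -f SRC... DESTDIR/" and "mkdir DIR" lines
# that p0f's Build script prints, and drops any copy the log shows failing.

# Constructed sample log, shaped after the "make install" output in the thread.
sample_install_log() {
    cat <<'EOF'
gmake[1]: Entering directory `/root/UMThesis/p0f2003/p0f'
cp -f p0f /usr/sbin/
cp -f p0frep /usr/sbin/
mkdir /etc/p0f || true
mkdir: cannot create directory `/etc/p0f': File exists
cp -f p0f.fp p0fa.fp p0fr.fp /etc/p0f/
cp -f p0f.1 /usr/man/man1/
cp: cannot create regular file `/usr/man/man1/p0f.1': No such file or directory
gmake[1]: *** [install] Error 1
EOF
}

# Paths named in failed copies (stdin), one per line.
failed_paths() {
    sed -n "s/^cp: cannot create regular file \`\([^']*\)'.*/\1/p"
}

# Every path a logged cp or mkdir line tried to create (stdin), in log order.
# Directories get a trailing slash so they can be removed last, after their files.
attempted_paths() {
    grep -E '^(cp|mkdir) ' | while read -r line; do
        set -- $line                     # word-split the logged command line
        cmd=$1; shift
        while [ $# -gt 0 ]; do           # drop leading options such as -f or -p
            case $1 in -*) shift ;; *) break ;; esac
        done
        [ $# -ge 1 ] || continue
        if [ "$cmd" = mkdir ]; then
            printf '%s/\n' "${1%/}"      # anything after the dir ("|| true") is ignored
            continue
        fi
        [ $# -ge 2 ] || continue         # cp needs a source and a destination
        eval "dest=\${$#}"; dest=${dest%/}
        while [ $# -gt 1 ]; do           # every argument but the last is a source
            printf '%s/%s\n' "$dest" "${1##*/}"
            shift
        done
    done
}

# Manifest of what actually landed on disk: attempted paths minus failed ones.
install_manifest() {
    log=$(cat)
    failed=$(printf '%s\n' "$log" | failed_paths)
    printf '%s\n' "$log" | attempted_paths | while read -r p; do
        printf '%s\n' "$failed" | grep -qxF -- "$p" && continue
        printf '%s\n' "$p"
    done
}

# Usage: ./install-manifest /tmp/p0f-install.log
# With no file given, the constructed sample log is used.
if [ -n "${1-}" ]; then install_manifest <"$1"; else sample_install_log | install_manifest; fi
```

Review the manifest before deleting anything: /etc/p0f/ is listed as a directory that "mkdir" touched, but the log also shows it already existed, so it may hold files from an earlier install that this run never wrote.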
 
Old 11-12-2003, 08:52 PM   #4
james_cwy
Member
 
Original Poster
Thanks for the detailed reply. It looks really complex but I will do my best to do what is mentioned.
Thanks again

James
 
Old 11-12-2003, 09:24 PM   #5
james_cwy
Member
 
Original Poster
This is actually another question related to p0f. Since we are discussing p0f here, I will put the question here instead.
Let's say I want to trim the output generated by p0f.
Let's say I only want the IP address of the source/client computer, and its OS, and then save it to a text file containing these two things.
How can I do it? Hope you can give an example.

Thanks a million. Appreciate your effort.
James
 
Old 11-12-2003, 09:35 PM   #6
james_cwy
Member
 
Original Poster
I tried doing what you said earlier in creating the rpm, but once I reach
rpm -bb /usr/src/redhat/SPECS/p0f.spec , I get an error saying that -bb is an unknown option.

Any ideas what happened?
 
Old 11-12-2003, 09:37 PM   #7
james_cwy
Member
 
Original Poster
Forgot to mention: by the way, I am using Redhat 9.
 
Old 11-12-2003, 11:30 PM   #8
unSpawn
Moderator
 
Quote:
Thanks for the detailed reply. It looks really complex but I will do my best to do what is mentioned.
Prolly you didn't read I said "four easy steps" :-]


Quote:
Let's say I only want the IP address of the source/client computer, and its OS, and then save it to a text file containing these two things.
P0f comes with a tool to query the logs, if you build the rpm from my spec I think it went in the /usr/share/doc/p0f-2.0.3/tools.tar.bz2 tarball. Can't remember the name, but it's in the docs.
If you want to do it manually, then this snippet applies to a p0f v2 logfile:

Code:
#!/bin/bash
# Lame separator: squeeze runs of spaces, drop a leading one, then cut the
# space-separated fields named by the argument (e.g. "6-" or "1,4-").
sepSpace() { tr -s " " | sed -e "s/^ //g" | cut -d " " -f "$@"; }
# This host's address, used to recognise the "-> host:port" destination part.
h=$(hostname -i)
# Keep only timestamped entries ("<date> src:port - OS ... -> dst:port ..."),
# drop the five timestamp fields, split src:port into two fields, cut the
# "-> host:port ... (" destination part up to its last "(", keep the source IP
# plus the OS guess, then sort and drop duplicates.
test -f "$1" && grep -e "^<" "$1" | sepSpace 6- \
| sed -e "s/:/ /" -e "s/-> $h:.*(/(/" \
| sepSpace 1,4- | sort | uniq

Quote:
I get an error saying that -bb is an unknown option.
The option "-bb" (see "man rpm") should build the binary package as opposed to "-ba" which builds and binary and source packages. Maybe you need to use "rpmbuild" instead. Check your docs. If all fails and you trust me (I see no reason why you should) I could build a generic rpm easily.
 
Old 11-12-2003, 11:47 PM   #9
james_cwy
Member
 
Original Poster
Oh, sorry about that.
I used rpmbuild -bb but got some errors:
Checking for unpackaged file(s): /usr/lib/rpm/check-files /usr/src/redhat/BUILD/p0f-2.0.3
error: Installed (but unpackaged) file(s) found:
/Build
/Makefile
/WIN32-Code/getopt.c
/WIN32-Code/getopt.h
/WIN32-Prj/p0f.NET.ncb
/WIN32-Prj/p0f.NET.sln
/WIN32-Prj/p0f.NET.suo
/WIN32-Prj/p0f.NET.vcproj
/WIN32-Prj/p0f.dsp
/WIN32-Prj/p0f.dsw
/WIN32-Prj/p0f.ncb
/WIN32-Prj/p0f.opt
/WIN32-Prj/p0f.plg
/config.h
/configure
/doc/COPYING
/doc/CREDITS
/doc/ChangeLog
/doc/INSTALL.Win32
/doc/KNOWN_BUGS
/doc/README
/doc/TODO
/doc/p0frep.gz
/doc/tools.NDX
/doc/tools.tar.bz2
/doc/ufos.NDX
/doc/ufos.tar.bz2
/doc/win-memleak.txt
/fpentry.h
/mk/AIX
/mk/Linux
/mk/SunOS
/mtu.h
/p0f
/p0f-query.c
/p0f-query.h
/p0f.1
/p0f.c
/p0f.fp
/p0fa.fp
/p0fr.fp
/tcp.h
/tos.h
/types.h

RPM build errors:
Installed (but unpackaged) file(s) found:
/Build
/Makefile
/WIN32-Code/getopt.c
/WIN32-Code/getopt.h
/WIN32-Prj/p0f.NET.ncb
/WIN32-Prj/p0f.NET.sln
/WIN32-Prj/p0f.NET.suo
/WIN32-Prj/p0f.NET.vcproj
/WIN32-Prj/p0f.dsp
/WIN32-Prj/p0f.dsw
/WIN32-Prj/p0f.ncb
/WIN32-Prj/p0f.opt
/WIN32-Prj/p0f.plg
/config.h
/configure
/doc/COPYING
/doc/CREDITS
/doc/ChangeLog
/doc/INSTALL.Win32
/doc/KNOWN_BUGS
/doc/README
/doc/TODO
/doc/p0frep.gz
/doc/tools.NDX
/doc/tools.tar.bz2
/doc/ufos.NDX
/doc/ufos.tar.bz2
/doc/win-memleak.txt
/fpentry.h
/mk/AIX
/mk/Linux
/mk/SunOS
/mtu.h
/p0f
/p0f-query.c
/p0f-query.h
/p0f.1
/p0f.c
/p0f.fp
/p0fa.fp
/p0fr.fp
/tcp.h
/tos.h
/types.h
Can I ignore them?
Where is the rpm file located now?
Wow, the snippet code looks really complex.
How do I use the code? What do I do?
Where is the query tool from the folder extracted from p0f.tgz (downloaded from the website)?
Do you think you can explain why those characters are used? I really cannot get you.

Thanks again a lot
James
 
Old 11-14-2003, 12:37 AM   #10
unSpawn
Moderator
 
Quote:
Can I ignore them?
Yes.


Quote:
Where is the rpm file located now?
Here: http://www.rootshell.be/~unspawn/pac...2.0-3.i386.rpm :-]


Quote:
Wow, the snippet code looks really complex.
It's really simple.
Define function to get space separated values
Get your IP address
Test if the argument you supply on the commandline is a valid file, and if it is, grep it for the way a P0f log is built, filter it, sort and make results unique.


Quote:
How do I use the code? What do I do?
Save the code to a file, say "~/p0f-parse", make it executable: "chmod 0700 ~/p0f-parse".
Feed it the p0f log: "./p0f-parse /var/log/p0f.log" and the output will be shown.


Quote:
Where is the query tool from the folder extracted from p0f.tgz
If you got the rpm look in the /usr/share/doc/p0f-2.0.3 dir.
If that answer isn't good enough, read the p0f docs.
Search a wee bit before you ask.


*OT, and with all due respect, but you should not run "honeyd". From all of this, I can guesstimate chances you fsck up your own system before you trip a cracker are rather large.
 
Old 11-14-2003, 12:54 AM   #11
james_cwy
Member
 
Original Poster
Thanks for the tip. Anyway, I am running this on an intranet so hopefully it should be alright.
 
Old 11-18-2003, 12:08 AM   #12
james_cwy
Member
 
Original Poster
I tried using your snippet code. After running it, it just returns to the prompt,
e.g.
[root@lnx01 p0f2003]# chmod 755 trim
[root@lnx01 p0f2003]# ./trim sampleoutput1
Both the trim file that contains the snippet code and sampleoutput1 are in the same dir.
I do not know where to find the output.

Let's say I just want the OS that p0f guessed, minus the IP now; what needs to be changed? Hope you can help.

Thanks
James
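The log trimming discussed in posts #8 and #10, and the OS-only variant asked for in the last post, as an added example that is not unSpawn's snippet. It reads the same p0f v2 log shape, but it also accepts entries without the leading "<timestamp>": the thread's snippet keeps only lines beginning with "<", so a log written without timestamps produces no output at all, which is one way to end up with the "just returns to the prompt" result. Lines that do not have the "src:port - OS ... -> dst:port" shape are skipped, and the uptime guess p0f appends is stripped from the OS field. The sample log lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the thread's snippet: pull the source IP and the OS guess
# out of a p0f v2 log. Entries may or may not start with "<timestamp>"; any
# line without the "src:port - OS ... -> dst:port" shape is skipped.

# Constructed sample log in p0f v2's output shape. Two entries carry the
# timestamp p0f adds with -t, two do not, and the first line is a banner.
sample_p0f_log() {
    cat <<'EOF'
p0f - passive os fingerprinting utility, version 2.0.3
<Wed Nov 12 01:09:00 2003> 192.168.1.100:1139 - Windows XP Pro SP1, 2000 SP3 (up: 2 hrs) -> 10.0.0.1:22 (distance 0, link: ethernet/modem)
192.168.1.7:33021 - Linux 2.4/2.6 (up: 5 hrs) -> 10.0.0.1:80 (distance 0, link: ethernet/modem)
<Wed Nov 12 01:10:30 2003> 192.168.1.100:1140 - Windows XP Pro SP1, 2000 SP3 (up: 2 hrs) -> 10.0.0.1:80 (distance 0, link: ethernet/modem)
192.168.1.9:4021 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W0:.:?:?] (up: 3 hrs) -> 10.0.0.1:22 (distance 1, link: ethernet/modem)
EOF
}

tab=$(printf '\t')

# One "IP<TAB>OS guess" line per fingerprint entry on stdin, in log order:
#   1. drop an optional leading "<timestamp> "
#   2. delete lines not shaped "src:port - OS ... -> dst:port"
#   3. keep the source IP (port dropped) and everything between " - " and " -> "
#   4. strip the trailing "(up: N hrs)" uptime guess from the OS field
p0f_ip_os() {
    sed -e 's/^<[^>]*> *//' \
        -e '/^[0-9.]*:[0-9]* - .* -> [0-9.]*:[0-9]*/!d' \
        -e 's/^\([0-9.]*\):[0-9]* - \(.*\) -> [0-9.]*:[0-9]*.*/\1'"$tab"'\2/' \
        -e 's/ (up: [^)]*)$//'
}

# Unique (IP, OS) pairs: the two things the thread wanted saved to a file.
p0f_hosts() { p0f_ip_os | LC_ALL=C sort -u; }

# Only the OS guesses, one per distinct guess (the follow-up question).
p0f_os_only() { p0f_ip_os | cut -f2 | LC_ALL=C sort -u; }

# Usage: ./p0f-parse /var/log/p0f.log        -> IP and OS pairs
#        ./p0f-parse /var/log/p0f.log os     -> OS guesses only
# With no arguments the constructed sample log is used.
if [ -n "${1-}" ]; then
    if [ "${2-}" = os ]; then p0f_os_only <"$1"; else p0f_hosts <"$1"; fi
else
    sample_p0f_log | p0f_hosts
fi
```

Redirect the output to a file ("./p0f-parse /var/log/p0f.log > hosts.txt") to keep it; swap "sort -u" for "sort | uniq -c" in p0f_os_only if a count per OS is more useful than the bare list.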
 
  

