|
Problem installing p0f
I am using Redhat 9. I am trying to install p0f. Until make, it is OK, but when I type make install, there is an error.
The output at the shell: [root@lnx01 p0f]# make ./Build all Your system type is: Linux Please help with p0f 2: http://lcamtuf.coredump.cx/p0f-help/ GNU make found at /usr/bin/gmake, trying to use it... gmake[1]: Entering directory `/root/UMThesis/p0f2003/p0f' strip p0f 2>/dev/null || true >> You can also try 'make p0fq' to compile a sample query >> client (see README for more information). gmake[1]: Leaving directory `/root/UMThesis/p0f2003/p0f' [root@lnx01 p0f]# make install ./Build install Your system type is: Linux Please help with p0f 2: http://lcamtuf.coredump.cx/p0f-help/ GNU make found at /usr/bin/gmake, trying to use it... gmake[1]: Entering directory `/root/UMThesis/p0f2003/p0f' cp -f p0f /usr/sbin/ cp -f p0frep /usr/sbin/ mkdir /etc/p0f || true mkdir: cannot create directory `/etc/p0f': File exists cp -f p0f.fp p0fa.fp p0fr.fp /etc/p0f/ cp -f p0f.1 /usr/man/man1/ cp: cannot create regular file `/usr/man/man1/p0f.1': No such file or directory gmake[1]: *** [install] Error 1 gmake[1]: Leaving directory `/root/UMThesis/p0f2003/p0f' make: *** [install] Error 2 [root@lnx01 p0f]# Later I tried p0f at prompt, it runs but does not display anything. Hope someone can help. Also, how can I remove this if I wanted to install a fresh one? Where can I uninstall this? THanks James |
Oh yeah, forgot to mention that I am using the 2.0.3 version
|
There's an easier way: making a p0f rpm
mkdir: cannot create directory `/etc/p0f': File exists
Remove it first: find /etc -iname p0f | xargs rm -rf cp: cannot create regular file `/usr/man/man1/p0f.1': No such file or directory Link the dirs, IIRC RH uses "/usr/share/man": test -d /usr/man || ln -sf /usr/share/man /usr/man Later I tried p0f at prompt, it runs but does not display anything. If it doesn't install right, then chances it won't run are high. We're not on Windows where you can dismiss some installation errors. Also, how can I remove this if I wanted to install a fresh one? Where can I uninstall this? Hmm. If the installation script doesn't provide an "uninstall" function, and you don't run an filesystem integrity checker, then your best bet is to rerun the install script as: "make install | tee /tmp/p0f-install.log", note where it puts the files or read the log and remove them manually. There's an easier way for all of this, and that's making an rpm to install (I've done it for p0f v1 and p0f v2). All it takes to build the rpm is four easy steps. This will build a relocatable rpm with static binary: 1. Download or locate the p0f.tgz archive. 2. Run this to get the archive renamed: tar -xzf p0f.tgz && mv p0f p0f-2.0.3 && tar -czf p0f-2.0.3.tar.gz p0f-2.0.3/ && rm -rf p0f-2.0.3 p0f.tgz && mv p0f-2.0.3.tar.gz /usr/src/redhat/SOURCES 3. Save the code below to a file named /usr/src/redhat/SPECS/p0f.spec: Code:
%define name p0frpm -bb /usr/src/redhat/SPECS/p0f.spec After a while you have the p0f rpm, which you can install as usual. |
Thanks for the detailed reply. It looks really complex but I will do my best to do what is mentioned.
Thanks again James |
This is actually another question related to p0f. Since we are discussing p0f here, I will put the question here instead.
Lets say I want to trim the output generated by p0f. Lets say I only want the IP address of the source/client computer, and its OS and then save it to a text file containing these two things. How can I do it? Hope you can give an example. Thanks a million.Appreciate your effort. James |
I tried doing what you said earlier in crating the rpm but once I reach
rpm -bb /usr/src/redhat/SPECS/p0f.spec , I get an error saying that -bb is an unknown option. Any ideas what happened? |
Forgot to mention-By the way I am using Redhat 9
|
Thanks for the detailed reply. It looks really complex but I will do my best to do what is mentioned.
Prolly you didn't read I said "four easy steps" :-] Lets say I only want the IP address of the source/client computer, and its OS and then save it to a text file containing these two things. P0f comes with a tool to query the logs, if you build the rpm from my spec I think it went in the /usr/share/doc/p0f-2.0.3/tools.tar.bz2 tarball. Can't remember the name, but it's in the docs. If you want to do it manually, then this snippet applies to a p0f v2 logfile: Code:
#!/bin/bashI get an error saying that -bb is an unknown option. The option "-bb" (see "man rpm") should build the binary package as opposed to "-ba" which builds and binary and source packages. Maybe you need to use "rpmbuild" instead. Check your docs. If all fails and you trust me (I see no reason why you should) I could build a generic rpm easily. |
Oh, sorry about that.
I used rpmbuild -bb but got some errors: Checking for unpackaged file(s): /usr/lib/rpm/check-files /usr/src/redhat/BUILD/p0f-2.0.3 error: Installed (but unpackaged) file(s) found: /Build /Makefile /WIN32-Code/getopt.c /WIN32-Code/getopt.h /WIN32-Prj/p0f.NET.ncb /WIN32-Prj/p0f.NET.sln /WIN32-Prj/p0f.NET.suo /WIN32-Prj/p0f.NET.vcproj /WIN32-Prj/p0f.dsp /WIN32-Prj/p0f.dsw /WIN32-Prj/p0f.ncb /WIN32-Prj/p0f.opt /WIN32-Prj/p0f.plg /config.h /configure /doc/COPYING /doc/CREDITS /doc/ChangeLog /doc/INSTALL.Win32 /doc/KNOWN_BUGS /doc/README /doc/TODO /doc/p0frep.gz /doc/tools.NDX /doc/tools.tar.bz2 /doc/ufos.NDX /doc/ufos.tar.bz2 /doc/win-memleak.txt /fpentry.h /mk/AIX /mk/Linux /mk/SunOS /mtu.h /p0f /p0f-query.c /p0f-query.h /p0f.1 /p0f.c /p0f.fp /p0fa.fp /p0fr.fp /tcp.h /tos.h /types.h RPM build errors: Installed (but unpackaged) file(s) found: /Build /Makefile /WIN32-Code/getopt.c /WIN32-Code/getopt.h /WIN32-Prj/p0f.NET.ncb /WIN32-Prj/p0f.NET.sln /WIN32-Prj/p0f.NET.suo /WIN32-Prj/p0f.NET.vcproj /WIN32-Prj/p0f.dsp /WIN32-Prj/p0f.dsw /WIN32-Prj/p0f.ncb /WIN32-Prj/p0f.opt /WIN32-Prj/p0f.plg /config.h /configure /doc/COPYING /doc/CREDITS /doc/ChangeLog /doc/INSTALL.Win32 /doc/KNOWN_BUGS /doc/README /doc/TODO /doc/p0frep.gz /doc/tools.NDX /doc/tools.tar.bz2 /doc/ufos.NDX /doc/ufos.tar.bz2 /doc/win-memleak.txt /fpentry.h /mk/AIX /mk/Linux /mk/SunOS /mtu.h /p0f /p0f-query.c /p0f-query.h /p0f.1 /p0f.c /p0f.fp /p0fa.fp /p0fr.fp /tcp.h /tos.h /types.h Can I ignore them? Where is the rpm file located now? Wow, the snippet code looks really complex. How do I use the code? What do I do? Where is the query tool from the folder extracted from p0f.tgz (downloaded from the website)? Do you think you can explain why those characters are used? I really cannot get you. Thanks again a lot James |
Can I ignore them?
Yes. Where is the rpm file located now? Here: http://www.rootshell.be/~unspawn/pac...2.0-3.i386.rpm :-] Wow, the snippet code looks really complex. It's really simple. Define function to get space separated values Get your IP address Test if the argument you supply on the commandline is a valid file, and if it is, grep it for the way a P0f log is built, filter it, sort and make results unique. How do I use the code? What do I do? Save the code to a file, say "~/p0f-parse", make it executable: "chmod 0700 ~/p0f-parse". Feed it the p0f log: "./p0f-parse /var/log/p0f.log" and the output will be shown. Where is the query tool from the folder extracted from p0f.tgz If you got the rpm look in the /usr/share/doc/p0f-2.0.3 dir. If that answer isn't good enough, read the p0f docs. Search a wee bit before you ask. *OT, and with all due respect, but you should not run "honeyd". From all of this, I can guesstimate chances you fsck up your own system before you trip a cracker are rather large. |
Thanks for the tip. Anyway, I am running this on an intranet so hopefully it should be alright.
|
I tried using your snippet code. After running it, it just returns to the prompt.
eg [root@lnx01 p0f2003]# chmod 755 trim [root@lnx01 p0f2003]# ./trim sampleoutput1 Both the trim that contains the snipped code and sampleoutput1 are in the same dir. I do not know where to find the output. Lets say I just want the OS that p0f guessed, minus the IP now, what needs to be changed? Hope you can help. Thanks James |
| All times are GMT -5. The time now is 07:13 AM. |