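#!/bin/bash
#
# Init file for p0f monitoring program
#
# chkconfig: 2345 60 40
# description: p0f - the p0f monitoring program. \
# p0f performs passive OS fingerprinting technique bases on information coming \
# from remote host when it establishes connection to our system. Captured \
# packets contains enough information to determine OS - and, unlike \
# active scanners (nmap, queSO) - without sending anything to this host.
#
# processname: p0f
# config: /etc/sysconfig/p0f
# pidfile: /var/run/p0f.pid
# TODO add support for the LSB, as /etc/init.d/mysql
#
# Settings read from /etc/sysconfig/p0f (all optional):
#   LOG_FILE   - file p0f writes its output to (default /var/log/p0f)
#   OPTIONS    - extra p0f command line options (default -v)
#   BPF_FILTER - additional capture filter, AND-ed with the built-in SYN filter

# Source function library.
. /etc/rc.d/init.d/functions

[ -f /etc/sysconfig/p0f ] && . /etc/sysconfig/p0f

RETVAL=0

[ -z "$LOG_FILE" ] && LOG_FILE=/var/log/p0f
# Create the log file with mode 0600 from the very first instant: a
# restrictive umask around touch closes the window in which the file
# would otherwise exist with the default umask's permissions until chmod runs.
if [ ! -f "$LOG_FILE" ]; then
  ( umask 077 && touch -- "$LOG_FILE" ) &&
    chown root:root -- "$LOG_FILE" &&
    chmod 600 -- "$LOG_FILE"
fi
[ -z "$OPTIONS" ] && OPTIONS=-v

#######################################
# Build the capture filter, exclude this host's own addresses and launch p0f.
# Globals:   LOG_FILE, OPTIONS, BPF_FILTER (read); BPF_FILTER, RETVAL (written)
# Outputs:   status line on stdout
# Returns:   exit status of the daemon start (also stored in RETVAL)
#######################################
start() {
  local one_ip

  gprintf "Starting p0f : "

  # The 'tcp and tcp[13] & 2 = 2' requires at least syn set.
  # An alternative would be 'tcp and tcp[13] & 0x3f = 2', which
  # is syn and no other major flags (but ECN enabled packets are OK)
  if [ -z "$BPF_FILTER" ]; then
    BPF_FILTER='tcp and tcp[13] & 2 = 2'
  else
    BPF_FILTER="$BPF_FILTER and tcp and tcp[13] & 2 = 2"
  fi

  # Collect every local IPv4 address so packets originating from this
  # machine are excluded from the capture.  The awk program accepts both the
  # old net-tools layout ("inet addr:10.0.0.1 ...") and the newer one
  # ("inet 10.0.0.1 ..."); the original only matched the "inet addr:" form.
  for one_ip in $(/sbin/ifconfig 2>/dev/null |
                  awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2 }'); do
    BPF_FILTER="$BPF_FILTER and not src host $one_ip"
  done

  # Start up p0f and filter out all packets originating from any of this
  # machine's IPs.  $opt is deliberately unquoted: the filter expression is
  # handed to p0f as separate words, tcpdump-style.  Pathname expansion is
  # disabled in a subshell for the call so that the word 'tcp[13]' can never
  # be expanded as a glob pattern (it would match a file named tcp1 or tcp3
  # in the current directory).
  # NOTE(review): the daemon is started as p0fd while killproc/status look
  # for p0f (see the processname header) -- confirm p0fd execs p0f.
  opt=" -o $LOG_FILE $OPTIONS $BPF_FILTER"
  ( set -f; daemon p0fd $opt )
  RETVAL=$?
  [ "$RETVAL" -eq 0 ] && touch /var/lock/subsys/p0f
  echo
  return "$RETVAL"
}

#######################################
# Stop the running p0f process.
# Globals:   RETVAL (written)
# Outputs:   status line on stdout
# Returns:   exit status of killproc (also stored in RETVAL)
#######################################
stop() {
  gprintf "Stopping p0f : "
  killproc p0f
  RETVAL=$?
  [ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/p0f
  echo
  return "$RETVAL"
}

#######################################
# Stop, then start, the service.
# Returns:   status of start() via RETVAL
#######################################
restart() {
  stop
  start
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart|reload)
    restart
    ;;
  condrestart)
    # Only restart when the service was started by this script; the lock is
    # created under /var/lock/subsys (the original tested /var/log/subsys,
    # which never exists, so condrestart was a silent no-op).
    if [ -f /var/lock/subsys/p0f ]; then
      restart
    fi
    ;;
  status)
    status p0f
    ;;
  *)
    gprintf "Usage: %s {start|stop|restart|condrestart|status}\n" "$(basename -- "$0")"
    RETVAL=1
    ;;
esac

exit "$RETVAL"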