Adding p0f version 1.7.

A passive OS fingerprinting tool.

PR:		19225
Submitted by:	Trevor Johnson <trevor@jpj.net>

6 files changed, 141 insertions, 0 deletions

diff --git a/net/p0f/Makefile b/net/p0f/Makefile
new file mode 100644
index 000000000000..797f990e4b19
--- /dev/null
+++ b/net/p0f/Makefile
@@ -0,0 +1,33 @@
+# New ports collection makefile for:	p0f
+# Date created:				2000-06-12
+# Whom:					Trevor Johnson
+#
+# $FreeBSD$
+#
+
+PORTNAME=		p0f
+PORTVERSION=		1.7
+CATEGORIES=		net
+MASTER_SITES=		http://lcamtuf.hack.pl/
+DISTNAME=		${PORTNAME}
+EXTRACT_SUFX=		.tgz
+
+MAINTAINER=		trevor@jpj.net
+
+WRKSRC=			${WRKDIR}/${PORTNAME}-${PORTVERSION}
+
+post-patch:
+	@${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" ${WRKSRC}/p0f.c
+	@${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" ${WRKSRC}/README
+
+do-install:
+	@${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
+	@${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
+
+post-install:
+.if !defined(NOPORTDOCS)
+	@${MKDIR} ${PREFIX}/share/doc/p0f
+	@${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
+.endif
+
+.include <bsd.port.mk>
diff --git a/net/p0f/distinfo b/net/p0f/distinfo
new file mode 100644
index 000000000000..198e93223d63
--- /dev/null
+++ b/net/p0f/distinfo
@@ -0,0 +1 @@
+MD5 (p0f.tgz) = 5d4242df39c6325683ee02f9e95f2801
diff --git a/net/p0f/files/patch-README b/net/p0f/files/patch-README
new file mode 100644
index 000000000000..270fb4e42ac1
--- /dev/null
+++ b/net/p0f/files/patch-README
@@ -0,0 +1,78 @@
+--- README.orig	Mon Jun 12 15:28:41 2000
++++ README	Mon Jun 12 21:15:54 2000
+@@ -27,30 +27,31 @@
+   
+ Background:
+ 
+-  *  What is passive OS fingerprinting?
++  * What is passive OS fingerprinting?
+   
+-  Passive OS fingerprinting technique bases on information coming
+-  from remote host when it establishes connection to our system. Captured
+-  packets contains enough information to determine OS - and, unlike
+-  active scanners (nmap, queSO) - without sending anything to this host.
++  Passive OS fingerprinting is based on information coming from a remote host
++  when it establishes a connection to our system.  Captured packets contain
++  enough information to identify the operating system.  In contrast to active
++  scanners such as nmap and QueSO, p0f does not send anything to the host being
++  identified.
+   
+   If you're looking for more information, read Spitzner's text at:
+   http://www.enteract.com/~lspitz/finger.html
+       
+-  * How it works?
++  * How does it work?
+   
+   Well, there are some TCP/IP flag settings specific for given systems.
+   Usually initial TTL (8 bits), window size (16 bits), maximum segment size
+   (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option
+-  (1 bit) and window scaling option (8 bits) combined together gives unique,
++  (1 bit) and window scaling option (8 bits) combined together give a unique,
+   51-bit signature for every system.
+   
+-  * What are main advantages?
++  * What are the main advantages?
+   
+-  Passive OS fingerprinting can be done on huge portions of input data - eg.
+-  information gathered on firewall, proxy, routing device or Internet server,
+-  without causing any network activity. You can launch passive OS detection
+-  software on such machine and leave it for days, weeks or months, collecting
++  Passive OS fingerprinting can be done on huge amounts of input data -
++  gathered on a firewall, proxy, routing device or Internet server - without
++  causing any network activity.  You can launch passive OS detection
++  software on such a machine and leave it for days or months, collecting
+   really interesting statistical and - *erm* - just interesting information. 
+   What's really funny - packet filtering firewalls, network address
+   translation and so on are transparent to p0f-alike software, so you're able
+@@ -62,7 +63,7 @@
+ Limitations
+ 
+   Proxy firewalls and other high-level proxy devices are not transparent to
+-  any tcp fingerprinting software. It applies to p0f, as well.
++  any TCP fingerprinting software. It applies to p0f, as well.
+   
+   In order to obtain information required for fingerprinting, you have to
+   receive at least one SYN packet initializing TCP connection to your
+@@ -78,9 +79,9 @@
+   window size are constant for initial TCP/IP packet, but changing rapidly
+   later).
+   
+-Why our bubble gum is better?
++Why is our bubble gum better?
+ 
+-  There is another passive OS detection utility, called 'siphon'. It's
++  There is another passive OS detection utility, called 'siphon'. It's a
+   pretty good piece of proof-of-concept software, but it isn't perfect. Well,
+   p0f isn't perfect for sure, but has several improvements:
+   
+@@ -128,8 +129,8 @@
+   
+ Files:
+ 
+-  /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described
+-  inside:
++  /etc/p0f.fp or ./p0f.fp - OS fingerprints database.
++  The format is described inside:
+   
+   # Valid entry describes the way server starts TCP handshake (first SYN).
+   # Important options are: window size (wss), maximum segment size (mss),
diff --git a/net/p0f/pkg-comment b/net/p0f/pkg-comment
new file mode 100644
index 000000000000..acf5b5aa214d
--- /dev/null
+++ b/net/p0f/pkg-comment
@@ -0,0 +1 @@
+Passive OS fingerprinting tool
diff --git a/net/p0f/pkg-descr b/net/p0f/pkg-descr
new file mode 100644
index 000000000000..a48562804ca6
--- /dev/null
+++ b/net/p0f/pkg-descr
@@ -0,0 +1,24 @@
+from the README:
+
+Passive OS fingerprinting is based on information coming from a remote host
+when it establishes a connection to our system.  Captured packets contain
+enough information to identify the operating system.  In contrast to active
+scanners such as nmap and QueSO, p0f does not send anything to the host being
+identified.
+  
+For more information, read Spitzner's text at:
+http://www.enteract.com/~lspitz/finger.html .
+
+from the maintainer:
+
+Use of this program requires read access to the packet filtering
+device, typically /dev/bpf0.  Granting such access allows the users
+who have it to put your Ethernet device into promiscuous mode and
+sniff your network.  See
+http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml
+if you do not understand how this can be harmful.  Running p0f with
+no options will cause it to analyse packets intended for other
+hosts.
+
+Trevor Johnson
+trevor@jpj.net
diff --git a/net/p0f/pkg-plist b/net/p0f/pkg-plist
new file mode 100644
index 000000000000..ac2c86b8a336
--- /dev/null
+++ b/net/p0f/pkg-plist
@@ -0,0 +1,4 @@
+bin/p0f
+etc/p0f.fp
+share/doc/p0f/README
+@dirrm share/doc/p0f