Package: p0f Version: 2.0.5-1 Severity: minor All '-' need to be escaped, and there was a '.fp' at the beginning of a line that was confusing groff. Moving it to the end of the previous line and escaping settled things.
Patch attached. Take care, -- System Information: Debian Release: 3.1 Architecture: powerpc (ppc) Kernel: Linux 2.6.8-powerpc Locale: LANG=en_US.ISO-8859-1, LC_CTYPE=en_US.ISO-8859-1 (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US.ISO-8859-1) Versions of packages p0f depends on: ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an ii libpcap0.7 0.7.2-7 System interface for user-level pa -- no debconf information
--- p0f.1.bak 2005-12-04 13:54:57.801593456 +0000 +++ p0f.1 2005-12-04 13:57:03.627465016 +0000 @@ -3,7 +3,7 @@ p0f \- identify remote systems passively .SH SYNOPSIS .B p0f -.I p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket ] [ -w file ] [ -u user ] [ -c size ] [ -T nn ] [ -FNODVUKAXMqxtpdlRL ] [ 'filter rule' ] +.I p0f [ \-f file ] [ \-i device ] [ \-s file ] [ \-o file ] [ \-Q socket ] [ \-w file ] [ \-u user ] [ \-c size ] [ \-T nn ] [ \-FNODVUKAXMqxtpdlRL ] [ 'filter rule' ] .br .SH "DESCRIPTION" .PP @@ -14,62 +14,62 @@ any suspicious network traffic. The other host has to either: .FP -- connect to your network - either spontaneously or in an induced manner, for +\- connect to your network \- either spontaneously or in an induced manner, for example when trying to establish a ftp data stream, returning a bounced mail, performing auth lookup, using IRC DCC, external html mail image reference and so on, .FP -- or be contacted by some entity on your network using some standard means +\- or be contacted by some entity on your network using some standard means (such as a web browsing); it can either accept or refuse the connection. .PP The method can see thru packet firewalls and does not have the restrictions of an active fingerprinting. The main uses of passive OS fingerprinting are attacker profiling (IDS and honeypots), visitor profiling (content -optimization), customer/user profiling (policy enforcement), pen-testing, +optimization), customer/user profiling (policy enforcement), pen\-testing, etc. .SH OPTIONS .TP -\fB-f\fR file +\fB\-f\fR file read fingerprints from file; by default, p0f reads signatures from ./p0f.fp or /etc/p0f/p0f.fp (the latter on Unix systems only). You can use this to load custom fingerprint data. -Specifying multiple -f values will NOT combine several signature +Specifying multiple \-f values will NOT combine several signature files together. .TP -\fB-i\fR device +\fB\-i\fR device listen on this device; p0f defaults to whatever device libpcap considers to be the best (and which often isn't). On some newer systems you might be able to specify 'any' to listen on all -devices, but don't rely on this. Specifying multiple -i values +devices, but don't rely on this. Specifying multiple \-i values will NOT cause p0f to listen on several interfaces at once. .TP -\fB-s\fR file +\fB\-s\fR file read packets from tcpdump snapshot; this is an alternate mode of operation, in which p0f reads packet from pcap data capture file, instead of a live network. Useful for -forensics (this will parse tcpdump -w output, for example). +forensics (this will parse tcpdump \-w output, for example). -You can use Ethereal's text2pcap to convert human-readable +You can use Ethereal's text2pcap to convert human\-readable packet traces to pcap files, if needed. .TP -\fB-w\fR file +\fB\-w\fR file writes matching packets to a tcpdump snapshot, in addition to fingerprinting; useful when it is advisable to save copies of the actual traffic for review. .TP -\fB-o\fR file -write to this logfile. This option is required for -d and -implies -t. +\fB\-o\fR file +write to this logfile. This option is required for \-d and +implies \-t. .TP -\fB-Q\fR socket +\fB\-Q\fR socket listen on a specified local stream socket (a filesystem object, -for example /var/run/p0f-sock) for queries. One can later send a -packet to this socket with p0f_query structure from p0f-query.h, +for example /var/run/p0f\-sock) for queries. One can later send a +packet to this socket with p0f_query structure from p0f\-query.h, and wait for p0f_response. This is a method of integrating p0f with active services (web server or web scripts, etc). P0f will -still continue to report signatures the usual way - but you can -use -qKU combination to suppress this. Also see -c notes. +still continue to report signatures the usual way \- but you can +use \-qKU combination to suppress this. Also see \-c notes. A sample query tool (p0fq) is provided in the test/ subdirectory. There is also a trivial perl implementation of @@ -79,82 +79,82 @@ to your current umask. If you want to restrict access to this interface, use caution. .TP -\fB-c\fR size -cache size for -Q and -M options. The default is 128, which +\fB\-c\fR size +cache size for \-Q and \-M options. The default is 128, which is sane for a system under a moderate network load. Setting it -too high will slow down p0f and may result in some -M false -positives for dial-up nodes, dual-boot systems, etc. Setting it -too low will result in cache misses for -Q option. To choose the +too high will slow down p0f and may result in some \-M false +positives for dial\-up nodes, dual\-boot systems, etc. Setting it +too low will result in cache misses for \-Q option. To choose the right value, use the number of connections on average per the -interval of time you want to cache, then pass it to p0f with -c. +interval of time you want to cache, then pass it to p0f with \-c. -P0f, when run without -q, also reports average packet ratio -on exit. You can use this to determine the optimal -c setting. -This option has no effect if you do not use -Q nor -M. +P0f, when run without \-q, also reports average packet ratio +on exit. You can use this to determine the optimal \-c setting. +This option has no effect if you do not use \-Q nor \-M. .TP -\fB-u\fR user +\fB\-u\fR user this option forces p0f to chroot to this user's home directory after reading configuration data and binding to sockets, then to switch to his UID, GID and supplementary groups. -This is a security feature for the paranoid - when running +This is a security feature for the paranoid \- when running p0f in daemon mode, you might want to create a new unprivileged user with an empty home directory, and limit the exposure when p0f is compromised. That said, should such a compromise occur, the attacker will still have a socket he can -use for sniffing some network traffic (better than rm -rf /). +use for sniffing some network traffic (better than rm \-rf /). .TP -\fB-N\fR +\fB\-N\fR inhibit guesswork; do not report distances and link media. With this option, p0f logs only source IP and OS data. .TP -\fB-F\fR +\fB\-F\fR deploy fuzzy matching algorithm if no precise matches are found (currently applies to TTL only). This option is not recommended for RST+ mode. .TP -\fB-D\fR +\fB\-D\fR do not report OS details (just genre). This option is useful if you don't want p0f to elaborate on OS versions and such -(combine with -N). +(combine with \-N). .TP -\fB-U\fR +\fB\-U\fR do not display unknown signatures. Use this option if you want to keep your log file clean and are not interested in hosts that are not recognized. .TP -\fB-K\fR +\fB\-K\fR do not display known signatures. This option is useful when you -run p0f recreationally and want to spot UFOs, or in -Q or -M -modes when combined with -U to inhibit all output. +run p0f recreationally and want to spot UFOs, or in \-Q or \-M +modes when combined with \-U to inhibit all output. .TP -\fB-q\fR -be quiet - do not display banners and keep low profile. +\fB\-q\fR +be quiet \- do not display banners and keep low profile. .TP -\fB-p\fR +\fB\-p\fR switch card to promiscuous mode; by default, p0f listens only to packets addressed or routed thru the machine it runs on. This setting might decrease performance, depending on your network design and load. On switched networks, this usually has little or no effect. -Note that promiscuous mode on IP-enabled interfaces can be +Note that promiscuous mode on IP\-enabled interfaces can be detected remotely, and is sometimes not welcome by network administrators. .TP -\fB-t\fR -add human-readable timestamps to every entry (use multiple +\fB\-t\fR +add human\-readable timestamps to every entry (use multiple times to change date format, a la tcpdump). .TP -\fB-d\fR +\fB\-d\fR go into daemon mode (detach from current terminal and fork into -background). Requires -o. +background). Requires \-o. .TP -\fB-l\fR -outputs data in line-per-record style (easier to grep). +\fB\-l\fR +outputs data in line\-per\-record style (easier to grep). .TP -\fB-A\fR -a semi-supported option for SYN+ACK mode. This option will cause +\fB\-A\fR +a semi\-supported option for SYN+ACK mode. This option will cause p0f to fingerprint systems you connect to, as opposed to systems that connect to you (default). With this option, p0f will look for p0fa.fp file instead of the usual p0f.fp. The usual config @@ -163,17 +163,17 @@ The SYN+ACK signature database is sort of small at the moment, but suitable for many uses. Feel free to contribute. .TP -\fB-R\fR -a barely-supported option for RST+ mode. This option will +\fB\-R\fR +a barely\-supported option for RST+ mode. This option will prompt p0f to fingerprint several different types of traffic, most importantly "connection refused" and "timeout" messages. -This mode is similar to SYN+ACK (-A), except that the program +This mode is similar to SYN+ACK (\-A), except that the program will now look for p0fr.fp. The usual config is NOT SUITABLE for this mode. You may have to familiarize yourself with p0fr.fp before using it. .TP -\fB-O\fR +\fB\-O\fR absolutely experimental open connection (stray ACK) fingerprinting mode. In this mode, p0f will attempt to indiscriminately identify OS on all packets within an already @@ -189,30 +189,30 @@ you know what you are doing. NOTE: The p0fo.fp database is very sparsely populated at the moment. .TP -\fB-r\fR +\fB\-r\fR resolve host names; this mode is MUCH slower and poses some security risk. Do not use except for interactive runs or low traffic situations. NOTE: the option ONLY resolves IP address into a name, and does not perform any checks for -matching reverse DNS. Hence, the name may be spoofed - do not +matching reverse DNS. Hence, the name may be spoofed \- do not rely on it without checking twice. .TP -\fB-C\fR +\fB\-C\fR perform collision check on signatures prior to running. This -is an essential option whenever you add new signatures to -.fp files, but is not necessary otherwise. +is an essential option whenever you add new signatures to \.fp +files, but is not necessary otherwise. .TP -\fB-x\fR +\fB\-x\fR dump full packet contents; this option is not compatible with --l and is intended for debugging and packet comparison only. +\-l and is intended for debugging and packet comparison only. .TP -\fB-X\fR +\fB\-X\fR display packet payload; rarely, control packets we examine may carry a payload. This is a bug for the default (SYN) -and -A (SYN+ACK) modes, but is (sometimes) acceptable in --R (RST+) mode. +and \-A (SYN+ACK) modes, but is (sometimes) acceptable in +\-R (RST+) mode. .TP -\fB-M\fR +\fB\-M\fR deploy masquerade detection algorithm. The algorithm looks over recent (cached) hits and looks for indications of multiple systems being behind a single gateway. This is useful on routers @@ -220,25 +220,25 @@ somewhat slower due to caching and lookups. Use with caution (or do not use at all) in modes other than default (SYN). .TP -\fB-T\fR nn -masquerade detection threshold; only meaningful with -M, +\fB\-T\fR nn +masquerade detection threshold; only meaningful with \-M, sets the threshold for masquerade reporting. .TP -\fB-V\fR +\fB\-V\fR use verbose masquerade detection reporting. This option describes the status of all indicators, not only an overall value. .TP -\fB-v\fR +\fB\-v\fR enable support for 802.1Q VLAN tagged frames. Available on some interfaces, on other, will result in BPF error. .SH FILTERS -The last part, 'filter rule', is a bpf-style filter expression for +The last part, 'filter rule', is a bpf\-style filter expression for incoming packets. It is very useful for excluding or including certain networks, hosts, or specific packets, in the logfile. See man tcpdump for more information, few examples: -\'src port ftp-data\' +\'src port ftp\-data\' \'not dst net 10.0.0.0 mask 255.0.0.0\' @@ -252,7 +252,7 @@ Ethereal, etc). Please follow the security guidelines posted in the documentation supplied with the package. .SH BUGS -You need to consult the documentation for an up-to-date list of issues. +You need to consult the documentation for an up\-to\-date list of issues. .SH FILES .TP .BI /etc/p0f/p0f.fp\ /etc/p0f/p0fa.fp\ /etc/p0f/p0fr.fp\ /etc/p0f/p0fo.fp