2 # p0f This shell script takes care of starting and stopping
3 # the p0f monitoring program
5 # chkconfig: 2345 52 48
7 # description: p0f - the p0f monitoring program. \
8 # p0f performs a passive OS fingerprinting technique based on \
9 # information coming from a remote host when it establishes a \
10 # connection to our system. Captured packets contain enough \
11 # information to determine the OS - and, unlike active scanners \
12 # (nmap, queSO) - without sending anything to that host.
15 # pidfile: /var/run/p0f.pid
17 # Source function library.
18 . /etc/rc.d/init.d/functions
21 . /etc/sysconfig/network
24 [ -f /etc/sysconfig/p0f ] && . /etc/sysconfig/p0f
26 # Check that networking is up.
27 if is_yes "${NETWORKING}"; then
28 if [ ! -f /var/lock/subsys/network ]; then
37 # See how we were called.
40 # Check if the service is already running?
41 if [ ! -f /var/lock/subsys/p0f ]; then
43 # The command in backticks returns all the local IPv4 addresses on this machine (ip -f inet).
43 # NOTE(review): only addresses present at start time are excluded from the capture filter;
43 # IPv6 addresses and addresses added later are not covered by this filter.
44 for OneIP in `/sbin/ip -f inet addr show | awk '/inet/{print $2}' | awk -F/ '{print $1}' | LC_ALL=C sort -u`; do
45 if [ -z "$BpfFilter" ]; then
46 BpfFilter="not src host $OneIP"
48 BpfFilter="$BpfFilter and not src host $OneIP"
52 if [ -n "$P0F_RULE" ]; then
53 if [ -n "$RULE" ]; then
54 RULE="$RULE and $P0F_RULE"
60 if [ -n "$P0F_INTERFACE" ]; then
61 OPTIONS="$OPTIONS -i $P0F_INTERFACE"
63 if [ -n "$P0F_SOCKET" ]; then
64 # The socket is created by p0f under the current (root) umask - see the p0f manual;
64 # its ownership is adjusted after start-up below when P0F_USER is set.
66 OPTIONS="$OPTIONS -s $P0F_SOCKET"
68 if [ -n "$P0F_USER" ]; then
69 OPTIONS="$OPTIONS -u $P0F_USER"
71 # Start up p0f and filter out all packets originating from any of this machine's IPs.
71 # NOTE(review): stderr is discarded, so a failed start is only reported via the exit status.
72 /usr/sbin/p0f $OPTIONS $P0F_OPTIONS "$RULE" -d -o /var/log/p0f 2>/dev/null
74 if [ $RETVAL -eq 0 ]; then
75 # This is intended to be safe: the socket is created by root under the current umask,
75 # so nobody else can reach it before the chown below hands it to P0F_USER.
76 if [ "$P0F_USER" ] && [ "$P0F_SOCKET" ]; then
77 chown ${P0F_USER}: $P0F_SOCKET
79 touch /var/lock/subsys/p0f
85 msg_already_running "p0f"
89 if [ -f /var/lock/subsys/p0f ]; then
92 rm -f /var/lock/subsys/p0f >/dev/null 2>&1
107 msg_usage "$0 {start|stop|restart|force-reload|status}"