p0f Statistics thingies
I've replaced the previous versions of this stuff with similar code using a SQL database.
This stuff is just a few simple perl scripts that I made for showing fingerprint statistics from p0f for a couple of routers.
And once I had this stuff working, of course I also wanted to include OS info in my mail statistics as well as SpamAssassin rules, which was an easy thing to do with p0fIP2OS.pm (and p0fOS.pm).
The p0f data is saved in a SQL database (I use MySQL but it shouldn't be too hard to port to something else).
What's this?
- p0f.udpsend:
Runs p0f and sends the output in UDP packets to a collector.
- p0f.udplog:
Collects UDP packets and saves info to the SQL database.
(Alternatively it may write the data to separate logs for each sender.
Those log files are renamed at regular intervals and when the collector
receives a SIGHUP.)
- p0f.graph:
Creates a bunch of graphs showing the distribution of operating systems etc.
(Also reads any p0f log files created by the collector and saves the info
to the database before creating graphs.)
- p0fIP2OS.pm:
A small perl module that can fetch the OS from the database.
This module is used in my mimedefang-filter.
- p0fOS.pm:
A small SpamAssassin plugin that fetches
the OS from the database (using the above module) and inserts it in a header for
use in scores and bayes.
Notes
- This thing outputs two sets of graphs. One set is based on connections to the router(s).
The other is based on some kind of attempt to get closer to the number of different machines instead.
This means that two connections from the same IP address with the same fingerprint will be counted only
once in that set.
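The following is an added example, not one of the scripts described on this page: it shows what the collector and p0f.graph do between them, in miniature. It parses p0f-style lines, stores them in a SQL table and then produces the two count sets from the note above (one per connection, and one where a source IP and fingerprint pair is counted once). It assumes lines in the general shape of p0f v2 single-line output (the sample lines and the regex are constructed, not p0f's documented grammar), treats the OS description text as the "fingerprint", and uses sqlite3 instead of MySQL so it runs stand-alone.

```python
"""Added example: load p0f-style lines into SQL and count connections vs. machines."""
import re
import sqlite3

# Constructed sample lines in the general shape of p0f v2 single-line output.
# The real p0f output may differ; LINE_RE below is the assumption, not a spec.
SAMPLE_LINES = [
    "10.0.10.4:51234 - Linux 2.6 (newer, 1) -> 192.0.2.25:25 (distance 12, link: ethernet/modem)",
    "10.0.10.4:51235 - Linux 2.6 (newer, 1) -> 192.0.2.25:25 (distance 12, link: ethernet/modem)",
    "10.0.10.4:51236 - Windows XP SP1+, 2000 SP3 -> 192.0.2.25:25 (distance 12, link: ethernet/modem)",
    "198.51.100.7:40000 - Windows XP SP1+, 2000 SP3 -> 192.0.2.25:25 (distance 9, link: ethernet/modem)",
    "198.51.100.7:40001 - Windows XP SP1+, 2000 SP3 -> 192.0.2.25:25 (distance 9, link: ethernet/modem)",
    "203.0.113.9:2222 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] -> 192.0.2.25:25 (distance 15, link: ethernet/modem)",
    "this line is garbage and must be skipped",
]

# source ip:port, " - ", the OS/fingerprint text, " -> ", destination ip:port
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) - "
    r"(?P<fp>.+?) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src_ip, fingerprint, dst_ip, dst_port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["fp"].strip(), m["dst"], int(m["dport"])


def open_db():
    """In-memory sqlite3 stand-in for the MySQL database the scripts use."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE p0f_conn ("
        " src_ip TEXT NOT NULL, fingerprint TEXT NOT NULL,"
        " dst_ip TEXT NOT NULL, dst_port INTEGER NOT NULL)"
    )
    return db


def load_lines(db, lines):
    """Insert every parseable line; return the number of lines skipped."""
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        # Parameterised insert: the fingerprint text describes remote hosts and
        # arrives over the network, so it is never interpolated into the SQL.
        db.execute("INSERT INTO p0f_conn VALUES (?, ?, ?, ?)", rec)
    db.commit()
    return skipped


def count_connections(db):
    """Set 1: one count per connection, grouped by fingerprint."""
    rows = db.execute(
        "SELECT fingerprint, COUNT(*) FROM p0f_conn GROUP BY fingerprint"
    ).fetchall()
    return dict(rows)


def count_machines(db):
    """Set 2: each (src_ip, fingerprint) pair counted once, approximating machines."""
    rows = db.execute(
        "SELECT fingerprint, COUNT(*) FROM"
        " (SELECT DISTINCT src_ip, fingerprint FROM p0f_conn)"
        " GROUP BY fingerprint"
    ).fetchall()
    return dict(rows)


def demo():
    """Load the constructed sample and return (skipped, per-connection, per-machine)."""
    db = open_db()
    skipped = load_lines(db, SAMPLE_LINES)
    return skipped, count_connections(db), count_machines(db)


if __name__ == "__main__":
    skipped, conns, machines = demo()
    print("skipped lines:", skipped)
    for fp in sorted(conns):
        print(f"{fp}: {conns[fp]} connection(s), {machines[fp]} machine(s)")
```

With the sample above, the Windows fingerprint shows 3 connections but 2 machines, because two of the connections come from the same source IP; that is exactly the difference between the two graph sets.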
- These scripts require p0f (of course) and a bunch of perl modules.
You can find p0f at http://lcamtuf.coredump.cx/p0f.shtml,
and the perl modules at CPAN.
- Before this stuff can work, you have to create the database and set up its permissions correctly.
Once that is done, use p0f.graph to create the tables.
- The p0f.graph script should be easy to modify for reading regular p0f logs,
but as it is done here it expects a certain naming scheme for the files:
<senders IP><a hexadecimal number>.p0flog
Example: 10.0.10.4.46526AE6D87.p0flog
The sender is supposed to be the router where p0f is running.
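An added example (not code from p0f.graph) of reading the naming scheme above: it splits a file name into the sender's IP address and the hexadecimal number, rejects names that do not follow the scheme instead of guessing, and groups the surviving files by sender. The dot between the address and the hex number is taken from the example name on the page; that the number is meaningful for ordering files from one sender is an assumption, as are the constructed sample names.

```python
"""Added example: parse <senders IP><hex number>.p0flog file names and group them by sender."""
import ipaddress
import re
from collections import defaultdict

# Dotted-quad IPv4 sender address, a dot, hexadecimal digits, then ".p0flog".
# Taken from the page's example 10.0.10.4.46526AE6D87.p0flog; the exact rule is assumed.
NAME_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<hex>[0-9A-Fa-f]+)\.p0flog$"
)

# Constructed file names: the page's example plus some near-misses.
SAMPLE_NAMES = [
    "10.0.10.4.46526AE6D87.p0flog",
    "10.0.10.4.46526AE6D86.p0flog",
    "192.168.1.1.1F.p0flog",
    "10.0.300.4.46526AE6D87.p0flog",    # octet out of range
    "../10.0.10.4.46526AE6D87.p0flog",  # not a bare file name
    "10.0.10.4.46526AE6D87.p0flog.gz",  # wrong suffix
    "notes.txt",
]


def parse_logname(name):
    """Return (sender_ip, hex_number_as_int) or None if the name does not follow the scheme."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        # The regex only checks digit counts; ipaddress rejects octets above 255.
        ip = ipaddress.IPv4Address(m["ip"])
    except ipaddress.AddressValueError:
        return None
    return str(ip), int(m["hex"], 16)


def group_by_sender(names):
    """Map sender IP -> [(hex_number, filename), ...] sorted by number (assumed to order files).
    Returns the mapping and the list of names that were rejected."""
    groups = defaultdict(list)
    rejected = []
    for name in names:
        parsed = parse_logname(name)
        if parsed is None:
            rejected.append(name)
            continue
        ip, num = parsed
        groups[ip].append((num, name))
    for files in groups.values():
        files.sort()
    return dict(groups), rejected


if __name__ == "__main__":
    groups, rejected = group_by_sender(SAMPLE_NAMES)
    for ip, files in sorted(groups.items()):
        print(ip, [name for _, name in files])
    print("rejected:", rejected)
```

Only names that match the whole scheme are accepted, so stray files in the log directory (or names with path components in them) are reported rather than read as p0f logs.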
- You may use this stuff as you wish as long as you don't claim to have made
it yourself.
Files
Regards
/Jonas Eckerman
(2012-03-20)