Syntax error on p0f startup


figa...@gmail.com

Mar 31, 2016, 5:31:27 AM
to Modern Honey Network

Hello,

I deployed p0f with mhn (great tool) on a debian server (Jessie). Unfortunately, it doesn't start. Here is the p0f.out content:

[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from 'p0f.fp'.
[+] p0f.hpfeed: sending authentication.
[+] p0f.hpfeed: Authentication done.
[+] Intercepting traffic on interface 'eth0'.
[-] pcap_compile: syntax error
[-] PROGRAM ABORT : Syntax error! See 'man tcpdump' for help on filters.
         Location : prepare_bpf(), p0f.c:655

--- p0f 3.07b by Michal Zalewski <> ---

So, I went into the p0f.c file:

  /* final_rule is the BPF filter string handed to libpcap; orig_rule is the
     user-supplied filter it was built from (NULL when p0f uses its default). */
  if (pcap_compile(pt, &flt, (char*)final_rule, 1, 0)) {
    pcap_perror(pt, "[-] pcap_compile");

    /* A default filter should always compile; a failure with a user filter is
       reported as a syntax error in that filter. */
    if (!orig_rule)
      FATAL("pcap_compile() didn't work, strange");
    else
      FATAL("Syntax error! See 'man tcpdump' for help on filters.");

  }

And I'm stuck here. I don't understand what is wrong with the syntax here and what I should correct to make it work.

Maybe someone here can help me. Thanks!

figa...@gmail.com

Mar 31, 2016, 5:40:24 AM
to Modern Honey Network

Forgot to tell: I didn't see any error during deployment with deploy_p0f.sh

Jason Trost

Mar 31, 2016, 8:19:08 AM
to figa...@gmail.com, Modern Honey Network
Any chance you don't have an eth0 interface?

Check out /opt/p0f/p0f_wrapper.sh

If you want p0f to capture from a different interface, then edit this file (see the line "INTERFACE=eth0" and change it). Then restart p0f using supervisorctl:

sudo supervisorctl restart p0f




--
Jason Trost | VP of Threat Research | www.anomali.com 
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone:  386.235.0078 | Twitter:  @jason_trost 

figa...@gmail.com

Mar 31, 2016, 8:34:56 AM
to Modern Honey Network, figa...@gmail.com
Thanks for your help!

I checked p0f_wrapper.sh and found the problem.
You're right, and it was about getting the IP address, not the interface.

If I do an ifconfig, I have this:
inet adr:192.168.x.xx  Bcast:192.168.x.xxx  Masque:255.255.255.0

I changed this line:
ifconfig ${INTERFACE} | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'

into this one:
MY_ADDRESS=`ifconfig ${INTERFACE} | grep 'inet adr:' | cut -d: -f2 | awk '{ print $1}'`

and it works.
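The root cause in this thread is that the wrapper's `grep 'inet addr:'` matches nothing on a French-locale system (net-tools prints `inet adr:`), so `MY_ADDRESS` is empty and the BPF filter p0f builds from it is no longer valid, which is exactly the `pcap_compile: syntax error` in the first post. The script below is an added example, not MHN's own p0f_wrapper.sh: it extracts the interface address in a locale-independent way (forcing `LC_ALL=C`, accepting the old `addr:`/`adr:` labels as well as the newer bare `inet 10.0.0.5` form, and preferring iproute2 when it is installed) and refuses to build a filter from an empty or malformed value. The filter string `dst host ADDR` is an assumption; the thread does not show the wrapper's actual filter. The sample ifconfig outputs are constructed with placeholder addresses.

```shell
#!/bin/sh
# Added example (not from MHN or the thread): locale-safe address lookup for a
# p0f wrapper, plus a guard so an empty address can never reach pcap_compile().

# Parse ifconfig output read from stdin and print the first IPv4 address.
# Handles "inet addr:10.0.0.5" (English net-tools), translated labels such as
# the French "inet adr:192.168.1.23", and "inet 10.0.0.5  netmask ..." (newer
# net-tools). inet6 lines are skipped.
parse_ifconfig_addr() {
    awk '
        /^[ \t]*inet[ \t]/ {
            for (i = 1; i <= NF; i++) {
                # "addr:10.0.0.5" or "adr:10.0.0.5": strip the label, keep the IP
                if ($i ~ /^[A-Za-z]+:[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    sub(/^[A-Za-z]+:/, "", $i); print $i; exit
                }
                # bare dotted quad directly after "inet"
                if ($i == "inet" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    print $(i+1); exit
                }
            }
        }'
}

# Query a live interface. LC_ALL=C forces English labels from net-tools, and
# iproute2's one-line output is used when available (field 4 is "ADDR/PREFIX").
get_iface_addr() {
    iface="$1"
    if command -v ip >/dev/null 2>&1; then
        LC_ALL=C ip -4 -o addr show dev "$iface" 2>/dev/null \
            | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
    else
        LC_ALL=C ifconfig "$iface" 2>/dev/null | parse_ifconfig_addr
    fi
}

# Build the capture filter. "dst host" is an assumed placeholder for the real
# wrapper's filter. An empty address would produce "dst host " and make p0f
# abort inside pcap_compile(), so reject empty or non-dotted-decimal input here.
build_p0f_filter() {
    addr="$1"
    case "$addr" in
        ''|*[!0-9.]*)
            echo "refusing to build filter: bad address '$addr'" >&2
            return 1 ;;
    esac
    printf 'dst host %s\n' "$addr"
}

# Constructed samples (placeholder addresses), one per ifconfig dialect.
SAMPLE_FR='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet adr:192.168.1.23  Bcast:192.168.1.255  Masque:255.255.255.0
          inet6 adr: fe80::1/64 Scope:Lien'
SAMPLE_EN='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0'
SAMPLE_NEW='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.0.9  netmask 255.255.255.0  broadcast 172.16.0.255
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>'

demo() {
    addr=$(printf '%s\n' "$SAMPLE_FR" | parse_ifconfig_addr)
    echo "parsed address: $addr"
    build_p0f_filter "$addr"
    # Reproduce the failure from the thread: the original grep for
    # 'inet addr:' matches nothing on the French output, so the address is
    # empty and the guard rejects it instead of letting p0f abort later.
    broken=$(printf '%s\n' "$SAMPLE_FR" | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')
    build_p0f_filter "$broken" || echo "(this is the empty-address case the thread hit)"
}

demo
```

Running the file prints the parsed address and the filter for the French sample, then shows the guard rejecting the empty value that the original `grep 'inet addr:'` produces. In a wrapper, `MY_ADDRESS=$(get_iface_addr "$INTERFACE")` followed by `FILTER=$(build_p0f_filter "$MY_ADDRESS") || exit 1` stops the service with a readable message under supervisord rather than a bare "Syntax error" from libpcap.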