--On Thursday, August 04, 2005 12:46:20 -0500 Paul Schmehl
<[EMAIL PROTECTED]> wrote:
I'm working on a shell script to use p0f to identify "unauthorized" hosts
on our network.
In the script I use an echo command to see what the output of the command
is. This is what it looks like:
/usr/local/bin/p0f -i xl0 -N -l -o /root/capture.1123177152.log 'src net
10.0.0.0/8 or src net 129.110.0.0/16'
If I paste the output of the echo command to the cli and hit enter, p0f
runs and writes to the log. Yet when I actually try to run that same
command from the script, p0f complains:
pcap_compile: illegal token: '
See man tcpdump or p0f README for help on bpf filter expressions.
Here's the script. It's very simple right now, but there's a lot more
work to be done. I first have to figure out this problem, though:
# !/bin/sh
P0F=/usr/local/bin/p0f
EPOCH_DATE=`date -j -f "%a %b %d %T %Z %Y" "\`date\`" "+%s"`
LOG=/root/capture.${EPOCH_DATE}.log
NIC="-i xl0"
ARGS="-N -l -o ${LOG}"
DAEMON="-d"
FILTER="'src net 10.0.0.0/8 or src net 129.110.0.0/16'"
echo "${P0F} ${NIC} ${ARGS} ${DAEMON} ${FILTER}"
${P0F} ${NIC} ${ARGS} ${FILTER}
Why is p0f complaining about the bpf filter? I've tried escaping the
single quotes, but that generates a different error. I don't understand
why the identical command works on the cli, but not in the script.
For the record, `eval ${P0F} ${NIC} ${ARGS} ${DAEMON} ${FILTER}` solved the
problem.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
