From f33c46140f0e0a230aba5d739ce40cb14e066b13 Mon Sep 17 00:00:00 2001 From: Jonas Berlin Date: Fri, 1 Apr 2005 06:54:23 +0000 Subject: add lots of man pages (Jonas Berlin) --- extensions/libipt_osf.man | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 extensions/libipt_osf.man (limited to 'extensions/libipt_osf.man') diff --git a/extensions/libipt_osf.man b/extensions/libipt_osf.man new file mode 100644 index 00000000..38d25a03 --- /dev/null +++ b/extensions/libipt_osf.man @@ -0,0 +1,47 @@ +The idea of passive OS fingerprint matching exists for quite a long time, +but was created as extension fo OpenBSD pf only some weeks ago. +Original idea was lurked in some OpenBSD mailing list (thanks +grange@open...) and than adopted for Linux netfilter in form of this code. + +Original fingerprint table was created by Michal Zalewski . + +This module compares some data(WS, MSS, options and it's order, ttl, +df and others) from first SYN packet (actually from packets with SYN +bit set) with dynamically loaded OS fingerprints. +.TP +.B "--log 1/0" +If present, OSF will log determined genres even if they don't match +desired one. +0 - log all determined entries, +1 - only first one. + +In syslog you find something like this: +.IP +ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 +.IP +ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80 +.TP +.B "--smart" +if present, OSF will use some smartness to determine remote OS. +OSF will use initial TTL only if source of connection is in our local network. +.TP +.B "--netlink" +If present, OSF will log all events also through netlink NETLINK_NFLOG groupt 1. +.TP +.BI "--genre " "[!] string" +Match a OS genre by passive fingerprinting +.P +Example: + +#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart + +NOTE: -p tcp is obviously required as it is a TCP match. + +Fingerprints can be loaded and read through /proc/sys/net/ipv4/osf file. +One can flush all fingerprints with following command: +.IP +echo -en FLUSH > /proc/sys/net/ipv4/osf +.P +Only one fingerprint per open/write/close. + +Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os -- cgit v1.2.3