summaryrefslogtreecommitdiffstats
path: root/extensions/libipt_osf.man
blob: 38d25a035ba8a9588511c5068de3e654af611073 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
The idea of passive OS fingerprint matching exists for quite a long time,
but was created as extension fo OpenBSD pf only some weeks ago.
Original idea was lurked in some OpenBSD mailing list (thanks
grange@open...) and than adopted for Linux netfilter in form of this code.

Original fingerprint table was created by Michal Zalewski <lcamtuf@coredump.cx>.

This module compares some data(WS, MSS, options and it's order, ttl,
df and others) from first SYN packet (actually from packets with SYN
bit set) with dynamically loaded OS fingerprints.
.TP
.B "--log 1/0" 
If present, OSF will log determined genres even if they don't match
desired one.	
0 - log all determined entries, 
1 - only first one.

In syslog you find something like this:
.IP
ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
.IP
ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80
.TP
.B "--smart"
if present, OSF will use some smartness to determine remote OS.
OSF will use initial TTL only if source of connection is in our local network.
.TP
.B "--netlink"
If present, OSF will log all events also through netlink NETLINK_NFLOG groupt 1.
.TP
.BI "--genre " "[!] string"
Match a OS genre by passive fingerprinting
.P
Example:

#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart

NOTE: -p tcp is obviously required as it is a TCP match.

Fingerprints can be loaded and read through /proc/sys/net/ipv4/osf file.
One can flush all fingerprints with following command:
.IP
echo -en FLUSH > /proc/sys/net/ipv4/osf
.P
Only one fingerprint per open/write/close.

Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os