Hello,

I took a look at the signatures:

> https://tools.netsa.cert.org/p0f/p0f.fp.2012032901 signatures file (pf.os),

This change is not just about updating the parser; it looks like it will also require updating the matching code in the kernel. I have not looked at all the details yet.

Below is the fingerprint entry format as found in the etc/pf.os we have in -current:

# Fingerprint entry format:
#
# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
#
# wwww - window size (can be *, %nnn, Snn or Tnn). The special values
#        "S" and "T" which are a multiple of MSS or a multiple of MTU
#        respectively.
# ttt - initial TTL
# D - don't fragment bit (0 - not set, 1 - set)
# ss - overall SYN packet size
# OOO - option value and order specification (see below)
# OS - OS genre (Linux, Solaris, Windows)
# Version - OS Version (2.0.27 on x86, etc)
# Subtype - OS subtype or patchlevel (SP3, lo0)
# details - Generic OS details

and here is the format description from the link above:

# Fingerprint entry format:
#
# wwww:ttt:D:ss:OOO...:QQ:OS:Details
#
# wwww - window size (can be * or %nnn or Sxx or Txx)
#        "Snn" (multiple of MSS) and "Tnn" (multiple of MTU) are allowed.
# ttt - initial TTL
# D - don't fragment bit (0 - not set, 1 - set)
# ss - overall SYN packet size (* has a special meaning)
# OOO - option value and order specification (see below)
# QQ - quirks list (see below)
# OS - OS genre (Linux, Solaris, Windows)
# details - OS description (2.0.27 on x86, etc)

# Quirks section is usually an empty list ('.') of oddities or bugs of this
# particular stack. List items are not separated in any way. Possible values:
#
# P - options past EOL,
# Z - zero IP ID,
# I - IP options specified,
# U - urg pointer non-zero,
# X - unused (x2) field non-zero,
# A - ACK number non-zero,
# T - non-zero second timestamp,
# F - unusual flags (PUSH, URG, etc),
# D - data payload,
# ! - broken options segment.

Quirks are new, and I think we will also have to update the code in the kernel too. I'm afraid it's more than just fixing the parser.

regards
sashan

On Mon, May 22, 2023 at 06:50:34PM +0300, ???????? ????????????
wrote:
> Apologies in advance for my bad English :) I am trying to use this
> https://tools.netsa.cert.org/p0f/p0f.fp.2012032901 signatures file (pf.os),
> as far as I understand, it is newer than the one that comes with the OS
> (and maybe you will update it too). The "too short OS description" error
> appears when trying to apply rules (pfctl -f /etc/pf.conf).
>
> I think the problem is somewhere in the parser, judging by the description in
> the file at the link I provided:
>
> # If OS genre starts with '*', p0f will not show distance, link type
> # and timestamp data. It is useful for userland TCP/IP stacks of
> # network scanners and so on, where many settings are randomized or
> # bogus.
> #
> # If OS genre starts with @, it denotes an approximate hit for a group
> # of operating systems (signature reporting still enabled in this case).
> # Use this feature at the end of this file to catch cases for which
> # you don't have a precise match, but can tell it's Windows or FreeBSD
> # or whatnot by looking at, say, flag layout alone.
> #
> # If OS genre starts with - (which can prefix @ or *), the entry is
> # not considered to be a real operating system (but userland stack
> # instead). It is important to mark all scanners and so on with -,
> # so that they are not used for masquerade detection (also add this
> # prefix for signatures of application-induced behavior, such as
> # increased window size with Opera browser).
>
> Attaching the dump of ktrace. OpenBSD version: 7.3
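As an added example (not code from pfctl, the OpenBSD kernel or p0f), here is a parser that accepts both layouts quoted in the thread: the nine-field one in OpenBSD's etc/pf.os (wwww:ttt:D:ss:OOO:OS:Version:Subtype:Details) and the eight-field p0f one (wwww:ttt:D:ss:OOO:QQ:OS:Details) with its quirks list and the -, @ and * genre prefixes. It also reports which entries of a file are in the p0f layout, which is what a user mixing the two files would want to know before feeding one to pfctl. The sample entries, the function names and the discriminator (a sixth field made only of quirk letters or '.' means the p0f layout) are this example's own assumptions drawn from the two format descriptions above, not how pfctl itself decides or phrases its errors.

```python
"""Parser for the two pf.os fingerprint layouts discussed in the thread.

Added example; not code from pfctl, the OpenBSD kernel or p0f.  The sample
entries at the bottom are constructed for this example, not copied from
either signatures file.
"""
import re
from dataclasses import dataclass

# Quirk letters exactly as listed in the p0f format description.
QUIRK_RE = re.compile(r"^(\.|[PZIUXATFD!]+)$")
# Window size: *, %nnn, Snn (multiple of MSS), Tnn (multiple of MTU) or a number.
WINDOW_RE = re.compile(r"^(\*|%\d+|[ST]\d+|\d+)$")


@dataclass
class Fingerprint:
    layout: str          # "old" (OpenBSD pf.os) or "new" (p0f 2.x)
    window: str
    ttl: int
    df: bool
    syn_size: str        # decimal, or "*" (special meaning in p0f)
    options: list
    quirks: set          # always empty for the old layout
    genre: str           # OS genre with -, @ and * prefixes stripped
    userland: bool       # '-' prefix: not a real OS, exclude from masquerade detection
    approximate: bool    # '@' prefix: approximate hit for a group of OSes
    hide_details: bool   # '*' prefix: p0f hides distance/link/timestamp
    version: str = ""    # old layout only
    subtype: str = ""    # old layout only
    details: str = ""


def _split_genre(raw):
    userland = approximate = hide = False
    while raw and raw[0] in "-@*":
        userland |= raw[0] == "-"
        approximate |= raw[0] == "@"
        hide |= raw[0] == "*"
        raw = raw[1:]
    return raw, userland, approximate, hide


def parse_fingerprint(line):
    """Parse one entry; None for blank/comment lines, ValueError on malformed input."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split(":")
    if len(f) < 8:
        raise ValueError("fewer than 8 fields: %r" % line)
    window, ttl, df, size, opts = f[:5]
    if not WINDOW_RE.match(window):
        raise ValueError("bad window size %r" % window)
    if not ttl.isdigit() or df not in ("0", "1") or not (size == "*" or size.isdigit()):
        raise ValueError("bad ttl/df/size in %r" % line)
    options = [] if opts == "." else opts.split(",")

    # Assumed discriminator: field 6 is a quirks list only in the p0f layout;
    # in the old layout it is the OS genre, which is never a bare quirk string.
    if QUIRK_RE.match(f[5]):
        layout, quirks = "new", set(f[5]) - {"."}
        genre_raw, version, subtype = f[6], "", ""
        details = ":".join(f[7:])
    else:
        if len(f) < 9:
            raise ValueError("old layout needs OS:Version:Subtype:Details: %r" % line)
        layout, quirks = "old", set()
        genre_raw, version, subtype = f[5], f[6], f[7]
        details = ":".join(f[8:])

    genre, userland, approximate, hide = _split_genre(genre_raw)
    return Fingerprint(layout, window, int(ttl), df == "1", size, options, quirks,
                       genre, userland, approximate, hide, version, subtype, details)


def parse_file(text):
    """Return (lineno, Fingerprint) for every entry in a pf.os-style file."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        fp = parse_fingerprint(line)
        if fp is not None:
            out.append((n, fp))
    return out


def new_layout_lines(text):
    """Line numbers of entries in the p0f layout (quirks field present), i.e. the
    entries the base pf.os parser and kernel matcher, per the thread, do not know."""
    return [n for n, fp in parse_file(text) if fp.layout == "new"]


# Constructed sample mixing both layouts (not real pf.os or p0f.fp entries).
SAMPLE = """\
# line 1: comment
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:5.0:fuzzy:OpenBSD 5.x (fuzzy)
S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (newer, 7)
65535:128:1:48:M*,N,N,S:.:-*NMAP:syn scan (constructed)
S44:64:1:52:M*,N,N,S,N,W0:ZA:@Linux:2.4.x group (constructed)
"""

if __name__ == "__main__":
    for n, fp in parse_file(SAMPLE):
        print(n, fp.layout, fp.genre, sorted(fp.quirks))
    print("p0f-layout entries on lines:", new_layout_lines(SAMPLE))
```

Running it on a real p0f.fp would list every line that the older pf.os layout cannot express; note that a quirks field of '.' still marks the line as p0f layout, since the field count differs even when no quirk is set.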