On 2023/05/25 17:40, Alexandr Nedvedicky wrote:
> Hello,
>
> I took a look at signatures:
>
> https://tools.netsa.cert.org/p0f/p0f.fp.2012032901 signatures file (pf.os),
>
> This change is not just about updating the parser: it looks like it will
> also require updating the matching stuff in the kernel. I have not looked
> at all details yet.

As well as PF, this database is used by tcpdump (-o). Quirks were added
in p0f v2.x (p0f upstream is now at version 3.x, which has a completely
different database). (p0f 2.x is in ports.)

> Below is the fingerprint entry format as found in etc/pf.os we have
> in current:
>
> # Fingerprint entry format:
> #
> # wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
> #
> # wwww - window size (can be *, %nnn, Snn or Tnn). The special values
> # "S" and "T" which are a multiple of MSS or a multiple of MTU
> # respectively.
> # ttt - initial TTL
> # D - don't fragment bit (0 - not set, 1 - set)
> # ss - overall SYN packet size
> # OOO - option value and order specification (see below)
> # OS - OS genre (Linux, Solaris, Windows)
> # Version - OS Version (2.0.27 on x86, etc)
> # Subtype - OS subtype or patchlevel (SP3, lo0)
> # details - Generic OS details
>
> and here is the format description from the link above:
>
> # Fingerprint entry format:
> #
> # wwww:ttt:D:ss:OOO...:QQ:OS:Details
> #
> # wwww - window size (can be * or %nnn or Sxx or Txx)
> # "Snn" (multiple of MSS) and "Tnn" (multiple of MTU) are allowed.
> # ttt - initial TTL
> # D - don't fragment bit (0 - not set, 1 - set)
> # ss - overall SYN packet size (* has a special meaning)
> # OOO - option value and order specification (see below)
> # QQ - quirks list (see below)
> # OS - OS genre (Linux, Solaris, Windows)
> # details - OS description (2.0.27 on x86, etc)
>
>
> # Quirks section is usually an empty list ('.') of oddities or bugs of this
> # particular stack. List items are not separated in any way. Possible values:
> #
> # P - options past EOL,
> # Z - zero IP ID,
> # I - IP options specified,
> # U - urg pointer non-zero,
> # X - unused (x2) field non-zero,
> # A - ACK number non-zero,
> # T - non-zero second timestamp,
> # F - unusual flags (PUSH, URG, etc),
> # D - data payload,
> # ! - broken options segment.
>
>
> Quirks are new and I think we will also have to update code in the kernel.
>
> I'm afraid it's more than just fixing the parser.
>
> regards
> sashan
>
> On Mon, May 22, 2023 at 06:50:34PM +0300, ???????? ???????????? wrote:
> > Apologies in advance for my bad English :) I am trying to use this
> > https://tools.netsa.cert.org/p0f/p0f.fp.2012032901 signatures file (pf.os);
> > as far as I understand, it is newer than the one that comes with the OS
> > (and maybe you will update it too). A "too short OS description" error
> > appears when trying to apply rules (pfctl -f /etc/pf.conf).
> >
> > I think the problem is somewhere in the parser, judging by the description in
> > the file at the link I provided:
> >
> > # If OS genre starts with '*', p0f will not show distance, link type
> > # and timestamp data. It is useful for userland TCP/IP stacks of
> > # network scanners and so on, where many settings are randomized or
> > # bogus.
> > #
> > # If OS genre starts with @, it denotes an approximate hit for a group
> > # of operating systems (signature reporting still enabled in this case).
> > # Use this feature at the end of this file to catch cases for which
> > # you don't have a precise match, but can tell it's Windows or FreeBSD
> > # or whatnot by looking at, say, flag layout alone.
> > #
> > # If OS genre starts with - (which can prefix @ or *), the entry is
> > # not considered to be a real operating system (but userland stack
> > # instead). It is important to mark all scanners and so on with -,
> > # so that they are not used for masquerade detection (also add this
> > # prefix for signatures of application-induced behavior, such as
> > # increased window size with Opera browser).
> >
> > Attaching the dump of ktrace. OpenBSD version: 7.3
> >
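The two entry formats quoted in the thread differ in the fields after the option list: OpenBSD's pf.os uses OS:Version:Subtype:Details, while the p0f v2 file inserts a quirks field (QQ) and drops Version and Subtype, which is why a parser built for one layout rejects the other. The following parser is an added example written for this thread, not code from OpenBSD's pfctl or from p0f; it accepts both layouts, validates the window-size syntax, the DF bit and the quirk letters listed in the p0f header, and separates the '-', '@' and '*' genre prefixes. It assumes that the Details field contains no ':' (so an entry's layout can be told from its field count) and that the sample entries, which are constructed for the example rather than copied from either file, are representative.

```python
import re
from dataclasses import dataclass

# Quirk letters from the p0f v2 header quoted in the thread; '.' means "no quirks".
QUIRK_LETTERS = frozenset("PZIUXATFD!")

# Window-size forms named by both headers: '*', '%nnn', 'Snn', 'Tnn' or a plain number.
WINDOW_RE = re.compile(r"^(\*|%\d+|S\d+|T\d+|\d+)$")


@dataclass
class Fingerprint:
    layout: str               # "openbsd" (OS:Version:Subtype:Details) or "p0f2" (QQ:OS:Details)
    window: str
    ttl: int
    dont_fragment: bool
    syn_size: str             # '*' is only defined for the p0f v2 layout
    options: list
    quirks: frozenset         # always empty for the OpenBSD layout
    genre: str                # OS genre with any leading '-', '@', '*' removed
    genre_flags: frozenset    # the prefix characters that were present
    version: str = ""         # OpenBSD layout only
    subtype: str = ""         # OpenBSD layout only
    details: str = ""


def _split_genre(raw):
    """Separate the '-', '@', '*' prefix characters from the genre name."""
    flags = set()
    while raw and raw[0] in "-@*":
        flags.add(raw[0])
        raw = raw[1:]
    return raw, frozenset(flags)


def parse_fingerprint(line):
    """Parse one entry; returns None for blank/comment lines, raises ValueError on bad input."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    # Assumption: Details never contains ':', so 9 fields means the OpenBSD
    # layout and 8 fields means the p0f v2 layout; anything else is rejected
    # in the spirit of pfctl's "too short OS description" error.
    if len(fields) not in (8, 9):
        raise ValueError("too short OS description: %r" % line)
    window, ttl, df, size, opts = fields[:5]
    if not WINDOW_RE.match(window):
        raise ValueError("bad window size %r" % window)
    if df not in ("0", "1"):
        raise ValueError("bad DF flag %r" % df)
    if len(fields) == 9:
        layout, quirks = "openbsd", frozenset()
        genre, flags = _split_genre(fields[5])
        version, subtype, details = fields[6], fields[7], fields[8]
    else:
        layout = "p0f2"
        qq = fields[5]
        if qq != "." and (not qq or not set(qq) <= QUIRK_LETTERS):
            raise ValueError("unknown quirk in %r" % qq)
        quirks = frozenset() if qq == "." else frozenset(qq)
        genre, flags = _split_genre(fields[6])
        version, subtype, details = "", "", fields[7]
    if size == "*" and layout != "p0f2":
        raise ValueError("'*' SYN size is only defined in the p0f v2 layout")
    return Fingerprint(layout, window, int(ttl), df == "1", size,
                       opts.split(",") if opts else [], quirks, genre, flags,
                       version, subtype, details)


def load_fingerprints(text):
    """Parse a whole file body, skipping comments and blank lines."""
    return [fp for fp in (parse_fingerprint(l) for l in text.splitlines()) if fp]


def summarize(fps):
    """Count entries per layout and collect the quirk letters actually used,
    i.e. the ones a kernel matcher would have to understand."""
    counts = {"openbsd": 0, "p0f2": 0}
    used = set()
    for fp in fps:
        counts[fp.layout] += 1
        used |= fp.quirks
    return counts, frozenset(used)


# Constructed sample entries (not copied from any real pf.os or p0f.fp file).
SAMPLE = """\
# OpenBSD pf.os layout
S4:64:1:60:M*,S,T,N,W0:Linux:2.4::Linux 2.4 generic
# p0f v2 layout, no quirks
S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (generic)
# p0f v2 layout with quirks and a '-*' genre prefix (userland stack)
65535:128:1:48:M*,N,N,S:ZA:-*NMAP:syn scan
"""

if __name__ == "__main__":
    fps = load_fingerprints(SAMPLE)
    for fp in fps:
        print(fp.layout, fp.genre, sorted(fp.quirks), sorted(fp.genre_flags))
    print(summarize(fps))
```

Running the block over the sample shows one OpenBSD-layout entry and two p0f v2 entries, with the quirk letters Z and A in use; a mixed file like that is exactly the case where fixing the userland parser alone is not enough, because the matching side must also know what those quirk letters mean.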