Thank you for looking. Then another question: will you develop this functionality, or will it stay as is?
Thu, 25 May 2023 at 18:54, Stuart Henderson <s...@spacehopper.org>:

> On 2023/05/25 17:40, Alexandr Nedvedicky wrote:
> > Hello,
> >
> > I took a look at signatures:
> > > https://tools.netsa.cert.org/p0f/p0f.fp.2012032901 signatures file (pf.os),
> >
> > This change is not about updating parser; it looks like it will
> > also require to update matching stuff in kernel. I have not looked
> > at all details yet.
>
> as well as PF, this database is used by tcpdump (-o).
>
> quirks were added in p0f v2.x (p0f upstream is now at version 3.x which
> has a completely different database).
>
> (p0f 2.x is in ports)
>
> > below is fingerprint entry format as found in etc/pf.os we have
> > in current:
> >
> > # Fingerprint entry format:
> > #
> > # wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
> > #
> > # wwww - window size (can be *, %nnn, Snn or Tnn). The special values
> > # "S" and "T" which are a multiple of MSS or a multiple of MTU
> > # respectively.
> > # ttt - initial TTL
> > # D - don't fragment bit (0 - not set, 1 - set)
> > # ss - overall SYN packet size
> > # OOO - option value and order specification (see below)
> > # OS - OS genre (Linux, Solaris, Windows)
> > # Version - OS Version (2.0.27 on x86, etc)
> > # Subtype - OS subtype or patchlevel (SP3, lo0)
> > # details - Generic OS details
> >
> > and here is a format description from link above
> >
> > # Fingerprint entry format:
> > #
> > # wwww:ttt:D:ss:OOO...:QQ:OS:Details
> > #
> > # wwww - window size (can be * or %nnn or Sxx or Txx)
> > # "Snn" (multiple of MSS) and "Tnn" (multiple of MTU) are allowed.
> > # ttt - initial TTL
> > # D - don't fragment bit (0 - not set, 1 - set)
> > # ss - overall SYN packet size (* has a special meaning)
> > # OOO - option value and order specification (see below)
> > # QQ - quirks list (see below)
> > # OS - OS genre (Linux, Solaris, Windows)
> > # details - OS description (2.0.27 on x86, etc)
> >
> >
> > # Quirks section is usually an empty list ('.') of oddities or bugs of this
> > # particular stack. List items are not separated in any way. Possible values:
> > #
> > # P - options past EOL,
> > # Z - zero IP ID,
> > # I - IP options specified,
> > # U - urg pointer non-zero,
> > # X - unused (x2) field non-zero,
> > # A - ACK number non-zero,
> > # T - non-zero second timestamp,
> > # F - unusual flags (PUSH, URG, etc),
> > # D - data payload,
> > # ! - broken options segment.
> >
> >
> > quirks are new and I think we will also have to update code in kernel too.
> >
> > I'm afraid it's more than just fixing the parser.
> >
> > regards
> > sashan
> >
> > On Mon, May 22, 2023 at 06:50:34PM +0300, ???????? ???????????? wrote:
> > > Apologize in advance for my bad English :) I am trying to use this
> > > https://tools.netsa.cert.org/p0f/p0f.fp.2012032901 signatures file (pf.os),
> > > as far as I understand, it is newer than the one that comes with the OS
> > > (and maybe you will update it too). "too short OS description" error
> > > appears when trying to apply rules (pfctl -f /etc/pf.conf).
> > >
> > > I think the problem is somewhere in parser, judging by the description in
> > > the file at the link I provided:
> > >
> > > # If OS genre starts with '*', p0f will not show distance, link type
> > > # and timestamp data. It is useful for userland TCP/IP stacks of
> > > # network scanners and so on, where many settings are randomized or
> > > # bogus.
> > > #
> > > # If OS genre starts with @, it denotes an approximate hit for a group
> > > # of operating systems (signature reporting still enabled in this case).
> > > # Use this feature at the end of this file to catch cases for which
> > > # you don't have a precise match, but can tell it's Windows or FreeBSD
> > > # or whatnot by looking at, say, flag layout alone.
> > > #
> > > # If OS genre starts with - (which can prefix @ or *), the entry is
> > > # not considered to be a real operating system (but userland stack
> > > # instead). It is important to mark all scanners and so on with -,
> > > # so that they are not used for masquerade detection (also add this
> > > # prefix for signatures of application-induced behavior, such as
> > > # increased window size with Opera browser).
> > >
> > > Attaching the dump of ktrace. OpenBSD version: 7.3
> > >
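As an added illustration of the two layouts compared in the thread (this is not code from OpenBSD's pfctl or from p0f), the Python parser below splits a signature line into its fields and tells the OpenBSD pf.os layout (OS:Version:Subtype:Details after the options) apart from the p0f 2.x layout (QQ:OS:Details) by field count, checks the window specifier and quirk letters against the descriptions quoted above, and strips the -, @ and * genre prefixes. The sample lines are constructed, and the field-count rule assumes the free-text fields contain no colons.

```python
import re
from collections import Counter

# Quirk letters defined by the p0f 2.x format's QQ field.
QUIRK_LETTERS = set("PZIUXATFD!")
# wwww: "*", "%nnn", "Snn" (multiple of MSS), "Tnn" (multiple of MTU) or a plain number.
WINDOW_RE = re.compile(r"^(\*|%\d+|[ST]\d+|\d+)$")

def parse_fingerprint(line):
    """Parse one signature line into a dict; returns None for blank/comment lines.
    fmt is "pf.os" (OpenBSD layout, no quirks field) or "p0f2" (p0f 2.x with QQ).
    Assumes the free-text fields contain no ':' characters."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    f = body.split(":")
    if len(f) == 9:      # wwww:ttt:D:ss:OOO:OS:Version:Subtype:Details
        fmt, quirk_field = "pf.os", "."
        window, ttl, df, size, opts, genre, details = *f[:6], f[6:]
    elif len(f) == 8:    # wwww:ttt:D:ss:OOO:QQ:OS:Details
        fmt = "p0f2"
        window, ttl, df, size, opts, quirk_field, genre, details = *f[:7], f[7:]
    else:
        raise ValueError(f"unexpected field count {len(f)}: {body!r}")
    if not WINDOW_RE.match(window) or df not in ("0", "1"):
        raise ValueError(f"bad window or DF field in {body!r}")
    quirks = set() if quirk_field == "." else set(quirk_field)
    if not quirks <= QUIRK_LETTERS:
        raise ValueError(f"unknown quirk in {quirk_field!r}")
    # Genre prefixes: "-" userland stack, "@" approximate group, "*" no distance/link data.
    flags = set()
    while genre and genre[0] in "-@*":
        flags.add(genre[0])
        genre = genre[1:]
    return {"fmt": fmt, "window": window, "ttl": int(ttl), "df": int(df), "syn_size": size,
            "options": [] if opts == "." else opts.split(","), "quirks": quirks,
            "genre": genre, "flags": flags, "details": details}

def formats_in(text):
    """Count the layouts present in a signature file, to spot a p0f 2.x database
    (with its extra QQ field) before handing it to a parser that expects pf.os."""
    return Counter(fp["fmt"] for fp in map(parse_fingerprint, text.splitlines()) if fp)

# Constructed sample lines, one pf.os-style and two p0f 2.x-style (not from any real database).
SAMPLES = [
    "16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.x::OpenBSD 3.x",
    "S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (newer, 7)",
    "*:64:0:48:M*,N,N,S:Z:-Scanner:userland stack, not a real OS",
]
```

Running formats_in over a downloaded p0f 2.x file before pointing pfctl at it shows immediately that every entry carries the QQ field the pf.os layout has no slot for.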