ioremap.net

Storage and beyond

Passive OS fingerprint module update.

The passive OS fingerprinting netfilter module passively detects the remote OS and lets you apply netfilter actions based on that knowledge. It compares a set of fields from packets with the SYN bit set (window size, MSS, TCP options and their order, TTL, DF and others) against dynamically loaded OS fingerprints.

Fingerprint matching rules can be taken from the OpenBSD source tree and loaded into the kernel over the netlink connector with the special utility found in the archive. The same utility also listens for events about matching packets.

In this release all rule initialization is handled over netlink, and lookup tables are introduced to speed up the RCU lookup a bit (they were actually added in the previous version, which was not announced on the mailing lists, likely because of spam filters). It also adds back the maximum IP option length definition, which is needed for the library to compile successfully; otherwise one has to include /usr/include/netinet/ip.h.

Example usage:

# modprobe ipt_osf
# ./ucon_osf -f ./pf.os
^C    (the daemon keeps listening for incoming match events until interrupted;
       the -d switch removes the fingerprints instead of loading them)
# iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 0 --ttl 2 --connector

You will find something like this in the syslog:

ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
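To make the matching described above concrete, here is an added example (not the module's or the ucon_osf utility's code) that parses fingerprint lines in the pf.os layout the post refers to and matches them against the fields the module inspects in a SYN: window, TTL, DF bit, IP packet size and the ordered TCP option list. The fingerprint lines and the SYN records are constructed for illustration, the window specs (*, %N, SN, TN) follow the pf.os conventions, and the three TTL levels are assumed to mirror the module's --ttl option (0 exact, 1 observed TTL may be lower, 2 no check, the level the post's iptables rule uses). The event formatter mimics the shape of the syslog line shown above.

```python
# Constructed fingerprint lines in pf.os layout (not copied from a real pf.os):
# window:ttl:df:packet_size:options:class:version:subtype:description
FINGERPRINTS = """\
# window  ttl df size  options                  class   version subtype description
S4:64:1:60:M*,S,T,N,W7:Linux:2.6:sample:Linux 2.6 (constructed sample)
65535:128:1:48:M*,N,N,S:Windows:XP:sample:Windows XP (constructed sample)
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:4.x:sample:OpenBSD 4.x (constructed sample)
"""

# Assumed to follow the module's --ttl levels: 0 exact match (LAN), 1 observed
# TTL may be below the fingerprint's initial TTL (routed hosts), 2 ignore TTL.
TTL_TRUE, TTL_LESS, TTL_NOCHECK = 0, 1, 2


def parse_fingerprints(text):
    """Return a list of fingerprint dicts parsed from pf.os-style text."""
    fps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 8)          # description may itself contain ':'
        if len(parts) != 9:
            continue                         # malformed line: skip, don't crash the loader
        win, ttl, df, size, opts, genre, ver, sub, desc = parts
        fps.append({"window": win, "ttl": int(ttl), "df": int(df), "size": size,
                    "options": [] if opts in ("", ".") else opts.split(","),
                    "genre": genre, "version": ver, "subtype": sub, "desc": desc})
    return fps


def window_matches(spec, syn):
    """pf.os window specs: '*', exact value, %N (multiple of N), SN (N*MSS), TN (N*MTU)."""
    if spec == "*":
        return True
    if spec.startswith("%"):
        return syn["window"] % int(spec[1:]) == 0
    if spec.startswith("S"):
        return syn["mss"] is not None and syn["window"] == int(spec[1:]) * syn["mss"]
    if spec.startswith("T"):                 # MTU approximated as MSS + 40 bytes of IPv4/TCP headers
        return syn["mss"] is not None and syn["window"] == int(spec[1:]) * (syn["mss"] + 40)
    return syn["window"] == int(spec)


def options_match(specs, observed):
    """Each spec option must match the observed option at the same position (order matters)."""
    if len(specs) != len(observed):
        return False
    for spec, (kind, val) in zip(specs, observed):
        if spec[0] != kind:
            return False
        arg = spec[1:]
        if arg not in ("", "*") and val != int(arg):
            return False                     # e.g. W7 needs wscale 7, T0 needs a zero timestamp
    return True


def ttl_matches(fp_ttl, syn_ttl, level):
    if level == TTL_NOCHECK:
        return True
    if level == TTL_LESS:
        return syn_ttl <= fp_ttl
    return syn_ttl == fp_ttl


def match(fps, syn, ttl_level=TTL_TRUE):
    """Return every fingerprint whose fields all agree with the observed SYN."""
    hits = []
    for fp in fps:
        if fp["df"] != syn["df"]:
            continue
        if fp["size"] != "*" and int(fp["size"]) != syn["size"]:
            continue
        if not ttl_matches(fp["ttl"], syn["ttl"], ttl_level):
            continue
        if not window_matches(fp["window"], syn):
            continue
        if not options_match(fp["options"], syn["options"]):
            continue
        hits.append(fp)
    return hits


def format_event(fp, syn):
    """Render a hit in the shape of the module's syslog line."""
    return "ipt_osf: %s [%s:%s:%s]: %s:%d -> %s:%d" % (
        fp["genre"], fp["version"], fp["subtype"], fp["desc"],
        syn["src"], syn["sport"], syn["dst"], syn["dport"])


# Constructed SYN records: the fields a packet hook would extract from the headers.
SYN_LINUX_LAN = {"window": 5840, "mss": 1460, "ttl": 64, "df": 1, "size": 60,
                 "options": [("M", 1460), ("S", None), ("T", 123456), ("N", None), ("W", 7)],
                 "src": "192.0.2.10", "sport": 4024, "dst": "192.0.2.20", "dport": 139}
# The same host seen across seven router hops: TTL has been decremented to 57.
SYN_LINUX_WAN = dict(SYN_LINUX_LAN, ttl=57)

if __name__ == "__main__":
    fps = parse_fingerprints(FINGERPRINTS)
    for hit in match(fps, SYN_LINUX_LAN):
        print(format_event(hit, SYN_LINUX_LAN))
    print("WAN host, --ttl 0:", [h["desc"] for h in match(fps, SYN_LINUX_WAN, TTL_TRUE)])
    print("WAN host, --ttl 1:", [h["desc"] for h in match(fps, SYN_LINUX_WAN, TTL_LESS)])
```

The routed SYN shows why the TTL level matters: with exact TTL comparison a host several hops away matches nothing, while level 1 accepts the decremented TTL and still pins the genre through the window, size and option order.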

I’ve asked for its inclusion in the vanilla tree. This is a bit late though, but if things are good, it will find its way into the next kernel.
