Passive OS fingerprint module update.
Passive OS fingerprinting netfilter module allows to passively detect remote OS and perform various netfilter actions based on that knowledge. This module compares some data (WS, MSS, options and it’s order, ttl, df and others) from packets with SYN bit set with dynamically loaded OS fingerprints.
Fingerprint matching rules can be downloaded from OpenBSD source tree and loaded via netlink connector into the kernel via special util found in archive. It will also listen for events about matching packets.
Archive also contains library file (also attached), which was shipped with iptables extensions some time ago (at least when ipt_osf existed in patch-o-matic).
Example usage:
$ wget http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/pf.os?rev=1.21;content-type=text%2Fplain # modrpobe ipt_osf # ./ucon_osf -f ./pf.os ^C Daemon will listen for incoming match events -d switch removes fingerprints # iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 0 --ttl 2 --connector
You will find something like this in the syslog:
ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
Enjoy!
Detailed guide in pictures to how not to build an amplifier. Current POHMELFS TODO.
Comments are currently closed.