[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080701113927.GA16343@2ka.mipt.ru>
Date: Tue, 1 Jul 2008 15:39:28 +0400
From: Evgeniy Polyakov <johnpol@....mipt.ru>
To: netdev@...r.kernel.org
Cc: netfilter-devel@...r.kernel.org
Subject: Passive OS fingerprinting.
Hi.
Passive OS fingerprinting iptables (xtables) allows to match incoming
packets by different sets of SYN-packet and determine, which remote
system is on the remote end, so you can make decisions based on OS
type and even version at some degreee and perform various netfilter
actions based on that knowledge.
This module compares some data (WS, MSS, options and it's order, ttl, df
and others) from packets with SYN bit set with dynamically loaded OS
fingerprints.
This version existed quite for a while in patch-o-matic(-ng), but
suddenly was dropped and then only was updated on its own repo:
http://tservice.net.ru/~s0mbre/old/?section=projects&item=osf
I've updated OSF to match new iptables standards (namely xtables
support) and present new kernelspace and userspace library files in
attach.
To setup single rule, which will drop and log all Linux incoming
access one needs to do following steps:
# insmod ./ipt_osf.ko
# ./load ./pf.os /proc/sys/net/ipv4/osf
# iptables -I INPUT -j DROP -p tcp -m osf --genre Linux --log 2 \
--ttl 2 --connector
And you will find following lines in dmesg:
ipt_osf: Linux [2.5-2.6::Linux 2.5/2.6] : aa:aa:aa:aa:32885 -> bb:bb:bb:bb:23 hops=3
More info can be found on homepage:
http://tservice.net.ru/~s0mbre/old/?section=projects&item=osf
Enjoy!
Signed-off-by: Evgeniy Polyakov <johnpol@....mipt.ru>
--
Evgeniy Polyakov
View attachment "ipt_osf.c" of type "text/plain" (18961 bytes)
View attachment "ipt_osf.h" of type "text/plain" (3603 bytes)
View attachment "libipt_osf.c" of type "text/plain" (5176 bytes)
View attachment "Makefile" of type "text/plain" (866 bytes)
Powered by blists - more mailing lists