The idea of passive OS fingerprint matching has existed for quite a long time,
but it was implemented as an extension for OpenBSD pf only some weeks ago.
The original idea was lurked from some OpenBSD mailing list (thanks
grange@open...) and then adopted for Linux netfilter in the form of this code.
The original fingerprint table was created by Michal Zalewski <lcamtuf@coredump.cx>.
This module compares some data (WS, MSS, options and their order, TTL,
DF and others) from the first SYN packet (actually from packets with the SYN
bit set) with dynamically loaded OS fingerprints.
If present, OSF will log determined genres even if they don't match
0 - log all determined entries,
In syslog you will find something like this:
ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80
If present, OSF will use some smartness to determine the remote OS.
OSF will use the initial TTL only if the source of the connection is in our local network
(every router hop decrements the TTL, so a remote host's TTL no longer equals its initial value).
If present, OSF will also log all events through netlink NETLINK_NFLOG group 1.
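As an added example (not part of this man page or of the ipt_osf module), the following Python decodes the "Unknown" syslog line shown above and applies the --smart rule for the TTL. The split of the numeric fields into window:ttl:df:ip_len:options is an assumption made here, not something the page states; the log line and the local network 11.22.33.0/24 are constructed.

```python
import ipaddress
import re

# Constructed log line in the "Unknown" format shown in this man page.
LOG_LINE = ("ipt_osf: Unknown: 16384:106:1:48:020405B401010402 "
            "44.33.22.11:1239 -> 11.22.33.44:80")

# TCP option kinds from RFC 793, RFC 2018 and RFC 7323.
OPT_NAMES = {2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}

def decode_tcp_options(hexstr):
    """Decode a hex dump of TCP options, keeping their order (which OSF compares)."""
    data = bytes.fromhex(hexstr)
    out, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                      # EOL ends the option list
            out.append("EOL")
            break
        if kind == 1:                      # NOP carries no length byte
            out.append("NOP")
            i += 1
            continue
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = data[i + 1]
        payload = data[i + 2:i + length]
        if kind == 2:
            out.append("MSS=%d" % int.from_bytes(payload, "big"))
        elif kind == 3:
            out.append("WS=%d" % payload[0])
        else:
            out.append(OPT_NAMES.get(kind, "OPT%d" % kind))
        i += length
    return out

def parse_unknown_line(line):
    """Split an 'ipt_osf: Unknown:' line; field order window:ttl:df:ip_len:options is assumed."""
    m = re.search(r"Unknown: (\d+):(\d+):(\d+):(\d+):([0-9A-Fa-f]*) ([\d.]+):\d+ -> ([\d.]+):\d+", line)
    if not m:
        return None
    return {"window": int(m.group(1)), "ttl": int(m.group(2)), "df": int(m.group(3)),
            "ip_len": int(m.group(4)), "options": decode_tcp_options(m.group(5)),
            "src": m.group(6), "dst": m.group(7)}

def ttl_is_trustworthy(src, local_net):
    """--smart rule from the page: trust the TTL only when the source is on our local network."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(local_net)

if __name__ == "__main__":
    syn = parse_unknown_line(LOG_LINE)
    print(syn, "ttl usable:", ttl_is_trustworthy(syn["src"], "11.22.33.0/24"))
```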
.BI "--genre " "[!] string"
Match an OS genre by passive fingerprinting.
#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart
NOTE: -p tcp is obviously required as it is a TCP match.
Fingerprints can be loaded and read through the /proc/sys/net/ipv4/osf file.
One can flush all fingerprints with the following command:
echo -en FLUSH > /proc/sys/net/ipv4/osf
Only one fingerprint per open/write/close.
Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os