From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
To: Jeff Garzik <jeff@garzik.org>
Cc: Patrick McHardy <kaber@trash.net>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: Passive OS fingerprinting.
Date: Tue, 1 Jul 2008 17:39:58 +0400 [thread overview]
Message-ID: <20080701133958.GA11317@2ka.mipt.ru> (raw)
In-Reply-To: <486A31FF.8050201@garzik.org>
Hi Jeff.
On Tue, Jul 01, 2008 at 09:32:47AM -0400, Jeff Garzik (jeff@garzik.org) wrote:
> It sure would be nice for regular socket applications to have an easy,
> unprivileged way to query the OS fingerprint information of a given socket.
>
> Speaking purely from a userspace application API perspective, it would
> be most useful for an app to be able to stop OSF collection, start OSF
> collection, and query OSF stats. start/stop would be a refcount that
> disables in-kernel OSF when not in use.
>
> To present a specific use case: I would like to know if incoming SMTP
> connections are Windows or not. That permits me to better determine if
> the incoming connection is a hijacked PC or not -- it becomes a useful
> factor in spamassassin scoring.
>
> In this case, incoming SMTP is -always- TCP, thus being a TCP-specific
> module is not a problem. You cover a huge swath of apps even if the
> module is TCP-specific.
>
> Another use case is validating whether a browser is "lying" about its
> OS, when parsing HTTP user-agent info, or in general when any remote
> agent is "lying" about its OS. Security software can use that as an
> additional red-flag factor.
It is possible right now in OSF: it sends a netlink notification to
userspace about received and matched packet. We can even think some more
about reverse channel - to inform kernel about some steps for this
match, it requires root priveledges though. It can also be done via
different channel (like running script to install iptables rule).
--
Evgeniy Polyakov
next prev parent reply other threads:[~2008-07-01 13:39 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-07-01 11:39 Passive OS fingerprinting Evgeniy Polyakov
2008-07-01 11:53 ` Patrick McHardy
2008-07-01 12:03 ` Evgeniy Polyakov
2008-07-01 12:35 ` Patrick McHardy
2008-07-01 13:08 ` Evgeniy Polyakov
2008-07-01 13:41 ` Patrick McHardy
2008-07-01 14:14 ` Evgeniy Polyakov
2008-07-01 14:16 ` Patrick McHardy
2008-07-01 14:48 ` Evgeniy Polyakov
2008-07-01 14:54 ` Patrick McHardy
2008-07-01 14:26 ` Jan Engelhardt
2008-07-01 14:25 ` Patrick McHardy
2008-07-01 13:32 ` Jeff Garzik
2008-07-01 13:35 ` Patrick McHardy
2008-07-01 13:47 ` Evgeniy Polyakov
2008-07-01 15:34 ` Jeff Garzik
2008-07-01 15:44 ` Patrick McHardy
2008-07-01 13:39 ` Evgeniy Polyakov [this message]
2008-07-01 19:56 ` Paul E. McKenney
2008-07-01 21:21 ` Evgeniy Polyakov
[not found] ` <20080701224149.GA8449@linux.vnet.ibm.com>
2008-07-02 4:46 ` Evgeniy Polyakov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080701133958.GA11317@2ka.mipt.ru \
--to=johnpol@2ka.mipt.ru \
--cc=jeff@garzik.org \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).