From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
To: Patrick McHardy <kaber@trash.net>
Cc: Jeff Garzik <jeff@garzik.org>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: Passive OS fingerprinting.
Date: Tue, 1 Jul 2008 17:47:10 +0400
Message-ID: <20080701134709.GA14457@2ka.mipt.ru>
In-Reply-To: <486A3286.9060100@trash.net>
On Tue, Jul 01, 2008 at 03:35:02PM +0200, Patrick McHardy (kaber@trash.net) wrote:
> >It sure would be nice for regular socket applications to have an easy,
> >unprivileged way to query the OS fingerprint information of a given
> >socket.
>
> I'm not sure how much OSF depends on the TTL, but doing this
> more than one hop away from the host (or without knowledge of
> the number of hops) makes using the TTL basically impossible.
There are three modes in OSF: LAN, where things are simple; no-ttl, where
things are even simpler and false positive; and heuristic mode,
which checks the TTL, but with some add-ons. For example, if the TTL is 31, it is
possible that it is an OS with initial TTL equal to 32, or another OS
with initial TTL 48, and whatever other checks succeed for those cases
determine what the OS is.
It works quite well on the internet, not only on a LAN, since it is frequently
enough to only roughly determine the initial TTL.
> >Another use case is validating whether a browser is "lying" about its
> >OS, when parsing HTTP user-agent info, or in general when any remote
> >agent is "lying" about its OS. Security software can use that as an
> >additional red-flag factor.
>
> I for one would be much happier to only have netfilter as a user
> of this :)
Security checkers do like to put their hands into sooo deep places in the stack :)
--
Evgeniy Polyakov
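The three TTL modes described in the message above, as an added example that is not part of the original mail or of the OSF/xt_osf code. The signature table, the field names, the `OSF_MAX_HOPS` budget and the choice of TCP window size and DF bit as the "other checks" that separate candidates are all assumptions for illustration, not the real fingerprint format.

```c
#include <stdio.h>
#include <stddef.h>

/* The three matching modes from the discussion (names are assumed, not xt_osf's). */
enum osf_mode {
	OSF_MODE_LAN,       /* observed TTL must equal the initial TTL exactly */
	OSF_MODE_NOTTL,     /* TTL is ignored; more matches, more false positives */
	OSF_MODE_HEURISTIC  /* TTL may have been decremented by up to OSF_MAX_HOPS hops */
};

struct osf_sig {
	const char *name;
	unsigned char initial_ttl;
	unsigned short window;  /* TCP window size advertised in the SYN */
	int df;                 /* IP Don't-Fragment bit set */
};

/* Constructed sample table: hypothetical values, not real OS fingerprints. */
static const struct osf_sig sigs[] = {
	{ "sample-os-ttl32",   32,  8760, 0 },
	{ "sample-os-ttl48",   48,  8760, 0 },
	{ "sample-os-ttl64",   64,  5840, 1 },
	{ "sample-os-ttl128", 128, 65535, 1 },
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

/* Assumed hop budget for heuristic mode. */
#define OSF_MAX_HOPS 30

/* Returns the implied hop distance when the observed ttl is compatible with
 * initial_ttl under the given mode, or -1 when it is not. */
int osf_hops(enum osf_mode mode, unsigned char ttl, unsigned char initial_ttl)
{
	int hops;

	switch (mode) {
	case OSF_MODE_NOTTL:
		return 0;
	case OSF_MODE_LAN:
		return ttl == initial_ttl ? 0 : -1;
	case OSF_MODE_HEURISTIC:
		if (ttl > initial_ttl)
			return -1;
		hops = initial_ttl - ttl;
		return hops <= OSF_MAX_HOPS ? hops : -1;
	}
	return -1;
}

/* Matches the observed SYN fields against every signature. Window and DF are
 * the "other checks" that decide between TTL candidates. Indices of matching
 * signatures are written to out (at most out_max); the total count is returned. */
int osf_match(enum osf_mode mode, unsigned char ttl, unsigned short window, int df,
	      int *out, int out_max)
{
	int n = 0;
	size_t i;

	for (i = 0; i < NSIGS; i++) {
		if (sigs[i].window != window || sigs[i].df != df)
			continue;
		if (osf_hops(mode, ttl, sigs[i].initial_ttl) < 0)
			continue;
		if (n < out_max)
			out[n] = (int)i;
		n++;
	}
	return n;
}

int main(void)
{
	/* Constructed observation: the TTL-31 case from the mail. */
	int idx[NSIGS];
	int n = osf_match(OSF_MODE_HEURISTIC, 31, 8760, 0, idx, NSIGS);
	int i;

	for (i = 0; i < n; i++)
		printf("%s (%d hops)\n", sigs[idx[i]].name,
		       osf_hops(OSF_MODE_HEURISTIC, 31, sigs[idx[i]].initial_ttl));
	return 0;
}
```

With an observed TTL of 31 the heuristic mode keeps both the initial-TTL-32 and initial-TTL-48 signatures (1 and 17 hops away) and lets the window and DF checks separate them, while LAN mode rejects everything because no table entry starts at 31.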