From: Patrick McHardy <kaber@trash.net>
To: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: Passive OS fingerprinting.
Date: Tue, 01 Jul 2008 13:53:43 +0200
Message-ID: <486A1AC7.9020706@trash.net>
In-Reply-To: <20080701113927.GA16343@2ka.mipt.ru>

Evgeniy Polyakov wrote:
> Passive OS fingerprinting for iptables (xtables) allows matching incoming
> packets by different sets of SYN-packet features and determining which
> system is on the remote end, so you can make decisions based on OS
> type and even version to some degree and perform various netfilter
> actions based on that knowledge.
> 
> This module compares some data (WS, MSS, options and their order, ttl, df
> and others) from packets with the SYN bit set against dynamically loaded OS
> fingerprints.

[Only some general comments without having looked at the
code in detail]

My two main objections are that this only works for TCP and
can be trivially evaded. What use cases does it have?
I'm also wondering whether this couldn't be implemented
using the u32 match.

> This version existed for quite a while in patch-o-matic(-ng), but
> suddenly was dropped and then was only updated in its own repo:
> http://tservice.net.ru/~s0mbre/old/?section=projects&item=osf
> 
> I've updated OSF to match new iptables standards (namely xtables
> support) and present the new kernelspace and userspace library files in
> the attachment.
> 
> To set up a single rule which will drop and log all incoming Linux
> access, one needs to do the following steps:
> # insmod ./ipt_osf.ko
> # ./load ./pf.os /proc/sys/net/ipv4/osf
> # iptables -I INPUT -j DROP -p tcp -m osf --genre Linux --log 2 \
> --ttl 2 --connector

And I don't think it should be using connector. AFAIK we
only have a single user in the tree currently and new
stuff usually uses genetlink (which is pretty similar),
so we might be able to remove connector in the future
unless we add new users. But netfilter modules should
use nfnetlink anyway.
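As an added illustration (not part of this thread and not the OSF module's own code), the following Python models the SYN-feature comparison Evgeniy describes: it pulls TTL, DF, window size, packet size, MSS, window scale and option order out of a raw IPv4/TCP SYN and checks them against signature lines whose layout is modeled on pf.os (wsize:ttl:df:size:options:genre:details). The two signature lines and the sample packets are constructed for the example, the matching rules (window as a multiple of MSS, up to 32 hops of TTL decrement, exact DF/size/option order) are assumptions rather than the module's exact semantics, and the helper names are invented here. The parser's early returns and the TTL-altered case at the end make Patrick's two points concrete: nothing but a TCP SYN is ever inspected, and every field the match relies on is chosen by the sender.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SynFeatures:
    ttl: int
    df: bool
    window: int
    total_len: int
    mss: Optional[int]
    wscale: Optional[int]
    option_order: List[str]   # e.g. ["M", "S", "T", "N", "W"]


def parse_syn(pkt: bytes) -> Optional[SynFeatures]:
    """Extract fingerprint-relevant fields from an IPv4/TCP SYN; None for anything else."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:   # IPv4 carrying TCP only
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    if len(tcp) < 20 or (tcp[13] & 0x12) != 0x02:          # SYN set, ACK clear
        return None
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i, mss, wscale, order = tcp[20:doff], 0, None, None, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                       # end of option list
            break
        if kind == 1:                                       # NOP carries no length byte
            order.append("N"); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                                           # malformed: stop, don't misparse
        length, data = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2 and len(data) == 2:
            mss = struct.unpack("!H", data)[0]; order.append("M")
        elif kind == 3 and len(data) == 1:
            wscale = data[0]; order.append("W")
        elif kind == 4:
            order.append("S")                               # SACK permitted
        elif kind == 8:
            order.append("T")                               # timestamps
        else:
            order.append("?%d" % kind)                      # unknown kinds still affect order
        i += length
    return SynFeatures(pkt[8], df, window, total_len, mss, wscale, order)


def parse_signature(line: str) -> dict:
    """Split a pf.os-style line: wsize:ttl:df:size:options:genre:details."""
    wsize, ttl, df, size, opts, genre, details = line.split(":", 6)
    return {"wsize": wsize, "ttl": int(ttl), "df": df == "1", "size": size,
            "opts": opts.split(",") if opts else [], "genre": genre, "details": details}


def match_signature(f: SynFeatures, sig: dict) -> bool:
    w = sig["wsize"]
    if w.startswith("S"):                 # "Sn": window is n times the advertised MSS
        if f.mss is None or f.window != int(w[1:]) * f.mss:
            return False
    elif w != "*" and f.window != int(w):
        return False
    # Initial TTL is unknown: accept up to 32 hops of decrement below the signature value.
    if not (sig["ttl"] - 32 < f.ttl <= sig["ttl"]) or f.df != sig["df"]:
        return False
    if sig["size"] != "*" and f.total_len != int(sig["size"]):
        return False
    if len(sig["opts"]) != len(f.option_order):
        return False
    for want, got in zip(sig["opts"], f.option_order):
        if want[0] != got[0]:
            return False                  # option kind or order differs
        if want[0] in "MW" and want[1:] != "*":
            if (f.mss if want[0] == "M" else f.wscale) != int(want[1:]):
                return False
    return True


def build_syn(ttl, df, window, options, flags=0x02):
    """Assemble a minimal IPv4/TCP packet (checksums zero); constructed test input only."""
    options += b"\x00" * ((-len(options)) % 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, ((20 + len(options)) // 4) << 4,
                      flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed signature lines in pf.os-like syntax (illustrative, not a real database).
SIGNATURES = [parse_signature(s) for s in [
    "S4:64:1:60:M*,S,T,N,W7:Linux:2.6-style stack (constructed)",
    "65535:128:1:48:M*,N,N,S:Windows:XP-style stack (constructed)",
]]
MSS1460, SACKOK, NOP, WS7 = b"\x02\x04\x05\xb4", b"\x04\x02", b"\x01", b"\x03\x03\x07"
TIMESTAMPS = b"\x08\x0a" + b"\x00" * 8
LINUX_SYN = build_syn(58, True, 4 * 1460, MSS1460 + SACKOK + TIMESTAMPS + NOP + WS7)   # six hops
WINDOWS_SYN = build_syn(117, True, 65535, MSS1460 + NOP + NOP + SACKOK)


def classify(pkt, signatures=SIGNATURES):
    """Genre of the first matching signature, or None (non-TCP, non-SYN, or no match)."""
    f = parse_syn(pkt)
    return next((s["genre"] for s in signatures if f and match_signature(f, s)), None)


if __name__ == "__main__":
    for name, pkt in [("linux", LINUX_SYN), ("windows", WINDOWS_SYN)]:
        print(name, parse_syn(pkt), "->", classify(pkt))
    # Same Linux-style options with a different TTL: no signature fits any more.
    print("ttl changed ->", classify(build_syn(128, True, 4 * 1460,
                                              MSS1460 + SACKOK + TIMESTAMPS + NOP + WS7)))
```

Where an operator would use the rule `-m osf --genre Linux` to act on the match, this model shows what that match actually rests on: a handful of sender-chosen header fields, which is why the result is only a hint for logging or policy and not an identity.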

Thread overview: 21+ messages
2008-07-01 11:39 Passive OS fingerprinting Evgeniy Polyakov
2008-07-01 11:53 ` Patrick McHardy [this message]
2008-07-01 12:03   ` Evgeniy Polyakov
2008-07-01 12:35     ` Patrick McHardy
2008-07-01 13:08       ` Evgeniy Polyakov
2008-07-01 13:41         ` Patrick McHardy
2008-07-01 14:14           ` Evgeniy Polyakov
2008-07-01 14:16             ` Patrick McHardy
2008-07-01 14:48               ` Evgeniy Polyakov
2008-07-01 14:54                 ` Patrick McHardy
2008-07-01 14:26         ` Jan Engelhardt
2008-07-01 14:25           ` Patrick McHardy
2008-07-01 13:32       ` Jeff Garzik
2008-07-01 13:35         ` Patrick McHardy
2008-07-01 13:47           ` Evgeniy Polyakov
2008-07-01 15:34           ` Jeff Garzik
2008-07-01 15:44             ` Patrick McHardy
2008-07-01 13:39         ` Evgeniy Polyakov
2008-07-01 19:56 ` Paul E. McKenney
2008-07-01 21:21   ` Evgeniy Polyakov
     [not found]     ` <20080701224149.GA8449@linux.vnet.ibm.com>
2008-07-02  4:46       ` Evgeniy Polyakov