Re: Passive OS fingerprinting.

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Jeff Garzik <jeff@garzik.org>
To: Patrick McHardy <kaber@trash.net>
Cc: Evgeniy Polyakov <johnpol@2ka.mipt.ru>,
	netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: Passive OS fingerprinting.
Date: Tue, 01 Jul 2008 11:34:08 -0400	[thread overview]
Message-ID: <486A4E70.3000603@garzik.org> (raw)
In-Reply-To: <486A3286.9060100@trash.net>

Patrick McHardy wrote:
> Jeff Garzik wrote:
>> Patrick McHardy wrote:
>>> What about the use cases? I certainly like the idea you suggest in
>>> your blog ("Ever dreamt to block all Linux users in your network
>>> from accessing internet and allow full bandwidth to Windows worm?")
>>> :) But something this easy to evade doesn't seem to provide a real
>>> benefit for a firewall.
>>>
>>> I can see that something like "Block IE6 running on Windows version X"
>>> might be useful (NUFW can do this I think), but that needs support
>>> from the host.
>>
>> Not addressing Evgeniy's module but speaking generally...
>>
>> It sure would be nice for regular socket applications to have an easy, 
>> unprivileged way to query the OS fingerprint information of a given 
>> socket.
> 
> I'm not sure how much OSF depends on the TTL, but doing this
> more than one hop away from the host (or without knowledge of
> the number of hops) makes using the TTL basically impossible.

The userspace version works quite well over the Internet:
http://lcamtuf.coredump.cx/p0f.shtml


>> Speaking purely from a userspace application API perspective, it would 
>> be most useful for an app to be able to stop OSF collection, start OSF 
>> collection, and query OSF stats.  start/stop would be a refcount that 
>> disables in-kernel OSF when not in use.
>>
>> To present a specific use case:  I would like to know if incoming SMTP 
>> connections are Windows or not.  That permits me to better determine 
>> if the incoming connection is a hijacked PC or not -- it becomes a 
>> useful factor in spamassassin scoring.
>>
>> In this case, incoming SMTP is -always- TCP, thus being a TCP-specific 
>> module is not a problem.  You cover a huge swath of apps even if the 
>> module is TCP-specific.
>>
>> Another use case is validating whether a browser is "lying" about its 
>> OS, when parsing HTTP user-agent info, or in general when any remote 
>> agent is "lying" about its OS.  Security software can use that as an 
>> additional red-flag factor. 
> 
> I for one would be much happier to only have netfilter as a user
> of this :)

I'm not sure I understand?  When site A connects to site B via TCP, is 
there a problem letting site A know the OS of site B?

	Jeff

next prev parent reply	other threads:[~2008-07-01 15:34 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-07-01 11:39 Passive OS fingerprinting Evgeniy Polyakov
2008-07-01 11:53 ` Patrick McHardy
2008-07-01 12:03   ` Evgeniy Polyakov
2008-07-01 12:35     ` Patrick McHardy
2008-07-01 13:08       ` Evgeniy Polyakov
2008-07-01 13:41         ` Patrick McHardy
2008-07-01 14:14           ` Evgeniy Polyakov
2008-07-01 14:16             ` Patrick McHardy
2008-07-01 14:48               ` Evgeniy Polyakov
2008-07-01 14:54                 ` Patrick McHardy
2008-07-01 14:26         ` Jan Engelhardt
2008-07-01 14:25           ` Patrick McHardy
2008-07-01 13:32       ` Jeff Garzik
2008-07-01 13:35         ` Patrick McHardy
2008-07-01 13:47           ` Evgeniy Polyakov
2008-07-01 15:34           ` Jeff Garzik [this message]
2008-07-01 15:44             ` Patrick McHardy
2008-07-01 13:39         ` Evgeniy Polyakov
2008-07-01 19:56 ` Paul E. McKenney
2008-07-01 21:21   ` Evgeniy Polyakov
     [not found]     ` <20080701224149.GA8449@linux.vnet.ibm.com>
2008-07-02  4:46       ` Evgeniy Polyakov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=486A4E70.3000603@garzik.org \
    --to=jeff@garzik.org \
    --cc=johnpol@2ka.mipt.ru \
    --cc=kaber@trash.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).