
PF filter decisions based on source OS type


Mike Frantzen
Aug 21, 2003, 3:53:44 PM

Just committed a diff to -current that adds Michal Zalewski's
p0f v2 style passive fingerprinting to PF. It allows PF to filter on
the operating system of the source host by passively fingerprinting
the SYN packets. Powerful policy enforcement is now possible:
block proto tcp from any os Windows to any port smtp
block proto tcp from any os SCO
pass proto tcp from any os $UNIXES keep state queue high-bandwidth

# Send older windows to a web page telling them to upgrade
rdr on le0 proto tcp from any os "Windows 98" to any port 80 \
-> 127.0.0.1 port 8001

Passive fingerprinting has also been added to tcpdump via the -o
parameter to print out the sender OS of TCP SYN packets.

There is a short writeup at http://www.w4g.org/fingerprinting.html

We need your help to populate the operating system database. Please
go to http://lcamtuf.coredump.cx/p0f-help with as many machines with
web browsers as possible and type in your OS name if it doesn't
recognize the machine.

.mike

Ed White
Aug 21, 2003, 6:03:31 PM

On Thursday 21 August 2003 21:18, Mike Frantzen wrote:
> Just committed a diff to -current that adds Michal Zalewski's
> p0f v2 style passive fingerprinting to PF. It allows PF to filter on
> the operating system of the source host by passively fingerprinting
> the SYN packets.

How does this interact with syn-proxy?

I would like other types of SYN packets to be added to the database.
I'm talking about those that aren't created by an OS stack, but by tools like
hping, nmap, ettercap, firewalk...

Any way?

Ed


Jolan Luff
Aug 21, 2003, 6:20:05 PM

On Thu, Aug 21, 2003 at 11:39:30PM +0200, Ed White wrote:
> I would like other types of SYN packets to be added to the database.
> I'm talking about those that aren't created by an OS stack, but by tools like
> hping, nmap, ettercap, firewalk...
>
> Any way?

Must be a way as nmap is already in pf.os.

Daniel Hartmeier
Aug 21, 2003, 7:11:40 PM

On Fri, Aug 22, 2003 at 12:36:29AM +0200, Ed White wrote:

> If the packet matches all the values, but it's not a plain SYN, will the new feature
> skip this rule?
> I mean, does the "os platform" directive imply "flags S/FSRPAU", or simply
> "flags S/S"?

Neither. If the packet matches all other parameters, but isn't a TCP SYN
(SYN set, ACK unset), the os directive is ignored (matches).

Daniel
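The semantics Daniel describes above (the os directive is consulted only for a TCP SYN, SYN set and ACK clear, and is ignored on any other packet so the rule matches on its remaining parameters) and the p0f v2 style SYN fingerprinting Mike introduced, modeled in Python as an added example. This is not PF's code and not part of the thread: the signature syntax follows the pf.os / p0f v2 format (window:ttl:df:size:options:class:version:subtype:description), but the signatures and packets in it are constructed samples rather than real pf.os entries, TTL_DISTANCE is an assumed p0f-style tolerance, and the function and constant names (`fingerprint`, `rule_applies`, `BLOCK_31337`, and so on) are mine.

```python
"""Added example, not PF's own code: a model of p0f-v2 style SYN fingerprinting and
of how PF evaluates the `os` rule keyword as Daniel Hartmeier's reply describes it.
Signature syntax follows the pf.os / p0f v2 format; the signatures and packets are
CONSTRUCTED samples, not real pf.os entries, and TTL_DISTANCE is an assumption."""
from collections import namedtuple

# window:ttl:df:size:options:class:version:subtype:description  (constructed samples)
SAMPLE_PF_OS = """
65535:128:1:48:M*,N,N,S:Windows:XP::Windows XP (constructed sample)
8192:128:1:44:M*:Windows:98::Windows 98 (constructed sample)
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.x::OpenBSD 3.x (constructed sample)
S4:64:1:60:M*,S,T,N,W0:Linux:2.4::Linux 2.4 (constructed sample)
"""
TTL_DISTANCE = 40  # assumption: p0f's convention that a SYN arrives at most 40 hops below its initial TTL

# flags: TCP flag letters ("S", "SA", "A"); size: total IP length;
# opts: TCP options in wire order, e.g. [("M", 1460), ("N", None), ("W", 0), ("T", 7)]
Packet = namedtuple("Packet", "flags ttl df size window opts dport")
Signature = namedtuple("Signature", "window ttl df size opts cls version subtype desc")
Rule = namedtuple("Rule", "action os dport")   # os=None means the rule has no os directive

def load_signatures(text):
    sigs = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":", 8)
            sigs.append(Signature(f[0], int(f[1]), int(f[2]), f[3], f[4], f[5], f[6], f[7], f[8]))
    return sigs

def is_syn(pkt):
    """PF fingerprints only packets with SYN set and ACK clear."""
    return "S" in pkt.flags and "A" not in pkt.flags

def _window_ok(spec, pkt):
    mss = next((v for k, v in pkt.opts if k == "M"), None)
    if spec == "*":
        return True
    if spec.startswith("S"):        # Snn: window is exactly nn * MSS
        return mss is not None and pkt.window == int(spec[1:]) * mss
    if spec.startswith("%"):        # %nn: window is a multiple of nn
        return pkt.window % int(spec[1:]) == 0
    return pkt.window == int(spec)

def _opts_ok(spec, pkt):
    want = spec.split(",") if spec else []
    if len(want) != len(pkt.opts):
        return False
    for tok, (kind, val) in zip(want, pkt.opts):
        if tok[0] != kind:
            return False
        if kind in ("M", "W") and tok[1:] != "*" and int(tok[1:]) != val:   # M*/W* any value, Mnnn/Wn exact
            return False
        if kind == "T" and (tok == "T0") != (val == 0):                     # T: non-zero timestamp, T0: zero
            return False
    return True                     # N (nop) and S (sackOK) carry no value

def fingerprint(pkt, sigs):
    """First signature matching a SYN; None for non-SYNs and unrecognised stacks."""
    if not is_syn(pkt):
        return None
    for s in sigs:
        if (pkt.ttl <= s.ttl < pkt.ttl + TTL_DISTANCE and int(pkt.df) == s.df
                and s.size in ("*", str(pkt.size)) and _window_ok(s.window, pkt)
                and _opts_ok(s.opts, pkt)):
            return s
    return None

def os_matches(os_spec, sig):
    """pf.conf style lookup: "Windows" names a class, "Windows 98" pins the version, a third word the subtype."""
    if sig is None:
        return os_spec.lower() == "unknown"
    return all(p.lower() == h.lower() for p, h in zip(os_spec.split(), (sig.cls, sig.version, sig.subtype)))

def rule_applies(rule, pkt, sigs):
    """The os directive is consulted only for a TCP SYN; on any other packet it is ignored
    and the rule matches on its remaining parameters alone (Daniel's reply)."""
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.os is not None and is_syn(pkt):
        return os_matches(rule.os, fingerprint(pkt, sigs))
    return True

SIGS = load_signatures(SAMPLE_PF_OS)
BLOCK_31337 = Rule("block", "Windows", 31337)       # the rule Ed asked about
RDR_OLD_WINDOWS = Rule("rdr", "Windows 98", 80)     # Mike's "send older Windows to a web page" rdr
# Constructed packets: a Windows-XP-like SYN 12 hops out, a bare ACK from the same host,
# a Windows-98-like SYN to port 80 and an OpenBSD-like SYN.
XP_SYN = Packet("S", 116, True, 48, 65535, [("M", 1460), ("N", None), ("N", None), ("S", None)], 31337)
XP_ACK = Packet("A", 116, True, 40, 65535, [], 31337)
W98_SYN = Packet("S", 120, True, 44, 8192, [("M", 1460)], 80)
OBSD_SYN = Packet("S", 60, True, 64, 16384, [("M", 1460), ("N", None), ("N", None), ("S", None),
                  ("N", None), ("W", 0), ("N", None), ("N", None), ("T", 4242)], 31337)

if __name__ == "__main__":
    for name, p in (("xp_syn", XP_SYN), ("xp_ack", XP_ACK), ("w98_syn", W98_SYN), ("obsd_syn", OBSD_SYN)):
        sig = fingerprint(p, SIGS)
        print(name, sig.desc if sig else "unknown", "block" if rule_applies(BLOCK_31337, p, SIGS) else "pass")
```

The practical consequence of the "ignored (matches)" behaviour shows up in the `XP_ACK` case: a bare ACK to port 31337 is not fingerprinted, yet the `os Windows` block rule still matches it on the port alone. A rule that is meant to act on the fingerprint only should therefore be written with `flags S/SA` (or with `keep state`, so later packets are handled by the state entry created from the SYN) rather than relying on `os` to restrict it to SYNs.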

Ed White
Aug 21, 2003, 7:21:51 PM

On Thursday 21 August 2003 21:18, Mike Frantzen wrote:
> the SYN packets.

uhm...

...
block in quick inet proto tcp os Windows from any to any port 31337
...


If the packet matches all the values, but it's not a plain SYN, will the new feature
skip this rule?
I mean, does the "os platform" directive imply "flags S/FSRPAU", or simply
"flags S/S"?


Thanks.


Ed


Cedric Berger
Aug 23, 2003, 11:11:17 AM

Mike Frantzen wrote:

>We need your help to populate the operating system database. Please
>go to http://lcamtuf.coredump.cx/p0f-help with as many machines with
>web browsers as possible and type in your OS name if it doesn't
>recognize the machine.
>

I'm typing this mail on a W2K box, behind an OpenBSD firewall (NAT).
My system is not recognized, what should I put there?
Cedric

J.Smith
Aug 24, 2003, 4:46:38 PM

Hi.

The OS detection with p0f sounds really cool to me. So I headed right
over to http://lcamtuf.coredump.cx/p0f-help to help fill the
fingerprint database. I just wondered, is it possible to add
fingerprints for devices or platforms that do not actually let you
point a browser at a web page? For example, I have some special
purpose devices that I would like to add, but they don't come with a
full OS nor a browser. How can I add these to the database?

Sincerely,

John Smith

Duncan Matthew Stirling
Aug 25, 2003, 12:53:44 AM

I think it's such a cool idea, but there are always going to be
exceptions, and limitations.

For example, I have a number of systems at work that I've patched to
appear as a different OS than what they are.
