.\" Jan Engelhardt | 23e718b | 2010-03-27 12:38:45 +0100
The osf module does passive operating system fingerprinting. This module
compares some data (Window Size, MSS, options and their order, TTL, DF,
and others) from packets with the SYN bit set.
.TP
[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
Match an operating system genre by using passive fingerprinting.
.TP
\fB\-\-ttl\fP \fIlevel\fP
Do additional TTL checks on the packet to determine the operating system.
\fIlevel\fP can be one of the following values:
.IP \(bu 4
0 - Exact comparison of the packet's IP TTL with the fingerprint TTL. This
generally works for LANs.
.IP \(bu 4
1 - Check if the IP header's TTL is less than the fingerprint one. Works for
globally-routable addresses.
.IP \(bu 4
2 - Do not compare the TTL at all.
.TP
\fB\-\-log\fP \fIlevel\fP
Log determined genres into dmesg even if they do not match the desired one.
\fIlevel\fP can be one of the following values:
.IP \(bu 4
0 - Log all matched or unknown signatures.
.IP \(bu 4
1 - Log only the first one.
.IP \(bu 4
2 - Log all known matched signatures.
.PP
You may find something like this in syslog:
.PP
Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 hops=3
.br
Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
.PP
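Added example (not part of the man page or of the xt_osf/iptables code): a small Python parser for the syslog line layout shown above, so that the genre, fingerprint fields, endpoints and hop count can be checked by a monitoring script. The sample lines and the per-host inventory (\fBEXPECTED_GENRE\fP) are constructed for the example; the layout assumed is "genre [version:subtype:details] : src:sport -> dst:dport hops=N", which is what the two lines above show.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines, in the layout the man page shows for xt_osf
# syslog output (the addresses are the man page's placeholder values).
SAMPLE_LINES = [
    "Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 hops=3",
    "Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4",
    "kernel: some unrelated message",   # must be ignored by the parser
]

# Constructed inventory: genre each source host is expected to fingerprint as.
EXPECTED_GENRE = {"11.22.33.55": "Linux", "1.2.3.4": "Linux"}

# <genre> [<version>:<subtype>:<details>]<optional space>: <src>:<sport> -> <dst>:<dport> hops=<n>
# The whitespace before the colon after ']' differs between the two sample lines,
# so it is matched with \s*.  search() is used so a syslog prefix before the
# genre ("... kernel: ") does not break matching.
OSF_RE = re.compile(
    r"(?P<genre>\S+) \[(?P<fp>[^\]]*)\]\s*:\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) hops=(?P<hops>\d+)"
)


def parse_osf_line(line: str) -> Optional[Dict]:
    """Parse one xt_osf log line; return a dict of fields or None if it is not one."""
    m = OSF_RE.search(line)
    if not m:
        return None
    # The bracketed field is version:subtype:details; trailing parts may be empty
    # (the Linux sample carries "2.5-2.6:" with no subtype and no details).
    parts = m.group("fp").split(":", 2) + ["", ""]
    return {
        "genre": m.group("genre"),
        "version": parts[0],
        "subtype": parts[1],
        "details": parts[2],
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "hops": int(m.group("hops")),
    }


def parse_osf_log(lines: List[str]) -> List[Dict]:
    """Parse a batch of log lines, skipping those that are not xt_osf output."""
    return [r for r in (parse_osf_line(l) for l in lines) if r is not None]


def unexpected_genres(records: List[Dict], expected: Dict[str, str]) -> List[Dict]:
    """Return records whose source host fingerprints as a genre other than the
    one the inventory expects (hosts not in the inventory are not judged)."""
    return [r for r in records
            if r["src"] in expected and r["genre"] != expected[r["src"]]]


if __name__ == "__main__":
    recs = parse_osf_log(SAMPLE_LINES)
    for r in recs:
        print(f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'{r["genre"]} {r["version"]} hops={r["hops"]}')
    for r in unexpected_genres(recs, EXPECTED_GENRE):
        print(f'genre mismatch: {r["src"]} expected {EXPECTED_GENRE[r["src"]]}, '
              f'fingerprinted as {r["genre"]}')
```

With \fB\-\-log 0\fP the module logs unknown signatures too, so a line whose bracketed field does not split into the three parts is still parsed; the empty fields simply stay empty.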
OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
fingerprints from a file, use:
.PP
\fBnfnl_osf -f /usr/share/xtables/pf.os\fP
.PP
To remove them again,
.PP
\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
.PP
The fingerprint database can be downloaded from
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .