
OSFinger.h

00001 // $Id: OSFinger.h,v 1.1 2004/12/31 08:16:41 vern Exp $
00002 
00003 // Taken with permission from:
00004 //
00005 // p0f - passive OS fingerprinting (GNU LESSER GENERAL PUBLIC LICENSE)
00006 // -------------------------------------------------------------------
00007 //
00008 // "If you sit down at a poker game and don't see a sucker,
00009 // get up. You're the sucker."
00010 //
00011 // (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
00012 
00013 #ifndef osfinger_h
00014 #define osfinger_h
00015 
00016 #include "util.h"
00017 #include "Dict.h"
00018 
00019 
00020 // Size limit for size wildcards.
// Size limit for size wildcards.
#define PACKET_BIG 100

// Maximum number of signatures allowed in the config file.  This also
// sizes OSFingerprint::sig[], so the config parser must refuse to store
// more than this many entries (verify in OSFinger.cc).
#define MAXSIGS 1024

// Max signature line length.
#define MAXLINE 1024

// Maximum distance from a host to be taken seriously. Between 35 and 64
// is sane. Making it too high might result in some (very rare) false
// positives, too low will result in needless UNKNOWNs.
#define MAXDIST 40

// Maximum number of TCP options stored per signature (capacity of
// fp_entry::opt[]).  A TCP header is at most 60 bytes (the 4-bit data
// offset counts 32-bit words), 20 of which are the fixed header, so even
// one-byte options leave room for no more than 40.  We err on the safe side.
#define MAXOPT 64
00039 
// Instantiate the PDict(int) dictionary type from Dict.h; it backs the
// os_matches member of OSFingerprint below.
declare(PDict,int);
00041 
// Result of a lookup (filled in through the retval argument of
// OSFingerprint::FindMatch / Get_OS_From_SYN).
struct os_type {
	char* os;	// OS genre.  NOTE(review): presumably aliases the
			// matching fp_entry's string rather than owning a copy
			// -- confirm in OSFinger.cc before freeing anything.
	char* desc;	// OS description (same ownership caveat as os)
	uint8 dist;	// estimated hop distance (compare MAXDIST)
	uint16 gadgets;	// bitmask of GADGET* flags
	uint16 match;	// bitmask of MATCH* flags
	uint32 uptime;	// uptime estimate; units are not established by this header
};
00050 
// One signature parsed from the config file.  Entries live in
// OSFingerprint::sig[] and are chained through 'next' into the bh[]
// hash buckets selected by SIGHASH().
struct fp_entry {
	struct fp_entry* next;	// next entry in the same hash bucket
	char* os;		// OS genre
	char* desc;		// OS description
	uint8 no_detail;	// disable guesstimates
	uint8 generic;		// generic hit
	uint8 userland;		// userland stack
	uint16 wsize;		// window size
	uint8 wsize_mod;	// MOD_* for wsize
	uint8 ttl;		// TTL
	uint8 df;		// don't fragment bit
	uint8 zero_stamp;	// timestamp option but zero value?
	uint16 size;		// packet size
	uint8 optcnt;		// option count; a uint8 can hold up to 255 but
				// opt[] has only MAXOPT slots, so the parser must
				// reject signatures with more options than that
	uint8 opt[MAXOPT];	// TCPOPT_*
	uint16 wsc;		// window scaling option
	uint16 mss;		// MSS option
	uint8 wsc_mod;		// modulo for WSCALE (NONE or CONST)
	uint8 mss_mod;		// modulo for MSS (NONE or CONST)
	uint32 quirks;		// packet quirks and bugs (bitmask of QUIRK_*)
	uint32 line;		// config file line
};
00073 
// Link-MTU table entry: an MTU value and the device/link type it is
// associated with; presumably consulted for MOD_MTU matching.
struct mtu_def {
	uint16 mtu;
	char* dev;
};
00078 
// Which TCP packet kind an OSFingerprint instance is configured to
// fingerprint; passed to the constructor and kept in its 'mode' member.
// NOTE(review): the trailing comma after the last enumerator is only
// standard C++ since C++11; older compilers accept it as an extension.
enum FingerprintMode {
	SYN_FINGERPRINT_MODE, SYN_ACK_FINGERPRINT_MODE, RST_FINGERPRINT_MODE,
};
00082 
// Passive OS fingerprinter: p0f's signature matcher wrapped as a class.
// An instance is built for one FingerprintMode and holds the signature
// table filled by load_config(); lookups go through FindMatch() and
// Get_OS_From_SYN().  Because sig[] is embedded (MAXSIGS entries of
// struct fp_entry) the object is large -- allocate it once, on the heap,
// rather than as a stack local.
class OSFingerprint {
public:
	OSFingerprint(FingerprintMode mode);
	~OSFingerprint()	{}

	// True once any Error(...) overload has fired (a fatal error).  There
	// is no other error channel in this interface, so callers should
	// check it after construction / load_config().
	bool Error() const	{ return err; }

	// Look up the signature for a packet described by its attributes:
	// total length, DF flag, TTL, window size, 'ocnt' TCPOPT_* codes at
	// 'op', MSS, window scale, timestamp, QUIRK_* mask and ECN flag.  The
	// result is written through retval; what the int return encodes is
	// not visible here -- confirm against OSFinger.cc.
	// NOTE(review): ocnt is a uint8 while fp_entry::opt[] holds only
	// MAXOPT codes; the implementation must bound any opt[] comparison
	// by MAXOPT rather than trusting ocnt from the wire.
	int FindMatch(struct os_type* retval, uint16 tot, uint8 DF_flag,
		uint8 TTL, uint16 WSS, uint8 ocnt, uint8* op, uint16 MSS,
		uint8 win_scale, uint32 tstamp, uint32 quirks, uint8 ECN) const;
	// Record/consult the per-address match cache (os_matches) for addr
	// and match id; the meaning of the bool return is not visible here.
	bool CacheMatch(uint32 addr, int id);

	// Same attribute set as FindMatch (a TOS parameter was dropped from
	// the interface, see the commented-out slot).  How it relates to
	// FindMatch is not visible in this header.
	int Get_OS_From_SYN(struct os_type* retval,
			uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS,
			uint8 ocnt, uint8* op, uint16 MSS, uint8 win_scale,
			uint32 tstamp, /* uint8 TOS, */ uint32 quirks,
			uint8 ecn) const;

	// Parse a p0f-style signature file into sig[]/bh[].  Returns nothing,
	// so failures are presumably reported through Error().
	// NOTE(review): the parameter could be const char*; the definition
	// in OSFinger.cc would need the same change.
	void load_config(char* file);

protected:
	// Presumably reports a signature that collides with an earlier one
	// (p0f's collision warning); id is the signature index.
	void collide(uint32 id);

	// Report a fatal error through the free function error() (from
	// util.h, presumably) and latch err so Error() stays true.
	void Error(const char* msg)
		{
		error(msg);
		err = true;
		}

	// As above, with an integer argument for the message.
	void Error(const char* msg, int n)
		{
		error(msg, n);
		err = true;
		}

	// As above, with a string argument for the message.
	void Error(const char* msg, const char* s)
		{
		error(msg, s);
		err = true;
		}

private:
	bool err;	// if true, a fatal error has occurred
	unsigned int mode;	// the FingerprintMode given at construction
	uint32 sigcnt, gencnt;	// loaded signature count / generic count, presumably
	uint8 problems;	// meaning not visible in this header
	struct fp_entry sig[MAXSIGS];	// signature table, fixed capacity

	/* By hash */
	// Buckets indexed by SIGHASH(); entries chain via fp_entry::next.
	// SIGHASH masks its result with 0x0f, so OSHSIZE must stay 16
	// unless that mask is changed in step.
#define OSHSIZE 16
	struct fp_entry* bh[OSHSIZE];

	PDict(int) os_matches;	// address -> match id cache used by CacheMatch(), presumably
};
00137 
00138 #define SIGHASH(tsize, optcnt, q, df) \
00139         ((uint8(((tsize) << 1) ^ ((optcnt) << 1) ^ (df) ^ (q) )) & 0x0f)
00140 
// Values for fp_entry::wsize_mod, wsc_mod and mss_mod: how the
// corresponding field is compared (exact, constant modulus, multiple of
// MSS, multiple of MTU).  wsc_mod/mss_mod are documented to use only
// MOD_NONE / MOD_CONST.
#define MOD_NONE	0
#define MOD_CONST	1
#define MOD_MSS		2
#define MOD_MTU		3
00145 
// Bits of fp_entry::quirks and of the 'quirks' argument to FindMatch.
// The letter in each comment is presumably the single-character code
// used for the quirk in the signature file.  The highest bit used is
// 0x1000, well within the uint32 field.
#define QUIRK_PAST	0x1 /* P */
#define QUIRK_ZEROID	0x2 /* Z */
#define QUIRK_IPOPT	0x4 /* I */
#define QUIRK_URG	0x8 /* U */
#define QUIRK_X2	0x10 /* X */
#define QUIRK_ACK	0x20 /* A */
#define QUIRK_T2	0x40 /* T */
#define QUIRK_FLAGS	0x80 /* F */
#define QUIRK_DATA	0x100 /* D */
#define QUIRK_BROKEN	0x200 /* ! */
#define QUIRK_RSTACK	0x400 /* K */
#define QUIRK_SEQEQ	0x800 /* Q */
#define QUIRK_SEQ0	0x1000 /* 0 */
00159 
// Bits of os_type::gadgets (uint16): extra inferences attached to a
// match -- NAT, firewall, ECN and uptime availability, as the names
// suggest.
#define GADGETNAT	0x1
#define GADGETNAT2	0x2
#define GADGETFIREWALL	0x4
#define GADGETECN	0x8
#define GADGETUPTIME	0x10
00165 
// Bits of os_type::match (uint16): whether the hit came from a generic
// signature and/or was fuzzy rather than exact, as the names suggest.
#define MATCHGENERIC	0x1
#define MATCHFUZZY	0x2
00168 
00169 #endif
