OSFingerprint Class Reference

#include <OSFinger.h>

Collaboration diagram for OSFingerprint:

[legend]List of all members.

Public Member Functions
	OSFingerprint (FingerprintMode mode)
	~OSFingerprint ()
bool	Error () const
int	FindMatch (struct os_type *retval, uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS, uint8 ocnt, uint8 *op, uint16 MSS, uint8 win_scale, uint32 tstamp, uint32 quirks, uint8 ECN) const
bool	CacheMatch (uint32 addr, int id)
int	Get_OS_From_SYN (struct os_type *retval, uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS, uint8 ocnt, uint8 *op, uint16 MSS, uint8 win_scale, uint32 tstamp, uint32 quirks, uint8 ecn) const
void	load_config (char *file)
Protected Member Functions
void	collide (uint32 id)
void	Error (const char *msg)
void	Error (const char *msg, int n)
void	Error (const char *msg, const char *s)
Private Member Functions
	PDict (int) os_matches
Private Attributes
bool	err
unsigned int	mode
uint32	sigcnt
uint32	gencnt
uint8	problems
fp_entry	sig [MAXSIGS]
fp_entry *	bh [OSHSIZE]

---

Constructor & Destructor Documentation

OSFingerprint::OSFingerprint (  FingerprintMode  mode  )

Definition at line 28 of file OSFinger.cc. References bh, copy_string(), err, Error(), gencnt, internal_val(), load_config(), MAXSIGS, OSHSIZE, problems, RST_FINGERPRINT_MODE, sig, sigcnt, SYN_ACK_FINGERPRINT_MODE, and SYN_FINGERPRINT_MODE. { err = 0; sigcnt=gencnt=0; problems=0; char* fname; memset(sig, 0, sizeof(struct fp_entry)*MAXSIGS); memset(bh, 0, sizeof(struct fp_entry*)*OSHSIZE); if (mode == SYN_FINGERPRINT_MODE) { fname = copy_string(internal_val("passive_fingerprint_file")->AsString()->CheckString()); load_config(fname); } else if (mode == SYN_ACK_FINGERPRINT_MODE) {//not yet supported load_config("p0fsynack.sig"); } else if (mode == RST_FINGERPRINT_MODE) {//not yet supported load_config("p0frst.sig"); } else { Error("OS fingerprinting: unknown mode!"); } }

OSFingerprint::~OSFingerprint (   )  [inline]

Definition at line 86 of file OSFinger.h. {}

---

Member Function Documentation

bool OSFingerprint::CacheMatch (  uint32  addr, int  id )

Definition at line 58 of file OSFinger.cc. References addr, id, and uint32. Referenced by NetSessions::CompareWithPreviousOSMatch(). { HashKey key = HashKey(&addr, 1); int* pid = new int; *pid=id; int* prev = os_matches.Insert(&key, pid); bool ret = (prev ? *prev != id : 1); if (prev) delete prev; return ret; }

void OSFingerprint::collide (  uint32  id  )  [protected]

Definition at line 72 of file OSFinger.cc. References fp_entry::df, fmt(), id, MOD_CONST, MOD_MSS, MOD_MTU, fp_entry::optcnt, PACKET_BIG, problems, fp_entry::quirks, sig, fp_entry::size, uint32, warn(), and fp_entry::zero_stamp. Referenced by load_config(). { uint32 i,j; uint32 cur; if (sig[id].ttl % 32 && sig[id].ttl != 255 && sig[id].ttl % 30) { problems=1; warn(fmt("OS fingerprinting: [!] Unusual TTL (%d) for signature '%s %s' (line %d).", sig[id].ttl,sig[id].os,sig[id].desc,sig[id].line)); } for (i=0;i<id;i++) { if (!strcmp(sig[i].os,sig[id].os) && !strcmp(sig[i].desc,sig[id].desc)) { problems=1; warn(fmt("OS fingerprinting: [!] Duplicate signature name: '%s %s' (line %d and %d).", sig[i].os,sig[i].desc,sig[i].line,sig[id].line)); } /* If TTLs are sufficiently away from each other, the risk of a collision is lower. */ if (abs((int)sig[id].ttl - (int)sig[i].ttl) > 25) continue; if (sig[id].df ^ sig[i].df) continue; if (sig[id].zero_stamp ^ sig[i].zero_stamp) continue; /* Zero means >= PACKET_BIG */ if (sig[id].size) { if (sig[id].size ^ sig[i].size) continue; } else if (sig[i].size < PACKET_BIG) continue; if (sig[id].optcnt ^ sig[i].optcnt) continue; if (sig[id].quirks ^ sig[i].quirks) continue; switch (sig[id].wsize_mod) { case 0: /* Current: const */ cur=sig[id].wsize; do_const: switch (sig[i].wsize_mod) { case 0: /* Previous is also const */ /* A problem if values match */ if (cur ^ sig[i].wsize) continue; break; case MOD_CONST: /* Current: const, prev: modulo (or *) */ /* A problem if current value is a multiple of that modulo */ if (cur % sig[i].wsize) continue; break; case MOD_MSS: /* Current: const, prev: mod MSS */ if (sig[i].mss_mod || sig[i].wsize * (sig[i].mss ? sig[i].mss : 1460 ) != (int) cur) continue; break; case MOD_MTU: /* Current: const, prev: mod MTU */ if (sig[i].mss_mod || sig[i].wsize * ( (sig[i].mss ? sig[i].mss : 1460 )+40) != (int) cur) continue; break; } break; case 1: /* Current signature is modulo something */ /* A problem only if this modulo is a multiple of the previous modulo */ if (sig[i].wsize_mod != MOD_CONST) continue; if (sig[id].wsize % sig[i].wsize) continue; break; case MOD_MSS: /* Current is modulo MSS */ /* There's likely a problem only if the previous one is close to '*'; we do not check known MTUs, because this particular signature can be made with some uncommon MTUs in mind. The problem would also appear if current signature has a fixed MSS. */ if (sig[i].wsize_mod != MOD_CONST || sig[i].wsize >= 8) { if (!sig[id].mss_mod) { cur = (sig[id].mss ? sig[id].mss : 1460 ) * sig[id].wsize; goto do_const; } continue; } break; case MOD_MTU: /* Current is modulo MTU */ if (sig[i].wsize_mod != MOD_CONST || sig[i].wsize <= 8) { if (!sig[id].mss_mod) { cur = ( (sig[id].mss ? sig[id].mss : 1460 ) +40) * sig[id].wsize; goto do_const; } continue; } break; } /* Same for wsc */ switch (sig[id].wsc_mod) { case 0: /* Current: const */ cur=sig[id].wsc; switch (sig[i].wsc_mod) { case 0: /* Previous is also const */ /* A problem if values match */ if (cur ^ sig[i].wsc) continue; break; case 1: /* Current: const, prev: modulo (or *) */ /* A problem if current value is a multiple of that modulo */ if (cur % sig[i].wsc) continue; break; } break; case MOD_CONST: /* Current signature is modulo something */ /* A problem only if this modulo is a multiple of the previous modulo */ if (!sig[i].wsc_mod) continue; if (sig[id].wsc % sig[i].wsc) continue; break; } /* Same for mss */ switch (sig[id].mss_mod) { case 0: /* Current: const */ cur=sig[id].mss; switch (sig[i].mss_mod) { case 0: /* Previous is also const */ /* A problem if values match */ if (cur ^ sig[i].mss) continue; break; case 1: /* Current: const, prev: modulo (or *) */ /* A problem if current value is a multiple of that modulo */ if (cur % sig[i].mss) continue; break; } break; case MOD_CONST: /* Current signature is modulo something */ /* A problem only if this modulo is a multiple of the previous modulo */ if (!sig[i].mss_mod) continue; if ((sig[id].mss ? sig[id].mss : 1460 ) % (sig[i].mss ? sig[i].mss : 1460 )) continue; break; } /* Now check option sequence */ for (j=0;j<sig[id].optcnt;j++) if (sig[id].opt[j] ^ sig[i].opt[j]) goto reloop; problems=1; warn(fmt("OS fingerprinting: [!] Signature '%s %s' (line %d)\n" " is already covered by '%s %s' (line %d).", sig[id].os,sig[id].desc,sig[id].line,sig[i].os,sig[i].desc, sig[i].line)); reloop: ; } }

void OSFingerprint::Error (  const char *  msg, const char *  s )  [inline, protected]

Definition at line 118 of file OSFinger.h. References err, and error(). { error(msg, s); err = true; }

void OSFingerprint::Error (  const char *  msg, int  n )  [inline, protected]

Definition at line 112 of file OSFinger.h. References err, and error(). { error(msg, n); err = true; }

void OSFingerprint::Error (  const char *  msg  )  [inline, protected]

Definition at line 106 of file OSFinger.h. References err, and error(). { error(msg); err = true; }

bool OSFingerprint::Error (   )  const [inline]

Definition at line 88 of file OSFinger.h. References err. Referenced by load_config(), NetSessions::NetSessions(), and OSFingerprint(). { return err; }

int OSFingerprint::FindMatch (  struct os_type *  retval, uint16  tot, uint8  DF_flag, uint8  TTL, uint16  WSS, uint8  ocnt, uint8 *  op, uint16  MSS, uint8  win_scale, uint32  tstamp, uint32  quirks, uint8  ECN )  const

Definition at line 513 of file OSFinger.cc. References bh, os_type::desc, os_type::dist, GADGETECN, GADGETFIREWALL, GADGETNAT, GADGETNAT2, os_type::gadgets, GADGETUPTIME, id, os_type::match, MATCHFUZZY, MATCHGENERIC, MAXDIST, MOD_CONST, MOD_MSS, MOD_MTU, mode, os_type::os, p, PACKET_BIG, RST_FINGERPRINT_MODE, SIGHASH, uint16, uint32, uint8, and os_type::uptime. Referenced by NetSessions::Get_OS_From_SYN(). { uint32 j; //used for counter in loops struct fp_entry* p; uint8 orig_df = df; struct fp_entry* fuzzy = 0; uint8 fuzzy_now = 0; int id = 0; //return value: 0 indicates no match. retval->os="UNKNOWN"; retval->desc=NULL; retval->gadgets=0; retval->match=0; retval->uptime=0; re_lookup: p = bh[SIGHASH(tot,ocnt,quirks,df)]; while (p) { /* Cheap and specific checks first... */ /* psize set to zero means >= PACKET_BIG */ if (p->size) { if (tot ^ p->size) { p = p->next; continue; } } else if (tot < PACKET_BIG) { p = p->next; continue; } if (ocnt ^ p->optcnt) { p = p->next; continue; } if (p->zero_stamp ^ (!tstamp)) { p = p->next; continue; } if (p->df ^ df) { p = p->next; continue; } if (p->quirks ^ quirks) { p = p->next; continue; } /* Check MSS and WSCALE... */ if (!p->mss_mod) { if (mss ^ p->mss) { p = p->next; continue; } } else if (mss % p->mss) { p = p->next; continue; } if (!p->wsc_mod) { if (wsc ^ p->wsc) { p = p->next; continue; } } else if (wsc % p->wsc) { p = p->next; continue; } /* Then proceed with the most complex WSS check... */ switch (p->wsize_mod) { case 0: if (wss ^ p->wsize) { p = p->next; continue; } break; case MOD_CONST: if (wss % p->wsize) { p = p->next; continue; } break; case MOD_MSS: if (mss && !(wss % mss)) { if ((wss / mss) ^ p->wsize) { p = p->next; continue; } } else if (!(wss % 1460)) { if ((wss / 1460) ^ p->wsize) { p = p->next; continue; } } else { p = p->next; continue; } break; case MOD_MTU: if (mss && !(wss % (mss+40))) { if ((wss / (mss+40)) ^ p->wsize) { p = p->next; continue; } } else if (!(wss % 1500)) { if ((wss / 1500) ^ p->wsize) { p = p->next; continue; } } else { p = p->next; continue; } break; } /* Numbers agree. Let's check options */ for (j=0;j<ocnt;j++) if (p->opt[j] ^ op[j]) goto continue_search; /* Check TTLs last because we might want to go fuzzy. */ if (p->ttl < ttl) { if ( mode != RST_FINGERPRINT_MODE )fuzzy = p; p = p->next; continue; } /* Naah... can't happen ;-) */ if (!p->no_detail) if (p->ttl - ttl > MAXDIST) { if (mode != RST_FINGERPRINT_MODE ) fuzzy = p; p = p->next; continue; } continue_fuzzy: /* Match! */ id = p->line; if (mss & wss) { if (p->wsize_mod == MOD_MSS) { if ((wss % mss) && !(wss % 1460)) retval->gadgets|=GADGETNAT; } else if (p->wsize_mod == MOD_MTU) { if ((wss % (mss+40)) && !(wss % 1500)) retval->gadgets|=GADGETNAT2; } } retval->os=p->os; retval->desc=p->desc; retval->dist=p->ttl-ttl; if (ecn) retval->gadgets|=GADGETECN; if (orig_df ^ df) retval->gadgets|=GADGETFIREWALL; if (p->generic) retval->match=MATCHGENERIC; if (fuzzy_now) retval->match=MATCHFUZZY; if (!p->no_detail && tstamp) { retval->uptime=tstamp/360000; retval->gadgets|=GADGETUPTIME; } return id; continue_search: p = p->next; } if (!df) { df = 1; goto re_lookup; } //not found with df=0 do df=1 if (fuzzy) { df = orig_df; fuzzy_now = 1; p = fuzzy; fuzzy = 0; goto continue_fuzzy; } if (mss & wss) { if ((wss % mss) && !(wss % 1460)) retval->gadgets|=GADGETNAT; else if ((wss % (mss+40)) && !(wss % 1500)) retval->gadgets|=GADGETNAT2; } if (ecn) retval->gadgets|=GADGETECN; if (tstamp) { retval->uptime=tstamp/360000; retval->gadgets|=GADGETUPTIME; } return id; }

int OSFingerprint::Get_OS_From_SYN (  struct os_type *  retval, uint16  tot, uint8  DF_flag, uint8  TTL, uint16  WSS, uint8  ocnt, uint8 *  op, uint16  MSS, uint8  win_scale, uint32  tstamp, uint32  quirks, uint8  ecn )  const

void OSFingerprint::load_config (  char *  file  )

Definition at line 283 of file OSFinger.cc. References bh, collide(), Error(), file, gencnt, MAXLINE, MAXOPT, MAXSIGS, MOD_CONST, MOD_MSS, MOD_MTU, mode, p, QUIRK_ACK, QUIRK_BROKEN, QUIRK_DATA, QUIRK_FLAGS, QUIRK_IPOPT, QUIRK_PAST, QUIRK_RSTACK, QUIRK_SEQ0, QUIRK_SEQEQ, QUIRK_T2, QUIRK_URG, QUIRK_X2, QUIRK_ZEROID, RST_FINGERPRINT_MODE, search_for_file(), sig, sigcnt, SIGHASH, sscanf(), TCPOPT_EOL, TCPOPT_MAXSEG, TCPOPT_NOP, TCPOPT_SACK_PERMITTED, TCPOPT_TIMESTAMP, TCPOPT_WINDOW, tolower(), toupper(), uint32, and uint8. Referenced by OSFingerprint(). { uint32 ln=0; char buf[MAXLINE]; char* p; FILE* c = search_for_file( file, "osf", 0); if (!c) { Error("Can't open OS passive fingerprinting signature file", file); return; } sigcnt=0; //every time we read config we reset it to 0; while ((p=fgets(buf,sizeof(buf),c))) { uint32 l; char obuf[MAXLINE],genre[MAXLINE],desc[MAXLINE],quirks[MAXLINE]; char w[MAXLINE],sb[MAXLINE]; char* gptr = genre; uint32 t,d,s; struct fp_entry* e; ln++; /* Remove leading and trailing blanks */ while (isspace(*p)) p++; l=strlen(p); while (l && isspace(*(p+l-1))) *(p+(l--)-1)=0; /* Skip empty lines and comments */ if (!l) continue; if (*p == '#') continue; if (sscanf(p,"%[0-9%*()ST]:%d:%d:%[0-9()*]:%[^:]:%[^ :]:%[^:]:%[^:]", w, &t,&d,sb, obuf, quirks,genre,desc) != 8) Error("OS fingerprinting: Syntax error in p0f signature config line %d.\n",(uint32)ln); gptr = genre; if (*sb != '*') s = atoi(sb); else s = 0; reparse_ptr: switch (*gptr) { case '-': sig[sigcnt].userland = 1; gptr++; goto reparse_ptr; case '*': sig[sigcnt].no_detail = 1; gptr++; goto reparse_ptr; case '@': sig[sigcnt].generic = 1; gptr++; gencnt++; goto reparse_ptr; case 0: Error("OS fingerprinting: Empty OS genre in line",(uint32)ln); } sig[sigcnt].os = strdup(gptr); sig[sigcnt].desc = strdup(desc); sig[sigcnt].ttl = t; sig[sigcnt].size = s; sig[sigcnt].df = d; if (w[0] == '*') { sig[sigcnt].wsize = 1; sig[sigcnt].wsize_mod = MOD_CONST; } else if (tolower(w[0]) == 's') { sig[sigcnt].wsize_mod = MOD_MSS; if (!isdigit(*(w+1))) Error("OS fingerprinting: Bad Snn value in WSS in line",(uint32)ln); sig[sigcnt].wsize = atoi(w+1); } else if (tolower(w[0]) == 't') { sig[sigcnt].wsize_mod = MOD_MTU; if (!isdigit(*(w+1))) Error("OS fingerprinting: Bad Tnn value in WSS in line",(uint32)ln); sig[sigcnt].wsize = atoi(w+1); } else if (w[0] == '%') { if (!(sig[sigcnt].wsize = atoi(w+1))) Error("OS fingerprinting: Null modulo for window size in config line",(uint32)ln); sig[sigcnt].wsize_mod = MOD_CONST; } else sig[sigcnt].wsize = atoi(w); /* Now let's parse options */ p=obuf; sig[sigcnt].zero_stamp = 1; if (*p=='.') p++; while (*p) { uint8 optcnt = sig[sigcnt].optcnt; switch (tolower(*p)) { case 'n': sig[sigcnt].opt[optcnt] = TCPOPT_NOP; break; case 'e': sig[sigcnt].opt[optcnt] = TCPOPT_EOL; if (*(p+1)) Error("OS fingerprinting: EOL not the last option, line",(uint32)ln); break; case 's': sig[sigcnt].opt[optcnt] = TCPOPT_SACK_PERMITTED; break; case 't': sig[sigcnt].opt[optcnt] = TCPOPT_TIMESTAMP; if (*(p+1)!='0') { sig[sigcnt].zero_stamp=0; if (isdigit(*(p+1))) Error("OS fingerprinting: Bogus Tstamp specification in line",(uint32)ln); } break; case 'w': sig[sigcnt].opt[optcnt] = TCPOPT_WINDOW; if (p[1] == '*') { sig[sigcnt].wsc = 1; sig[sigcnt].wsc_mod = MOD_CONST; } else if (p[1] == '%') { if (!(sig[sigcnt].wsc = atoi(p+2))) Error("OS fingerprinting: Null modulo for wscale in config line",(uint32)ln); sig[sigcnt].wsc_mod = MOD_CONST; } else if (!isdigit(*(p+1))) Error("OS fingerprinting: Incorrect W value in line",(uint32)ln); else sig[sigcnt].wsc = atoi(p+1); break; case 'm': sig[sigcnt].opt[optcnt] = TCPOPT_MAXSEG; if (p[1] == '*') { sig[sigcnt].mss = 1; sig[sigcnt].mss_mod = MOD_CONST; } else if (p[1] == '%') { if (!(sig[sigcnt].mss = atoi(p+2))) Error("OS fingerprinting: Null modulo for MSS in config line",(uint32)ln); sig[sigcnt].mss_mod = MOD_CONST; } else if (!isdigit(*(p+1))) Error("OS fingerprinting: Incorrect M value in line",(uint32)ln); else sig[sigcnt].mss = atoi(p+1); break; /* Yuck! */ case '?': if (!isdigit(*(p+1))) Error("OS fingerprinting: Bogus ?nn value in line",(uint32)ln); else sig[sigcnt].opt[optcnt] = atoi(p+1); break; default: Error("OS fingerprinting: Unknown TCP option in config line",(uint32)ln); } if (++sig[sigcnt].optcnt >= MAXOPT) Error("OS fingerprinting: Too many TCP options specified in config line",(uint32)ln); /* Skip separators */ do { p++; } while (*p && !isalpha(*p) && *p != '?'); } sig[sigcnt].line = ln; p = quirks; while (*p) switch (toupper(*(p++))) { case 'E': Error("OS fingerprinting: Quirk 'E' is obsolete. Remove it, append E to the options. Line",(uint32)ln); case 'K': if ( mode != RST_FINGERPRINT_MODE ) Error("OS fingerprinting: Quirk 'K' is valid only in RST+ (-R) mode (wrong config file?). Line",(uint32)ln); sig[sigcnt].quirks |= QUIRK_RSTACK; break; case 'Q': sig[sigcnt].quirks |= QUIRK_SEQEQ; break; case '0': sig[sigcnt].quirks |= QUIRK_SEQ0; break; case 'P': sig[sigcnt].quirks |= QUIRK_PAST; break; case 'Z': sig[sigcnt].quirks |= QUIRK_ZEROID; break; case 'I': sig[sigcnt].quirks |= QUIRK_IPOPT; break; case 'U': sig[sigcnt].quirks |= QUIRK_URG; break; case 'X': sig[sigcnt].quirks |= QUIRK_X2; break; case 'A': sig[sigcnt].quirks |= QUIRK_ACK; break; case 'T': sig[sigcnt].quirks |= QUIRK_T2; break; case 'F': sig[sigcnt].quirks |= QUIRK_FLAGS; break; case 'D': sig[sigcnt].quirks |= QUIRK_DATA; break; case '!': sig[sigcnt].quirks |= QUIRK_BROKEN; break; case '.': break; default: Error("OS fingerprinting: Bad quirk in line",(uint32)ln); } e = bh[SIGHASH(s,sig[sigcnt].optcnt,sig[sigcnt].quirks,d)]; if (!e) { bh[SIGHASH(s,sig[sigcnt].optcnt,sig[sigcnt].quirks,d)] = &sig[sigcnt]; } else { while (e->next) e = e->next; e->next = &sig[sigcnt]; } collide(sigcnt); if (++sigcnt >= MAXSIGS) Error("OS fingerprinting: Maximum signature count exceeded.\n"); } fclose(c); if (!sigcnt) Error("OS fingerprinting: no signatures loaded from config file."); }

OSFingerprint::PDict (  int   )  [private]

---

Member Data Documentation

struct fp_entry* OSFingerprint::bh[OSHSIZE] [private]

Definition at line 133 of file OSFinger.h. Referenced by FindMatch(), load_config(), and OSFingerprint().

bool OSFingerprint::err [private]

Definition at line 125 of file OSFinger.h. Referenced by Error(), and OSFingerprint().

uint32 OSFingerprint::gencnt [private]

Definition at line 127 of file OSFinger.h. Referenced by load_config(), and OSFingerprint().

unsigned int OSFingerprint::mode [private]

Definition at line 126 of file OSFinger.h. Referenced by FindMatch(), and load_config().

uint8 OSFingerprint::problems [private]

Definition at line 128 of file OSFinger.h. Referenced by collide(), and OSFingerprint().

struct fp_entry OSFingerprint::sig[MAXSIGS] [private]

Definition at line 129 of file OSFinger.h. Referenced by collide(), load_config(), and OSFingerprint().

uint32 OSFingerprint::sigcnt [private]

Definition at line 127 of file OSFinger.h. Referenced by load_config(), and OSFingerprint().

---

The documentation for this class was generated from the following files:

• OSFinger.h
• OSFinger.cc

---