
Merge pull request #74 from nttcom/main_p0fk
p0f-kの修正
Shingo-Kashima authored Dec 7, 2022
2 parents 1a8cb48 + e3c930e commit cbdd9a1
Showing 8 changed files with 202 additions and 34 deletions.
Binary file not shown.
4 changes: 4 additions & 0 deletions osect_sensor/Infrastructure/edge_cron/work/ot_tools/p0f/etc/p0f-k.fp
100755 → 100644
Expand Up @@ -174,6 +174,7 @@ sig = *:64:0:*:*,0:mss:df,id+:0
; Windows
; -------

; Added by Noriki Okamoto
label = s:win:Windows:10[99,4,0]
sig = 4:128:0:*:mss*45,8:mss,nop,ws,sok,ts:df,id+:0
sig = 4:128:0:*:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0
Expand All @@ -182,6 +183,7 @@ sig = 6:64:0:*:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0
sig = 6:128:0:*:64000,0:mss,nop,ws,nop,nop,sok:flow:0
sig = 6:64:0:*:65535,8:mss,nop,ws,nop,nop,sok:flow:0

; Added by Noriki Okamoto
label = s:win:Windows:8/10[100,3,0]
sig = 4:128:0:*:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0

Expand Down Expand Up @@ -402,12 +404,14 @@ sig = *:64:0:*:mss*4,*:mss,nop,nop,sok,nop,ws:df:0
; Windows
; -------

; Added by Noriki Okamoto
label = s:win:Windows:10[1299,4,0]
sig = 4:128:0:*:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0
sig = 6:128:0:*:65535,8:mss,nop,ws,nop,nop,sok:flow:0
sig = 6:128:0:*:64000,0:mss,nop,ws,nop,nop,sok:flow:0
sig = 6:128:0:*:64000,0:mss,nop,nop,sok:flow:0

; Added by Noriki Okamoto
label = s:win:Windows:8/10[1300,3,0]
sig = 4:128:0:*:64000,0:mss,nop,ws,nop,nop,sok:df,id+:0

4 changes: 2 additions & 2 deletions p0f-k/README.md
Expand Up @@ -59,7 +59,7 @@ P0f-k outputs the MAC address like this:

### 2. New format log output

P0f-k can output logs in tabbed format. This function logs the OS estimation by TCP SYN and SYN + ACK when the -O option is specified. The log output looks like this:
P0f-k can output logs in tabbed format. This function logs the OS estimation by TCP SYN and SYN + ACK when the -O option is specified. The log can be rotated in seconds specified by the -R option. The log output looks like this:

```bash
1578584182.881877 syn 192.168.1.4 00:11:22:33:44:55 Mac OS X 4:64+0:0:1460:65535,6:mss,nop,ws,nop,nop,ts,sok,eol+1:id-,ecn:0
Expand All @@ -76,7 +76,7 @@ P0f-k supports fingerprinting for new operating systems like Windows 10.

The usage of p0f-k is the same as the original p0f.

Here's how to use the added -O option. The -O and -o options cannot be executed at the same time.
Here's how to use the added -O option.

```bash
$ sudo ./p0f -i ens33 -d -O /var/log/p0f-k.log
6 changes: 3 additions & 3 deletions p0f-k/fp_tcp.c
Expand Up @@ -1182,15 +1182,15 @@ struct tcp_sig* fingerprint_tcp(u8 to_srv, struct packet_data* pk,

if ((m = sig->matched)) {

OBSERVF((m->class_id == -1 || f->sendsyn) ? 0 : 1,
OBSERVF(f->sendsyn ? 0 : 1,
(m->class_id == -1 || f->sendsyn) ? "app" : "os",
"%s%s%s",
fp_os_names[m->name_id], m->flavor ? " " : "",
m->flavor ? m->flavor : (u8*)"");

} else {

add_observation_field("os", NULL, 1);
add_observation_field("os", NULL, f->sendsyn ? 0 : 1);

}

Expand All @@ -1209,7 +1209,7 @@ struct tcp_sig* fingerprint_tcp(u8 to_srv, struct packet_data* pk,

add_observation_field("params", dump_flags(pk, sig), 0);

add_observation_field("raw_sig", dump_sig(pk, sig, f->syn_mss), 1);
add_observation_field("raw_sig", dump_sig(pk, sig, f->syn_mss), f->sendsyn ? 0 : 1);

if (pk->tcp_type == TCP_SYN) f->syn_mss = pk->mss;

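Review bot: The expression `f->sendsyn ? 0 : 1` is now spelled out three times in fingerprint_tcp (the OBSERVF call in the matched branch, the `add_observation_field("os", NULL, ...)` call in the else branch, and the `raw_sig` call in the second hunk) as the trailing argument, and nothing in the hunk says what that argument controls, so a reader has to discover that all three must stay in agreement. Hoisting it once into a named local above the first call, e.g. `u8 end_of_record = f->sendsyn ? 0 : 1;  /* NOTE(review): presumably marks the last field of a tabbed log record when no SYN+ACK follows -- confirm against add_observation_field */`, and passing that name at the three sites would document the intent and keep them in step if the condition changes again. Note that the label selection on the next line still uses `(m->class_id == -1 || f->sendsyn)`, so the two conditions now deliberately differ; a one-line comment stating why the class_id test was dropped from the flag would save the next reader from re-deriving it. fingerprint_tcp begins and ends outside these hunks, so the declaration would sit above the visible lines.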
