Merge pull request #56 from wuruilong01/master
[prads.git] / etc / tcp-rst.fp
blob 9122f6bb15d40c19eba9b5b6777624ba7291f01d
# prads - RST signatures
# --------------------------

# .-------------------------------------------------------------------------.
# | The purpose of this file is to cover signatures for RST packets.        |
# | This database is looking for a caring maintainer.                       |
# `-------------------------------------------------------------------------'

# (C) Copyright 2009-2010 by Edward Fjellskål <edward@redpill-linpro.com>

# Submit all additions to the authors.

# IMPORTANT INFORMATION ABOUT THE INTERDEPENDENCY OF SYNs AND RST+ACKs
# --------------------------------------------------------------------

# Some silly systems may copy WSS from the SYN packet you've sent,
# in which case, you need to wildcard the value. Use test/sendsyn.c for
# "connection refused" and test/sendack.c for "connection dropped" signatures
# - both tools use a distinct WSS of 12345, which is an easy way to tell
# if WSS should be wildcarded.

# IMPORTANT INFORMATION ABOUT COMMON IMPLEMENTATION FLAWS
# --------------------------------------------------------------------

# There are several types of RST packets you will surely encounter.
# Some systems, including most reputable ones, are severely brain-damaged
# and generate some illegal combinations from time to time. This is WAY
# more common than with other packet types, because a broken RST does not
# have any immediately noticeable consequences; besides, RFC793 is fairly
# difficult to comprehend when it comes to this type of response.

# p0f will give you a hint on new RST signatures, but it is your duty to
# diagnose the problem and append the proper description when adding the
# signature. Below is a list of valid and invalid states:

# - "Connection refused" message: this is a RST+ACK packet, SEQ number
#   set to zero, ACK number non-zero. This is a valid response and
#   is denoted by p0f as "refused" (quirk combination: K, 0, A).

#   There are some very rare cases when this is incorrectly sent in response
#   to an unexpected ACK packet.

# - Illegal combination: RST+ACK packet, SEQ number set to zero, ACK
#   number zero. This is denoted by p0f as "invalid-K0" (quirk combination:
#   K and 0, no A).

# - Illegal combination: RST+ACK, SEQ number non-zero, ACK number zero
#   or non-zero. This is denoted by p0f as "invalid-K" and
#   "invalid-KA", respectively (quirk combinations: K, sometimes A, no 0).

#   This combination is frequently generated by Cisco routers in certain
#   configurations in response to ACK (!). Brain dead, by all means, and
#   usually a result of (incorrectly) setting the ACK flag on a valid RST packet.

# - "Connection dropped": RST, sequence number non-zero, ACK zero or
#   non-zero. This is denoted as "dropped" and "dropped 2" respectively
#   (quirk combinations: no K, sometimes A, no 0). While the ACK value should
#   be zeroed, it is not strictly against the RFC, and some systems either
#   leak memory there or set it to the value of SEQ.

#   The latter variant, with non-zero ACK, is particularly common on
#   Windows.

# - Illegal combination: RST, SEQ number zero, ACK zero or non-zero.
#   Denoted as "invalid-0" and "invalid-0A". Obviously incorrect, and
#   will not have the desired effect.

# Ok. That's it. RFC793 does not get much respect nowadays.

# IMPORTANT INFORMATION ABOUT DIFFERENCES IN COMPARISON TO p0f.fp:
# ----------------------------------------------------------------

# - Packet size may be wildcarded. The meaning of wildcard is, however,
#   hardcoded as 'size > PACKET_BIG' (defined as 100 in config.h). This is
#   because some stupid devices (including Ciscos) tend to send back RST
#   packets quoting anything you have sent them in ACK packet previously.
#   Use sparingly, only if -X confirms the device actually bounces back
#   whatever you send.

# - A new quirk, 'K', is introduced to denote RST+ACK packets (as opposed
#   to plain RST). This quirk is only compatible with this mode.

# - A new quirk, 'Q', is used to denote SEQ number equal to ACK number.
#   This happens from time to time in RST and RST+ACK packets, but
#   is practically unheard of in other modes.

# - A new quirk, '0', is used to denote packets with SEQ number set to 0.
#   This happens on some RSTs, and is once again unheard of in other modes.

# - 'D' quirk is not a bug; some devices send verbose text messages
#   describing why a connection got dropped; it's actually suggested
#   by RFC1122. Of course, some systems have their own standards, and
#   put all kinds of crap in their RST responses (including FreeBSD and
#   Cisco). Use -X to examine those values.

# - 'A' and 'T' quirks are not an anomaly in certain cases for the reasons
#   described in p0fa.fp.

# QUIRK REMINDERS
# ----------------------------------------------------------------
# K = RST+ACK ('A' should also be present),
# 0 = sequence number = 0,
# Q = SEQ number equal to ACK number,
# Z = zero IP ID,
# T = non-zero second timestamp,
# P = options past EOL,
# I = IP options specified,
# U = urg pointer non-zero,
# X = unused (x2) field non-zero,
# A = ACK number non-zero,
# F = unusual flags (PUSH, URG, etc),
# D = data payload,
# ! = broken options segment.
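
# The state list and the quirk letters above, as a small matcher. This is an
# added example and not prads code: it assumes the p0f v2 field order
# wss:ttl:df:size:options:quirks:genre:details, a 40-hop window between the
# signature's TTL and the observed one, and compares quirk letters as a set.
# The '*' size wildcard is treated as 'size > PACKET_BIG' as described above;
# the 'Sn'/'Tn' WSS forms are not handled. The signature lines and packet
# header values in the block are constructed samples, not captures.

```python
"""Added example, not prads code: classify a TCP RST by the K/0/A rules above
and match it against tcp-rst.fp lines.  Assumed: the p0f v2 field order
wss:ttl:df:size:options:quirks:genre:details and a 40-hop TTL window."""
from collections import namedtuple

TH_RST = 0x04
TH_ACK = 0x10
PACKET_BIG = 100   # '*' in the size field means "size > PACKET_BIG" (per the notes above)
TTL_MAX_HOPS = 40  # assumption: observed TTL may be up to 40 hops below the signature's TTL

# Header fields the matcher needs; quirks it cannot derive from them (Z, U, T, D, F, ...)
# are passed in extra_quirks.
RstPacket = namedtuple("RstPacket", "flags seq ack wss ttl df size opts extra_quirks",
                       defaults=(".", ""))
RstSig = namedtuple("RstSig", "wss ttl df size opts quirks genre details")


def rst_state(p):
    """Name the RST variant exactly as the list of valid and invalid states above does."""
    if not p.flags & TH_RST:
        raise ValueError("not a RST")
    if p.flags & TH_ACK:                  # RST+ACK, quirk K
        if p.seq == 0:
            return "refused" if p.ack else "invalid-K0"
        return "invalid-KA" if p.ack else "invalid-K"
    if p.seq == 0:                        # plain RST with SEQ 0
        return "invalid-0A" if p.ack else "invalid-0"
    return "dropped 2" if p.ack else "dropped"


def rst_quirks(p):
    """K, 0, A and Q follow from the header; everything else comes from extra_quirks."""
    q = set(p.extra_quirks)
    if p.flags & TH_ACK:
        q.add("K")
    if p.seq == 0:
        q.add("0")
    if p.ack != 0:
        q.add("A")
    if p.seq == p.ack:
        q.add("Q")
    return frozenset(q)


def parse_sig(line):
    """One signature line -> RstSig; comment and blank lines give None."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    f = body.split(":", 7)
    if len(f) != 8:
        raise ValueError("malformed signature: %r" % line)
    quirks = frozenset() if f[5] == "." else frozenset(f[5])
    return RstSig(f[0], int(f[1]), int(f[2]), f[3], f[4], quirks, f[6], f[7])


def load_sigs(text):
    return [s for s in map(parse_sig, text.splitlines()) if s is not None]


def _wss_ok(sig_wss, wss):
    if sig_wss == "*":
        return True
    # Sn/Tn (multiples of MSS/MTU) need the MSS option, which RSTs rarely carry: not handled.
    return sig_wss.isdigit() and int(sig_wss) == wss


def match_sigs(sigs, p):
    """Signatures consistent with the packet; quirks compare as sets, so letter order is irrelevant."""
    q = rst_quirks(p)
    return [s for s in sigs
            if _wss_ok(s.wss, p.wss)
            and s.ttl - TTL_MAX_HOPS < p.ttl <= s.ttl
            and s.df == p.df
            and (p.size > PACKET_BIG if s.size == "*" else int(s.size) == p.size)
            and s.opts == p.opts
            and s.quirks == q]


# Constructed sample: a handful of lines copied from the tables in this file.
SAMPLE_SIGS = load_sigs("""
0:64:1:40:.:K0ZA:Linux:recent 2.4/2.6 (refused)
0:64:1:*:.:K0ZA:Linux:2.6 (refused)
0:128:1:40:.:QA:Windows:XP/2000 (dropped 2)
0:64:0:40:.:KQ0:BayTech:RPC-3 telnet host (dropped, lame)
*:255:0:*:.:KAD:Cisco:IOS/PIX NAT + data (1) (dropped, lame)
""")

# Constructed packets, header values chosen to exercise the lines above (not captures).
LINUX_REFUSED = RstPacket(TH_RST | TH_ACK, 0, 1000001, wss=0, ttl=61, df=1, size=40, extra_quirks="Z")
WINDOWS_DROPPED = RstPacket(TH_RST, 123456, 123456, wss=0, ttl=126, df=1, size=40)
CISCO_BOUNCE = RstPacket(TH_RST | TH_ACK, 7, 99, wss=12345, ttl=251, df=0, size=180, extra_quirks="D")

if __name__ == "__main__":
    for name, p in (("linux", LINUX_REFUSED), ("windows", WINDOWS_DROPPED), ("cisco", CISCO_BOUNCE)):
        hits = ["%s:%s" % (s.genre, s.details) for s in match_sigs(SAMPLE_SIGS, p)]
        print(name, rst_state(p), "".join(sorted(rst_quirks(p))), hits)
```

# Running it prints each constructed packet's state, its quirk letters and the
# matching line. The 40-byte Linux RST matches only the '40' line and not the
# '*' one, because the wildcard requires size > PACKET_BIG; the Cisco packet
# with quoted data is 180 bytes and matches the wildcard, while its state is
# "invalid-KA" (RST+ACK with non-zero SEQ), the Cisco misbehaviour noted above.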

################################
# Connection refused - RST+ACK #
################################

0:255:0:40:.:K0A:Linux:2.0/2.2 (refused)
0:64:1:40:.:K0A:FreeBSD:4.8 (refused)
0:64:1:40:.:K0ZA:Linux:recent 2.4/2.6 (refused)
0:64:1:*:.:K0ZA:Linux:2.6 (refused)
0:128:0:40:.:K0A:Windows:XP/2000 (refused)
0:128:0:40:.:K0UA:-Windows:XP/2000 while browsing (refused)

## Windows
#*:128:1:*:E:KPA!:Windows:support.microsoft.com
#0:128:1:40:.:KA:Windows:Win2K (UC)

######################################
# Connection dropped / timeout - RST #
######################################

0:64:1:40:.:.:FreeBSD:4.8 (Linux?) (dropped)
0:255:0:40:.:.:Linux:2.0/2.2 or IOS 12.x (dropped)
0:64:1:40:.:Z:Linux:recent 2.4/2.6 (dropped)
0:255:1:40:.:Z:Linux:early 2.4 (dropped)
0:32:0:40:.:.:Xylan:OmniSwitch / Linksys WAP11 AP (dropped)
0:64:1:40:.:U:NetIron:load balancer (dropped)

0:64:1:40:.:A:Cisco:AsyncOS phoebe 7.1.x (Iron Port)

0:128:1:40:.:QA:Windows:XP/2000 (dropped 2)
0:128:1:40:.:A:Windows:XP/2000 while browsing (1) (dropped 2)
0:128:1:40:.:QUA:-Windows:XP/2000 while browsing (2) (dropped 2)
0:128:1:40:.:UA:-Windows:XP/2000 while browsing a lot (dropped 2)
0:128:1:40:.:.:@Windows:98 (?) (dropped)

0:64:0:40:.:A:Ascend:TAOS or BayTech (dropped 2)

# too generic, may be win XP
*:255:0:40:.:QA:Cisco:LocalDirector (dropped 2)

0:64:1:40:.:A:Hasbani:WindWeb (dropped 2)
S23:255:1:40:.:.:Solaris:2.5 (dropped)

#######################################################
# Connection dropped / timeout - RST with description #
#######################################################

0:255:1:58:.:D:MacOS:9.x "No TCP/No listener" (seldom SunOS 5.x) (dropped)
0:255:1:53:.:D:MacOS:8.5 "no tcp, reset" (dropped)
0:255:1:65:.:D:MacOS:X "tcp_close, during connect" (dropped)
0:255:1:54:.:D:MacOS:X "tcp_disconnect" (dropped)
0:255:1:62:.:D:HP/UX:? "tcp_fin_wait_2_timeout" (dropped)
32768:255:1:54:.:D:MacOS:8.5 "tcp_disconnect" (dropped)
0:255:1:63:.:D:@Unknown: "Go away" device (dropped)

0:255:0:62:.:D:SunOS:5.x "new data when detached" (1) (dropped)
32768:255:1:62:.:D:SunOS:5.x "new data when detached" (2) (dropped)
0:255:1:67:.:D:SunOS:5.x "tcp_lift_anchor, can't wait" (dropped)

0:255:0:46:.:D:HP/UX:11.00 "No TCP" (dropped)

# More obscure ones:
# 648:255:1:54:.:D:MacOS:??? "tcp_disconnect" (dropped)
# 0:45:1:53:.:D:MacOS:7.x "no tcp, reset" (dropped)

##############################################
# Connection dropped / timeout - broken RSTs #
##############################################

S12:255:1:58:.:KAD:Solaris:2.x "tcp_disconnect" (dropped, lame)
S43:64:1:40:.:KA:AOL:proxy (dropped, lame)
1:64:1:40:.:KA:Linux:2.4/2.6 (dropped, lame)
1:64:1:52:N,N,T:KAT:Linux:2.6 (dropped, lame)
63:64:1:40:.:KA:Linux:2.4 (newer) mips
54:64:1:*:N,N,T:KAT:Linux:2.6 (dropped, lame) (UC)
S2:64:1:*:.:KA:Linux:2.6 (dropped, lame) (UC)
#*:64:1:40:.:KA:FreeBSD:4.8 (dropped, lame)
#*:64:1:52:N,N,T:KAT:Linux:2.4 (dropped, lame)
0:255:0:40:.:KAF:3Com:SuperStack II (dropped, lame)
*:255:0:40:.:KA:Intel:Netport print server (dropped, lame)
*:150:0:40:.:KA:Linksys:BEF router (dropped, lame)

*:32:0:44:.:KZD:@NetWare:??? "ehnc" (dropped, lame)
0:64:0:40:.:KQ0:BayTech:RPC-3 telnet host (dropped, lame)

#*:128:1:*:E:KPA!:Windows:support.microsoft.com
0:128:1:40:.:KA:Windows:Win2K (UC)/Win7/2008R2

16560:64:1:40:.:KA:Cisco:AsyncOS phoebe 7.1.x (Iron Port)

#############################################
# Connection dropped / timeout - extra data #
#############################################

*:255:0:*:.:KAD:Cisco:IOS/PIX NAT + data (1) (dropped, lame)
0:255:0:*:.:D:Windows:NT 4.0 SP6a + data (dropped)
0:255:0:*:.:K0AD:Isolation:Infocrypt accelerator + data (dropped, lame)

*:255:0:*:.:AD:Cisco:IOS/PIX NAT + data (2) (dropped)

*:64:1:*:N,N,T:KATD:Linux:2.4 (?) + data (dropped, lame)
*:64:1:*:.:KAD:FreeBSD:4.8 + data (dropped, lame)
0:64:1:40:.:K0A:Solaris:Sun OpenStorage 7310

# xnih13
92:64:1:52:N,N,T:KAT:Netgear:Netgear WNR3500