Merge pull request #56 from wuruilong01/master
[prads.git] / etc / tcp-stray-ack.fp
blob 4ab775188d5ce5836be2ce8500918d2ede27ce2b
# prads - stray ACK signatures
# --------------------------

# .-------------------------------------------------------------------------.
# | The purpose of this file is to cover signatures for stray ACK packets |
# | (established session data). This mode of operation is enabled with -XXX |
# | option and is HIGHLY EXPERIMENTAL. Please refer to p0f.fp for more |
# | information on the metrics used and for a guide on adding new entries |
# | to this file. This database is looking for a caring maintainer. |
# `-------------------------------------------------------------------------'

# (C) Copyright 1996-2010 by Edward Fjellskål <edward@redpill-linpro.com>

# Submit all additions to the authors. Read p0f.fp before adding any
# signatures. Run p0f -O -C after making any modifications. This file is
# NOT compatible with SYN, SYN+ACK or RST+ modes. Use only with -O option.

# IMPORTANT INFORMATION ABOUT THE INTERDEPENDENCY OF SYNs AND ACKs
# ----------------------------------------------------------------

# Some systems would have different ACK fingerprints depending on the initial
# SYN or SYN+ACK received from the other party. More specifically, RFC1323,
# RFC2018 and RFC1644 extensions sometimes show up only if the other party had
# them enabled. Hence, the reliability of ACK fingerprints may be affected.

# IMPORTANT INFORMATION ABOUT DIFFERENCES IN COMPARISON TO p0f.fp:
# ----------------------------------------------------------------

# - Packet size MUST be wildcarded. ACK packets, by their nature, have
# variable sizes, depending on the amount of data carried as a payload.

# - Similarly, 'D' quirk is not checked for, and is not allowed in signatures
# in this file. A good number of ACK packets have payloads.

# - PUSH flag is excluded from 'F' quirk checks in this mode.
# - 'A' quirk is not a bug; all ACK packets should have it set; also,
# 'T' quirk is not an anomaly; its absence on systems with T option is.


# PRADS additions:
# - We only display the first 3 options, as displaying more options
# will only spam the asset db.
# Also, as stray ACKs are so unreliable, this seems to be a good
# tradeoff to get more consistent fingerprints. Without the
# limit of 3 options, you get a lot of (?nn) options.
#*:64:1:*:N,N,T:AT:Linux:2.4.2x (local?)
#*:64:1:*:.:A:Linux:2.4.2x
#*:64:0:*:.:A:Linux:2.0.3x

#*:64:1:*:N,N,T:AT:FreeBSD:4.8
#%12:128:1:*:.:A:Windows:XP
#S44:128:1:*:.:A:Windows:XP

## Linux
#46:64:1:*:N,N,T:AT!:Linux:2.6
S4:64:1:0:.:A:Linux:2.6
*:64:1:*:N,N,T:AT:Linux:2.4(newer)/2.6
#14:64:1:0:N,N,T:ZAT:Linux:2.6
*:64:1:0:N,N,T:ZAT:Linux:2.6

## Freebsd
#8326:64:1:*:N,N,T:AT!:Freebsd:freebsd.org
#8305:64:1:0:N,N,T:AT:Freebsd: (UC)
#8325:64:1:*:N,N,T:AT!:Freebsd: (UC)

## Windows
#*(65535):128:1:*:N,N,T:AT!:Windows:support.windows.com
#*:64:1:0:.:A:Windows:www.microsoft.com
*:128:1:0:.:A:Windows:XP

# Solaris
32806:61:1:0:N,N,T:AT:Solaris:Sun OpenStorage 7310

# xnih13
92:64:1:0:N,N,T:A:Netgear:Netgear WNR3500
65535:128:1:0:N,N,?5:A:Windows:Windows XP
32451:128:1:0:N,N,?5:A:Windows:Windows 7/2008 R2

# IronPort
16560:64:1:0:.:A:Cisco:AsyncOS phoebe 7.1.x (Iron Port)
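The header above states the rules a stray-ACK signature has to obey (size wildcarded, no 'D' quirk, at most the first 3 options counted) but gives no way to check a line or to see how an entry is matched against an ACK. The following is an added example, not PRADS code: a small Python parser, linter and matcher for this file's format. It assumes the p0f.fp field layout wss:ttl:df:size:options:quirks:os:details and p0f's wss forms (`*`, `Sn` = n times MSS, `Tn` = n times MTU with MTU taken as MSS+40, `%n` = multiple of n, or a literal); the hop-distance limit of 40 is assumed from p0f's default MAXDIST, and the matcher ignores the size field entirely because the header says it must be wildcarded. The embedded database excerpt is constructed from the active entries of this file, and the linter applies the header's rules literally, so entries with a literal 0 in the size field are reported; whether PRADS' own loader treats 0 as a wildcard is something to verify against the loader, not something this example asserts.

```python
"""Parser, linter and matcher for p0f-style stray-ACK signatures (added example)."""
import re
from dataclasses import dataclass

MAXDIST = 40          # assumption: p0f's default maximum hop distance
MAX_ACK_OPTIONS = 3   # from the PRADS note in the header: only the first 3 options count

# Constructed excerpt: the active entries of tcp-stray-ack.fp, embedded so this runs offline.
SAMPLE_DB = """\
# constructed excerpt: active entries from tcp-stray-ack.fp

S4:64:1:0:.:A:Linux:2.6
*:64:1:*:N,N,T:AT:Linux:2.4(newer)/2.6
*:64:1:0:N,N,T:ZAT:Linux:2.6
*:128:1:0:.:A:Windows:XP
32806:61:1:0:N,N,T:AT:Solaris:Sun OpenStorage 7310
92:64:1:0:N,N,T:A:Netgear:Netgear WNR3500
65535:128:1:0:N,N,?5:A:Windows:Windows XP
32451:128:1:0:N,N,?5:A:Windows:Windows 7/2008 R2
16560:64:1:0:.:A:Cisco:AsyncOS phoebe 7.1.x (Iron Port)
"""


@dataclass
class Sig:
    lineno: int
    wss: str
    ttl: int
    df: int
    size: str
    options: tuple
    quirks: frozenset
    os: str
    details: str


def lint(sig):
    """Return violations of the ACK-mode rules stated in the file header."""
    issues = []
    if sig.size != "*":
        issues.append("size must be wildcarded in ACK mode")
    if "D" in sig.quirks:
        issues.append("'D' quirk is not allowed in ACK mode")
    if len(sig.options) > MAX_ACK_OPTIONS:
        issues.append("more than %d options (PRADS only keeps the first %d)"
                      % (MAX_ACK_OPTIONS, MAX_ACK_OPTIONS))
    return issues


def parse_db(text):
    """Parse signature lines; return (signatures, [(lineno, message), ...])."""
    sigs, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # comments and blank lines
        parts = line.split(":", 7)                    # details may contain ':' itself
        if len(parts) != 8:
            problems.append((n, "expected 8 colon-separated fields"))
            continue
        wss, ttl, df, size, opts, quirks, os_, details = parts
        try:
            sig = Sig(n, wss, int(ttl), int(df), size,
                      () if opts == "." else tuple(opts.split(",")),
                      frozenset() if quirks == "." else frozenset(quirks),
                      os_, details)
        except ValueError:
            problems.append((n, "ttl and df must be integers"))
            continue
        problems.extend((n, msg) for msg in lint(sig))
        sigs.append(sig)
    return sigs, problems


def wss_matches(pattern, wss, mss):
    """p0f window-size forms: *, Sn (n*MSS), Tn (n*MTU, MTU assumed MSS+40), %n, literal."""
    if pattern == "*":
        return True
    m = re.fullmatch(r"([ST%])(\d+)", pattern)
    if m:
        kind, n = m.group(1), int(m.group(2))
        if kind == "S":
            return mss > 0 and wss == n * mss
        if kind == "T":
            return mss > 0 and wss == n * (mss + 40)
        return n > 0 and wss % n == 0
    return pattern.isdigit() and wss == int(pattern)


def options_match(sig_opts, seen_opts):
    """Compare option lists positionally; only the first MAX_ACK_OPTIONS observed count."""
    seen = tuple(seen_opts[:MAX_ACK_OPTIONS])
    if len(sig_opts) != len(seen):
        return False
    for want, got in zip(sig_opts, seen):
        if want in ("M*", "W*"):                      # wildcard MSS / window scale value
            if not got.startswith(want[0]):
                return False
        elif want != got:
            return False
    return True


def match(sigs, pkt):
    """pkt: dict with wss, mss, ttl, df, options (list of str) and quirks (str).
    Returns every (os, details) pair whose signature fits the observed ACK."""
    seen_quirks = frozenset(pkt["quirks"]) - {"D"}   # 'D' is not checked in ACK mode
    hits = []
    for s in sigs:
        if s.df != pkt["df"]:
            continue
        if not (pkt["ttl"] <= s.ttl <= pkt["ttl"] + MAXDIST):  # initial TTL within hop range
            continue
        if not wss_matches(s.wss, pkt["wss"], pkt["mss"]):
            continue
        if not options_match(s.options, pkt["options"]):
            continue
        if s.quirks != seen_quirks:
            continue
        hits.append((s.os, s.details))
    return hits


if __name__ == "__main__":
    db, issues = parse_db(SAMPLE_DB)
    for lineno, msg in issues:
        print("line %d: %s" % (lineno, msg))
    # constructed ACK: window 5840 = 4*1460, ttl 55, DF set, NOP,NOP,TS, quirks A+T
    print(match(db, dict(wss=5840, mss=1460, ttl=55, df=1, options=["N", "N", "T"], quirks="AT")))
```

Run it against the real file with `parse_db(open("etc/tcp-stray-ack.fp").read())` to get the lint report; the quirk comparison is an exact set comparison, so the ZAT and AT Linux entries only separate packets on the presence of the Z quirk, which is the behaviour the "'T' quirk is not an anomaly" note in the header implies.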