netfilter-devel.vger.kernel.org archive mirror
* Update pf.os with newer OS fingerprints
From: Fernando Fernandez Mancera @ 2019-02-08 14:06 UTC
  To: tech; +Cc: netfilter-devel

Hi,

I have been updating the pf.os signatures with more recent OS
fingerprints. I have checked out new Linux, FreeBSD and OpenBSD but only
Linux and FreeBSD needed new ones. I have been doing this because it is
related to my work during the last Google Summer of Code. In addition,
Michal Zalewski is aware of the new fingerprints too.

Thanks.

P.S: Keep me on Cc. I'm not subscribed to the list.

diff --git etc/pf.os etc/pf.os
index 41c1bc6a482..8f235876799 100644
--- etc/pf.os
+++ etc/pf.os
@@ -232,6 +232,11 @@ S4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6
(newer, 3)
 T4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6 (newer, 4)

 S10:64:1:60:M*,S,T,N,W4:	Linux:3.0::Linux 3.0
+S10:64:1:60:M*,S,T,N,W6:	Linux:3.1::Linux 3.1
+S10:64:1:60:M*,S,T,N,W7:	Linux:3.4-3.10::Linux 3.4 - 3.10
+S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-3.19::Linux 3.11 - 3.19
+S20:64:1:60:M*,S,T,N,W7:	Linux:4.0-4.19::Linux 4.0 - 4.19
+S44:64:1:60:M*,S,T,N,W7:	Linux:4.20::Linux 4.20

 S3:64:1:60:M*,S,T,N,W1:		Linux:2.5::Linux 2.5 (sometimes 2.4)
 S4:64:1:60:M*,S,T,N,W1:		Linux:2.5-2.6::Linux 2.5/2.6
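
Review bot: The added Linux entries label 3.1 (S10, W6) and then 3.4-3.10 (S10, W7), so 3.2 and 3.3 sit between two lines with different window-scale values and get no label at all; state whether those releases were measured and extend whichever range they belong to. The two S20 lines carry the same signature and differ only in the version field, which follows the split seen in the FreeBSD 4.7-4.11 / 5.0-5.2 context lines of the next hunk, but there both lines share one description ("FreeBSD 4.7-5.2"); keeping to that pattern would give both S20 lines the description "Linux 3.11-4.19". The new descriptions also write ranges as "3.4 - 3.10" with spaces, where the existing entries use the "4.7-5.2" form.
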
@@ -283,6 +288,8 @@ S22:64:1:52:M*,N,N,S,N,W0:	Linux:2.2:ts:Linux 2.2
w/o timestamps
 65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
 65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.2::FreeBSD 4.7-5.2

+65535:64:1:60:M*,N,W6,S,T:	FreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
+
 # XXX need quirks support
 # 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
 # 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)
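
Review bot: The new FreeBSD line puts four major releases (9.0-12.0) into a single version field, while the two context lines directly above it split one signature per major release (4.7-4.11, 5.0-5.2) under a shared description; either split this entry the same way or say why a single range is preferred here, since the Linux hunk of this same patch uses the split form. The description "FreeBSD 9.0 - 12.0" also uses spaces around the dash, unlike the neighbouring "FreeBSD 4.7-5.2".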


* Re: Update pf.os with newer OS fingerprints
From: Pablo Neira Ayuso @ 2019-02-08 16:07 UTC
  To: Fernando Fernandez Mancera; +Cc: tech, netfilter-devel

Hi Fernando,

On Fri, Feb 08, 2019 at 03:06:00PM +0100, Fernando Fernandez Mancera wrote:
> Hi,
> 
> I have been updating the pf.os signatures with more recent OS
> fingerprints. I have checked out new Linux, FreeBSD and OpenBSD but only
> Linux and FreeBSD needed new ones. I have been doing this because it is
> related to my work during the last Google Summer of Code. In addition,
> Michal Zalewski is aware of the new fingerprints too.
> 
> Thanks.
> 
> P.S: Keep me on Cc. I'm not subscribed to the list.
> 
> diff --git etc/pf.os etc/pf.os
> index 41c1bc6a482..8f235876799 100644
> --- etc/pf.os
> +++ etc/pf.os
> @@ -232,6 +232,11 @@ S4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6
> (newer, 3)
>  T4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6 (newer, 4)
> 
>  S10:64:1:60:M*,S,T,N,W4:	Linux:3.0::Linux 3.0
> +S10:64:1:60:M*,S,T,N,W6:	Linux:3.1::Linux 3.1
> +S10:64:1:60:M*,S,T,N,W7:	Linux:3.4-3.10::Linux 3.4 - 3.10
> +S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-3.19::Linux 3.11 - 3.19
> +S20:64:1:60:M*,S,T,N,W7:	Linux:4.0-4.19::Linux 4.0 - 4.19

Probably merge these two lines above? ie.

S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-4.19::Linux 3.11 - 4.19

> +S44:64:1:60:M*,S,T,N,W7:	Linux:4.20::Linux 4.20
> 
>  S3:64:1:60:M*,S,T,N,W1:		Linux:2.5::Linux 2.5 (sometimes 2.4)
>  S4:64:1:60:M*,S,T,N,W1:		Linux:2.5-2.6::Linux 2.5/2.6
> @@ -283,6 +288,8 @@ S22:64:1:52:M*,N,N,S,N,W0:	Linux:2.2:ts:Linux 2.2
> w/o timestamps
>  65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
>  65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
> 
> +65535:64:1:60:M*,N,W6,S,T:	FreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
> +
>  # XXX need quirks support
>  # 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
>  # 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)


* Re: Update pf.os with newer OS fingerprints
From: Fernando Fernandez Mancera @ 2019-02-08 16:25 UTC
  To: Pablo Neira Ayuso; +Cc: tech, netfilter-devel

Hi Pablo,

On 2/8/19 5:07 PM, Pablo Neira Ayuso wrote:
> Hi Fernando,
> 
> On Fri, Feb 08, 2019 at 03:06:00PM +0100, Fernando Fernandez Mancera wrote:
>> Hi,
>>
>> I have been updating the pf.os signatures with more recent OS
>> fingerprints. I have checked out new Linux, FreeBSD and OpenBSD but only
>> Linux and FreeBSD needed new ones. I have been doing this because it is
>> related to my work during the last Google Summer of Code. In addition,
>> Michal Zalewski is aware of the new fingerprints too.
>>
>> Thanks.
>>
>> P.S: Keep me on Cc. I'm not subscribed to the list.
>>
>> diff --git etc/pf.os etc/pf.os
>> index 41c1bc6a482..8f235876799 100644
>> --- etc/pf.os
>> +++ etc/pf.os
>> @@ -232,6 +232,11 @@ S4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6
>> (newer, 3)
>>  T4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6 (newer, 4)
>>
>>  S10:64:1:60:M*,S,T,N,W4:	Linux:3.0::Linux 3.0
>> +S10:64:1:60:M*,S,T,N,W6:	Linux:3.1::Linux 3.1
>> +S10:64:1:60:M*,S,T,N,W7:	Linux:3.4-3.10::Linux 3.4 - 3.10
>> +S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-3.19::Linux 3.11 - 3.19
>> +S20:64:1:60:M*,S,T,N,W7:	Linux:4.0-4.19::Linux 4.0 - 4.19
> 
> Probably merge these two lines above? ie.
> 
> S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-4.19::Linux 3.11 - 4.19
> 

I split this one by following the pattern of similar situations for
other fingerprints. eg.

16384:64:1:44:M*:		FreeBSD:2.0-2.2::FreeBSD 2.0-4.2
16384:64:1:44:M*:		FreeBSD:3.0-3.5::FreeBSD 2.0-4.2
16384:64:1:44:M*:		FreeBSD:4.0-4.2::FreeBSD 2.0-4.2

65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.2::FreeBSD 4.7-5.2

In my opinion I would make no changes to these two lines. Do you agree?

>> +S44:64:1:60:M*,S,T,N,W7:	Linux:4.20::Linux 4.20
>>
>>  S3:64:1:60:M*,S,T,N,W1:		Linux:2.5::Linux 2.5 (sometimes 2.4)
>>  S4:64:1:60:M*,S,T,N,W1:		Linux:2.5-2.6::Linux 2.5/2.6
>> @@ -283,6 +288,8 @@ S22:64:1:52:M*,N,N,S,N,W0:	Linux:2.2:ts:Linux 2.2
>> w/o timestamps
>>  65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
>>  65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
>>
>> +65535:64:1:60:M*,N,W6,S,T:	FreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
>> +
>>  # XXX need quirks support
>>  # 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
>>  # 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)


* Re: Update pf.os with newer OS fingerprints
From: Pablo Neira Ayuso @ 2019-02-08 16:45 UTC
  To: Fernando Fernandez Mancera; +Cc: tech, netfilter-devel

On Fri, Feb 08, 2019 at 05:25:38PM +0100, Fernando Fernandez Mancera wrote:
[...]
> On 2/8/19 5:07 PM, Pablo Neira Ayuso wrote:
[...]
> > On Fri, Feb 08, 2019 at 03:06:00PM +0100, Fernando Fernandez Mancera wrote:
[...]
> >> +S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-3.19::Linux 3.11 - 3.19
> >> +S20:64:1:60:M*,S,T,N,W7:	Linux:4.0-4.19::Linux 4.0 - 4.19
> > 
> > Probably merge these two lines above? ie.
> > 
> > S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-4.19::Linux 3.11 - 4.19
> > 
> 
> I split this one by following the pattern of similar situations for
> other fingerprints. eg.
> 
> 16384:64:1:44:M*:		FreeBSD:2.0-2.2::FreeBSD 2.0-4.2
> 16384:64:1:44:M*:		FreeBSD:3.0-3.5::FreeBSD 2.0-4.2
> 16384:64:1:44:M*:		FreeBSD:4.0-4.2::FreeBSD 2.0-4.2
> 
> 65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
> 65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
> 
> In my opinion I would make no changes to these two lines. Do you agree?

That's fine. Thanks for explaining.
