Update pf.os with newer OS fingerprints

Message ID 7d39a0dc-d7bd-7934-1d86-7268bf7c51b9@riseup.net
State Under Review
Delegated to: Pablo Neira
Series
  • Update pf.os with newer OS fingerprints

Commit Message

Fernando Fernandez Mancera Feb. 8, 2019, 2:06 p.m.
Hi,

I have been updating the pf.os signatures with more recent OS
fingerprints. I have checked out new Linux, FreeBSD and OpenBSD but only
Linux and FreeBSD needed new ones. I have been doing this because it is
related to my work during the last Google Summer of Code. In addition,
Michal Zalewski is aware of the new fingerprints too.

Thanks.

P.S: Keep me on Cc. I'm not subscribed to the list.

 S4:64:1:60:M*,S,T,N,W1:		Linux:2.5-2.6::Linux 2.5/2.6
@@ -283,6 +288,8 @@ S22:64:1:52:M*,N,N,S,N,W0:	Linux:2.2:ts:Linux 2.2
w/o timestamps
 65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
 65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.2::FreeBSD 4.7-5.2

+65535:64:1:60:M*,N,W6,S,T:	FreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
+
 # XXX need quirks support
 # 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
 # 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)
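Review bot: the details label on the new line, `FreeBSD 9.0 - 12.0`, puts spaces around the range hyphen while the neighbouring entries in this hunk write `FreeBSD 4.7-5.2`; match the file's existing style. The class range 9.0-12.0 also covers four major releases with the single option layout `M*,N,W6,S,T`, whereas the surrounding FreeBSD classes are split at release boundaries and the commit message only says that "new" FreeBSD was checked; state in the commit message which releases this layout was actually observed on.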

Comments

Pablo Neira Ayuso Feb. 8, 2019, 4:07 p.m. | #1
Hi Fernando,

On Fri, Feb 08, 2019 at 03:06:00PM +0100, Fernando Fernandez Mancera wrote:
> Hi,
> 
> I have been updating the pf.os signatures with more recent OS
> fingerprints. I have checked out new Linux, FreeBSD and OpenBSD but only
> Linux and FreeBSD needed new ones. I have been doing this because it is
> related to my work during the last Google Summer of Code. In addition,
> Michal Zalewski is aware of the new fingerprints too.
> 
> Thanks.
> 
> P.S: Keep me on Cc. I'm not subscribed to the list.
> 
> diff --git etc/pf.os etc/pf.os
> index 41c1bc6a482..8f235876799 100644
> --- etc/pf.os
> +++ etc/pf.os
> @@ -232,6 +232,11 @@ S4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6
> (newer, 3)
>  T4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6 (newer, 4)
> 
>  S10:64:1:60:M*,S,T,N,W4:	Linux:3.0::Linux 3.0
> +S10:64:1:60:M*,S,T,N,W6:	Linux:3.1::Linux 3.1
> +S10:64:1:60:M*,S,T,N,W7:	Linux:3.4-3.10::Linux 3.4 - 3.10
> +S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-3.19::Linux 3.11 - 3.19
> +S20:64:1:60:M*,S,T,N,W7:	Linux:4.0-4.19::Linux 4.0 - 4.19

Probably merge these two lines above? ie.

S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-4.19::Linux 3.11 - 4.19

> +S44:64:1:60:M*,S,T,N,W7:	Linux:4.20::Linux 4.20
> 
>  S3:64:1:60:M*,S,T,N,W1:		Linux:2.5::Linux 2.5 (sometimes 2.4)
>  S4:64:1:60:M*,S,T,N,W1:		Linux:2.5-2.6::Linux 2.5/2.6
> @@ -283,6 +288,8 @@ S22:64:1:52:M*,N,N,S,N,W0:	Linux:2.2:ts:Linux 2.2
> w/o timestamps
>  65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
>  65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
> 
> +65535:64:1:60:M*,N,W6,S,T:	FreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
> +
>  # XXX need quirks support
>  # 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
>  # 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)

Fernando Fernandez Mancera Feb. 8, 2019, 4:25 p.m. | #2
Hi Pablo,

On 2/8/19 5:07 PM, Pablo Neira Ayuso wrote:
> Hi Fernando,
> 
> On Fri, Feb 08, 2019 at 03:06:00PM +0100, Fernando Fernandez Mancera wrote:
>> Hi,
>>
>> I have been updating the pf.os signatures with more recent OS
>> fingerprints. I have checked out new Linux, FreeBSD and OpenBSD but only
>> Linux and FreeBSD needed new ones. I have been doing this because it is
>> related to my work during the last Google Summer of Code. In addition,
>> Michal Zalewski is aware of the new fingerprints too.
>>
>> Thanks.
>>
>> P.S: Keep me on Cc. I'm not subscribed to the list.
>>
>> diff --git etc/pf.os etc/pf.os
>> index 41c1bc6a482..8f235876799 100644
>> --- etc/pf.os
>> +++ etc/pf.os
>> @@ -232,6 +232,11 @@ S4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6
>> (newer, 3)
>>  T4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6 (newer, 4)
>>
>>  S10:64:1:60:M*,S,T,N,W4:	Linux:3.0::Linux 3.0
>> +S10:64:1:60:M*,S,T,N,W6:	Linux:3.1::Linux 3.1
>> +S10:64:1:60:M*,S,T,N,W7:	Linux:3.4-3.10::Linux 3.4 - 3.10
>> +S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-3.19::Linux 3.11 - 3.19
>> +S20:64:1:60:M*,S,T,N,W7:	Linux:4.0-4.19::Linux 4.0 - 4.19
> 
> Probably merge these two lines above? ie.
> 
> S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-4.19::Linux 3.11 - 4.19
> 

I split this one by following the pattern of similar situations for
other fingerprints. eg.

16384:64:1:44:M*:		FreeBSD:2.0-2.2::FreeBSD 2.0-4.2
16384:64:1:44:M*:		FreeBSD:3.0-3.5::FreeBSD 2.0-4.2
16384:64:1:44:M*:		FreeBSD:4.0-4.2::FreeBSD 2.0-4.2

65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.2::FreeBSD 4.7-5.2

In my opinion I would make no changes to these two lines. Do you agree?

>> +S44:64:1:60:M*,S,T,N,W7:	Linux:4.20::Linux 4.20
>>
>>  S3:64:1:60:M*,S,T,N,W1:		Linux:2.5::Linux 2.5 (sometimes 2.4)
>>  S4:64:1:60:M*,S,T,N,W1:		Linux:2.5-2.6::Linux 2.5/2.6
>> @@ -283,6 +288,8 @@ S22:64:1:52:M*,N,N,S,N,W0:	Linux:2.2:ts:Linux 2.2
>> w/o timestamps
>>  65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
>>  65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
>>
>> +65535:64:1:60:M*,N,W6,S,T:	FreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
>> +
>>  # XXX need quirks support
>>  # 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
>>  # 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)

Pablo Neira Ayuso Feb. 8, 2019, 4:45 p.m. | #3
On Fri, Feb 08, 2019 at 05:25:38PM +0100, Fernando Fernandez Mancera wrote:
[...]
> On 2/8/19 5:07 PM, Pablo Neira Ayuso wrote:
[...]
> > On Fri, Feb 08, 2019 at 03:06:00PM +0100, Fernando Fernandez Mancera wrote:
[...]
> >> +S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-3.19::Linux 3.11 - 3.19
> >> +S20:64:1:60:M*,S,T,N,W7:	Linux:4.0-4.19::Linux 4.0 - 4.19
> > 
> > Probably merge these two lines above? ie.
> > 
> > S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-4.19::Linux 3.11 - 4.19
> > 
> 
> I split this one by following the pattern of similar situations for
> other fingerprints. eg.
> 
> 16384:64:1:44:M*:		FreeBSD:2.0-2.2::FreeBSD 2.0-4.2
> 16384:64:1:44:M*:		FreeBSD:3.0-3.5::FreeBSD 2.0-4.2
> 16384:64:1:44:M*:		FreeBSD:4.0-4.2::FreeBSD 2.0-4.2
> 
> 65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
> 65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
> 
> In my opinion I would make no changes to these two lines. Do you agree?

That's fine. Thanks for explaining.
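The merge-or-split question in #1 and #2 comes down to what a pf.os file does with two entries that carry the same fingerprint tuple. The lint below is an added example written for this thread; it is not code from the patch, from the pf.os file, or from the nftables project. It parses entries in the pf.os layout (window:ttl:df:size:options:OS:version:subtype:details), checks that the option layout accounts for the declared packet size, and reports fingerprint tuples shared by several version classes, flagging groups whose details labels disagree, which is where the two new S20 lines depart from the FreeBSD precedent cited in #2. The sample entries are copied from the thread above except the last one, which is constructed to show a size mismatch; the option byte table is an assumption based on standard TCP option encodings, not something read from pf.

```python
"""Lint for pf.os fingerprint entries (added example; not code from the patch,
the pf.os file or the nftables project).

Entry layout, per field:  window:ttl:df:hdrsize:options:OS:version:subtype:details
Option layout tokens:     M<n>/M* MSS, N NOP, W<n>/W* window scale,
                          S SACK permitted, T/T0 timestamp.
"""
from collections import defaultdict

# Assumed byte lengths of each option kind (standard TCP option encodings).
OPTION_SIZES = {"M": 4, "N": 1, "W": 3, "S": 2, "T": 10}
FIXED_HDR = 40  # 20-byte IPv4 header + 20-byte TCP header without options

# Constructed sample: entries copied from the patch and the thread above,
# plus one deliberately wrong entry at the end whose declared header size
# (52) does not match its 20 bytes of options.
SAMPLE = """\
S10:64:1:60:M*,S,T,N,W4:\tLinux:3.0::Linux 3.0
S10:64:1:60:M*,S,T,N,W6:\tLinux:3.1::Linux 3.1
S10:64:1:60:M*,S,T,N,W7:\tLinux:3.4-3.10::Linux 3.4 - 3.10
S20:64:1:60:M*,S,T,N,W7:\tLinux:3.11-3.19::Linux 3.11 - 3.19
S20:64:1:60:M*,S,T,N,W7:\tLinux:4.0-4.19::Linux 4.0 - 4.19
S44:64:1:60:M*,S,T,N,W7:\tLinux:4.20::Linux 4.20
16384:64:1:44:M*:\t\tFreeBSD:2.0-2.2::FreeBSD 2.0-4.2
16384:64:1:44:M*:\t\tFreeBSD:3.0-3.5::FreeBSD 2.0-4.2
16384:64:1:44:M*:\t\tFreeBSD:4.0-4.2::FreeBSD 2.0-4.2
65535:64:1:60:M*,N,W1,N,N,T:\tFreeBSD:4.7-4.11::FreeBSD 4.7-5.2
65535:64:1:60:M*,N,W1,N,N,T:\tFreeBSD:5.0-5.2::FreeBSD 4.7-5.2
65535:64:1:60:M*,N,W6,S,T:\tFreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
# XXX need quirks support (comment lines are skipped)
S10:64:1:52:M*,S,T,N,W7:\tBogus:1.0::constructed size mismatch
"""


def option_bytes(options):
    """Byte count of an option layout such as 'M*,N,W6,S,T' (empty = bare SYN)."""
    total = 0
    for opt in filter(None, options.split(",")):
        kind = opt[0]
        if kind not in OPTION_SIZES:
            raise ValueError(f"unknown option token {opt!r}")
        total += OPTION_SIZES[kind]
    return total


def parse_entry(line):
    """Split one signature line into its nine colon-separated fields."""
    fields = [f.strip() for f in line.split(":")]
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    window, ttl, df, hdr, opts, os_name, version, subtype, details = fields
    return {"fingerprint": (window, ttl, df, int(hdr), opts),
            "os": os_name, "version": version,
            "subtype": subtype, "details": details}


def lint(text):
    """Return (size_mismatches, shared) for a pf.os fragment.

    size_mismatches: [(line, declared_hdr, hdr_implied_by_options), ...]
    shared: {fingerprint: [(os, version, details), ...]} for every fingerprint
            tuple that appears under more than one OS/version class.
    """
    size_mismatches = []
    by_fingerprint = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        declared = entry["fingerprint"][3]
        implied = FIXED_HDR + option_bytes(entry["fingerprint"][4])
        if declared != implied:
            size_mismatches.append((line, declared, implied))
        by_fingerprint[entry["fingerprint"]].append(
            (entry["os"], entry["version"], entry["details"]))
    shared = {fp: classes for fp, classes in by_fingerprint.items()
              if len({(o, v) for o, v, _ in classes}) > 1}
    return size_mismatches, shared


def label_conflicts(shared):
    """Fingerprints whose sharing entries do not agree on the details label.

    The existing FreeBSD groups use one label for the whole group; the two new
    S20 Linux entries in the sample do not.
    """
    return [fp for fp, classes in shared.items()
            if len({d for _, _, d in classes}) > 1]


if __name__ == "__main__":
    mismatches, shared = lint(SAMPLE)
    for line, declared, implied in mismatches:
        print(f"size mismatch (declared {declared}, options imply {implied}): {line}")
    for fp, classes in shared.items():
        flag = " [details labels differ]" if fp in label_conflicts(shared) else ""
        print(f"shared fingerprint {fp}:{flag}")
        for os_name, version, details in classes:
            print(f"    {os_name} {version:<10} {details}")
```

Run against the real etc/pf.os by replacing `SAMPLE` with the file contents; the size check catches typos in the fourth field, and the shared-fingerprint report shows every group that relies on the "same signature, several version classes" convention, so a reviewer can decide per group whether the labels are consistent.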

Patch

diff --git etc/pf.os etc/pf.os
index 41c1bc6a482..8f235876799 100644
--- etc/pf.os
+++ etc/pf.os
@@ -232,6 +232,11 @@  S4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6
(newer, 3)
 T4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6 (newer, 4)

 S10:64:1:60:M*,S,T,N,W4:	Linux:3.0::Linux 3.0
+S10:64:1:60:M*,S,T,N,W6:	Linux:3.1::Linux 3.1
+S10:64:1:60:M*,S,T,N,W7:	Linux:3.4-3.10::Linux 3.4 - 3.10
+S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-3.19::Linux 3.11 - 3.19
+S20:64:1:60:M*,S,T,N,W7:	Linux:4.0-4.19::Linux 4.0 - 4.19
+S44:64:1:60:M*,S,T,N,W7:	Linux:4.20::Linux 4.20

 S3:64:1:60:M*,S,T,N,W1:		Linux:2.5::Linux 2.5 (sometimes 2.4)
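Review bot: the two `S20:64:1:60:M*,S,T,N,W7:` lines share one fingerprint but carry different details labels (`Linux 3.11 - 3.19` and `Linux 4.0 - 4.19`), whereas the FreeBSD precedent cited in #2 for splitting such a group gives every entry the same details string (`FreeBSD 2.0-4.2` on all three 16384 lines, `FreeBSD 4.7-5.2` on both 65535 lines); if the split is kept, put the same label, e.g. `Linux 3.11 - 4.19`, on both lines. Two smaller points: `Linux:3.1` followed by `Linux:3.4-3.10` leaves 3.2 and 3.3 unaccounted for, so the commit message should say whether those kernels were checked, and the new details labels use spaces around the range hyphen (`Linux 3.4 - 3.10`) while the existing entries in the file write ranges without them.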