Project

General

Profile

Feature #14444 » Sigdatabase.txt

p0f current database with 23.05 - Jonathan Lee, 06/02/2023 02:56 PM

 
1
;
2
; p0f - fingerprint database
3
; --------------------------
4
;
5
; See section 5 in the README for a detailed discussion of the format used here.
6
;
7
; Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>
8
;
9
; Distributed under the terms and conditions of GNU LGPL.
10
;
11

    
12
classes = win,unix,other
13

    
14
; ==============
15
; MTU signatures
16
; ==============
17

    
18
[mtu]
19

    
20
; The most common values, used by Ethernet-homed systems, PPP over POTS, PPPoA
21
; DSL, etc:
22

    
23
label = Ethernet or modem
24
sig   = 576
25
sig   = 1500
26

    
27
; Common DSL-specific values (1492 is canonical for PPPoE, but ISPs tend to
28
; horse around a bit):
29

    
30
label = DSL
31
sig   = 1452
32
sig   = 1454
33
sig   = 1492
34

    
35
; Miscellanous tunnels (including VPNs, IPv6 tunneling, etc):
36

    
37
label = GIF
38
sig   = 1240
39
sig   = 1280
40

    
41
label = generic tunnel or VPN
42
sig   = 1300
43
sig   = 1400
44
sig   = 1420
45
sig   = 1440
46
sig   = 1450
47
sig   = 1460
48

    
49
label = IPSec or GRE
50
sig   = 1476
51

    
52
label = IPIP or SIT
53
sig   = 1480
54

    
55
label = PPTP
56
sig   = 1490
57

    
58
; Really exotic stuff:
59

    
60
label = AX.25 radio modem
61
sig   = 256
62

    
63
label = SLIP
64
sig   = 552
65

    
66
label = Google
67
sig   = 1470
68

    
69
label = VLAN
70
sig   = 1496
71

    
72
label = Ericsson HIS modem
73
sig   = 1656
74

    
75
label = jumbo Ethernet
76
sig   = 9000
77

    
78
; Loopback interfaces on Linux and other systems:
79

    
80
label = loopback
81
sig   = 3924
82
sig   = 16384
83
sig   = 16436
84

    
85
; ==================
86
; TCP SYN signatures
87
; ==================
88

    
89
[tcp:request]
90

    
91
; -----
92
; Linux
93
; -----
94

    
95
label = s:unix:Linux:3.11 and newer
96
sig   = *:64:0:*:mss*20,10:mss,sok,ts,nop,ws:df,id+:0
97
sig   = *:64:0:*:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
98

    
99
label = s:unix:Linux:3.1-3.10
100
sig   = *:64:0:*:mss*10,4:mss,sok,ts,nop,ws:df,id+:0
101
sig   = *:64:0:*:mss*10,5:mss,sok,ts,nop,ws:df,id+:0
102
sig   = *:64:0:*:mss*10,6:mss,sok,ts,nop,ws:df,id+:0
103
sig   = *:64:0:*:mss*10,7:mss,sok,ts,nop,ws:df,id+:0
104

    
105
; Fun fact: 2.6 with ws=7 seems to be really common for Amazon EC2, while 8 is
106
; common for Yahoo and Twitter. There seem to be some other (rare) uses, though,
107
; so not I'm not flagging these signatures in a special way.
108

    
109
label = s:unix:Linux:2.6.x
110
sig   = *:64:0:*:mss*4,6:mss,sok,ts,nop,ws:df,id+:0
111
sig   = *:64:0:*:mss*4,7:mss,sok,ts,nop,ws:df,id+:0
112
sig   = *:64:0:*:mss*4,8:mss,sok,ts,nop,ws:df,id+:0
113

    
114
label = s:unix:Linux:2.4.x
115
sig   = *:64:0:*:mss*4,0:mss,sok,ts,nop,ws:df,id+:0
116
sig   = *:64:0:*:mss*4,1:mss,sok,ts,nop,ws:df,id+:0
117
sig   = *:64:0:*:mss*4,2:mss,sok,ts,nop,ws:df,id+:0
118

    
119
; No real traffic seen for 2.2 & 2.0, signatures extrapolated from p0f2 data:
120

    
121
label = s:unix:Linux:2.2.x
122
sig   = *:64:0:*:mss*11,0:mss,sok,ts,nop,ws:df,id+:0
123
sig   = *:64:0:*:mss*20,0:mss,sok,ts,nop,ws:df,id+:0
124
sig   = *:64:0:*:mss*22,0:mss,sok,ts,nop,ws:df,id+:0
125

    
126
label = s:unix:Linux:2.0
127
sig   = *:64:0:*:mss*12,0:mss::0
128
sig   = *:64:0:*:16384,0:mss::0
129

    
130
; Just to keep people testing locally happy (IPv4 & IPv6):
131

    
132
label = s:unix:Linux:3.x (loopback)
133
sig   = *:64:0:16396:mss*2,4:mss,sok,ts,nop,ws:df,id+:0
134
sig   = *:64:0:16376:mss*2,4:mss,sok,ts,nop,ws:df,id+:0
135

    
136
label = s:unix:Linux:2.6.x (loopback)
137
sig   = *:64:0:16396:mss*2,2:mss,sok,ts,nop,ws:df,id+:0
138
sig   = *:64:0:16376:mss*2,2:mss,sok,ts,nop,ws:df,id+:0
139

    
140
label = s:unix:Linux:2.4.x (loopback)
141
sig   = *:64:0:16396:mss*2,0:mss,sok,ts,nop,ws:df,id+:0
142

    
143
label = s:unix:Linux:2.2.x (loopback)
144
sig   = *:64:0:3884:mss*8,0:mss,sok,ts,nop,ws:df,id+:0
145

    
146
; Various distinctive flavors of Linux:
147

    
148
label = s:unix:Linux:2.6.x (Google crawler)
149
sig   = 4:64:0:1430:mss*4,6:mss,sok,ts,nop,ws::0
150

    
151
label = s:unix:Linux:(Android)
152
sig   = *:64:0:*:mss*44,1:mss,sok,ts,nop,ws:df,id+:0
153
sig   = *:64:0:*:mss*44,3:mss,sok,ts,nop,ws:df,id+:0
154

    
155
; Catch-all rules:
156

    
157
label = g:unix:Linux:3.x
158
sig   = *:64:0:*:mss*10,*:mss,sok,ts,nop,ws:df,id+:0
159

    
160
label = g:unix:Linux:2.4.x-2.6.x
161
sig   = *:64:0:*:mss*4,*:mss,sok,ts,nop,ws:df,id+:0
162

    
163
label = g:unix:Linux:2.2.x-3.x
164
sig   = *:64:0:*:*,*:mss,sok,ts,nop,ws:df,id+:0
165

    
166
label = g:unix:Linux:2.2.x-3.x (no timestamps)
167
sig   = *:64:0:*:*,*:mss,nop,nop,sok,nop,ws:df,id+:0
168

    
169
label = g:unix:Linux:2.2.x-3.x (barebone)
170
sig   = *:64:0:*:*,0:mss:df,id+:0
171

    
172
; -------
173
; Windows
174
; -------
175

    
176
label = s:win:Windows:XP
177
sig   = *:128:0:*:16384,0:mss,nop,nop,sok:df,id+:0
178
sig   = *:128:0:*:65535,0:mss,nop,nop,sok:df,id+:0
179
sig   = *:128:0:*:65535,0:mss,nop,ws,nop,nop,sok:df,id+:0
180
sig   = *:128:0:*:65535,1:mss,nop,ws,nop,nop,sok:df,id+:0
181
sig   = *:128:0:*:65535,2:mss,nop,ws,nop,nop,sok:df,id+:0
182

    
183
label = s:win:Windows:7 or 8
184
sig   = *:128:0:*:8192,0:mss,nop,nop,sok:df,id+:0
185
sig   = *:128:0:*:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0
186
sig   = *:128:0:*:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
187
sig   = *:128:0:*:8192,2:mss,nop,ws,sok,ts:df,id+:0
188

    
189
; Robots with distinctive fingerprints:
190

    
191
label = s:win:Windows:7 (Websense crawler)
192
sig   = *:64:0:1380:mss*4,6:mss,nop,nop,ts,nop,ws:df,id+:0
193
sig   = *:64:0:1380:mss*4,7:mss,nop,nop,ts,nop,ws:df,id+:0
194

    
195
; Catch-all:
196

    
197
label = g:win:Windows:NT kernel 5.x
198
sig   = *:128:0:*:16384,*:mss,nop,nop,sok:df,id+:0
199
sig   = *:128:0:*:65535,*:mss,nop,nop,sok:df,id+:0
200
sig   = *:128:0:*:16384,*:mss,nop,ws,nop,nop,sok:df,id+:0
201
sig   = *:128:0:*:65535,*:mss,nop,ws,nop,nop,sok:df,id+:0
202

    
203
label = g:win:Windows:NT kernel 6.x
204
sig   = *:128:0:*:8192,*:mss,nop,nop,sok:df,id+:0
205
sig   = *:128:0:*:8192,*:mss,nop,ws,nop,nop,sok:df,id+:0
206

    
207
label = g:win:Windows:NT kernel
208
sig   = *:128:0:*:*,*:mss,nop,nop,sok:df,id+:0
209
sig   = *:128:0:*:*,*:mss,nop,ws,nop,nop,sok:df,id+:0
210

    
211
; ------
212
; Mac OS
213
; ------
214

    
215
label = s:unix:Mac OS X:10.x
216
sig   = *:64:0:*:65535,1:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0
217
sig   = *:64:0:*:65535,3:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0
218

    
219
label = s:unix:MacOS X:10.9 or newer (sometimes iPhone or iPad)
220
sig   = *:64:0:*:65535,4:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0
221

    
222
label = s:unix:iOS:iPhone or iPad
223
sig   = *:64:0:*:65535,2:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0
224

    
225
; Catch-all rules:
226

    
227
label = g:unix:Mac OS X:
228
sig   = *:64:0:*:65535,*:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0
229

    
230
; -------
231
; FreeBSD
232
; -------
233

    
234
label = s:unix:FreeBSD:9.x or newer
235
sig   = *:64:0:*:65535,6:mss,nop,ws,sok,ts:df,id+:0
236

    
237
label = s:unix:FreeBSD:8.x
238
sig   = *:64:0:*:65535,3:mss,nop,ws,sok,ts:df,id+:0
239

    
240
; Catch-all rules:
241

    
242
label = g:unix:FreeBSD:
243
sig   = *:64:0:*:65535,*:mss,nop,ws,sok,ts:df,id+:0
244

    
245
; -------
246
; OpenBSD
247
; -------
248

    
249
label = s:unix:OpenBSD:3.x
250
sig   = *:64:0:*:16384,0:mss,nop,nop,sok,nop,ws,nop,nop,ts:df,id+:0
251

    
252
label = s:unix:OpenBSD:4.x-5.x
253
sig   = *:64:0:*:16384,3:mss,nop,nop,sok,nop,ws,nop,nop,ts:df,id+:0
254

    
255
; -------
256
; Solaris
257
; -------
258

    
259
label = s:unix:Solaris:8
260
sig   = *:64:0:*:32850,1:nop,ws,nop,nop,ts,nop,nop,sok,mss:df,id+:0
261

    
262
label = s:unix:Solaris:10
263
sig   = *:64:0:*:mss*34,0:mss,nop,ws,nop,nop,sok:df,id+:0
264

    
265
; -------
266
; OpenVMS
267
; -------
268

    
269
label = s:unix:OpenVMS:8.x
270
sig   = 4:128:0:1460:mtu*2,0:mss,nop,ws::0
271

    
272
label = s:unix:OpenVMS:7.x
273
sig   = 4:64:0:1460:61440,0:mss,nop,ws::0
274

    
275
; --------
276
; NeXTSTEP
277
; --------
278

    
279
label = s:other:NeXTSTEP:
280
sig   = 4:64:0:1024:mss*4,0:mss::0
281

    
282
; -----
283
; Tru64
284
; -----
285

    
286
label = s:unix:Tru64:4.x
287
sig   = 4:64:0:1460:32768,0:mss,nop,ws:df,id+:0
288

    
289
; ----
290
; NMap
291
; ----
292

    
293
label = s:!:NMap:SYN scan
294
sys   = @unix,@win
295
sig   = *:64-:0:1460:1024,0:mss::0
296
sig   = *:64-:0:1460:2048,0:mss::0
297
sig   = *:64-:0:1460:3072,0:mss::0
298
sig   = *:64-:0:1460:4096,0:mss::0
299

    
300
label = s:!:NMap:OS detection
301
sys   = @unix,@win
302
sig   = *:64-:0:265:512,0:mss,sok,ts:ack+:0
303
sig   = *:64-:0:0:4,10:sok,ts,ws,eol+0:ack+:0
304
sig   = *:64-:0:1460:1,10:ws,nop,mss,ts,sok:ack+:0
305
sig   = *:64-:0:536:16,10:mss,sok,ts,ws,eol+0:ack+:0
306
sig   = *:64-:0:640:4,5:ts,nop,nop,ws,nop,mss:ack+:0
307
sig   = *:64-:0:1400:63,0:mss,ws,sok,ts,eol+0:ack+:0
308
sig   = *:64-:0:265:31337,10:ws,nop,mss,ts,sok:ack+:0
309
sig   = *:64-:0:1460:3,10:ws,nop,mss,sok,nop,nop:ecn,uptr+:0
310

    
311
; -----------
312
; p0f-sendsyn
313
; -----------
314

    
315
; These are intentionally goofy, to avoid colliding with any sensible real-world
316
; stacks. Do not tag these signatures as userspace, unless you want p0f to hide
317
; the responses!
318

    
319
label = s:unix:p0f:sendsyn utility
320
sig   = *:192:0:1331:1337,0:mss,nop,eol+18::0
321
sig   = *:192:0:1331:1337,0:mss,ts,nop,eol+8::0
322
sig   = *:192:0:1331:1337,5:mss,ws,nop,eol+15::0
323
sig   = *:192:0:1331:1337,0:mss,sok,nop,eol+16::0
324
sig   = *:192:0:1331:1337,5:mss,ws,ts,nop,eol+5::0
325
sig   = *:192:0:1331:1337,0:mss,sok,ts,nop,eol+6::0
326
sig   = *:192:0:1331:1337,5:mss,ws,sok,nop,eol+13::0
327
sig   = *:192:0:1331:1337,5:mss,ws,sok,ts,nop,eol+3::0
328

    
329
; -------------
330
; Odds and ends
331
; -------------
332

    
333
label = s:other:Blackberry:
334
sig   = *:128:0:1452:65535,0:mss,nop,nop,sok,nop,nop,ts::0
335

    
336
label = s:other:Nintendo:3DS
337
sig   = *:64:0:1360:32768,0:mss,nop,nop,sok:df,id+:0
338

    
339
label = s:other:Nintendo:Wii
340
sig   = 4:64:0:1460:32768,0:mss,nop,nop,sok:df,id+:0
341

    
342
label = s:unix:BaiduSpider:
343
sig   = *:64:0:1460:mss*4,7:mss,sok,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,ws:df,id+:0
344
sig   = *:64:0:1460:mss*4,2:mss,sok,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,ws:df,id+:0
345

    
346
; ======================
347
; TCP SYN+ACK signatures
348
; ======================
349

    
350
[tcp:response]
351

    
352
; -----
353
; Linux
354
; -----
355

    
356
; The variation here is due to ws, sok, or ts being adaptively removed if the
357
; client initiating the connection doesn't support them. Use tools/p0f-sendsyn
358
; to get a full set of up to 8 signatures.
359

    
360

    
361
label = s:unix:Linux:3.x
362
sig   = *:64:0:*:mss*10,0:mss:df:0
363
sig   = *:64:0:*:mss*10,0:mss,sok,ts:df:0
364
sig   = *:64:0:*:mss*10,0:mss,nop,nop,ts:df:0
365
sig   = *:64:0:*:mss*10,0:mss,nop,nop,sok:df:0
366
sig   = *:64:0:*:mss*10,*:mss,nop,ws:df:0
367
sig   = *:64:0:*:mss*10,*:mss,sok,ts,nop,ws:df:0
368
sig   = *:64:0:*:mss*10,*:mss,nop,nop,ts,nop,ws:df:0
369
sig   = *:64:0:*:mss*10,*:mss,nop,nop,sok,nop,ws:df:0
370

    
371
label = s:unix:Linux:2.4-2.6
372
sig   = *:64:0:*:mss*4,0:mss:df:0
373
sig   = *:64:0:*:mss*4,0:mss,sok,ts:df:0
374
sig   = *:64:0:*:mss*4,0:mss,nop,nop,ts:df:0
375
sig   = *:64:0:*:mss*4,0:mss,nop,nop,sok:df:0
376

    
377
label = s:unix:Linux:2.4.x
378
sig   = *:64:0:*:mss*4,0:mss,nop,ws:df:0
379
sig   = *:64:0:*:mss*4,0:mss,sok,ts,nop,ws:df:0
380
sig   = *:64:0:*:mss*4,0:mss,nop,nop,ts,nop,ws:df:0
381
sig   = *:64:0:*:mss*4,0:mss,nop,nop,sok,nop,ws:df:0
382

    
383
label = s:unix:Linux:2.6.x
384
sig   = *:64:0:*:mss*4,*:mss,nop,ws:df:0
385
sig   = *:64:0:*:mss*4,*:mss,sok,ts,nop,ws:df:0
386
sig   = *:64:0:*:mss*4,*:mss,nop,nop,ts,nop,ws:df:0
387
sig   = *:64:0:*:mss*4,*:mss,nop,nop,sok,nop,ws:df:0
388

    
389
; -------
390
; Windows
391
; -------
392

    
393
label = s:win:Windows:XP
394
sig   = *:128:0:*:65535,0:mss:df,id+:0
395
sig   = *:128:0:*:65535,0:mss,nop,ws:df,id+:0
396
sig   = *:128:0:*:65535,0:mss,nop,nop,sok:df,id+:0
397
sig   = *:128:0:*:65535,0:mss,nop,nop,ts:df,id+,ts1-:0
398
sig   = *:128:0:*:65535,0:mss,nop,ws,nop,nop,sok:df,id+:0
399
sig   = *:128:0:*:65535,0:mss,nop,ws,nop,nop,ts:df,id+,ts1-:0
400
sig   = *:128:0:*:65535,0:mss,nop,nop,ts,nop,nop,sok:df,id+,ts1-:0
401
sig   = *:128:0:*:65535,0:mss,nop,ws,nop,nop,ts,nop,nop,sok:df,id+,ts1-:0
402

    
403
sig   = *:128:0:*:16384,0:mss:df,id+:0
404
sig   = *:128:0:*:16384,0:mss,nop,ws:df,id+:0
405
sig   = *:128:0:*:16384,0:mss,nop,nop,sok:df,id+:0
406
sig   = *:128:0:*:16384,0:mss,nop,nop,ts:df,id+,ts1-:0
407
sig   = *:128:0:*:16384,0:mss,nop,ws,nop,nop,sok:df,id+:0
408
sig   = *:128:0:*:16384,0:mss,nop,ws,nop,nop,ts:df,id+,ts1-:0
409
sig   = *:128:0:*:16384,0:mss,nop,nop,ts,nop,nop,sok:df,id+,ts1-:0
410
sig   = *:128:0:*:16384,0:mss,nop,ws,nop,nop,ts,nop,nop,sok:df,id+,ts1-:0
411

    
412
label = s:win:Windows:7 or 8
413
sig   = *:128:0:*:8192,0:mss:df,id+:0
414
sig   = *:128:0:*:8192,0:mss,sok,ts:df,id+:0
415
sig   = *:128:0:*:8192,8:mss,nop,ws:df,id+:0
416
sig   = *:128:0:*:8192,0:mss,nop,nop,ts:df,id+:0
417
sig   = *:128:0:*:8192,0:mss,nop,nop,sok:df,id+:0
418
sig   = *:128:0:*:8192,8:mss,nop,ws,sok,ts:df,id+:0
419
sig   = *:128:0:*:8192,8:mss,nop,ws,nop,nop,ts:df,id+:0
420
sig   = *:128:0:*:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
421

    
422
; -------
423
; FreeBSD
424
; -------
425

    
426
label = s:unix:FreeBSD:9.x
427
sig   = *:64:0:*:65535,6:mss,nop,ws:df,id+:0
428
sig   = *:64:0:*:65535,6:mss,nop,ws,sok,ts:df,id+:0
429
sig   = *:64:0:*:65535,6:mss,nop,ws,sok,eol+1:df,id+:0
430
sig   = *:64:0:*:65535,6:mss,nop,ws,nop,nop,ts:df,id+:0
431

    
432
label = s:unix:FreeBSD:8.x
433
sig   = *:64:0:*:65535,3:mss,nop,ws:df,id+:0
434
sig   = *:64:0:*:65535,3:mss,nop,ws,sok,ts:df,id+:0
435
sig   = *:64:0:*:65535,3:mss,nop,ws,sok,eol+1:df,id+:0
436
sig   = *:64:0:*:65535,3:mss,nop,ws,nop,nop,ts:df,id+:0
437

    
438
label = s:unix:FreeBSD:8.x-9.x
439
sig   = *:64:0:*:65535,0:mss,sok,ts:df,id+:0
440
sig   = *:64:0:*:65535,0:mss,sok,eol+1:df,id+:0
441
sig   = *:64:0:*:65535,0:mss,nop,nop,ts:df,id+:0
442

    
443
; -------
444
; OpenBSD
445
; -------
446

    
447
label = s:unix:OpenBSD:5.x
448
sig   = *:64:0:1460:16384,0:mss,nop,nop,sok:df,id+:0
449
sig   = *:64:0:1460:16384,3:mss,nop,ws:df,id+:0
450
sig   = *:64:0:1460:16384,3:mss,nop,nop,sok,nop,ws:df,id+:0
451
sig   = *:64:0:1460:16384,0:mss,nop,nop,ts:df,id+:0
452
sig   = *:64:0:1460:16384,0:mss,nop,nop,sok,nop,nop,ts:df,id+:0
453
sig   = *:64:0:1460:16384,3:mss,nop,ws,nop,nop,ts:df,id+:0
454
sig   = *:64:0:1460:16384,3:mss,nop,nop,sok,nop,ws,nop,nop,ts:df,id+:0
455

    
456
; This one resembles Windows, but almost nobody will be seeing it:
457
; sig   = *:64:0:1460:16384,0:mss:df,id+:0
458

    
459
; --------
460
; Mac OS X
461
; --------
462

    
463
label = s:unix:Mac OS X:10.x
464
sig   = *:64:0:*:65535,0:mss,nop,ws:df,id+:0
465
sig   = *:64:0:*:65535,0:mss,sok,eol+1:df,id+:0
466
sig   = *:64:0:*:65535,0:mss,nop,nop,ts:df,id+:0
467
sig   = *:64:0:*:65535,0:mss,nop,ws,sok,eol+1:df,id+:0
468
sig   = *:64:0:*:65535,0:mss,nop,ws,nop,nop,ts:df,id+:0
469
sig   = *:64:0:*:65535,0:mss,nop,nop,ts,sok,eol+1:df,id+:0
470
sig   = *:64:0:*:65535,0:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0
471

    
472
; Ditto:
473
; sig   = *:64:0:*:65535,0:mss:df,id+:0
474

    
475
; -------
476
; Solaris
477
; -------
478

    
479
label = s:unix:Solaris:6
480
sig   = 4:255:0:*:mss*7,0:mss:df,id+:0
481
sig   = 4:255:0:*:mss*7,0:nop,ws,mss:df,id+:0
482
sig   = 4:255:0:*:mss*7,0:nop,nop,ts,mss:df,id+:0
483
sig   = 4:255:0:*:mss*7,0:nop,nop,ts,nop,ws,mss:df,id+:0
484

    
485
label = s:unix:Solaris:8
486
sig   = *:64:0:*:mss*19,0:mss:df,id+:0
487
sig   = *:64:0:*:mss*19,0:nop,ws,mss:df,id+:0
488
sig   = *:64:0:*:mss*19,0:nop,nop,ts,mss:df,id+:0
489
sig   = *:64:0:*:mss*19,0:nop,nop,sok,mss:df,id+:0
490
sig   = *:64:0:*:mss*19,0:nop,nop,ts,nop,ws,mss:df,id+:0
491
sig   = *:64:0:*:mss*19,0:nop,ws,nop,nop,sok,mss:df,id+:0
492
sig   = *:64:0:*:mss*19,0:nop,nop,ts,nop,nop,sok,mss:df,id+:0
493
sig   = *:64:0:*:mss*19,0:nop,nop,ts,nop,ws,nop,nop,sok,mss:df,id+:0
494

    
495
label = s:unix:Solaris:10
496
sig   = *:64:0:*:mss*37,0:mss:df,id+:0
497
sig   = *:64:0:*:mss*37,0:mss,nop,ws:df,id+:0
498
sig   = *:64:0:*:mss*37,0:nop,nop,ts,mss:df,id+:0
499
sig   = *:64:0:*:mss*37,0:mss,nop,nop,sok:df,id+:0
500
sig   = *:64:0:*:mss*37,0:nop,nop,ts,mss,nop,ws:df,id+:0
501
sig   = *:64:0:*:mss*37,0:mss,nop,ws,nop,nop,sok:df,id+:0
502
sig   = *:64:0:*:mss*37,0:nop,nop,ts,mss,nop,nop,sok:df,id+:0
503
sig   = *:64:0:*:mss*37,0:nop,nop,ts,mss,nop,ws,nop,nop,sok:df,id+:0
504

    
505
; -----
506
; HP-UX
507
; -----
508

    
509
label = s:unix:HP-UX:11.x
510
sig   = *:64:0:*:32768,0:mss:df,id+:0
511
sig   = *:64:0:*:32768,0:mss,ws,nop:df,id+:0
512
sig   = *:64:0:*:32768,0:mss,nop,nop,ts:df,id+:0
513
sig   = *:64:0:*:32768,0:mss,nop,nop,sok:df,id+:0
514
sig   = *:64:0:*:32768,0:mss,ws,nop,nop,nop,ts:df,id+:0
515
sig   = *:64:0:*:32768,0:mss,nop,nop,sok,ws,nop:df,id+:0
516
sig   = *:64:0:*:32768,0:mss,nop,nop,sok,nop,nop,ts:df,id+:0
517
sig   = *:64:0:*:32768,0:mss,nop,nop,sok,ws,nop,nop,nop,ts:df,id+:0
518

    
519
; -------
520
; OpenVMS
521
; -------
522

    
523
label = s:other:OpenVMS:7.x
524
sig   = 4:64:0:1460:3993,0:mss::0
525
sig   = 4:64:0:1460:3993,0:mss,nop,ws::0
526

    
527
; -----
528
; Tru64
529
; -----
530

    
531
label = s:unix:Tru64:4.x
532
sig   = 4:64:0:1460:mss*25,0:mss,nop,ws:df,id+:0
533
sig   = 4:64:0:1460:mss*25,0:mss:df,id+:0
534

    
535
; ======================
536
; HTTP client signatures
537
; ======================
538

    
539
; Safari and Firefox are frequently seen using HTTP/1.0 when going through
540
; proxies; this is far less common for MSIE, Chrome, etc. I wildcarded some of
541
; the signatures accordingly.
542
;
543
; Also note that there are several proxies that mess with HTTP headers for no
544
; reason. For example, BlueCoat proxy appears to change 'keep-alive' to
545
; 'Keep-Alive' for a tiny percentage of users (why?!).
546

    
547
[http:request]
548

    
549
ua_os = Linux,Windows,iOS=[iPad],iOS=[iPhone],Mac OS X,FreeBSD,OpenBSD,NetBSD,Solaris=[SunOS]
550

    
551
; -------
552
; Firefox
553
; -------
554

    
555
label = s:!:Firefox:2.x
556
sys   = Windows,@unix
557
sig   = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip,deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],Keep-Alive=[300],Connection=[keep-alive]::Firefox/
558

    
559
label = s:!:Firefox:3.x
560
sys   = Windows,@unix
561
sig   = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip,deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],Keep-Alive=[115],Connection=[keep-alive],?Referer::Firefox/
562

    
563
label = s:!:Firefox:4.x
564
sys   = Windows,@unix
565
sig   = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],Keep-Alive=[115],Connection=[keep-alive],?Referer::Firefox/
566

    
567
; I have no idea where this 'UTF-8' variant comes from, but it happens on *BSD.
568
; Likewise, no clue why Referer is in a different place for some users.
569

    
570
label = s:!:Firefox:5.x-9.x
571
sys   = Windows,@unix
572
sig   = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],?DNT=[1],Connection=[keep-alive],?Referer:Keep-Alive:Firefox/
573
sig   = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[UTF-8,*],?DNT=[1],Connection=[keep-alive],?Referer:Keep-Alive:Firefox/
574
sig   = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[UTF-8,*],?DNT=[1],?Referer,Connection=[keep-alive]:Keep-Alive:Firefox/
575
sig   = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],?DNT=[1],?Referer,Connection=[keep-alive]:Keep-Alive:Firefox/
576
sig   = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language,Accept-Encoding=[gzip, deflate],Accept-Charset=[utf-8;q=0.7,*;q=0.7],?Referer,?DNT=[1],Connection=[keep-alive]:Keep-Alive:Firefox/
577

    
578
label = s:!:Firefox:10.x or newer
579
sys   = Windows,@unix
580
sig   = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language=[;q=],Accept-Encoding=[gzip, deflate],?DNT=[1],Connection=[keep-alive],?Referer:Accept-Charset,Keep-Alive:Firefox/
581
sig   = *:Host,User-Agent,Accept=[,*/*;q=],?Accept-Language=[;q=],Accept-Encoding=[gzip, deflate],?DNT=[1],?Referer,Connection=[keep-alive]:Accept-Charset,Keep-Alive:Firefox/
582

    
583
; There is this one weird case where Firefox 10.x is indistinguishable
584
; from Safari 5.1:
585

    
586
label = s:!:Firefox:10.x or Safari 5.x
587
sys   = Windows,@unix
588
sig   = *:Host,User-Agent,Accept=[xml;q=0.9,*/*;q=0.8],Accept-Language,Accept-Encoding=[gzip, deflate],Connection=[keep-alive]:Keep-Alive,Accept-Charset,DNT,Referer:Gecko
589

    
590
; ----
591
; MSIE
592
; ----
593

    
594
; MSIE 11 no longer sends the 'MSIE' part in U-A, but we don't consider
595
; U-A to be a robust signal for fingerprinting, so no dice.
596

    
597
label = s:!:MSIE:8 or newer
598
sys   = Windows
599
sig   = 1:Accept=[*/*],?Referer,?Accept-Language,User-Agent,Accept-Encoding=[gzip, deflate],Host,Connection=[Keep-Alive]:Keep-Alive,Accept-Charset,UA-CPU:Trident/
600
sig   = 1:Accept=[*/*],?Referer,?Accept-Language,Accept-Encoding=[gzip, deflate],User-Agent,Host,Connection=[Keep-Alive]:Keep-Alive,Accept-Charset:(compatible; MSIE
601

    
602
label = s:!:MSIE:7
603
sys   = Windows
604
sig   = 1:Accept=[*/*],?Referer,?Accept-Language,UA-CPU,User-Agent,Accept-Encoding=[gzip, deflate],Host,Connection=[Keep-Alive]:Keep-Alive,Accept-Charset:(compatible; MSIE
605

    
606
; TODO: Check if this one ever uses Accept-Language, etc. Also try to find MSIE 5.
607

    
608
label = s:!:MSIE:6
609
sys   = Windows
610
sig   = 0:Accept=[*/*],?Referer,User-Agent,Host:Keep-Alive,Connection,Accept-Encoding,Accept-Language,Accept-Charset:(compatible; MSIE
611
sig   = 1:Accept=[*/*],Connection=[Keep-Alive],Host,?Pragma=[no-cache],?Range,?Referer,User-Agent:Keep-Alive,Accept-Encoding,Accept-Language,Accept-Charset:(compatible; MSIE
612

    
613
; ------
614
; Chrome
615
; ------
616

    
617
label = s:!:Chrome:11.x to 26.x
618
sys   = Windows,@unix
619
sig   = 1:Host,Connection=[keep-alive],User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language,Accept-Charset=[utf-8;q=0.7,*;q=0.3]:: Chrom
620
sig   = 1:Host,Connection=[keep-alive],User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language,Accept-Charset=[UTF-8,*;q=0.5]:: Chrom
621
sig   = 1:Host,User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language,Accept-Charset=[utf-8;q=0.7,*;q=0.3],Connection=[keep-alive]::Chrom
622

    
623
label = s:!:Chrome:27.x to 42.x
624
sys   = Windows,@unix
625
sig   = 1:Host,Connection=[keep-alive],Accept=[*/*],User-Agent,?Referer,Accept-Encoding=[gzip,deflate,sdch],Accept-Language:Accept-Charset,Keep-Alive: Chrom
626

    
627
label = s:!:Chrome:43.x or 50.x
628
sys   = Windows,@unix
629
sig   = 1:Host,Connection=[keep-alive],Accept=[*/*],User-Agent,?Referer,Accept-Encoding=[gzip, deflate, sdch],Accept-Language:Accept-Charset,Keep-Alive: Chrom
630

    
631
label = s:!:Chrome:51.x or newer
632
sys   = Windows,@unix
633
sig   = 1:Host,Connection=[keep-alive],Upgrade-Insecure-Requests=[1],User-Agent,Accept=[*/*],Accept-Encoding=[gzip, deflate, sdch],Accept-Language:Accept-Charset,Keep-Alive: Chrom
634

    
635
; -----
636
; Opera
637
; -----
638

    
639
label = s:!:Opera:19.x or newer
640
sys   = Windows,@unix
641
sig   = 1:Host,Connection=[keep-alive],Accept=[*/*;q=0.8],User-Agent,Accept-Encoding=[gzip,deflate,lzma,sdch],Accept-Language=[;q=0.]:Accept-Charset,Keep-Alive:OPR/
642

    
643
label = s:!:Opera:15.x-18.x
644
sys   = Windows,@unix
645
sig   = 1:Host,Connection=[keep-alive],Accept=[*/*;q=0.8],User-Agent,Accept-Encoding=[gzip, deflate],Accept-Language=[;q=0.]:Accept-Charset,Keep-Alive:OPR/
646

    
647
label = s:!:Opera:11.x-14.x
648
sys   = Windows,@unix
649
sig   = 1:User-Agent,Host,Accept=[*/*;q=0.1],?Accept-Language=[;q=0.],Accept-Encoding=[gzip, deflate],Connection=[Keep-Alive]:Accept-Charset,X-OperaMini-Phone-UA:) Presto/
650

    
651
label = s:!:Opera:10.x
652
sys   = Windows,@unix
653
sig   = 1:User-Agent,Host,Accept=[*/*;q=0.1],Accept-Language=[;q=0.],Accept-Charset=[utf-8, utf-16, *;q=0.1],Accept-Encoding=[deflate, gzip, x-gzip, identity, *;q=0],Connection=[Keep-Alive]::Presto/
654
sig   = 1:User-Agent,Host,Accept=[*/*;q=0.1],Accept-Language=[en],Accept-Encoding=[gzip, deflate],Connection=[Keep-Alive]:Accept-Charset:Opera/
655

    
656
label = s:!:Opera:Mini
657
sys   = Linux
658
sig   = 1:User-Agent,Host,Accept=[*/*;q=0.1],Accept-Language=[;q=0.],Accept-Encoding=[gzip, deflate],Connection=[Keep-Alive],X-OperaMini-Phone-UA,X-OperaMini-Features,X-OperaMini-Phone,x-forwarded-for:Accept-Charset:Opera Mini/
659

    
660
label = s:!:Opera:on Nintendo Wii
661
sys   = Nintendo
662
sig   = 1:User-Agent,Host,Accept=[*/*;q=0.1],Accept-Language=[en],Accept-Charset=[iso-8859-1, utf-8, utf-16, *;q=0.1],Accept-Encoding=[deflate, gzip, x-gzip, identity, *;q=0],Connection=[Keep-Alive]::Nintendo
663

    
664
; ---------------
665
; Android browser
666
; ---------------
667

    
668
label = s:!:Android:2.x
669
sys   = Linux
670
sig   = 1:Host,Accept-Encoding=[gzip],Accept-Language,User-Agent,Accept=[,*/*;q=0.5],Accept-Charset=[utf-16, *;q=0.7]:Connection:Android
671
sig   = 1:Host,Connection=[keep-alive],Accept-Encoding=[gzip],Accept-Language,User-Agent,Accept=[,*/*;q=0.5],Accept-Charset=[utf-16, *;q=0.7]::Android
672
sig   = 1:Host,Accept-Encoding=[gzip],Accept-Language=[en-US],Accept=[*/*;q=0.5],User-Agent,Accept-Charset=[utf-16, *;q=0.7]:Connection:Android
673

    
674
label = s:!:Android:4.x
675
sys   = Linux
676
sig   = 1:Host,Connection=[keep-alive],Accept=[,*/*;q=0.8],User-Agent,Accept-Encoding=[gzip,deflate],Accept-Language,Accept-Charset=[utf-16, *;q=0.7]::Android
677

    
678
; ------
679
; Safari
680
; ------
681

    
682
label = s:!:Safari:7 or newer
683
sys   = @unix
684
sig   = *:Host,Accept-Encoding=[gzip, deflate],Connection=[keep-alive],Accept=[*/*],User-Agent,Accept-Language,?Referer,?DNT:Accept-Charset,Keep-Alive:KHTML, like Gecko)
685

    
686
label = s:!:Safari:5.1-6
687
sys   = Windows,@unix
688
sig   = *:Host,User-Agent,Accept=[*/*],?Referer,Accept-Language,Accept-Encoding=[gzip, deflate],Connection=[keep-alive]:Accept-Charset:KHTML, like Gecko)
689
sig   = *:Host,User-Agent,Accept=[*/*],?Referer,Accept-Encoding=[gzip, deflate],Accept-Language,Connection=[keep-alive]:Accept-Charset:KHTML, like Gecko)
690

    
691
label = s:!:Safari:5.0 or earlier
692
sys   = Mac OS X
693
sig   = 0:Host,User-Agent,Connection=[close]:Accept,Accept-Encoding,Accept-Language,Accept-Charset:CFNetwork/
694

    
695
; ---------
696
; Konqueror
697
; ---------
698

    
699
label = s:!:Konqueror:4.6 or earlier
700
sys   = Linux,FreeBSD,OpenBSD
701
sig   = 1:Host,Connection=[Keep-Alive],User-Agent,?Pragma,?Cache-control,Accept=[*/*],Accept-Encoding=[x-gzip, x-deflate, gzip, deflate],Accept-Charset=[;q=0.5, *;q=0.5],Accept-Language::Konqueror/
702

    
703
label = s:!:Konqueror:4.7 or newer
704
sys   = Linux,FreeBSD,OpenBSD
705
sig   = 1:Host,Connection=[keep-alive],User-Agent,Accept=[*/*],Accept-Encoding=[gzip, deflate, x-gzip, x-deflate],Accept-Charset=[,*;q=0.5],Accept-Language::Konqueror/
706

    
707
; -------------------
708
; Major search robots
709
; -------------------
710

    
711
label = s:!:BaiduSpider:
712
sys   = BaiduSpider
713
sig   = 1:Host,Connection=[close],User-Agent,Accept=[*/*]:Accept-Encoding,Accept-Language,Accept-Charset:Baiduspider-image
714
sig   = 1:Host,Accept-Language=[zh-cn],Connection=[close],User-Agent:Accept,Accept-Encoding,Accept-Charset:Baiduspider
715
sig   = 1:Host,Connection=[close],User-Agent,Accept-Language=[zh-cn,zh-tw],Accept-Encoding=[gzip],Accept=[*/*]:Accept-Charset:Baiduspider
716
sig   = 1:Host,Connection=[close],User-Agent,Accept-Language=[tr-TR],Accept-Encoding=[gzip],Accept=[*/*]:Accept-Charset:Baiduspider
717
sig   = 1:Host,Connection=[close],User-Agent,Accept-Encoding=[gzip],?Accept-Language=[zh-cn,zh-tw],Accept=[*/*]:Accept-Charset:Baiduspider
718
sig   = 1:Host,Connection=[close],User-Agent,Accept-Encoding=[gzip],Accept-Language=[tr-TR],Accept=[*/*]:Accept-Charset:Baiduspider
719

    
720
label = s:!:Googlebot:
721
sys   = Linux
722
sig   = 1:Host,Connection=[Keep-alive],Accept=[*/*],From=[googlebot(at)googlebot.com],User-Agent,Accept-Encoding=[gzip,deflate],?If-Modified-Since:Accept-Language,Accept-Charset:Googlebot
723
sig   = 1:Host,Connection=[Keep-alive],Accept=[text/plain],Accept=[text/html],From=[googlebot(at)googlebot.com],User-Agent,Accept-Encoding=[gzip,deflate]:Accept-Language,Accept-Charset:Googlebot
724

    
725
label = s:!:Googlebot:feed fetcher
726
sys   = Linux
727
sig   = 1:Host,Connection=[Keep-alive],Accept=[*/*],User-Agent,Accept-Encoding=[gzip,deflate],?If-Modified-Since:Accept-Language,Accept-Charset:-Google
728
sig   = 1:User-Agent,?X-shindig-dos=[on],Cache-Control,Host,?X-Forwarded-For,Accept-Encoding=[gzip],?Accept-Language:Connection,Accept,Accept-Charset:Feedfetcher-Google
729

    
730
label = s:!:Bingbot:
731
sys   = Windows
732
sig   = 1:Cache-Control,Connection=[Keep-Alive],Pragma=[no-cache],Accept=[*/*],Accept-Encoding,Host,User-Agent:Accept-Language,Accept-Charset:bingbot/
733

    
734
; MSNbot has a really silly Accept header, only a tiny part of which is preserved here:
735

    
736
label = s:!:MSNbot:
737
sys   = Windows
738
sig   = 1:Connection=[Close],Accept,Accept-Encoding=[gzip, deflate],From=[msnbot(at)microsoft.com],Host,User-Agent:Accept-Language,Accept-Charset:msnbot
739

    
740
label = s:!:Yandex:crawler
741
sys   = FreeBSD
742
sig   = 1:Host,Connection=[Keep-Alive],Accept=[*/*],Accept-Encoding=[gzip,deflate],Accept-Language=[en-us, en;q=0.7, *;q=0.01],User-Agent,From=[support@search.yandex.ru]:Accept-Charset:YandexBot/
743
sig   = 1:Host,Connection=[Keep-Alive],Accept=[image/jpeg, image/pjpeg, image/png, image/gif],User-Agent,From=[support@search.yandex.ru]:Accept-Encoding,Accept-Language,Accept-Charset:YandexImages/
744
sig   = 1:Host,Connection=[Keep-Alive],User-Agent,From=[support@search.yandex.ru]:Accept,Accept-Encoding,Accept-Language,Accept-Charset:YandexBot/
745

    
746
label = s:!:Yahoo:crawler
747
sys   = Linux
748
sig   = 0:Host,User-Agent,Accept=[,image/png,*/*;q=0.5],Accept-Language=[en-us,en;q=0.5],Accept-Encoding=[gzip],Accept-Charset=[,utf-8;q=0.7,*;q=0.7]:Connection:Slurp
749

    
750
; -----------------
751
; Misc other robots
752
; -----------------
753

    
754
label = s:!:Flipboard:crawler
755
sys   = Linux
756
sig   = 1:User-Agent,Accept-Language=[en-us,en;q=0.5],Accept-Charset=[;q=0.7,*;q=0.5],Accept-Encoding=[gzip],Host,Accept=[*; q=.2, */*; q=.2],Connection=[keep-alive]::FlipboardProxy
757
sig   = 1:Accept-language=[en-us,en;q=0.5],Accept-encoding=[gzip],Accept=[;q=0.9,*/*;q=0.8],User-agent,Host:User-Agent,Connection,Accept-Encoding,Accept-Language,Accept-Charset:FlipboardProxy
758

    
759
label = s:!:Spinn3r:crawler
760
sys   = Linux
761
sig   = 1:User-Agent,Accept-Encoding=[gzip],Host,Accept=[*; q=.2, */*; q=.2],Connection=[close]:Accept-Language,Accept-Charset:Spinn3r
762

    
763
label = s:!:Facebook:crawler
764
sys   = Linux
765
sig   = 1:User-Agent,Host,Accept=[*/*],Accept-Encoding=[deflate, gzip],Connection=[close]:Accept-Language,Accept-Charset:facebookexternalhit/
766
sig   = 1:User-Agent,Host,Accept=[*/*],Connection=[close]:Accept-Encoding,Accept-Language,Accept-Charset:facebookexternalhit/
767

    
768
label = s:!:paper.li:crawler
769
sys   = Linux
770
sig   = 1:Accept-Language=[en-us,en;q=0.5],Accept=[*/*],User-Agent,Connection=[close],Accept-Encoding=[gzip,identity],?Referer,Host,Accept-Charset=[ISO-8859-1,utf-8;q=0.7,*;q=0.7]::PaperLiBot/
771

    
772
label = s:!:Twitter:crawler
773
sys   = Linux
774
sig   = 1:User-Agent=[Twitterbot/],Host,Accept=[*; q=.2, */*; q=.2],Cache-Control,Connection=[keep-alive]:Accept-Encoding,Accept-Language,Accept-Charset:Twitterbot/
775

    
776
label = s:!:linkdex:crawler
777
sys   = Linux
778
sig   = 0:Host,Connection=[Keep-Alive],User-Agent,Accept-Encoding=[gzip,deflate]:Accept,Accept-Language,Accept-Charset:linkdex.com/
779

    
780
label = s:!:Yodaobot:
781
sys   = Linux
782
sig   = 1:Accept-Encoding=[identity;q=0.5, *;q=0.1],User-Agent,Host:Connection,Accept,Accept-Language,Accept-Charset:YodaoBot/
783

    
784
label = s:!:Tweetmeme:crawler
785
sys   = Linux
786
sig   = 1:Host,User-Agent,Accept=[,image/png,*/*;q=0.5],Accept-Language=[en-gb,en;q=0.5],Accept-Charset=[ISO-8859-1,utf-8;q=0.7,*;q=0.7]:Connection,Accept-Encoding:TweetmemeBot/
787

    
788
label = s:!:Archive.org:crawler
789
sys   = Linux
790
sig   = 0:User-Agent,Connection=[close],Accept=[application/xml;q=0.9,*/*;q=0.8],Host:Accept-Encoding,Accept-Language,Accept-Charset:archive.org
791

    
792
label = s:!:Yahoo Pipes:
793
sys   = Linux
794
sig   = 0:Client-IP,X-Forwarded-For,X-YQL-Depth,User-Agent,Host,Connection=[keep-alive],Via:Accept,Accept-Encoding,Accept-Language,Accept-Charset:Yahoo Pipes
795
sig   = 1:Client-IP,X-Forwarded-For,X-YQL-Depth,User-Agent,Host,Via:Connection,Accept,Accept-Encoding,Accept-Language,Accept-Charset:Yahoo Pipes
796

    
797
label = s:!:Google Web Preview:
798
sys   = Linux
799
sig   = 1:Referer,User-Agent,Accept-Encoding=[gzip,deflate],Host,X-Forwarded-For:Connection,Accept,Accept-Language,Accept-Charset:Web Preview
800

    
801
; --------------------------------
802
; Command-line tools and libraries
803
; --------------------------------
804

    
805
label = s:!:wget:
806
sys   = @unix,Windows
807
sig   = *:User-Agent,Accept=[*/*],Host,Connection=[Keep-Alive]:Accept-Encoding,Accept-Language,Accept-Charset:Wget/
808

    
809
label = s:!:Lynx:
810
sys   = @unix,Windows
811
sig   = 0:Host,Accept=[text/sgml, */*;q=0.01],Accept-Encoding=[gzip, compress],Accept-Language,User-Agent:Connection,Accept-Charset:Lynx/
812

    
813
label = s:!:curl:
814
sys   = @unix,Windows
815
sig   = 1:User-Agent,Host,Accept=[*/*]:Connection,Accept-Encoding,Accept-Language,Accept-Charset:curl/
816

    
817
label = s:!:links:
818
sys   = @unix,Windows
819
sig   = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[gzip, deflate, bzip2],Accept-Charset=[us-ascii],Accept-Language=[;q=0.1],Connection=[Keep-Alive]::Links
820
sig   = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[gzip,deflate,bzip2],Accept-Charset=[us-ascii],Accept-Language=[;q=0.1],Connection=[keep-alive]::Links
821

    
822
label = s:!:elinks:
823
sys   = @unix,Windows
824
sig   = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[bzip2, deflate, gzip],Accept-Language:Connection,Accept-Charset:ELinks/
825

    
826
label = s:!:Java:JRE
827
sys   = @unix,@win
828
sig   = 1:User-Agent,Host,Accept=[*; q=.2, */*; q=.2],Connection=[keep-alive]:Accept-Encoding,Accept-Language,Accept-Charset:Java/
829

    
830
label = s:!:Python:urllib
831
sys   = @unix,Windows
832
sig   = 1:Accept-Encoding=[identity],Host,Connection=[close],User-Agent:Accept,Accept-Language,Accept-Charset:Python-urllib/
833

    
834
label = s:!:w3m:
835
sys   = @unix,Windows
836
sig   = 0:User-Agent,Accept=[image/*],Accept-Encoding=[gzip, compress, bzip, bzip2, deflate],Accept-Language=[;q=1.0],Host:Connection,Accept-Charset:w3m/
837

    
838
label = s:!:libfetch:
839
sys   = @unix
840
sig   = 1:Host,User-Agent,Connection=[close]:Accept,Accept-Encoding,Accept-Language,Accept-Charset:libfetch/
841

    
842
; -------------
843
; Odds and ends
844
; -------------
845

    
846
label = s:!:Google AppEngine:
847
sys   = Linux
848
sig   = 1:User-Agent,Host,Accept-Encoding=[gzip]:Connection,Accept,Accept-Language,Accept-Charset:AppEngine-Google
849

    
850
label = s:!:WebOS:
851
sys   = Linux
852
sig   = 1:Host,Accept-Encoding=[gzip, deflate],User-Agent,Accept=[,*/*;q=0.5],Accept-Language,Accept-Charset=[utf-8;q=0.7,*;q=0.3]:Connection:wOSBrowser
853

    
854
label = s:!:xxxterm:
855
sys   = @unix
856
sig   = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[gzip]:Connection,Accept-Language,Accept-Charset:xxxterm
857

    
858
label = s:!:Google Desktop:
859
sys   = Windows
860
sig   = 1:Accept=[*/*],Accept-Encoding=[gzip],User-Agent,Host,Connection=[Keep-Alive]:Accept-Language,Accept-Charset:Google Desktop/
861

    
862
label = s:!:luakit:
863
sys   = @unix
864
sig   = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[gzip],Connection=[Keep-Alive]:Accept-Language,Accept-Charset:luakit
865

    
866
label = s:!:Epiphany:
867
sys   = @unix
868
sig   = 1:Host,User-Agent,Accept=[*/*],Accept-Encoding=[gzip],Accept-Language:Connection,Accept-Charset,Keep-Alive:Epiphany/
869

    
870
; ======================
871
; HTTP server signatures
872
; ======================
873

    
874
[http:response]
875

    
876
; ------
877
; Apache
878
; ------
879

    
880
label = s:!:Apache:2.x
881
sys   = @unix,Windows
882
sig   = 1:Date,Server,?Last-Modified,?Accept-Ranges=[bytes],?Content-Length,?Content-Range,Keep-Alive=[timeout],Connection=[Keep-Alive],?Transfer-Encoding=[chunked],Content-Type::Apache
883
sig   = 1:Date,Server,?Last-Modified,?Accept-Ranges=[bytes],?Content-Length,?Connection=[close],?Transfer-Encoding=[chunked],Content-Type:Keep-Alive:Apache
884
sig   = 1:Date,Server,Connection=[Keep-Alive],Keep-Alive=[timeout]:Content-Type,Accept-Ranges:Apache
885
sig   = 1:Date,Server,?Last-Modified,?Accept-Ranges=[bytes],?Content-Length,Content-Type,Keep-Alive=[timeout],Connection=[Keep-Alive]::Apache
886

    
887
label = s:!:Apache:1.x
888
sys   = @unix,Windows
889
sig   = 1:Server,Content-Type,?Content-Length,Date,Connection=[keep-alive]:Keep-Alive,Accept-Ranges:Apache
890
sig   = 1:Server,Content-Type,?Content-Length,Date,Connection=[close]:Keep-Alive,Accept-Ranges:Apache
891

    
892
; ---
893
; IIS
894
; ---
895

    
896
label = s:!:IIS:7.x
897
sys   = Windows
898
sig   = 1:?Content-Length,Content-Type,?Etag,Server,Date:Connection,Keep-Alive,Accept-Ranges:Microsoft-IIS/
899
sig   = 1:?Content-Length,Content-Type,?Etag,Server,Date,Connection=[close]:Keep-Alive,Accept-Ranges:Microsoft-IIS/
900

    
901
; --------
902
; lighttpd
903
; --------
904

    
905
label = s:!:lighttpd:2.x
906
sys   = @unix
907
sig   = 1:?ETag,?Last-Modified,Accept-Ranges=[bytes],Content-Type,?Vary,?Content-Length,Date,Server:Connection,Keep-Alive:lighttpd/
908
sig   = 1:?ETag,?Last-Modified,Transfer-Encoding=[chunked],Content-Type,?Vary,?Content-Length,Date,Server:Connection,Keep-Alive:lighttpd/
909

    
910
label = s:!:lighttpd:1.x
911
sys   = @unix
912
sig   = 1:Content-Type,Accept-Ranges=[bytes],?ETag,?Last-Modified,Date,Server:Connection,Keep-Alive:lighttpd/
913
sig   = 1:Content-Type,Transfer-Encoding=[chunked],?ETag,?Last-Modified,Date,Server:Connection,Keep-Alive:lighttpd/
914
sig   = 0:Content-Type,Content-Length,Connection=[close],Date,Server:Keep-Alive,Accept-Ranges:lighttpd/
915

    
916
; -----
917
; nginx
918
; -----
919

    
920
label = s:!:nginx:1.x
921
sys   = @unix
922
sig   = 1:Server,Date,Content-Type,?Content-Length,?Last-Modified,Connection=[keep-alive],Keep-Alive=[timeout],Accept-Ranges=[bytes]::nginx/
923
sig   = 1:Server,Date,Content-Type,?Content-Length,?Last-Modified,Connection=[close]:Keep-Alive,Accept-Ranges:nginx/
924

    
925
label = s:!:nginx:0.x
926
sys   = @unix
927
sig   = 1:Server,Date,Content-Type,?Content-Length,Connection=[keep-alive],?Last-Modified:Keep-Alive,Accept-Ranges:nginx/
928
sig   = 1:Server,Date,Content-Type,?Content-Length,Connection=[close],?Last-Modified:Keep-Alive,Accept-Ranges:nginx/
929

    
930
; -------------
931
; Odds and ends
932
; -------------
933

    
934
label = s:!:Google Web Server:
935
sys   = Linux
936
sig   = *:Content-Type,X-Content-Type-Options=[nosniff],Date,Server=[sffe]:Connection,Accept-Ranges,Keep-Alive,Connection:
937
sig   = *:Date,Content-Type,Server=[gws]:Connection,Accept-Ranges,Keep-Alive:
938
sig   = *:Content-Type,X-Content-Type-Options=[nosniff],Server=[GSE]:Connection,Accept-Ranges,Keep-Alive:
939

    
940
|
941

(2-2/7)