Feature #14444
openAliases options for custom OS fingerprints?
0%
Description
Idea for a new feature: is there a way to add some custom fingerprints? I was able to find one manually, but how can I add it? Maybe just for what we use on the network. Example: 200 machines that use the same Windows 11 OS, and a system admin adds that fingerprint to an ACL to pass traffic only for Windows 11. With such options the firewall in theory can block and distinguish between different operating systems.

Take for example Docker containers with the new bleeding-edge container of Kali's pentesting OS; something like that can data marshal the NIC on a machine. Docker, for one, does not have the same fingerprints as the primary OS, so in theory the firewall would know what traffic to allow and what to stop at an OS level, even with the newest Docker containers. It is harder to spoof a custom fingerprint, as the invasive actor would not know what is in use, and just adding that in would give users that full security tool back. Thus: an Aliases option for OS fingerprints.
Running: p0f -i (interface)
outputs this example of what would be used with OS aliases: 4:63+1:0:1460:65228,7:mss,nop,ws,sok,ts: :0
This is FreeBSD 13.12 on Hyper-V.
The database just needs some updated signatures; the software still works great, so the tool and the features already built in should still work great.
How can I just add the signatures I need as aliases and link them to the access control lists?
Updated by Jonathan Lee over 1 year ago
I am aware that the current tool is outdated with respect to its signatures; see https://redmine.pfsense.org/issues/7260
This is only to bring up an idea on how to activate this feature again with custom-use fingerprints, without updating the p0f database.
Updated by Jonathan Lee over 1 year ago
- File image001.png image001.png added
Example: the same laptop running Ubuntu with Docker installed
sudo apt install docker.io -y
sudo docker run -itd --rm --name osfingerprints debian
sudo docker exec -it osfingerprints sh
(now inside the Debian container, at its shell)
apt update
apt install net-tools
netstat -i
got eth0
apt install p0f
p0f -i eth0
Open a new tab, log in to the Docker container again, and generate traffic. This proves that the signatures are different for a Docker container OS installed on Ubuntu that is running inside Hyper-V on Windows 10.
raw_sig = 4:64+0:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0
We can see the differences between the Docker Debian container and the FreeBSD version.
Therefore we could in theory also see them at the firewall with a custom alias for access control lists.
Updated by Jonathan Lee over 1 year ago
- File docker fingerprinting.docx docker fingerprinting.docx added
- File kalisig9.PNG kalisig9.PNG added
Docker's Kali container OS fingerprint is 4:64+0:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0
Updated by Jonathan Lee over 1 year ago
Did you know you can essentially adapt the old p0f.fp OS database in pfSense and use OS-specific access control lists that can, in theory, see the NIC being data marshalled? This is a tool to see containers running, as the fingerprints are different when they pass traffic to the firewall. Under Advanced, pfSense has a Source OS option.
Updated by Jonathan Lee over 1 year ago
- File docker fingerprinting.docx docker fingerprinting.docx added
- File Kali10.PNG Kali10.PNG added
Docker's Kali container is 4:42+22:0:1372:mss*20,7:mss,nop,nop,sok,nop,ws:df:0
Update: the signature posted before is not the correct IP.
Corrections to the guide.
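The three raw_sig strings in this thread (the FreeBSD host in the description, the Debian container, and the corrected Kali container above) follow p0f v3's colon-separated layout ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass, while pfSense's /etc/pf.os uses the older pf.os(5) layout window:ttl:df:size:options:class:version:subtype:details. The script below is an added example written for this thread; it is not pfSense, p0f or the poster's code. It parses the thread's signatures, lists which fields differ between two of them, matches a freshly observed signature against a small custom alias table in the spirit of the request (alias names such as "kali-container" are invented here), and renders a pf.os-style line from a parsed signature. The pf.os rendering assumes IPv4 and only the TCP option kinds seen in the thread (MSS, NOP, SACK-OK, timestamp, window scale); the OS class/version/subtype strings passed to it are placeholders, and the extra inputs in the test section are constructed.

```python
"""Parse p0f v3 raw_sig strings, diff them, match them against a custom alias
table, and render them as pf.os(5)-style lines.

Added example for this thread, not pfSense or p0f code.  THREAD_SIGS holds the
raw_sig values posted in the thread; the alias names are constructed.
p0f v3 raw_sig layout (from the p0f v3 README):
    ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
where ittl is printed as observed_ttl+estimated_distance.
"""
from dataclasses import dataclass, fields, replace
from typing import Optional


@dataclass(frozen=True)
class P0fSig:
    ip_ver: str               # '4' or '6'
    init_ttl: int             # observed TTL + estimated hop distance
    opt_len: int              # length of IP options
    mss: str                  # MSS value or '*'
    wsize: str                # fixed window, 'mss*N', 'mtu*N' or '*'
    wscale: str               # window scale value or '*'
    olayout: tuple            # TCP option order, e.g. ('mss', 'sok', 'ts', 'nop', 'ws')
    quirks: frozenset         # e.g. {'df', 'id+'}
    pclass: str               # payload class: '0' none, '+' some, '*' any


def parse_raw_sig(raw: str) -> P0fSig:
    """Split a p0f v3 raw_sig; folds 'ttl+distance' into the initial TTL."""
    parts = raw.strip().split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 colon-separated fields: {raw!r}")
    ver, ittl, olen, mss, wsize_scale, olayout, quirks, pclass = parts
    ttl, _, dist = ittl.partition("+")
    wsize, _, scale = wsize_scale.partition(",")
    return P0fSig(
        ip_ver=ver,
        init_ttl=int(ttl) + (int(dist) if dist else 0),
        opt_len=int(olen),
        mss=mss,
        wsize=wsize,
        wscale=scale or "*",
        olayout=tuple(o for o in olayout.split(",") if o),
        quirks=frozenset(q.strip() for q in quirks.split(",") if q.strip()),
        pclass=pclass,
    )


def diff_sigs(a: P0fSig, b: P0fSig) -> dict:
    """Fields on which two parsed signatures disagree, as {field: (a, b)}."""
    return {f.name: (getattr(a, f.name), getattr(b, f.name))
            for f in fields(a) if getattr(a, f.name) != getattr(b, f.name)}


# Signatures posted in the thread; alias names are constructed for this example.
THREAD_SIGS = {
    "freebsd-hyperv":   "4:63+1:0:1460:65228,7:mss,nop,ws,sok,ts: :0",
    "debian-container": "4:64+0:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0",
    "kali-container":   "4:42+22:0:1372:mss*20,7:mss,nop,nop,sok,nop,ws:df:0",
}


def match_alias(raw: str, aliases: dict = THREAD_SIGS) -> Optional[str]:
    """Alias whose signature matches `raw`.  Hop distance is already folded into
    init_ttl, and the MSS value is ignored because it follows the link MTU, not the OS."""
    seen = replace(parse_raw_sig(raw), mss="*")
    for name, ref in aliases.items():
        if replace(parse_raw_sig(ref), mss="*") == seen:
            return name
    return None


# On-the-wire sizes of the TCP options this example knows how to map.
_OPT_BYTES = {"mss": 4, "nop": 1, "ws": 3, "sok": 2, "ts": 10}


def to_pf_os(sig: P0fSig, os_class: str, version: str, subtype: str, details: str) -> str:
    """Render a pf.os(5)-style line: window:ttl:df:size:options:class:version:subtype:details.
    IPv4 only; options outside _OPT_BYTES (e.g. EOL padding) raise instead of guessing."""
    if sig.ip_ver != "4":
        raise ValueError("pf.os fingerprints describe IPv4 SYN packets")
    letters = {"mss": "M*", "nop": "N", "sok": "S", "ws": "W" + sig.wscale,
               "ts": "T0" if "ts1-" in sig.quirks else "T"}   # ts1-: own timestamp is zero
    opts, tcp_opt_len = [], 0
    for o in sig.olayout:
        if o not in letters:
            raise ValueError(f"no pf.os mapping for TCP option {o!r}")
        opts.append(letters[o])
        tcp_opt_len += _OPT_BYTES[o]
    if sig.wsize.startswith("mss*"):
        window = "S" + sig.wsize[4:]        # window is a multiple of MSS
    elif sig.wsize.startswith("mtu*"):
        window = "T" + sig.wsize[4:]        # window is a multiple of MTU
    else:
        window = sig.wsize                  # fixed value or '*'
    size = 20 + sig.opt_len + 20 + tcp_opt_len   # IPv4 header + TCP header + options
    df = "1" if "df" in sig.quirks else "0"
    return ":".join([window, str(sig.init_ttl), df, str(size), ",".join(opts),
                     os_class, version, subtype, details])


if __name__ == "__main__":
    for name, raw in THREAD_SIGS.items():
        print(name, parse_raw_sig(raw))
    print(diff_sigs(parse_raw_sig(THREAD_SIGS["debian-container"]),
                    parse_raw_sig(THREAD_SIGS["kali-container"])))
    print(to_pf_os(parse_raw_sig(THREAD_SIGS["kali-container"]),
                   "Linux", "Kali", "docker", "Kali container (placeholder label)"))
```

Two points the output makes concrete: the Kali container's 42+22 and the FreeBSD host's 63+1 both resolve to an initial TTL of 64, so a match on the observed TTL alone would be wrong; and the Debian and Kali containers still differ in window size, option order and quirks even with MSS ignored, which is what a per-container alias would key on.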
Updated by Jonathan Lee over 1 year ago
In theory we could just adapt an access control list to whatever Docker container OS fingerprint needs to be blocked on a network for invasive actors. Again, the pfSense software needs that OS fingerprint Aliases option to help with this security feature.
Updated by Jonathan Lee over 1 year ago
Location of the current database in pfSense, if you want to add any OS fingerprints to it:
/etc/pf.os
Updated by Jonathan Lee over 1 year ago
Main issue: pfSense's ACL (access control list) under Advanced has a Source OS option; this would work again if we could add OS alias fingerprints into it, bypassing the outdated OS fingerprint database that is showing.