Revision 5e751bf7
Added by Martin Fuchs over 17 years ago
etc/pf.os | ||
---|---|---|
1 |
# $FreeBSD: src/etc/pf.os,v 1.2 2004/06/06 11:46:27 schweikh Exp $
|
|
2 |
# $OpenBSD: pf.os,v 1.10 2003/09/06 01:37:07 frantzen Exp $
|
|
1 |
# $FreeBSD: src/etc/pf.os,v 1.4 2006/10/23 05:09:44 delphij Exp $
|
|
2 |
# $OpenBSD: pf.os,v 1.21 2006/07/28 21:51:12 david Exp $
|
|
3 | 3 |
# passive OS fingerprinting |
4 | 4 |
# ------------------------- |
5 | 5 |
# |
... | ... | |
22 | 22 |
# |
23 | 23 |
# |
24 | 24 |
# This fingerprint database is adapted from Michal Zalewski's p0f passive |
25 |
# operating system package. |
|
25 |
# operating system package. The last database sync was from a Nov 3 2003 |
|
26 |
# p0f.fp. |
|
26 | 27 |
# |
27 | 28 |
# |
28 | 29 |
# Each line in this file specifies a single fingerprint. Please read the |
... | ... | |
141 | 142 |
# Wnnn - window scaling option, value nnn (or * or %nnn) |
142 | 143 |
# Mnnn - maximum segment size option, value nnn (or * or %nnn) |
143 | 144 |
# S - selective ACK OK |
144 |
# T - timestamp
|
|
145 |
# T0 - timestamp with a zero value
|
|
145 |
# T - timestamp |
|
146 |
# T0 - timestamp with a zero value |
|
146 | 147 |
# |
147 | 148 |
# To denote no TCP options, use a single '.'. |
148 | 149 |
# |
... | ... | |
151 | 152 |
# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet |
152 | 153 |
# capture of the relevant SYN packet(s) |
153 | 154 |
# |
155 |
# A test and submission page is available at |
|
156 |
# http://lcamtuf.coredump.cx/p0f-help/ |
|
157 |
# |
|
158 |
# |
|
154 | 159 |
# WARNING WARNING WARNING |
155 | 160 |
# ----------------------- |
156 | 161 |
# |
... | ... | |
193 | 198 |
# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes... |
194 | 199 |
# This is a shoddy hack, though. |
195 | 200 |
|
201 |
45046:64:0:44:M*: AIX:4.3::AIX 4.3 |
|
196 | 202 |
16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier |
197 | 203 |
|
198 | 204 |
16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 |
... | ... | |
205 | 211 |
|
206 | 212 |
# ----------------- Linux ------------------- |
207 | 213 |
|
214 |
# S1:64:0:44:M*:A: Linux:1.2::Linux 1.2.x (XXX quirks support) |
|
208 | 215 |
512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x |
209 | 216 |
16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x |
210 | 217 |
|
... | ... | |
216 | 223 |
S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot) |
217 | 224 |
|
218 | 225 |
S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy) |
219 |
S3:64:1:60:M*,S,T,N,W0: Linux:2.4:18-21:Linux 2.4.18 and newer |
|
220 |
S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 |
|
221 |
S4:64:1:60:M*,S,T,N,W0: Linux:2.6::Linux 2.4/2.6 |
|
226 |
S3:64:1:60:M*,S,T,N,W0: Linux:2.4:.18-21:Linux 2.4.18 and newer |
|
227 |
S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 <= 2.6.7 |
|
228 |
S4:64:1:60:M*,S,T,N,W0: Linux:2.6:.1-7:Linux 2.4/2.6 <= 2.6.7 |
|
229 |
S4:64:1:60:M*,S,T,N,W7: Linux:2.6:8:Linux 2.6.8 and newer (?) |
|
222 | 230 |
|
223 |
S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 |
|
231 |
S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4)
|
|
224 | 232 |
S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6 |
233 |
S3:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4) |
|
234 |
S4:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4) |
|
225 | 235 |
|
226 | 236 |
S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer |
227 | 237 |
S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 |
... | ... | |
251 | 261 |
|
252 | 262 |
# ----------------- FreeBSD ----------------- |
253 | 263 |
|
254 |
16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.1
|
|
255 |
16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.1
|
|
256 |
16384:64:1:44:M*: FreeBSD:4.0-4.1::FreeBSD 2.0-4.1
|
|
264 |
16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.2
|
|
265 |
16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.2
|
|
266 |
16384:64:1:44:M*: FreeBSD:4.0-4.2::FreeBSD 2.0-4.2
|
|
257 | 267 |
16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 |
258 | 268 |
|
259 | 269 |
1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 |
260 | 270 |
|
261 | 271 |
57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323) |
262 |
57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.8::FreeBSD 4.6-4.8
|
|
272 |
57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.9::FreeBSD 4.6-4.9
|
|
263 | 273 |
|
264 |
32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
|
|
274 |
32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.1 (or MacOS X)
|
|
265 | 275 |
32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X) |
266 |
65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X) |
|
267 |
65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X) |
|
268 |
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.9::FreeBSD 4.7-5.1 |
|
269 |
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.7-5.1 |
|
270 |
65535:64:1:64:M*,N,N,S,N,W0,N,N,T: FreeBSD:5.3-5.4::FreeBSD 5.3-5.4 |
|
276 |
65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.2 (or MacOS X) |
|
277 |
65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.8-5.2 (or MacOS X) |
|
278 |
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.11::FreeBSD 4.7-5.2 |
|
279 |
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.7-5.2 |
|
280 |
|
|
281 |
# XXX need quirks support |
|
282 |
# 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1) |
|
283 |
# 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2) |
|
284 |
# 65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (3) |
|
285 |
# 65535:64:1:44:M*:Z:FreeBSD:5.2::FreeBSD 5.2 (no RFC1323) |
|
271 | 286 |
|
272 | 287 |
# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps) |
273 | 288 |
|
274 | 289 |
# ----------------- NetBSD ------------------ |
275 | 290 |
|
291 |
16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3 |
|
276 | 292 |
65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera) |
277 | 293 |
16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6 |
278 | 294 |
16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF) |
279 |
16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3 |
|
280 | 295 |
65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF) |
296 |
65535:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6X (DF) |
|
297 |
32768:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:randomization:NetBSD 1.6ZH-current (w/ ip_id randomization) |
|
281 | 298 |
|
282 | 299 |
# ----------------- OpenBSD ----------------- |
283 | 300 |
|
284 | 301 |
16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6) |
285 |
16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4::OpenBSD 3.0-3.4
|
|
286 |
16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:no-df:OpenBSD 3.0-3.4 (scrub no-df)
|
|
287 |
57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4::OpenBSD 3.3-3.4
|
|
288 |
57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4:no-df:OpenBSD 3.3-3.4 (scrub no-df)
|
|
302 |
16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0::OpenBSD 3.0-4.0
|
|
303 |
16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:no-df:OpenBSD 3.0-4.0 (scrub no-df)
|
|
304 |
57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0::OpenBSD 3.3-4.0
|
|
305 |
57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0:no-df:OpenBSD 3.3-4.0 (scrub no-df)
|
|
289 | 306 |
|
290 |
65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:opera:OpenBSD 3.0-3.4 (Opera)
|
|
307 |
65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:opera:OpenBSD 3.0-4.0 (Opera)
|
|
291 | 308 |
|
292 | 309 |
# ----------------- Solaris ----------------- |
293 | 310 |
|
... | ... | |
300 | 317 |
S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9 |
301 | 318 |
S44:255:1:44:M*: Solaris:2.7::Solaris 7 |
302 | 319 |
|
320 |
4096:64:0:44:M1460: SunOS:4.1::SunOS 4.1.x |
|
321 |
|
|
322 |
S34:64:1:52:M*,N,W0,N,N,S: Solaris:10:beta:Solaris 10 (beta) |
|
323 |
32850:64:1:64:M*,N,N,T,N,W1,N,N,S: Solaris:10::Solaris 10 1203 |
|
324 |
|
|
303 | 325 |
# ----------------- IRIX -------------------- |
304 | 326 |
|
305 | 327 |
49152:64:0:44:M*: IRIX:6.4::IRIX 6.4 |
... | ... | |
310 | 332 |
61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21 |
311 | 333 |
49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21 |
312 | 334 |
|
335 |
49152:60:0:64:M*,N,W2,N,N,T,N,N,S: IRIX:6.5:IP27:IRIX 6.5 IP27 |
|
336 |
|
|
337 |
|
|
313 | 338 |
# ----------------- Tru64 ------------------- |
314 | 339 |
|
315 |
32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 |
|
340 |
32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 (or OS/2 Warp 4)
|
|
316 | 341 |
32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0 |
317 | 342 |
8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6) |
318 |
|
|
319 |
# This looks awfully Linuxish :/ |
|
320 |
# S22:64:0:60:M*,S,T,N,W0: Tru64:5.0:a:Tru64 5.0a |
|
321 |
|
|
322 | 343 |
61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack) |
323 | 344 |
|
324 |
|
|
325 | 345 |
# ----------------- OpenVMS ----------------- |
326 | 346 |
|
327 | 347 |
6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack) |
328 | 348 |
|
329 | 349 |
# ----------------- MacOS ------------------- |
330 | 350 |
|
351 |
# XXX Need EOL tcp opt support |
|
352 |
# S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic |
|
353 |
|
|
354 |
# XXX some of these use EOL too |
|
331 | 355 |
16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP) |
332 | 356 |
16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP) |
333 |
32768:255:1:48:M*,W0,N: MacOS:9.1-9.2::MacOS 9.1/9.2 |
|
334 |
32768:64:0:60:M*,N,W0,N,N,T: MacOS:X:10.2:MacOS X 10.2 |
|
335 |
|
|
336 |
# ----------------- Windows ----------------- |
|
357 |
16616:255:1:48:M*,N,N,N: MacOS:8.1-8.6:OTTCP:MacOS 8.1-8.6 (OTTCP) |
|
358 |
32768:255:1:48:M*,W0,N: MacOS:9.0-9.2::MacOS 9.0-9.2 |
|
359 |
65535:255:1:48:M*,N,N,N,N: MacOS:9.1::MacOS 9.1 (OT 2.7.4) |
|
337 | 360 |
|
338 |
# Windows 95 - need more: |
|
339 | 361 |
|
340 |
8192:32:1:44:M*: Windows:95::Windows 95 (low TTL) |
|
341 |
|
|
342 |
# Windows 98 - plenty of silly signatures: |
|
343 |
S44:32:1:48:M*,N,N,S: Windows:98::Windows 98 (low TTL) |
|
344 |
8192:32:1:48:M*,N,N,S: Windows:98::Windows 98 (low TTL) |
|
362 |
# ----------------- Windows ----------------- |
|
345 | 363 |
|
346 |
%8192:64:1:48:M*,N,N,S: Windows:98::Windows 98 (or newer XP/2000 with tweaked TTL) |
|
364 |
# Windows TCP/IP stack is a mess. For most recent XP, 2000 and |
|
365 |
# even 98, the pathlevel, not the actual OS version, is more |
|
366 |
# relevant to the signature. They share the same code, so it would |
|
367 |
# seem. Luckily for us, almost all Windows 9x boxes have an |
|
368 |
# awkward MSS of 536, which I use to tell one from another |
|
369 |
# in most difficult cases. |
|
370 |
|
|
371 |
8192:32:1:44:M*: Windows:3.11::Windows 3.11 (Tucows) |
|
372 |
S44:64:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95::Windows 95 |
|
373 |
8192:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95:b:Windows 95b |
|
374 |
|
|
375 |
# There were so many tweaking tools and so many stack versions for |
|
376 |
# Windows 98 it is no longer possible to tell them from each other |
|
377 |
# without some very serious research. Until then, there's an insane |
|
378 |
# number of signatures, for your amusement: |
|
379 |
|
|
380 |
S44:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL) |
|
381 |
8192:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL) |
|
382 |
%8192:64:1:48:M536,N,N,S: Windows:98::Windows 98 |
|
383 |
%8192:128:1:48:M536,N,N,S: Windows:98::Windows 98 |
|
347 | 384 |
S4:64:1:48:M*,N,N,S: Windows:98::Windows 98 |
348 | 385 |
S6:64:1:48:M*,N,N,S: Windows:98::Windows 98 |
349 | 386 |
S12:64:1:48:M*,N,N,S: Windows:98::Windows 98 |
387 |
T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98 |
|
350 | 388 |
32767:64:1:48:M*,N,N,S: Windows:98::Windows 98 |
351 | 389 |
37300:64:1:48:M*,N,N,S: Windows:98::Windows 98 |
352 | 390 |
46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323) |
353 |
65535:64:1:44:M*: Windows:98:noSACK:Windows 98 (no sack) |
|
354 |
|
|
391 |
65535:64:1:44:M*: Windows:98:noSack:Windows 98 (no sack) |
|
355 | 392 |
S16:128:1:48:M*,N,N,S: Windows:98::Windows 98 |
356 | 393 |
S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98 |
357 | 394 |
S26:128:1:48:M*,N,N,S: Windows:98::Windows 98 |
... | ... | |
360 | 397 |
60352:128:1:48:M*,N,N,S: Windows:98::Windows 98 |
361 | 398 |
60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98 |
362 | 399 |
|
363 |
# Windows NT 4.0 - need more:
|
|
364 |
|
|
400 |
# What's with 1414 on NT?
|
|
401 |
T31:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a |
|
365 | 402 |
64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a |
366 | 403 |
8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older) |
367 |
6144:128:1:52:M*,W0,N,S,N,N: Windows:NT:4.0:Windows NT 4.0 (RFC1323) |
|
368 | 404 |
|
369 | 405 |
# Windows XP and 2000. Most of the signatures that were |
370 | 406 |
# either dubious or non-specific (no service pack data) |
371 | 407 |
# were deleted and replaced with generics at the end. |
372 | 408 |
|
373 | 409 |
65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1 |
374 |
%8192:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1 |
|
375 |
S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4 |
|
376 |
S6:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows XP SP1, 2000 SP4 |
|
377 |
S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows XP Pro SP1, 2000 SP3 |
|
378 |
|
|
379 |
S6:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1, 2000 SP4 |
|
380 |
S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP Pro SP1, 2000 SP3 |
|
381 |
64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1 |
|
382 |
32767:128:1:48:M1452,N,N,S: Windows:XP:SP1:Windows XP SP1 |
|
383 | 410 |
65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1 |
384 |
%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1 |
|
411 |
%8192:128:1:48:M*,N,N,S: Windows:2000:SP2+:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222) |
|
412 |
%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222) |
|
413 |
S20:128:1:48:M*,N,N,S: Windows:2000::Windows 2000/XP SP3 |
|
414 |
S20:128:1:48:M*,N,N,S: Windows:XP:SP3:Windows 2000/XP SP3 |
|
415 |
S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP 1 |
|
416 |
S45:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP 1 |
|
417 |
40320:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4 |
|
418 |
|
|
419 |
S6:128:1:48:M*,N,N,S: Windows:2000:SP2:Windows XP, 2000 SP2+ |
|
420 |
S6:128:1:48:M*,N,N,S: Windows:XP::Windows XP, 2000 SP2+ |
|
421 |
S12:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1 |
|
422 |
S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows Pro SP1, 2000 SP3 |
|
423 |
S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows Pro SP1, 2000 SP3 |
|
424 |
64512:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows SP1, 2000 SP3 |
|
425 |
64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP3 |
|
426 |
32767:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows SP1, 2000 SP4 |
|
427 |
32767:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP4 |
|
385 | 428 |
|
386 | 429 |
# Odds, ends, mods: |
387 | 430 |
|
388 |
S52:128:1:48:M1260,N,N,S: Windows:XP:Cisco:Windows XP/2000 via Cisco |
|
389 |
S52:128:1:48:M1260,N,N,S: Windows:2000:Cisco:Windows XP/2000 via Cisco |
|
431 |
S52:128:1:48:M1260,N,N,S: Windows:2000:cisco:Windows XP/2000 via Cisco |
|
432 |
S52:128:1:48:M1260,N,N,S: Windows:XP:cisco:Windows XP/2000 via Cisco |
|
433 |
65520:128:1:48:M*,N,N,S: Windows:XP::Windows XP bare-bone |
|
434 |
16384:128:1:52:M536,N,W0,N,N,S: Windows:2000:ZoneAlarm:Windows 2000 w/ZoneAlarm? |
|
435 |
2048:255:0:40:.: Windows:.NET::Windows .NET Enterprise Server |
|
390 | 436 |
|
391 |
# HUNT DOWN: |
|
392 |
# *:128:1:48:M*,N,N,S:U:@Windows:XP (leak) (PLEASE REPORT) |
|
437 |
44620:64:0:48:M*,N,N,S: Windows:ME::Windows ME no SP (?) |
|
438 |
S6:255:1:48:M536,N,N,S: Windows:95:winsock2:Windows 95 winsock 2 |
|
439 |
32768:32:1:52:M1460,N,W0,N,N,S: Windows:2003:AS:Windows 2003 AS |
|
440 |
|
|
441 |
|
|
442 |
# No need to be more specific, it passes: |
|
443 |
# *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) XXX quirk |
|
444 |
# there is an equiv similar generic sig w/o the quirk |
|
393 | 445 |
|
394 | 446 |
# ----------------- HP/UX ------------------- |
395 | 447 |
|
... | ... | |
401 | 453 |
# Whoa. Hardcore WSS. |
402 | 454 |
0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323) |
403 | 455 |
|
404 |
|
|
405 | 456 |
# ----------------- RiscOS ------------------ |
406 | 457 |
|
407 | 458 |
# We don't yet support the ?12 TCP option |
408 | 459 |
#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36 |
460 |
12288:32:0:44:M536: RISC OS:3.70:4.10:RISC OS 3.70 inet 4.10 |
|
461 |
|
|
462 |
# XXX quirk |
|
463 |
# 4096:64:1:56:M1460,N,N,T:T: RISC OS:3.70:freenet:RISC OS 3.70 freenet 2.00 |
|
464 |
|
|
465 |
|
|
409 | 466 |
|
410 | 467 |
# ----------------- BSD/OS ------------------ |
411 | 468 |
|
... | ... | |
420 | 477 |
|
421 | 478 |
# ---------------- NeXTSTEP ----------------- |
422 | 479 |
|
480 |
S4:64:0:44:M1024: NeXTSTEP:3.3::NeXTSTEP 3.3 |
|
423 | 481 |
S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3 |
424 | 482 |
|
425 | 483 |
# ------------------ BeOS ------------------- |
... | ... | |
433 | 491 |
8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5 |
434 | 492 |
4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032 |
435 | 493 |
|
494 |
# XXX quirk |
|
495 |
# 28672:64:0:44:M1460:A:OS/390:? |
|
436 | 496 |
|
437 | 497 |
# ------------------ ULTRIX ----------------- |
438 | 498 |
|
... | ... | |
446 | 506 |
|
447 | 507 |
16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0 |
448 | 508 |
6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11 |
509 |
6144:128:1:44:M1368: Novell:BorderManager::Novell BorderManager ? |
|
510 |
|
|
511 |
6144:128:1:52:M*,W0,N,S,N,N: Novell:Netware:6:Novell Netware 6 SP3 |
|
512 |
|
|
449 | 513 |
|
450 | 514 |
# ----------------- SCO ------------------ |
451 |
S17:64:1:44:M1460: SCO:Unixware:7.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
|
|
452 |
S17:64:1:44:M1460: SCO:OpenServer:5.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
|
|
453 |
S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1
|
|
515 |
S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1
|
|
516 |
S17:64:1:60:M1380,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1.3 MP3
|
|
517 |
S23:64:1:44:M1380: SCO:OpenServer:5.0:SCO OpenServer 5.0
|
|
454 | 518 |
|
455 | 519 |
# ------------------- DOS ------------------- |
456 | 520 |
|
457 | 521 |
2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05 |
522 |
T2:255:0:44:M984: DOS:WATTCP:1.05Arachne:Arachne via WATTCP/1.05 (eepro) |
|
523 |
|
|
524 |
# ------------------ OS/2 ------------------- |
|
525 |
|
|
526 |
S56:64:0:44:M512: OS/2:4::OS/2 4 |
|
527 |
28672:64:0:44:M1460: OS/2:4::OS/2 Warp 4.0 |
|
528 |
|
|
529 |
# ----------------- TOPS-20 ----------------- |
|
530 |
|
|
531 |
# Another hardcore MSS, one of the ACK leakers hunted down. |
|
532 |
# XXX QUIRK 0:64:0:44:M1460:A:TOPS-20:version 7 |
|
533 |
0:64:0:44:M1460: TOPS-20:7::TOPS-20 version 7 |
|
534 |
|
|
535 |
# ----------------- FreeMiNT ---------------- |
|
536 |
|
|
537 |
S44:255:0:44:M536: FreeMiNT:1:16A:FreeMiNT 1 patch 16A (Atari) |
|
538 |
|
|
539 |
# ------------------ AMIGA ------------------ |
|
540 |
|
|
541 |
# XXX TCP option 12 |
|
542 |
# S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack |
|
543 |
|
|
544 |
# ------------------ Plan9 ------------------ |
|
545 |
|
|
546 |
65535:255:0:48:M1460,W0,N: Plan9:4::Plan9 edition 4 |
|
547 |
|
|
548 |
# ----------------- AMIGAOS ----------------- |
|
549 |
|
|
550 |
16384:64:1:48:M1560,N,N,S: AMIGAOS:3.9::AMIGAOS 3.9 BB2 MiamiDX |
|
458 | 551 |
|
459 | 552 |
########################################### |
460 | 553 |
# Appliance / embedded / other signatures # |
... | ... | |
465 | 558 |
S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1) |
466 | 559 |
S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2) |
467 | 560 |
4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x |
468 |
60352:64:0:52:M1460,N,W2,N,N,S: Clavister:7::Clavister firewall 7.x |
|
561 |
|
|
562 |
# XXX TCP option 12 |
|
563 |
# S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3 |
|
564 |
# S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026 |
|
565 |
|
|
566 |
S4:64:1:60:W0,N,S,T,M1460: FortiNet:FortiGate:50:FortiNet FortiGate 50 |
|
567 |
|
|
568 |
8192:64:1:44:M1460: Eagle:::Eagle Secure Gateway |
|
569 |
|
|
570 |
S52:128:1:48:M1260,N,N,N,N: LinkSys:WRV54G::LinkSys WRV54G VPN router |
|
571 |
|
|
572 |
|
|
469 | 573 |
|
470 | 574 |
# ------- Switches and other stuff ---------- |
471 | 575 |
|
... | ... | |
481 | 585 |
|
482 | 586 |
32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x |
483 | 587 |
16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1 |
484 |
65535:64:0:64:M1460,N,N,S,N,W3,N,N,T: NetApp:5.3:1:NetApp 5.3.1
|
|
588 |
65535:64:0:64:M1460,N,N,S,N,W*,N,N,T: NetApp:5.3-5.5::NetApp 5.3-5.5
|
|
485 | 589 |
65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow |
486 | 590 |
8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1 |
591 |
20480:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:4.1::NetApp NetCache4.1 |
|
592 |
|
|
593 |
65535:64:0:60:M1460,N,W0,N,N,T: CacheFlow:4.1::CacheFlow CacheOS 4.1 |
|
594 |
8192:64:0:60:M1380,N,N,N,N,N,N,T: CacheFlow:1.1::CacheFlow CacheOS 1.1 |
|
487 | 595 |
|
488 | 596 |
S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine |
489 | 597 |
|
... | ... | |
492 | 600 |
65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler |
493 | 601 |
S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg |
494 | 602 |
|
495 |
|
|
496 | 603 |
16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?) |
497 | 604 |
|
605 |
65535:255:0:48:M*,N,N,S: Redline:::Redline T|X 2200 |
|
606 |
|
|
607 |
32696:128:0:40:M1460: Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine |
|
608 |
|
|
498 | 609 |
# ----------- Embedded systems -------------- |
499 | 610 |
|
500 | 611 |
S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C |
... | ... | |
502 | 613 |
S5:255:0:44:M536: PalmOS:4::PalmOS 3/4 |
503 | 614 |
S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5 |
504 | 615 |
2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera) |
616 |
S29:255:0:44:M536: PalmOS:5::PalmOS 5.0 |
|
617 |
16384:255:0:44:M1398: PalmOS:5.2:Clie:PalmOS 5.2 (Clie) |
|
618 |
S14:255:0:44:M1350: PalmOS:5.2:Treo:PalmOS 5.2.1 (Treo) |
|
505 | 619 |
|
506 | 620 |
S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7 |
507 |
8192:255:0:44:M1460: SymbianOS:6048::SymbianOS 6048 (on Nokia 7650?) |
|
508 |
8192:255:0:44:M536: SymbianOS:::SymbianOS (on Nokia 9210?) |
|
621 |
|
|
622 |
8192:255:0:44:M1460: SymbianOS:6048::Symbian OS 6048 (Nokia 7650?) |
|
623 |
8192:255:0:44:M536: SymbianOS:9210::Symbian OS (Nokia 9210?) |
|
624 |
S22:64:1:56:M1460,T,S: SymbianOS:P800::Symbian OS ? (SE P800?) |
|
625 |
S36:64:1:56:M1360,T,S: SymbianOS:6600::Symbian OS 60xx (Nokia 6600?) |
|
509 | 626 |
|
510 | 627 |
|
511 | 628 |
# Perhaps S4? |
... | ... | |
516 | 633 |
S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0 |
517 | 634 |
|
518 | 635 |
4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0 |
636 |
T5:64:0:44:M536: Sega:Dreamcast:HKT-3020:Sega Dreamcast HKT-3020 (browser disc 51027) |
|
637 |
S22:64:1:44:M1460: Sony:PS2::Sony Playstation 2 (SOCOM?) |
|
519 | 638 |
|
520 | 639 |
S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64 |
521 | 640 |
|
522 |
|
|
641 |
3100:32:1:44:M1460: Windows:CE:2.0:Windows CE 2.0 |
|
523 | 642 |
|
524 | 643 |
#################### |
525 | 644 |
# Fancy signatures # |
... | ... | |
530 | 649 |
3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3) |
531 | 650 |
4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4) |
532 | 651 |
|
652 |
# Requires quirks support |
|
653 |
# 1024:64:0:40:.:A:*NMAP:TCP sweep probe (1) |
|
654 |
# 2048:64:0:40:.:A:*NMAP:TCP sweep probe (2) |
|
655 |
# 3072:64:0:40:.:A:*NMAP:TCP sweep probe (3) |
|
656 |
# 4096:64:0:40:.:A:*NMAP:TCP sweep probe (4) |
|
657 |
|
|
533 | 658 |
1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1) |
534 | 659 |
2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2) |
535 | 660 |
3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3) |
536 | 661 |
4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4) |
537 | 662 |
|
663 |
32767:64:0:40:.: *NAST:::NASTsyn scan |
|
664 |
|
|
665 |
# Requires quirks support |
|
666 |
# 12345:255:0:40:.:A:-p0f:sendsyn utility |
|
667 |
|
|
668 |
|
|
538 | 669 |
##################################### |
539 | 670 |
# Generic signatures - just in case # |
540 | 671 |
##################################### |
... | ... | |
544 | 675 |
|
545 | 676 |
*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp) |
546 | 677 |
*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp) |
678 |
*:128:1:52:M*,N,W*,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp) |
|
679 |
*:128:1:52:M*,N,W*,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp) |
|
547 | 680 |
*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323) |
548 | 681 |
*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323) |
549 | 682 |
*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+) |
683 |
*:128:1:48:M536,N,N,S: @Windows:98::Windows 98 |
|
550 | 684 |
*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000 |
551 | 685 |
*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000 |
686 |
|
|
687 |
|
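Review bot: The resync drops the only active FreeBSD 5.3-5.4 entry (`65535:64:1:64:M*,N,N,S,N,W0,N,N,T: FreeBSD:5.3-5.4::FreeBSD 5.3-5.4`), and the 5.1-5.4 replacements added to the FreeBSD block are all commented out pending quirks support. That signature string now appears only under `OpenBSD:3.0-4.0:opera`, so a ruleset filtering on `os "FreeBSD"` would presumably stop matching those hosts and class them as OpenBSD instead. The `6144:128:1:52:M*,W0,N,S,N,N` signature likewise moves from `Windows:NT:4.0` to `Novell:Netware:6`. Because pf.os matches feed filter decisions, I would either keep the FreeBSD 5.3-5.4 line as a local addition or record the change in the header, for example `# Local note: FreeBSD 5.3-5.4 and NT 4.0 (RFC1323) entries dropped in this sync; re-check rules keyed on those classes`. Parts of the file are elided on this page, so entries outside the visible ranges are not covered here.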
Ticket #1551: /etc/pf.os outdated