Initial import of svn+ssh:://svn.icir.org/bro/trunk/bro as of r7088
commit
61757ac78b
1383 changed files with 380824 additions and 0 deletions
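--- a/src/OSFinger.h
+++ b/src/OSFinger.h
@@ -0,0 +1,169 @@
+// $Id: OSFinger.h 5857 2008-06-26 23:00:03Z vern $
+
+// Taken with permission from:
+//
+// p0f - passive OS fingerprinting (GNU LESSER GENERAL PUBLIC LICENSE)
+// -------------------------------------------------------------------
+//
+// "If you sit down at a poker game and don't see a sucker,
+// get up. You're the sucker."
+//
+// (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
+
+#ifndef osfinger_h
+#define osfinger_h
+
+#include "util.h"
+#include "Dict.h"
+
+
+// Size limit for size wildcards.
+#define PACKET_BIG 100
+
+// Maximum number of signatures allowed in the config file.
+#define MAXSIGS 1024
+
+// Max signature line length.
+#define MAXLINE 1024
+
+// Maximum distance from a host to be taken seriously. Between 35 and 64
+// is sane. Making it too high might result in some (very rare) false
+// positives, too low will result in needless UNKNOWNs.
+#define MAXDIST 40
+
+// Maximum number of TCP options. A TCP packet can have at most 64 bytes
+// of header, 20 of which are non-options. Thus, if a single option
+// consumes 1 bytes (the minimum, there can only be 44 bytes of options.
+// We err on the safe side.
+#define MAXOPT 64
+
+declare(PDict,int);
+
+struct os_type {
+const char* os;
+char* desc;
+uint8 dist;
+uint16 gadgets;
+uint16 match;
+uint32 uptime;
+};
+
+struct fp_entry {
+struct fp_entry* next;
+char* os; // OS genre
+char* desc; // OS description
+uint8 no_detail; // disable guesstimates
+uint8 generic; // generic hit
+uint8 userland; // userland stack
+uint16 wsize; // window size
+uint8 wsize_mod; // MOD_* for wsize
+uint8 ttl; // TTL
+uint8 df; // don't fragment bit
+uint8 zero_stamp; // timestamp option but zero value?
+uint16 size; // packet size
+uint8 optcnt; // option count
+uint8 opt[MAXOPT]; // TCPOPT_*
+uint16 wsc; // window scaling option
+uint16 mss; // MSS option
+uint8 wsc_mod; // modulo for WSCALE (NONE or CONST)
+uint8 mss_mod; // modulo for MSS (NONE or CONST)
+uint32 quirks; // packet quirks and bugs
+uint32 line; // config file line
+};
+
+struct mtu_def {
+uint16 mtu;
+char* dev;
+};
+
+enum FingerprintMode {
+SYN_FINGERPRINT_MODE, SYN_ACK_FINGERPRINT_MODE, RST_FINGERPRINT_MODE,
+};
+
+class OSFingerprint {
+public:
+OSFingerprint(FingerprintMode mode);
+~OSFingerprint() {}
+
+bool Error() const { return err; }
+
+int FindMatch(struct os_type* retval, uint16 tot, uint8 DF_flag,
+uint8 TTL, uint16 WSS, uint8 ocnt, uint8* op, uint16 MSS,
+uint8 win_scale, uint32 tstamp, uint32 quirks, uint8 ECN) const;
+bool CacheMatch(uint32 addr, int id);
+
+int Get_OS_From_SYN(struct os_type* retval,
+uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS,
+uint8 ocnt, uint8* op, uint16 MSS, uint8 win_scale,
+uint32 tstamp, /* uint8 TOS, */ uint32 quirks,
+uint8 ecn) const;
+
+void load_config(const char* file);
+
+protected:
+void collide(uint32 id);
+
+void Error(const char* msg)
+{
+error(msg);
+err = true;
+}
+
+void Error(const char* msg, int n)
+{
+error(msg, n);
+err = true;
+}
+
+void Error(const char* msg, const char* s)
+{
+error(msg, s);
+err = true;
+}
+
+private:
+bool err; // if true, a fatal error has occurred
+unsigned int mode;
+uint32 sigcnt, gencnt;
+uint8 problems;
+struct fp_entry sig[MAXSIGS];
+
+/* By hash */
+#define OSHSIZE 16
+struct fp_entry* bh[OSHSIZE];
+
+PDict(int) os_matches;
+};
+
+#define SIGHASH(tsize, optcnt, q, df) \
+((uint8(((tsize) << 1) ^ ((optcnt) << 1) ^ (df) ^ (q) )) & 0x0f)
+
+#define MOD_NONE 0
+#define MOD_CONST 1
+#define MOD_MSS 2
+#define MOD_MTU 3
+
+#define QUIRK_PAST 0x1 /* P */
+#define QUIRK_ZEROID 0x2 /* Z */
+#define QUIRK_IPOPT 0x4 /* I */
+#define QUIRK_URG 0x8 /* U */
+#define QUIRK_X2 0x10 /* X */
+#define QUIRK_ACK 0x20 /* A */
+#define QUIRK_T2 0x40 /* T */
+#define QUIRK_FLAGS 0x80 /* F */
+#define QUIRK_DATA 0x100 /* D */
+#define QUIRK_BROKEN 0x200 /* ! */
+#define QUIRK_RSTACK 0x400 /* K */
+#define QUIRK_SEQEQ 0x800 /* Q */
+#define QUIRK_SEQ0 0x1000 /* 0 */
+
+#define GADGETNAT 0x1
+#define GADGETNAT2 0x2
+#define GADGETFIREWALL 0x4
+#define GADGETECN 0x8
+#define GADGETUPTIME 0x10
+
+#define MATCHGENERIC 0x1
+#define MATCHFUZZY 0x2
+
+#endif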
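Review bot: The bucket count `#define OSHSIZE 16` on the private member `bh[OSHSIZE]` and the `& 0x0f` mask at the end of the `SIGHASH` macro are two independent constants that must stay equal, because the macro's result is what indexes `bh`; a change to one without the other becomes an out-of-bounds bucket write. Writing the mask as `& (OSHSIZE - 1)` and adding `// OSHSIZE must be a power of two: SIGHASH masks with OSHSIZE - 1` beside the define ties them together. `OSHSIZE` is also `#define`d inside the class body, which suggests class scope it does not have — the macro is file-wide — so it belongs above the class next to `MAXOPT`. The fixed arrays `sig[MAXSIGS]` and `opt[MAXOPT]` are filled by `load_config` and by callers passing `ocnt`/`op`, whose bodies are not in this file, so the bounds checks against `MAXSIGS` and `MAXOPT` cannot be confirmed here; the declarations of `FindMatch` and `Get_OS_From_SYN` should state `// op must hold at least ocnt entries; ocnt <= MAXOPT is the caller's responsibility`.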