Remove old, unmaintained p0f support.

Addresses GH-417
2025-10-05 08:08:19 +00:00 · 2019-06-19 09:29:32 -07:00 · 2019-06-19 09:29:32 -07:00 · 632e83de57
commit 632e83de57
parent 8f668ce82c
12 changed files with 7 additions and 1978 deletions
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@ -4,7 +4,6 @@

 #include "NetVar.h"
 #include "File.h"
-#include "OSFinger.h"
 #include "Event.h"

 #include "analyzer/protocol/pia/PIA.h"
@ -115,201 +114,6 @@ static RecordVal* build_syn_packet_val(int is_orig, const IP_Hdr* ip,
 	return v;
 	}

-static RecordVal* build_os_val(int is_orig, const IP_Hdr* ip,
-                               const struct tcphdr* tcp, uint32 tcp_hdr_len)
-	{
-	if ( ! is_orig )
-		// Later we might use SYN-ACK fingerprinting here.
-		return 0;
-
-	// Passive OS fingerprinting wants to know a lot about IP and TCP
-	// options: how many options there are, and in which order.
-	int winscale = 0;
-	int MSS = 0;
-	int optcount = 0;
-	uint32 quirks = 0;
-	uint32 tstamp = 0;
-	uint8 op[MAXOPT];
-
-	if ( ip->HdrLen() > 20 )
-		quirks |= QUIRK_IPOPT;
-
-	if ( ip->ID() == 0 )
-		quirks |= QUIRK_ZEROID;
-
-	if ( tcp->th_seq == 0 )
-		quirks |= QUIRK_SEQ0;
-
-	if ( tcp->th_seq == tcp->th_ack )
-		quirks |= QUIRK_SEQEQ;
-
-	if ( tcp->th_flags & ~(TH_SYN|TH_ACK|TH_RST|TH_ECE|TH_CWR) )
-		quirks |= QUIRK_FLAGS;
-
-	if ( ip->TotalLen() - ip->HdrLen() - tcp_hdr_len > 0 )
-		quirks |= QUIRK_DATA;	// SYN with data
-
-	if ( tcp->th_ack )
-		quirks |= QUIRK_ACK;
-	if ( tcp->th_urp )
-		quirks |= QUIRK_URG;
-	if ( tcp->th_x2 )
-		quirks |= QUIRK_X2;
-
-	// Parse TCP options.
-	u_char* options = (u_char*) tcp + sizeof(struct tcphdr);
-	u_char* opt_end = (u_char*) tcp + tcp_hdr_len;
-
-	while ( options < opt_end )
-		{
-		unsigned int opt = options[0];
-
-		if ( opt == TCPOPT_EOL )
-			{
-			op[optcount++] = TCPOPT_EOL;
-			if ( ++options < opt_end )
-				quirks |= QUIRK_PAST;
-
-			// All done - could flag if more junk left over ....
-			break;
-			}
-
-		if ( opt == TCPOPT_NOP )
-			{
-			op[optcount++] = TCPOPT_NOP;
-			++options;
-			continue;
-			}
-
-		if ( options + 1 >= opt_end )
-			{
-			// We've run off the end, no room for the length.
-			quirks |= QUIRK_BROKEN;
-			break;
-			}
-
-		unsigned int opt_len = options[1];
-
-		if ( options + opt_len > opt_end )
-			{
-			// No room for rest of the options.
-			quirks |= QUIRK_BROKEN;
-			break;
-			}
-
-		if ( opt_len == 0 )
-			// Trashed length field.
-			break;
-
-		switch ( opt ) {
-		case TCPOPT_SACK_PERMITTED:
-			// SACKOK LEN
-			op[optcount] = TCPOPT_SACK_PERMITTED;
-			break;
-
-		case TCPOPT_MAXSEG:
-			// MSS LEN D0 D1
-			if ( opt_len < 4 )
-				break;	// bad length
-
-			op[optcount] = TCPOPT_MAXSEG;
-			MSS = (options[2] << 8) | options[3];
-			break;
-
-		case TCPOPT_WINDOW:
-			// WSCALE LEN D0
-			if ( opt_len < 3 )
-				break;	// bad length
-
-			op[optcount] = TCPOPT_WINDOW;
-			winscale = options[2];
-			break;
-
-		case TCPOPT_TIMESTAMP:
-			// TSTAMP LEN T0 T1 T2 T3 A0 A1 A2 A3
-			if ( opt_len < 10 )
-				break;	// bad length
-
-			op[optcount] = TCPOPT_TIMESTAMP;
-
-			tstamp = ntohl(extract_uint32(options + 2));
-
-			if ( extract_uint32(options + 6) )
-				quirks |= QUIRK_T2;
-			break;
-
-		default:	// just skip over
-			op[optcount]=opt;
-			break;
-		}
-
-		if ( optcount < MAXOPT - 1 )
-			++optcount;
-		else
-			quirks |= QUIRK_BROKEN;
-
-		options += opt_len;
-		}
-
-	struct os_type os_from_print;
-	int id = sessions->Get_OS_From_SYN(&os_from_print,
-			uint16(ip->TotalLen()),
-			uint8(ip->DF()), uint8(ip->TTL()),
-			uint16(ntohs(tcp->th_win)),
-			uint8(optcount), op,
-			uint16(MSS), uint8(winscale),
-			tstamp, quirks,
-			uint8(tcp->th_flags & (TH_ECE|TH_CWR)));
-
-	if ( sessions->CompareWithPreviousOSMatch(ip->SrcAddr(), id) )
-		{
-		RecordVal* os = new RecordVal(OS_version);
-
-		os->Assign(0, new StringVal(os_from_print.os));
-
-		if ( os_from_print.desc )
-			os->Assign(1, new StringVal(os_from_print.desc));
-		else
-			os->Assign(1, val_mgr->GetEmptyString());
-
-		os->Assign(2, val_mgr->GetCount(os_from_print.dist));
-		os->Assign(3, OS_version_inference->GetVal(os_from_print.match));
-
-		return os;
-		}
-
-	return 0;
-	}
-
-
-static void passive_fingerprint(TCP_Analyzer* tcp, bool is_orig,
-                                const IP_Hdr* ip, const struct tcphdr* tp,
-                                uint32 tcp_hdr_len)
-	{
-	// is_orig will be removed once we can do SYN-ACK fingerprinting
-	if ( OS_version_found && is_orig )
-		{
-		const IPAddr& orig_addr = tcp->Conn()->OrigAddr();
-		AddrVal* src_addr_val = new AddrVal(orig_addr);
-
-		if ( generate_OS_version_event->Size() == 0 ||
-		     generate_OS_version_event->Lookup(src_addr_val) )
-			{
-			RecordVal* OS_val = build_os_val(is_orig, ip, tp, tcp_hdr_len);
-
-			if ( OS_val )
-				{ // found new OS version
-				tcp->ConnectionEventFast(OS_version_found, {
-					tcp->BuildConnVal(),
-					src_addr_val->Ref(),
-					OS_val,
-				});
-				}
-			}
-
-		Unref(src_addr_val);
-		}
-	}

 TCP_Analyzer::TCP_Analyzer(Connection* conn)
 : TransportLayerAnalyzer("TCP", conn)
@ -1286,8 +1090,6 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 			});
 			}

-		passive_fingerprint(this, is_orig, ip, tp, tcp_hdr_len);
-
 		Unref(SYN_vals);
 		}