Re: Update pf.os with newer OS fingerprints

2019-02-08 Thread Fernando Fernandez Mancera
Hi Pablo,

On 2/8/19 5:07 PM, Pablo Neira Ayuso wrote:
> Hi Fernando,
> 
> On Fri, Feb 08, 2019 at 03:06:00PM +0100, Fernando Fernandez Mancera wrote:
>> Hi,
>>
>> I have been updating the pf.os signatures with more recent OS
>> fingerprints. I have checked out new Linux, FreeBSD and OpenBSD but only
>> Linux and FreeBSD needed new ones. I have been doing this because it is
>> related to my work during the last Google Summer of Code. In addition,
>> Michal Zalewski is aware of the new fingerprints too.
>>
>> Thanks.
>>
>> P.S: Keep me on Cc. I'm not subscribed to the list.
>>
>> diff --git etc/pf.os etc/pf.os
>> index 41c1bc6a482..8f235876799 100644
>> --- etc/pf.os
>> +++ etc/pf.os
>> @@ -232,6 +232,11 @@ S4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6
>> (newer, 3)
>>  T4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 4)
>>
>>  S10:64:1:60:M*,S,T,N,W4:Linux:3.0::Linux 3.0
>> +S10:64:1:60:M*,S,T,N,W6:Linux:3.1::Linux 3.1
>> +S10:64:1:60:M*,S,T,N,W7:Linux:3.4-3.10::Linux 3.4 - 3.10
>> +S20:64:1:60:M*,S,T,N,W7:Linux:3.11-3.19::Linux 3.11 - 3.19
>> +S20:64:1:60:M*,S,T,N,W7:Linux:4.0-4.19::Linux 4.0 - 4.19
> 
> Probably merge these two lines above? i.e.
> > S20:64:1:60:M*,S,T,N,W7:Linux:3.11-4.19::Linux 3.11 - 4.19
> 

I split this one by following the pattern of similar situations for
other fingerprints, e.g.

16384:64:1:44:M*:   FreeBSD:2.0-2.2::FreeBSD 2.0-4.2
16384:64:1:44:M*:   FreeBSD:3.0-3.5::FreeBSD 2.0-4.2
16384:64:1:44:M*:   FreeBSD:4.0-4.2::FreeBSD 2.0-4.2

65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:5.0-5.2::FreeBSD 4.7-5.2

In my opinion I would make no changes to these two lines. Do you agree?

>> +S44:64:1:60:M*,S,T,N,W7:Linux:4.20::Linux 4.20
>>
>>  S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4)
>>  S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6
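Review bot: the two `S20:64:1:60:M*,S,T,N,W7:` lines (`Linux:3.11-3.19` and `Linux:4.0-4.19`) are identical in every field pf compares against the SYN (window, ttl, df, packet size, options), so the split changes nothing about matching and only affects the version and description columns that get reported. The precedent cited in the reply keeps one shared description on every split line (`FreeBSD 2.0-4.2` on all three `16384:64:1:44:M*:` entries), whereas these two carry different descriptions (`Linux 3.11 - 3.19` and `Linux 4.0 - 4.19`). Either follow that precedent with a shared `Linux 3.11 - 4.19` description on both lines or merge them as suggested; in both cases load the file and list the result with `pfctl -s osfp` to confirm the signature appears with the intended version labels.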
>> @@ -283,6 +288,8 @@ S22:64:1:52:M*,N,N,S,N,W0:   Linux:2.2:ts:Linux 2.2
>> w/o timestamps
>>  65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
>>  65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
>>
>> +65535:64:1:60:M*,N,W6,S,T:  FreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
>> +
>>  # XXX need quirks support
>>  # 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
>>  # 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)
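Review bot: the version column jumps from `FreeBSD:5.0-5.2` straight to the new `FreeBSD:9.0-12.0`, with no entry for 5.3 through 8.x, and since the version field is a range label a reader will take `9.0-12.0` to mean every release from 9.0 to 12.0 was observed. The cover message only says newer FreeBSD was checked, so please state which releases were actually captured (and whether 6.x-8.x still produce the old `M*,N,W1,N,N,T` signature or the new `M*,N,W6,S,T` one), or narrow the range to the releases tested.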


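The split-versus-merge question above turns on which columns pf actually matches. The following lint script is an added example, not part of pf, pfctl or this patch: it parses pf.os lines into their nine fields, groups lines whose fingerprint fields are identical (showing that the Linux S20 pair and the FreeBSD 2.0-4.2 triple are single signatures carrying several version labels), checks that the packet_size field agrees with the option list, and answers whether a given version is covered by any entry, which exposes the 3.2/3.3 hole. The sample lines are copied from this thread into a constructed string; the option lengths (MSS 4, NOP 1, window scale 3, SACK-permitted 2, timestamp 10) and the 40-byte IPv4+TCP base are TCP facts, while treating `.` as an empty option list, `*` as a wildcard packet size and skipping non-numeric version labels are this script's own assumptions.

```python
"""Lint helper for pf.os fingerprint lines (added example, not pf's own code).

Assumed line layout: window:ttl:df:packet_size:options:class:version:subtype:description
Assumed packet_size = 20-byte IPv4 header + 20-byte TCP header + TCP options listed.
"""
from collections import defaultdict

# Constructed sample: lines copied from the thread plus a comment and a blank
# line to show they are skipped. The 3.2/3.3 hole is left in on purpose.
SAMPLE_PF_OS = """\
# window:ttl:df:packet_size:options:class:version:subtype:description
S10:64:1:60:M*,S,T,N,W4:   Linux:3.0::Linux 3.0
S10:64:1:60:M*,S,T,N,W6:   Linux:3.1::Linux 3.1
S10:64:1:60:M*,S,T,N,W7:   Linux:3.4-3.10::Linux 3.4 - 3.10
S20:64:1:60:M*,S,T,N,W7:   Linux:3.11-3.19::Linux 3.11 - 3.19
S20:64:1:60:M*,S,T,N,W7:   Linux:4.0-4.19::Linux 4.0 - 4.19

16384:64:1:44:M*:   FreeBSD:2.0-2.2::FreeBSD 2.0-4.2
16384:64:1:44:M*:   FreeBSD:3.0-3.5::FreeBSD 2.0-4.2
16384:64:1:44:M*:   FreeBSD:4.0-4.2::FreeBSD 2.0-4.2
65535:64:1:60:M*,N,W6,S,T:  FreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
"""

FIELDS = ["window", "ttl", "df", "packet_size", "options",
          "class", "version", "subtype", "description"]
SIGNATURE_FIELDS = FIELDS[:5]   # the part pf compares against the SYN
FIXED_HEADERS = 20 + 20         # IPv4 + TCP base headers (assumption: no IP options)
# Wire length of each TCP option by its pf.os letter; the suffix (M*, W7, T0)
# describes the option's value, not its length.
OPTION_LENGTH = {"M": 4, "N": 1, "W": 3, "S": 2, "T": 10}

def parse_pf_os(text):
    """Split every non-comment, non-blank line into its nine named fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 8)]
        if len(parts) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["lineno"] = lineno
        entries.append(entry)
    return entries

def signature(entry):
    """The fingerprint half of a line: what pf matches, not the OS labels."""
    return tuple(entry[f] for f in SIGNATURE_FIELDS)

def expected_packet_size(options):
    """Headers plus option bytes; None when an option letter is not in the table."""
    total = FIXED_HEADERS
    if options in ("", "."):    # assumption: "." means no options
        return total
    for opt in options.split(","):
        length = OPTION_LENGTH.get(opt[:1])
        if length is None:
            return None
        total += length
    return total

def check_packet_sizes(entries):
    """(lineno, declared, expected) for lines whose size disagrees with their options."""
    problems = []
    for e in entries:
        if not e["packet_size"].isdigit():   # assumption: "*" means any size
            continue
        expected = expected_packet_size(e["options"])
        if expected is not None and int(e["packet_size"]) != expected:
            problems.append((e["lineno"], int(e["packet_size"]), expected))
    return problems

def duplicate_signatures(entries):
    """signature -> [(class, version), ...] for signatures shared by several lines."""
    groups = defaultdict(list)
    for e in entries:
        groups[signature(e)].append((e["class"], e["version"]))
    return {sig: labels for sig, labels in groups.items() if len(labels) > 1}

def _parse_version(text):
    return tuple(int(part) for part in text.split("."))

def covering_entries(entries, osclass, version):
    """Version labels of osclass whose range contains version (e.g. "3.2").

    Non-numeric version labels are skipped rather than compared.
    """
    want = _parse_version(version)
    hits = []
    for e in entries:
        if e["class"] != osclass:
            continue
        low, _, high = e["version"].partition("-")
        try:
            low_v = _parse_version(low)
            high_v = _parse_version(high) if high else low_v
        except ValueError:
            continue
        if low_v <= want <= high_v:
            hits.append(e["version"])
    return hits
```

Running `duplicate_signatures(parse_pf_os(SAMPLE_PF_OS))` returns two groups, the Linux S20 pair and the FreeBSD 16384 triple, while `covering_entries(entries, "Linux", "3.2")` returns an empty list; `check_packet_sizes` is empty for these lines because every option list sums to the declared 44 or 60 bytes.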

Update pf.os with newer OS fingerprints

2019-02-08 Thread Fernando Fernandez Mancera
Hi,

I have been updating the pf.os signatures with more recent OS
fingerprints. I have checked out new Linux, FreeBSD and OpenBSD but only
Linux and FreeBSD needed new ones. I have been doing this because it is
related to my work during the last Google Summer of Code. In addition,
Michal Zalewski is aware of the new fingerprints too.

Thanks.

P.S: Keep me on Cc. I'm not subscribed to the list.

diff --git etc/pf.os etc/pf.os
index 41c1bc6a482..8f235876799 100644
--- etc/pf.os
+++ etc/pf.os
@@ -232,6 +232,11 @@ S4:64:1:60:M*,S,T,N,W7:Linux:2.6::Linux 2.6
(newer, 3)
 T4:64:1:60:M*,S,T,N,W7:Linux:2.6::Linux 2.6 (newer, 4)

 S10:64:1:60:M*,S,T,N,W4:   Linux:3.0::Linux 3.0
+S10:64:1:60:M*,S,T,N,W6:   Linux:3.1::Linux 3.1
+S10:64:1:60:M*,S,T,N,W7:   Linux:3.4-3.10::Linux 3.4 - 3.10
+S20:64:1:60:M*,S,T,N,W7:   Linux:3.11-3.19::Linux 3.11 - 3.19
+S20:64:1:60:M*,S,T,N,W7:   Linux:4.0-4.19::Linux 4.0 - 4.19
+S44:64:1:60:M*,S,T,N,W7:   Linux:4.20::Linux 4.20

 S3:64:1:60:M*,S,T,N,W1:Linux:2.5::Linux 2.5 (sometimes 2.4)
 S4:64:1:60:M*,S,T,N,W1:Linux:2.5-2.6::Linux 2.5/2.6
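Review bot: `Linux:3.1` is followed directly by `Linux:3.4-3.10`, leaving 3.2 and 3.3 without any entry, while the other new Linux ranges are contiguous (3.11-3.19, 4.0-4.19, 4.20), so this reads as an oversight rather than a deliberate hole. If 3.2/3.3 share the `W6` signature of 3.1 or the `W7` signature of 3.4, extend the matching version range to cover them; if they were not checked, say so in the commit message.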
@@ -283,6 +288,8 @@ S22:64:1:52:M*,N,N,S,N,W0:  Linux:2.2:ts:Linux 2.2
w/o timestamps
 65535:64:1:60:M*,N,W1,N,N,T:   FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
 65535:64:1:60:M*,N,W1,N,N,T:   FreeBSD:5.0-5.2::FreeBSD 4.7-5.2

+65535:64:1:60:M*,N,W6,S,T: FreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
+
 # XXX need quirks support
 # 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
 # 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)
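Review bot: style: the new descriptions write ranges with spaces (`FreeBSD 9.0 - 12.0` here, `Linux 3.4 - 3.10` and friends in the first hunk) while the surrounding entries write them without (`FreeBSD 4.7-5.2`, `Linux 2.5/2.6`); use `FreeBSD 9.0-12.0` and `Linux 3.4-3.10` etc. so the description column stays consistent with the rest of the file.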