-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathp0f.fp-example
200 lines (199 loc) · 9.27 KB
/
p0f.fp-example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
#
# p0f - passive OS fingerprinting
# -------------------------------
# (C) Copyright 2000, 2001 by Michal Zalewski <[email protected]>
# (C) Copyright 2001 by William Stearns <[email protected]>
#
# Every entry in this file is a description of unique TCP parameters
# specific for the first SYN packet sent by a remote party while
# establishing a connection. Those parameters include: window size (wss),
# maximum segment size (mss), don't fragment flag (DF), window scaling
# (wscale), sackOK flag, nop flag, initial time to live (TTL) and SYN
# packet size (as declared).
#
# Normally, p0f reports unknown OSes providing you with all parameters,
# so you can simply find out what system your party runs, and then,
# add appropriate rule to this file. There's only thing you have to do
# - determine initial TTL of a packet. Well, usually it is equal to the first
# power of 2 greater than TTL you're seeing, given that your remote party is
# not too far away (if traceroute shows more than 20-25 hosts, be careful).
# So, for example, if you get TTL of 55 in a fingerprint returned by p0f,
# initial TTL probably was 64. NOTE: it is better to overestimate it (will
# affect distance prediction) than to underestimate (will not work at all in
# some cases).
#
# There are some brain-damaged devices, like network printers, that
# have initial TTLs set to values like 60. However, if you see HP LaserJet
# trying to connect your server, you probably should have a break :)
#
# Format:
#
# wwww:ttt:mmm:D:W:S:N:I:OS Description
#
# wwww - window size
# ttt - time to live
# mmm - maximum segment size
# D - don't fragment flag (0=unset, 1=set)
# W - window scaling (-1=not present, other=value)
# S - sackOK flag (0=unset, 1=set)
# N - nop flag (0=unset, 1=set)
# I - packet size (-1 = irrevelant)
#
31072:64:3884:1:0:1:1:-1:Linux 2.2.12-20 (RH 6.1)
512:64:1460:0:0:0:0:44:Linux 2.0.35 - 2.0.38
32120:64:1460:1:0:1:1:60:Linux 2.2.9 - 2.2.18
16384:64:1460:1:0:0:0:44:FreeBSD 4.0-STABLE, 3.2-RELEASE
8760:64:1460:1:0:0:0:-1:Solaris 2.6 (2)
9140:255:9140:1:0:0:0:-1:Solaris 2.6 (sunsite)
49152:64:1460:0:0:0:0:44:IRIX 6.5 / 6.4
8760:255:1460:1:0:0:0:44:Solaris 2.6 or 2.7 (1)
8192:128:1460:1:0:0:0:44:Windows NT 4.0 (1)
8192:128:1460:1:0:1:1:48:Windows 9x (1)
8192:128:536:1:0:1:1:48:Windows 9x (2)
2144:64:536:1:0:1:1:60:Windows 9x (4)
16384:128:1460:1:0:1:1:48:Windows 2000 (1)
32120:32:1460:1:0:1:1:60:Linux 2.2.13 (1)
8192:32:1460:1:0:0:0:44:Windows NT 4.0 (2)
5840:128:536:1:0:1:1:48:Windows 95 (3)
16060:64:1460:1:0:1:1:60:Debian/Caldera Linux 2.2.x (check)
8760:255:1380:1:0:0:0:44:Solaris 2.7
8192:128:1456:1:0:1:1:64:Linux 2.2.13 (2)
32768:64:1432:0:0:0:0:44:PlusGSM, InterNetia proxy ???
16384:255:1460:1:0:0:1:48:FreeBSD 2.2.6-RELEASE
8192:64:1460:1:0:0:1:60:BSDI BSD/OS 3.1 - 4.0
16384:64:1460:0:0:0:1:60:NetBSD 1.3/i386
24820:64:1460:1:0:0:0:44:SCO UnixWare 7.0.1, Win 9x
32768:64:1460:1:0:0:0:44:HP-UX B.10.01 A 9000/712
16384:64:512:0:0:0:0:44:AIX 3.2, 4.2 - 4.3
32768:64:1460:1:0:0:1:48:Digital UNIX V4.0E, Mac OS X
32694:255:536:0:0:0:0:-1:3Com HiPer ARC, System V4.2.32
4128:255:556:0:0:0:0:-1:Cisco IOS 1750/12.0(5), 2500/11.3(1), 3600/12.0(7)
4288:255:1460:0:-1:0:0:-1:Cisco IOS 3620/11.2(17)P
512:64:0:0:-1:0:0:-1:Linux 2.0.35 - 2.0.37
8192:128:1460:1:-1:1:0:44:Windows NT
32120:64:1460:1:190:1:1:60:Linux 2.2.16
32696:64:536:0:0:1:1:60:SCO UnixWare 7.1.0 x86 (1)
24820:64:1460:1:0:0:1:60:SCO UnixWare 7.1.0 x86 (2), Linux 2.4.0
24820:64:1460:1:0:0:1:48:SCO UnixWare 7.1.0 x86 ? (3)
32120:64:1460:0:-1:0:0:44:Linux 2.0.38 (2)
65535:128:1368:1:-1:0:0:44:BorderManager 3.0 - 3.5, Windows 98, Windows NT 5.0
33580:255:1460:1:-1:0:0:44:Solaris 7
8192:128:25443:1:-1:1:1:-1:Microsoft NT 4.0 Server SP5
8192:64:1460:1:-1:0:0:44:AXCENT Raptor Firewall Windows NT 4.0/SP3
8192:32:1456:1:-1:0:0:44:Windows 95 (4)
16384:64:0:0:-1:0:0:-1:ULTRIX V4.5 (Rev. 47)
16384:64:512:0:0:0:1:60:OpenBSD 2.6-2.8
32768:128:1460:1:-1:0:0:-1:Novell NetWare 4.11
16384:64:1460:1:0:0:1:44:FreeBSD 2.2.8-RELEASE
4288:255:536:0:-1:0:0:-1:Cisco IOS 1600/11.2(15)P, 2500/11.2(5)P, 4500/11.1(7)
4096:32:1024:0:245:0:0:-1:Alcatel (Xylan) OmniStack 5024
2144:255:536:0:-1:0:0:-1:Cisco IGS 3000 IOS 11.x(16), 2500 IOS 11.2(3)P
4128:255:1460:0:-1:0:0:-1:Cisco IOS 2611/11.3(2)XA4, C2600/12.0(5)T1, 4500/12.0(9), 3640/12.1(2), 3620/12.0(8) or 11.3(11a)
61440:64:1460:0:-1:0:0:44:IRIX 6.3
61440:64:512:0:-1:0:0:-1:IRIX 5.3 / 4.0.5F
31856:64:1460:1:0:1:1:60:Linux 2.3.99-ac - 2.4.0-test1
4096:32:1024:0:245:0:0:-1:Alcatel (Xylan) OmniStack 5024 v3.4.5
4096:32:1024:0:-1:0:0:-1:Chorus MiX V.3.2 r4.1.5 COMP-386
32120:64:1460:1:101:1:1:60:Linux 2.2.15
32120:64:1460:0:-1:0:0:-1:Linux 2.0.33 (1)
512:64:1460:0:52:0:0:44:Linux 2.0.33 (2)
32120:64:1460:0:0:1:1:60:Linux 2.2.19
5840:64:1460:1:0:1:1:60:Linux 2.4.2 - 2.4.14 (1)
32768:255:1460:1:0:0:1:48:Mac OS 9 (1)
65535:255:1460:1:1:0:1:48:Mac OS 9 (2)
24820:64:1460:1:-1:1:1:48:SunOS 5.8
32768:32:1460:1:-1:0:0:44:Windows CE 3.0 (Ipaq 3670) (1)
32768:32:1460:1:-1:0:1:44:Windows CE 3.0 (Ipaq 3670) (2)
24820:64:1460:1:-1:1:1:-1:SunOS 5.8 Sparc
12288:255:1460:0:-1:0:0:44:BeOS 5.0 (1)
12288:255:1460:0:-1:0:1:44:BeOS 5.0 (2)
32768:128:1460:1:0:0:1:48:Dec V4.0 OSF1
16384:64:1460:0:-1:0:0:44:AIX 4.3 - 4.3.3, Windows 98
61440:64:1460:0:-1:1:1:48:IRIX 6.5.10
5840:64:1460:1:0:1:1:52:Linux 2.4.1-14 (1)
44032:128:64059:1:-1:1:1:-1:Windows 2000 SP2 (1)
44032:128:1452:1:-1:1:1:48:Windows 2000 SP2 (2)
16384:128:25275:1:-1:1:1:-1:Windows 2000 (2)
1024:64:0:0:-1:0:0:40:NMAP scan (distance inaccurate) (1)
1024:64:265:0:10:0:1:60:NMAP scan (distance inaccurate) (2)
1024:64:536:0:-1:0:0:40:NMAP scan (distance inaccurate) (3)
3072:64:0:0:-1:0:0:40:NMAP scan (distance inaccurate) (4)
3072:64:265:0:10:0:1:60:NMAP scan (distance inaccurate) (5)
3072:64:536:0:-1:0:0:40:NMAP scan (distance inaccurate) (6)
2048:64:0:0:-1:0:0:40:NMAP scan (distance inaccurate) (7)
2048:64:265:0:10:0:1:60:NMAP scan (distance inaccurate) (8)
2048:64:536:0:-1:0:0:40:NMAP scan (distance inaccurate) (9)
4096:64:0:0:-1:0:0:40:NMAP scan (distance inaccurate) (10)
4096:64:265:0:10:0:1:60:NMAP scan (distance inaccurate) (11)
4096:64:536:0:-1:0:0:40:NMAP scan (distance inaccurate) (12)
16384:64:1460:1:94:0:1:44:FreeBSD 4.0-STABLE, 3.2-RELEASE (2)
16384:64:1460:1:98:0:0:44:FreeBSD 4.0-STABLE, 3.2-RELEASE (3)
16384:64:1460:1:112:0:0:44:FreeBSD 4.0-STABLE, 3.2-RELEASE (4)
16384:64:1460:1:0:0:1:60:Linux 2.4.2 - 2.4.14 (2)
8760:255:1460:1:-1:0:1:44:Solaris 2.6 or 2.7 (2)
8192:128:1460:1:0:1:1:64:Windows 9x (5)
8192:128:1460:1:0:1:1:44:Windows 9x (6)
5840:64:1460:1:0:1:1:48:Linux 2.4.1-14 (2)
5840:64:1460:1:0:0:1:60:Linux 2.4.13-ac7
4660:255:0:0:-1:0:0:40:Queso 1.2 (OS unknown, Linux, Solaris, *BSD, others?)
64240:128:1460:1:-1:1:1:48:Windows XP Pro, Windows 2000 Pro
16384:128:1440:1:-1:1:1:48:Windows XP Pro
32767:118:1412:1:0:0:1:Windows XP
16384:118:1412:1:-1:1:1:Microsoft Windows XP Professional
32696:64:536:1:0:1:1:60:Anonymizer.com proxy (Unixware?)
8192:64:1460:1:0:1:1:64:WebTV netcache engine (BSDI)
65535:64:1460:0:1:0:1:48:AOL proxy, Compaq Tru64 UNIX V5.1 (Rev. 732)
32320:64:1616:1:0:1:1:60:Linux (unknown?) (1)
5840:64:1460:0:0:1:1:60:Linux (unknown?) (2)
5840:128:1460:1:-1:1:1:48:Windows 95 or early NT4
8192:128:536:1:-1:1:1:48:Windows 9x or 2000
5808:64:1452:1:0:1:1:60:Linux 2.4.10 (1)
5808:64:1452:1:111:1:1:60:Linux 2.4.10 (2)
16384:128:1460:1:75:1:1:48:Windows ME
32767:114:1360:1:0:0:Windows ME (2)
15972:64:1452:1:0:1:1:60:Windows 98 (?)
16384:128:1452:1:-1:1:1:48:Windows 2000 (4)
16384:128:1360:1:-1:1:1:48:Windows 2000 (5)
8192:128:1460:0:-1:1:1:48:Windows 95 (?) (6)
8192:128:1414:1:-1:1:1:48:Windows 9x or NT4
8760:128:536:1:-1:1:1:48:Windows 2000 Pro (2128)
64240:255:1460:1:-1:0:0:44:Linux 2.1.xx (?)
16384:128:1414:1:-1:1:1:48:Windows 2000 (8)
8192:128:1360:1:-1:1:1:48:Windows 9x (9)
65535:64:1460:0:0:0:1:60:CacheOS 3.1 on a CacheFlow 6000
31944:64:1412:1:0:1:1:60:Linux 2.2
16384:128:1460:1:-1:1:1:48:Windows 2000 (9)
8192:64:1460:0:-1:0:0:44:CacheFlow 500x CacheOS 2.1.08 - 2.2.1
5535:64:1460:1:0:0:1:60:FreeBSD 2.2.1 - 4.1
512:64:1460:0:-1:0:0:44:Linux 2.0.34-38
65535:64:1432:0:-1:0:0:44:Cisco webcache
16384:128:55370:1:-1:1:1:48:early Windows 2000
2144:64:536:1:0:1:1:48:Windows 9x (10)
8192:64:1460:1:0:1:1:60:BSDI BSD/OS 3.0 - 4.0 (or MacOS, NetBSD)
16384:64:1460:1:0:0:1:68:FreeBSD 4.3 - 4.4PRERELEASE
8760:255:1460:1:-1:1:0:44:Solaris 2.6 - 2.7
32120:64:1460:1:9:1:1:60:Linux 2.2.x
4288:128:1460:1:-1:1:1:48:Windows NT SP3 (1)
8192:128:1456:1:-1:1:1:48:Windows NT SP3 (2)
16384:64:572:1:0:1:1:64:OpenBSD 3.0
63903:128:0:0:-1:0:0:40:Linux 2.2.x or 2.4.x
16384:128:1272:1:-1:1:1:48:Windows NT SP3 (3)
16616:255:1460:1:0:0:0:48:Mac OS 7.x-9.x
16384:128:572:1:-1:1:1:48:Windows NT SP4+
32768:64:1460:1:0:0:1:60:Mac OS X 10.1
32768:64:1460:1:122:0:1:60:Mac OS X 10.1 (2)
32120:64:1460:1:100:1:1:60:Linux 2.2.14
65535:128:1372:1:-1:1:1:48:Windows 98 (2)
5840:64:1460:1:223:1:1:60:Linux-2.4.13-ac7
8192:128:1460:1:52:1:1:48:Windows 98 (3)
65535:128:1460:1:-1:1:1:48:Windows 98 (4)
16384:128:1460:1:52:1:1:48:Windows NT 5.0 (1)
8760:128:1460:1:-1:1:1:48:Windows NT 5.0 (2)
60352:64:1360:1:2:1:1:52:Windows NT 5.0 (3)
11400:64:3800:1:0:1:1:60:Linux 2.4.0-0.99.11 Redhat 7.0 Beta (Fischer)
16384:55:1412:0:0:0:1:NetBSD 1.6
57344:53:1412:1:-1:0:0:FreeBSD 4.7-STABLE
64240:58:1412:1:0:0:1:Windows XP Professional
32768:53:1412:1:-1:0:0:Macos X 10.2.3
31944:54:1412:1:-1:1:0:Linux 2.2.19
5840:54:1412:1:-1:0:1:Linux 2.4.20+grsec