The osf module does passive operating system fingerprinting. This module
compares some data (Window Size, MSS, options and their order, TTL, DF,
and others) from packets with the SYN bit set.
.TP
[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
Match an operating system genre by using passive fingerprinting.
.TP
\fB\-\-ttl\fP \fIlevel\fP
Do additional TTL checks on the packet to determine the operating system.
\fIlevel\fP can be one of the following values:
.IP \(bu 4
0 - True IP address and fingerprint TTL comparison. This generally works for
LANs.
.IP \(bu 4
1 - Check if the IP header's TTL is less than the fingerprint one. Works for
globally-routable addresses.
.IP \(bu 4
2 - Do not compare the TTL at all.
.TP
\fB\-\-log\fP \fIlevel\fP
Log determined genres into dmesg even if they do not match the desired one.
\fIlevel\fP can be one of the following values:
.IP \(bu 4
0 - Log all matched or unknown signatures
.IP \(bu 4
1 - Log only the first one
.IP \(bu 4
2 - Log all known matched signatures
.PP
You may find something like this in syslog:
.PP
Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
.PP
OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
fingerprints from a file, use:
.PP
\fBnfnl_osf \-f /usr/share/xtables/pf.os\fP
.PP
To remove them again, use:
.PP
\fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP
.PP
The fingerprint database can be downloaded from
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
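.PP
The syslog records shown above can be parsed for review of which client genres reach which service. This is an added example, not part of the original manual page or of the iptables project; the syslog prefix in the sample, the names OsfRecord, parse_osf and unexpected_clients, and the allow-list policy are assumptions.

```python
import re
from typing import Iterator, List, NamedTuple, Set

# Constructed input: the two records from the man page's sample, behind an
# assumed syslog prefix, run together on one line as the page shows them.
SAMPLE = (
    "Jan  1 00:00:00 fw kernel: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: "
    "11.22.33.55:4024 -> 11.22.33.44:139 hops=3 "
    "Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# genre [version:details] : src:port -> dst:port hops=N
# The space before the colon is optional because the sample shows both forms.
RECORD = re.compile(
    r"\b(?P<genre>[A-Za-z][\w.-]*) \[(?P<sig>[^\]]*)\] ?: "
    rf"(?P<src>{IPV4}):(?P<sport>\d+) -> "
    rf"(?P<dst>{IPV4}):(?P<dport>\d+) hops=(?P<hops>\d+)"
)


class OsfRecord(NamedTuple):  # hypothetical name, not from the module
    genre: str
    version: str
    details: str
    src: str
    sport: int
    dst: str
    dport: int
    hops: int


def parse_osf(text: str) -> Iterator[OsfRecord]:
    """Yield every osf record found in text; other log content is skipped."""
    for m in RECORD.finditer(text):
        version, _, details = m["sig"].partition(":")
        yield OsfRecord(m["genre"], version, details.rstrip(":"), m["src"],
                        int(m["sport"]), m["dst"], int(m["dport"]), int(m["hops"]))


def unexpected_clients(text: str, dport: int, allowed: Set[str]) -> List[OsfRecord]:
    """Records to dport whose fingerprinted genre is not in the allow-list."""
    return [r for r in parse_osf(text) if r.dport == dport and r.genre not in allowed]


if __name__ == "__main__":
    for rec in parse_osf(SAMPLE):
        print(rec)
    print(unexpected_clients(SAMPLE, 139, {"Linux"}))
```

The genre is derived from SYN fields that the sender controls, so treat it as a triage hint rather than proof of the client's operating system.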