Doing something with OS fingerprint?

Jochen Bern Jochen.Bern at binect.de
Thu Mar 4 18:31:42 AEDT 2021


On 03.03.21 20:47, Stef Bon wrote:
> Op ma 22 feb. 2021 om 10:56 schreef Jochen Bern <Jochen.Bern at binect.de>:
>> My - admittedly first ever - thoughts on that:
>> -- Doesn't OpenSSH already parse the peer's Hello String for that
>>    purpose?
> No, as I know it that is only the software and version, not the os,

Well, yes, because to "meet the peer's flaws and maybe bugs", as you put
it, ssh and sshd would need to be able to *do something about them*, and
what these pieces of software do is to handle the SSH protocol, not to
(random example) second-guess what the behavior of the peer's OS is WRT
reassembly of overlapping TCP fragments.

Or am I just not thinking of the same sort of "purely OS-level flaws and
bugs" as you are?

>> -- osf can also differ from defaults (own fingerprint files being
>>    loaded, --ttl param etc.)
> 
> Huh what do you mean Jochen? You know something about this software?

I had a look at my local iptables-extensions manpage, which offers me
three different --ttl levels to modify osf's behavior and strongly
suggests that I am to specify rules in terms of "genres" and other terms
*derived* from the actual fingerprint as per the local fingerprints file.

(I.e., when you look at a fingerprint in that file like:

> 32696:128:0:40:M1460:			Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine

then the strictly formatted *left* hand side corresponds to the actual
test result but the *right* hand side is what I can have the iptables
rules match; have someone edit the fingerprint file to introduce an
earlier match named "MumbleFoo stupid middleboxes" and you'll never see
a "Spirent" reported again.)

By the way, you might want to look at the upstream maintainers' CVS log

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os

for some choice comments, like with release 1.25. :-3

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
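The fingerprint-file layout discussed in the mail, worked through as an added example (this is not code from the thread, from pf.os or from the xt_osf module): a parser for pf.os-style lines plus an audit that reports entries whose signature is shadowed by an earlier identical one, which is the "you'll never see a Spirent reported again" situation. The sample table is constructed for the example (only the Spirent line is the one quoted above; the MumbleFoo and ExampleOS lines are invented), the nine-field split follows the pf.os layout window:ttl:df:size:options:genre:version:subtype:details, and first-match-wins with exact signature comparison is a simplifying assumption; real pf.os signatures also allow wildcard and modulo forms that this code does not interpret.

```python
"""Parse pf.os-style fingerprint lines and flag shadowed signatures."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample table. Line 2 is the Spirent entry quoted in the mail;
# line 1 is an invented earlier entry with the *same* left-hand side, and
# line 3 is an invented entry showing a longer option list.
SAMPLE_TABLE = """\
# window:ttl:df:size:options:genre:version:subtype:details
32696:128:0:40:M1460:\t\t\tMumbleFoo:stupid:middleboxes:constructed shadowing entry
32696:128:0:40:M1460:\t\t\tSpirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine
65535:64:1:60:M1460,N,W0,N,N,T:\tExampleOS:1.0::constructed entry with option list
"""


@dataclass(frozen=True)
class Fingerprint:
    window: str
    ttl: str
    df: str
    psize: str
    options: str
    genre: str
    version: str
    subtype: str
    details: str

    @property
    def signature(self) -> str:
        """Left-hand side: what the packet test actually produces."""
        return ":".join((self.window, self.ttl, self.df, self.psize, self.options))

    @property
    def label(self) -> str:
        """Right-hand side: the derived name that firewall rules match on."""
        return ":".join((self.genre, self.version, self.subtype, self.details))


def parse_line(line: str) -> Optional[Fingerprint]:
    """Parse one line; returns None for blank lines and '#' comments.

    The split is limited to 8 so a colon in the free-text details field
    cannot shift the other columns; tab padding before the genre is stripped.
    """
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    parts = [p.strip() for p in text.split(":", 8)]
    if len(parts) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(parts)}: {line!r}")
    return Fingerprint(*parts)


def load_table(source: str) -> List[Fingerprint]:
    """Parse a whole file body, preserving on-disk order."""
    return [fp for fp in (parse_line(l) for l in source.splitlines()) if fp is not None]


def lookup(table: List[Fingerprint], observed: str) -> Optional[Fingerprint]:
    """First-match lookup of an observed signature (assumption: exact match, first wins)."""
    for fp in table:
        if fp.signature == observed:
            return fp
    return None


def shadowed_entries(table: List[Fingerprint]) -> Dict[str, List[Fingerprint]]:
    """Map each duplicated signature to the later entries that can never match."""
    first_seen: Dict[str, Fingerprint] = {}
    shadowed: Dict[str, List[Fingerprint]] = {}
    for fp in table:
        if fp.signature in first_seen:
            shadowed.setdefault(fp.signature, []).append(fp)
        else:
            first_seen[fp.signature] = fp
    return shadowed


def audit_report(source: str) -> List[str]:
    """Human-readable lines naming every shadowed entry and what shadows it."""
    table = load_table(source)
    first = {fp.signature: fp for fp in reversed(table)}  # earliest entry wins
    lines = []
    for sig, losers in shadowed_entries(table).items():
        for fp in losers:
            lines.append(f"{sig}: '{fp.label}' is shadowed by '{first[sig].label}'")
    return lines


if __name__ == "__main__":
    hit = lookup(load_table(SAMPLE_TABLE), "32696:128:0:40:M1460")
    print("observed signature resolves to genre:", hit.genre if hit else None)
    for line in audit_report(SAMPLE_TABLE):
        print("WARNING", line)
```

Running the audit against the shipped fingerprint file (pf.os, or whatever file xt_osf was loaded from) before trusting "genre"-based rules is the practical takeaway: a matching rule is only as good as the first entry in the file that carries that left-hand side.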
