This repository has been archived by the owner on Jun 24, 2024. It is now read-only.
p0fo.fp
#
# p0f - stray ACK signatures
# --------------------------
#
# .-------------------------------------------------------------------------.
# | The purpose of this file is to cover signatures for stray ACK packets |
# | (established session data). This mode of operation is enabled with -O |
# | option and is HIGHLY EXPERIMENTAL. Please refer to p0f.fp for more |
# | information on the metrics used and for a guide on adding new entries |
# | to this file. This database is looking for a caring maintainer. |
# `-------------------------------------------------------------------------'
#
# (C) Copyright 2000-2006 by Michal Zalewski <lcamtuf@coredump.cx>
#
# Submit all additions to the authors. Read p0f.fp before adding any
# signatures. Run p0f -O -C after making any modifications. This file is
# NOT compatible with SYN, SYN+ACK or RST+ modes. Use only with -O option.
#
# IMPORTANT INFORMATION ABOUT THE INTERDEPENDENCY OF SYNs AND ACKs
# ----------------------------------------------------------------
#
# Some systems would have different ACK fingerprints depending on the initial
# SYN or SYN+ACK received from the other party. More specifically, RFC1323,
# RFC2018 and RFC1644 extensions sometimes show up only if the other party had
# them enabled. Hence, the reliability of ACK fingerprints may be affected.
#
# IMPORTANT INFORMATION ABOUT DIFFERENCES IN COMPARISON TO p0f.fp:
# ----------------------------------------------------------------
#
# - Packet size MUST be wildcarded. ACK packets, by their nature, have
#   variable sizes, depending on the amount of data carried as a payload.
#
# - Similarly, 'D' quirk is not checked for, and is not allowed in signatures
#   in this file. A good number of ACK packets have payloads.
#
# - PUSH flag is excluded from 'F' quirk checks in this mode.
#
# - 'A' quirk is not a bug; all ACK packets should have it set; also,
#   'T' quirk is not an anomaly; its absence on systems with T option is.
#
32767:64:1:*:N,N,T:AT:Linux:2.4.2x (local?)
*:64:1:*:.:A:Linux:2.4.2x
32736:64:0:*:.:A:Linux:2.0.3x
57600:64:1:*:N,N,T:AT:FreeBSD:4.8
%12:128:1:*:.:A:Windows:XP
S44:128:1:*:.:A:Windows:XP
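
An added example (not part of p0f or of this repository): a small Python linter that checks entries against the ACK-mode rules listed in the header comments above. It assumes the eight colon-separated fields follow the p0f.fp order (window, TTL, DF, size, options, quirks, genre, details); the function names and the sample entries marked as constructed are hypothetical.

```python
# Lint p0fo.fp-style entries against the ACK-mode rules from the file header.
# Assumption: field order is window:TTL:DF:size:options:quirks:genre:details.

# Constructed sample: the first two entries are copied from the file above,
# the last three are deliberately invalid.
SAMPLE = """\
# stray ACK signatures (constructed test input)
32767:64:1:*:N,N,T:AT:Linux:2.4.2x (local?)
%12:128:1:*:.:A:Windows:XP
S44:128:1:60:.:A:Windows:XP
*:64:1:*:.:AD:Example:bad-quirk
16384:64:1:*:.:A:Example
"""

FIELDS = ("window", "ttl", "df", "size", "options", "quirks", "genre", "details")

def parse_signature(line):
    """Split one entry into named fields; the details field may contain ':'."""
    parts = line.split(":", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d colon-separated fields, got %d"
                         % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))

def check_ack_rules(sig):
    """Return the header rules that a parsed signature violates."""
    problems = []
    if sig["size"] != "*":
        problems.append("packet size must be wildcarded (*)")
    if "D" in sig["quirks"]:
        problems.append("'D' quirk is not allowed in ACK signatures")
    if "A" not in sig["quirks"]:
        problems.append("'A' quirk missing; all ACK packets should have it set")
    return problems

def lint(text):
    """Return (line number, problem) pairs for every non-comment entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            problems = check_ack_rules(parse_signature(line))
        except ValueError as exc:
            problems = [str(exc)]
        findings.extend((lineno, p) for p in problems)
    return findings

if __name__ == "__main__":
    for lineno, problem in lint(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```

This is a pre-check only; the header's instruction to run `p0f -O -C` after any modification still applies.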