diff -Naur snort-2.3.0RC1/doc/README.fp snort-2.3.0RC1fp/doc/README.fp
--- snort-2.3.0RC1/doc/README.fp Wed Dec 31 17:00:00 1969
+++ snort-2.3.0RC1fp/doc/README.fp Mon Jan 24 13:46:43 2005
@@ -0,0 +1,173 @@ +Snort!(fp): Real-Time Passive Network Fingerprinting with Snort! + +------------ +Introduction +------------ + +Snort!(fp) extends the capability of the Snort! intrusion detection +open-source product to include OS and network daemon fingerprinting. + +Thus, with a properly configure Snort! environment (including the fp +extension), you would be able to determine, given an IDS alert: +(1) What operating system the (alert) source/destination system is running +(2) What network services/daemons the (alert) source/destination +system is running + +Example (1): +An IDS alert indicates a DCOM vulnerability (known to only affect +Windows System). Is the destination system running a Windows operating +system? Snort!(fp) will tell you! + +Example (2): +An IDS alert indicates a MS-SQL worm propogating on your network. Are the destination systems running MS-SQL? Snort!(fp) will tell you! + +Example (3): +What new systems have appeared on my network? What OSes are they +running? What services are they offering? Snort!(fp) will tell you! + +Example (4): +Are any of my old systems offering new network services that they +shouldn't be? Perhaps a backdoor of some kind? Snort!(fp) will tell you! + +------------ +Architecture +------------ + +Snort!(fp) is based on the following tools: + +IDS: Snort! (needs to be patched before building) +DB: MySQL (no modifications except to tables) +HTTPD: Apache (no modifications needed) +Interface: ACID (needs to be patched to support fingerprinting) +OS Fingerprinting: p0f (the 'p2s' utility converts to Snort!syntax) +Service Fingerprinting: native Snort! rules + +Both Snort!and ACID have been extended to support fingerprinting functions. The ACID database schema has also been modified to support fingerprinting. + +Snort! Modifications: + +The following Snort!syntax has been modified/added to support OS fingerprinting. With the addition of this syntax, p0f rules can be identically replicated in Snort! 
+ +window:[%,S,T]value; Added modulus, "S" and "T" p0f window functions. +ttl:[<,>,=,<=,>=]value; Modified TTL to support <= and >= operators. +length:[>,<,=]value; Added tests for actual packet length (as compared to dsize). +tcpopts Added TCP options test. Multiple options separated by comma. +tcpopts:nop; NOP. +tcpopts:eol; EOL. +tcpopts:ws[=,%]value; Window Scale +tcpopts:mss[=,%]value; Maximum Segment Size +tcpopts:sack; Selective ACK +tcpopts:time[!,=]value; Timestamp +tcpopts:number=value; Generic TCP option number equals value. +quirks TCP Quirks checks (from p0f) +quirks:opeol; TCP options past EOL. +quirks:nzup; Non-zero urgent pointer. +quirks:nzuf; Non-zero unused (reserved) TCP flags +quirks:oddflags; Unususal TCP flags set. +quirks:extra; Extra TCP payload data. +quirks:broken; Broken TCP options. +quirks:seqack; Sequence number equals acknowledgement number. +quirks:rsttext; Text (payload data) found in RST packet. + +Additional modifications have been made in Snort! to support fingerprinting, especially within the database logging routines. These modifications had to be made to separate traditional alerts from fingerprint log information. + +Snort.conf and classification.config have also been modified. Most notably, an service-fingerprint and os-fingerprint classification type have been added. To increase efficiency, classification.config is now read earlier in snort.conf such that the database output plugin is aware of the fingerprinting data type. (This prevents a classification lookup for every packet logged.) + +Database Schema: + +The MySQL database schema (other DB's not yet supported) has been modified to support fingerprinting. Most notably, the addition of the "fpevent" table was created to separate standard alert events (originally and still in the "event" table) from fingerprint alerts. 
The fpevent table (and corresponding Snort!database routine functions) have been modified to store only the first and last fingerprint entries for a given IP and port number (OS fingerprints are identified by port 0). It is too impractical to store every fingerprint event. However, given the first and last timestamps, we can answer important questions such as "What new services have appeared on my network in the last 24 hours?" + +Additionally, generic fingerprint events are never replaced by existing specific fingerprint events. The standard Snort! "priority" field is used to identify more specific fingerprint descriptions. For example, a previously identified "specific" Apache Web Server should not be replaced by a "generic" TCP service fingerprint on port 80. Similar to Snort!alert syntax, a lower priority is considered a more specific fingerprint. + +ACID Modifications: + +Two major modifications have been added to ACID. First, the IP query (acid_stat_ipaddr) screen has been modified to include any fingerprints assocatied with the queried address. Second, a "Network Fingerprints" (acid_stat_fingerprints) query has been added to display a list of all fingerprints. Fingerprints can be sorted by address, port, signature, first seen (time), last seen (time), and service description. + +------------ +Installation +------------ + +These are general installation directions. The reader is assumed to +have knowledge of integrating ACID, MYSQL, Apache and Snort! + +1. Download, build and install MYSQL database (www.mysql.com) + +2. Download, build and install Apache httpd (www.apache.org) + +3. Snort! IDS + +3.1 Download the Snort! 2.1.2 source code (www.Snort.org) +3.2 Apply the 2.1.2fp patch + + $ cd snort-2.1.2 + $ patch -Np1 < snort-2.1.2fp.patch + +3.3 Build Snort! 
with MYSQL DB support enabled + + $ configure --with-mysql[=/mysql/directory/path] + $ make + + Warning(s) that can be safely ignored: + + spo_database.c:2417: warning: second parameter of `va_start' + not last named argument + + # make install + +4. Update MYSQL Schema + + Replace (as in destroy all previous data) MySQL database to support + fingerprinting. + YES, THIS WILL DESTROY ANY OLD DATA, so backup appropriately. + + $ mysql -u root -p < ./contrib/create_mysql_fp + +5. ACID + +5.1 Download, build and install ACID (http://www.andrew.cmu.edu/~rdanyliw/Snort/Snortacid.html, also available in ./contrib directory) + +5.2 Apply the acid-0.9.6b23fp.patch directly in your htdocs/acid directory (patch available in ./contrib directory) + + # cd /usr/local/apache2/htdocs/acid + # patch -Np1 < acid-0.9.6b23fp.patch + +6. Configure snort.conf for MYSQL database support -- be sure to use +the patched snort.conf and classification.conf files + +7. Copy osfp-syn.rules and servicefp.rules from the 2.1.2 patched +directory to your Snort! rules directory. + +8. Start your HTTPD, MYSQL, and Snort! daemons + +9. Browse ACID -- See the "Network Fingerprints" links on main page. + +--- +p2s +--- + +p2s is a conversion utility to convert p0f files to Snort! rules. +See ./contrib/p2s-2.1.tar.gz for more info, including source and README.p2s + +-------------- +TODO/NEED HELP +-------------- + +(1) Complete testing of the p0f Snort! signatures. See README.p2s in the +gzipped archive for testing status. +(2) Test on other platforms. Successfully tested on Red Hat Linux 8.0. +(3) Write DB routines in spo_database.c to support other databases. +Presently, only MYSQL supported. +(4) Write more OS and service signatures! + +------------ +Bugs/Support +------------ + +If you'd like to report a bug or contribute in another way to the Snort!(fp) project, +please contact me directly at sdreed@verizon.net. + +On-On! 
+
+
+
+
diff -Naur snort-2.3.0RC1/etc/classification.config snort-2.3.0RC1fp/etc/classification.config
--- snort-2.3.0RC1/etc/classification.config Mon Oct 20 09:03:03 2003
+++ snort-2.3.0RC1fp/etc/classification.config Mon Jan 24 13:46:43 2005
@@ -41,6 +41,10 @@
 config classification: attempted-admin,Attempted Administrator Privilege Gain,1
 config classification: successful-admin,Successful Administrator Privilege Gain,1
+# BEGIN ADD SDR
+config classification: os-fingerprint,OS Fingerprint,3
+config classification: service-fingerprint,Service Fingerprint,3
+# END ADD SDR
 # NEW CLASSIFICATIONS
 config classification: rpc-portmap-decode,Decode of an RPC Query,2
diff -Naur snort-2.3.0RC1/etc/snort.conf snort-2.3.0RC1fp/etc/snort.conf
--- snort-2.3.0RC1/etc/snort.conf Thu Nov 18 10:22:09 2004
+++ snort-2.3.0RC1fp/etc/snort.conf Mon Jan 24 13:46:43 2005
@@ -485,6 +485,20 @@
 #
 # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
+# SDR: We need to move classification.config before the output plugins so that
+# the database plugin can be initialized correctly for fingerprinting
+#
+# Include classification & priority settings
+#
+
+include classification.config
+
+#
+# Include reference systems
+#
+
+include reference.config
+
 ####################################################################
 # Step #3: Configure output plugins
 #
@@ -518,6 +532,8 @@
 # See the README.database file for more information about configuring
 # and using this plugin.
 #
+# SDR: Be sure to enable the mysql output plugin for fingerprinting!
+output database: log, mysql, user=[username] password=[password] dbname=snort host=[hostname]
 # output database: log, mysql, user=root password=test dbname=db host=localhost
 # output database: alert, postgresql, user=snort dbname=snort
 # output database: log, odbc, user=snort dbname=snort
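Review bot: The added `output database: log, mysql, user=[username] password=[password] dbname=snort host=[hostname]` line is active, unlike the three example lines below it that stay commented, so an unedited snort.conf will try to open the database as the literal user `[username]` at startup; it should ship commented out like the others, e.g. `# output database: log, mysql, user=snort password=<secret> dbname=snort host=localhost`. The password sits in cleartext in snort.conf, so the file has to be readable only by the account that runs snort, and the database account should be a dedicated MySQL user limited to the snort schema rather than the root account that README.fp uses to load the schema. I would say so in the comment above the line: `# Use a dedicated, least-privileged MySQL user; the password is stored in cleartext, so restrict read access to this file.`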
@@ -574,16 +590,6 @@
 # such as: c:\snort\etc\classification.config
 #
-include classification.config
-
-#
-# Include reference systems
-# Note for Windows users: You are advised to make this an absolute path,
-# such as: c:\snort\etc\reference.config
-#
-
-include reference.config
-
 ####################################################################
 # Step #4: Customize your rule set
 #
@@ -682,6 +688,12 @@
 # include $RULE_PATH/multimedia.rules
 # include $RULE_PATH/p2p.rules
 include $RULE_PATH/experimental.rules
+
+# SDR: We don't want fingerprinting to interfere with IDS functionality, so
+# we put the fingerprinting rules last. Of course, we could also disable all other rules
+# and configure just a fingerprinting engine...
+include $RULE_PATH/servicefp.rules
+include $RULE_PATH/osfp-syn.rules
 # Include any thresholding or suppression commands. See threshold.conf in the
 # /etc directory for details. Commands don't necessarily need to be
diff -Naur snort-2.3.0RC1/rules/osfp-rst.rules snort-2.3.0RC1fp/rules/osfp-rst.rules
--- snort-2.3.0RC1/rules/osfp-rst.rules Wed Dec 31 17:00:00 1969
+++ snort-2.3.0RC1fp/rules/osfp-rst.rules Mon Jan 24 13:46:43 2005
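Review bot: osfp-rst.rules is created by this patch but never included — only `servicefp.rules` and `osfp-syn.rules` are added here — so the RST-based fingerprints (sid 210001-210044) would never load; either add `include $RULE_PATH/osfp-rst.rules` or say in the comment that they are deliberately left out. The comment's claim that listing the files last keeps fingerprinting from interfering with the IDS rules is, as far as I can tell, not something Snort's detection engine guarantees from include order, so it should be hedged or dropped. Two caveats belong in the comment: the rules match `$HOME_NET any -> any any`, and because the source address of a SYN or RST is unauthenticated, spoofed packets can plant arbitrary OS fingerprints for any $HOME_NET host in the fingerprint table that README.fp treats as an inventory; and the sids (200001+ and 210001+ per the generator headers) are below 1000000, the range Snort reserves for distributed rules, so they can collide with official rule sets. `servicefp.rules` is referenced but not part of this diff, so I could not check it.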
@@ -0,0 +1,55 @@
+# p2s: p0f to Snort rule conversion utility
+# (c) Copyright 2004, Stephen D. Reed
+#
+# Options used to generate this file:
+# Input Type: [RST]
+# Initial Sid: [210000]
+# Revision: [1]
+# Source Net: [$HOME_NET]
+# Dest Net: [any]
+# Generic Rules: [included]
+
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0/2.2 (refused)"; length:40; fragbits:!D; ttl:<=255; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210001; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 (refused)"; length:40; fragbits:D; ttl:<=64; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210002; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-recent 2.4 (refused)"; length:40; id:0; fragbits:D; ttl:<=64; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210003; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (refused)"; length:40; fragbits:!D; ttl:<=128; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210004; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing (refused) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=128; seq:0; ack:!=0; flags:RA+; window:0; quirks:nzup; classtype:os-fingerprint; priority:4; sid:210005; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 (dropped)"; length:40; fragbits:D; ttl:<=64; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210006; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0/2.2 or IOS 12.x (dropped)"; length:40; fragbits:!D; ttl:<=255; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210007; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-recent 2.4 (dropped)"; length:40; id:0; fragbits:D; ttl:<=64; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210008; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-early 2.4 (dropped)"; length:40; id:0; fragbits:D; ttl:<=255;
flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210009; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Xylan-OmniSwitch / Linksys WAP11 AP (dropped)"; length:40; fragbits:!D; ttl:<=32; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210010; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetIron-load balancer (dropped)"; length:40; fragbits:D; ttl:<=64; flags:R; window:0; quirks:nzup; classtype:os-fingerprint; priority:4; sid:210011; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (dropped 2)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; quirks:seqack; classtype:os-fingerprint; priority:4; sid:210012; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing (1) (dropped 2) (User Stack/Scanner)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210013; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing (2) (dropped 2) (User Stack/Scanner)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; quirks:seqack,nzup; classtype:os-fingerprint; priority:4; sid:210014; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing a lot (dropped 2) (User Stack/Scanner)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; quirks:nzup; classtype:os-fingerprint; priority:4; sid:210015; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (?)
(dropped) (Generic)"; length:40; fragbits:D; ttl:<=128; flags:R; window:0; classtype:os-fingerprint; priority:5; sid:210016; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Ascend-TAOS or BayTech (dropped 2)"; length:40; fragbits:!D; ttl:<=64; ack:!=0; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210017; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Cisco-LocalDirector (dropped 2)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:R; quirks:seqack; classtype:os-fingerprint; priority:4; sid:210018; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-9.x 'No TCP/No listener' (seldom SunOS 5.x) (dropped)"; length:58; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210019; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-8.5 'no tcp, reset' (dropped)"; length:53; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210020; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-X 'tcp_close, during connect' (dropped)"; length:65; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210021; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-X 'tcp_disconnect' (dropped)"; length:54; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210022; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"HP/UX-?
'tcp_fin_wait_2_timeout' (dropped)"; length:62; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210023; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-8.5 'tcp_disconnect' (dropped)"; length:54; fragbits:D; ttl:<=255; flags:R; window:32768; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210024; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Unknown- 'Go away' device (dropped) (Generic)"; length:63; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:5; sid:210025; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SunOS-5.x 'new data when detached' (1) (dropped)"; length:62; fragbits:!D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210026; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SunOS-5.x 'new data when detached' (2) (dropped)"; length:62; fragbits:D; ttl:<=255; flags:R; window:32768; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210027; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SunOS-5.x 'tcp_lift_anchor, can't wait' (dropped)"; length:67; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210028; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"HP/UX-11.00 'No TCP' (dropped)"; length:46; fragbits:!D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210029; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-2.x 'tcp_disconnect' (dropped, lame)"; length:58; fragbits:D; ttl:<=255; ack:!=0; flags:RA+; window:S12; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210030; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AOL-proxy (dropped, lame)"; length:40; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; window:S43; classtype:os-fingerprint; priority:4; sid:210031; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 (dropped, lame)"; length:40; fragbits:D; ttl:<=64; ack:!=0;
flags:RA+; classtype:os-fingerprint; priority:4; sid:210032; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (?) (dropped, lame)"; length:52; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; tcpopts:nop,nop,time; classtype:os-fingerprint; priority:4; sid:210033; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"3Com-SuperStack II (dropped, lame)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:RA+; window:0; quirks:oddflags; classtype:os-fingerprint; priority:4; sid:210034; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Intel-Netport print server (dropped, lame)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:RA+; classtype:os-fingerprint; priority:4; sid:210035; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linksys-BEF router (dropped, lame)"; length:40; fragbits:!D; ttl:<=150; ack:!=0; flags:RA+; classtype:os-fingerprint; priority:4; sid:210036; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetWare-??? 'ehnc' (dropped, lame) (Generic)"; length:44; id:0; fragbits:!D; ttl:<=32; flags:RA+; quirks:rsttext; classtype:os-fingerprint; priority:5; sid:210037; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"BayTech-RPC-3 telnet host (dropped, lame)"; length:40; fragbits:!D; ttl:<=64; seq:0; flags:RA+; window:0; quirks:seqack; classtype:os-fingerprint; priority:4; sid:210038; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Cisco-IOS/PIX NAT + data (1) (dropped, lame)"; length:>100; fragbits:!D; ttl:<=255; ack:!=0; flags:RA+; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210039; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a + data (dropped)"; length:>100; fragbits:!D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210040; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Isolation-Infocrypt accelerator + data (dropped, lame)"; length:>100; fragbits:!D; ttl:<=255; seq:0; ack:!=0; flags:RA+; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210041; rev:1;
)
+log tcp $HOME_NET any -> any any ( msg:"Cisco-IOS/PIX NAT + data (2) (dropped)"; length:>100; fragbits:!D; ttl:<=255; ack:!=0; flags:R; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210042; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (?) + data (dropped, lame)"; length:>100; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; tcpopts:nop,nop,time; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210043; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 + data (dropped, lame)"; length:>100; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210044; rev:1; )
diff -Naur snort-2.3.0RC1/rules/osfp-syn.rules snort-2.3.0RC1fp/rules/osfp-syn.rules
--- snort-2.3.0RC1/rules/osfp-syn.rules Wed Dec 31 17:00:00 1969
+++ snort-2.3.0RC1fp/rules/osfp-syn.rules Mon Jan 24 13:46:43 2005
@@ -0,0 +1,206 @@
+# p2s: p0f to Snort rule conversion utility
+# (c) Copyright 2004, Stephen D. Reed
+#
+# Options used to generate this file:
+# Input Type: [SYN]
+# Initial Sid: [200000]
+# Revision: [1]
+# Source Net: [$HOME_NET]
+# Dest Net: [any]
+# Generic Rules: [included]
+
+log tcp $HOME_NET any -> any any ( msg:"AIX-4.3"; length:44; fragbits:!D; ttl:<=64; flags:S; window:45046; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200001; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.2 and earlier"; length:44; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200002; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (1)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200003; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (2)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:32768; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200004; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (3)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200005; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AIX-5.3 ML1"; length:64; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200006; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (1)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:512; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200007; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (2)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200008; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (MkLinux) on Mac (1)"; length:44;
fragbits:!D; ttl:<=64; flags:S; window:2; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200009; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (MkLinux) on Mac (2)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:64; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200010; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (Google crawlbot)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1360,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200011; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (big boy)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S2; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200012; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4.18 and newer"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200013; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4/2.6"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200014; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.5 (sometimes 2.4) (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200015; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.5/2.6 (sometimes 2.4) (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200016; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2.20 and newer"; length:60; fragbits:D; ttl:<=64; flags:S; window:S20; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200017; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200018;
rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S11; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200019; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 in cluster"; length:48; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1460,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200020; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (late, uncommon)"; length:60; fragbits:D; ttl:<=64; flags:S; window:T4; tcpopts:mss=1412,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200021; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (local)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss=16396,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200022; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (local)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S8; tcpopts:mss=3884,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200023; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (Opera?) (User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200024; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (Opera?)
(User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200025; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 w/o timestamps"; length:52; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,nop,nop,sack,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200026; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 w/o timestamps"; length:52; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss,nop,nop,sack,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200027; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-2.0-4.1"; length:44; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200028; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.4 (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200029; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.4 (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:1024; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200030; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.6-4.8 (no RFC1323)"; length:44; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200031; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.6-4.8"; length:60; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200032; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8-5.1 (or MacOS X 10.2-10.3)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200033; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.7-5.1 (or MacOS X 10.2-10.3) (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535;
tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200034; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.7-5.1 (or MacOS X 10.2-10.3) (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200035; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (1)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200036; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (2)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200037; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (3)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200038; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.3"; length:60; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200039; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6 (Opera) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200040; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200041; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6W-current (DF)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200042; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6X (DF)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535;
tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200043; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4"; length:64; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200044; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.3-3.4"; length:64; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200045; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4 (scrub)"; length:64; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200046; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4 (Opera) (User Stack/Scanner)"; length:64; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200047; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (RFC1323 on)"; length:64; fragbits:D; ttl:<=64; flags:S; window:S17; tcpopts:nop,ws=3,nop,nop,time=0,nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200048; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (1)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S17; tcpopts:nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200049; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-2.5 to 7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S17; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200050; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-2.6/7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S6; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200051; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (2)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:nop,nop,sack,mss; classtype:os-fingerprint; priority:4;
sid:200052; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-9"; length:48; fragbits:D; ttl:<=64; flags:S; window:S34; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200053; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S44; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200054; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SunOS-4.1.x"; length:44; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200055; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.4"; length:44; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200056; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.2-6.5"; length:44; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200057; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5 (RFC1323) (1)"; length:52; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,ws=2,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200058; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5 (RFC1323) (2)"; length:52; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,ws=3,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200059; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5.12-6.5.21 (1)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200060; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5.12-6.5.21 (2)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200061; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Tru64-4.0 (or OS/2 Warp 4)"; length:48; fragbits:D; ttl:<=60; flags:S; window:32768; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200062;
rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Tru64-5.0 (or OpenVMS 7.x on Compaq 5.0 stack)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:32768; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200063; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Tru64-5.1 (no RFC1323) (or QNX 6)"; length:44; fragbits:!D; ttl:<=60; flags:S; window:8192; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200064; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Tru64-v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200065; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OpenVMS-7.2 (Multinet 4.3-4.4 stack)"; length:60; fragbits:D; ttl:<=64; flags:S; window:6144; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200066; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-8.6 classic"; length:48; fragbits:D; ttl:<=255; flags:S; window:S2; tcpopts:mss,ws=0,eol; classtype:os-fingerprint; priority:4; sid:200067; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-7.3-8.6 (OTTCP)"; length:48; fragbits:D; ttl:<=255; flags:S; window:16616; tcpopts:mss,ws=0,eol; classtype:os-fingerprint; priority:4; sid:200068; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-8.1-8.6 (OTTCP)"; length:48; fragbits:D; ttl:<=255; flags:S; window:16616; tcpopts:mss,nop,nop,nop,eol; classtype:os-fingerprint; priority:4; sid:200069; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-9.0-9.2"; length:48; fragbits:D; ttl:<=255; flags:S; window:32768; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200070; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-9.1 (1) (OT 2.7.4)"; length:48; fragbits:D; ttl:<=255; flags:S; window:32768; tcpopts:mss=1380,nop,nop,nop,nop; classtype:os-fingerprint; priority:4; sid:200071; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-9.1 (2) (OT 2.7.4)"; 
length:48; fragbits:D; ttl:<=255; flags:S; window:65535; tcpopts:mss,nop,nop,nop,nop; classtype:os-fingerprint; priority:4; sid:200072; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-X"; length:60; fragbits:!D; ttl:<=64; flags:S; window:32768; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200073; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-3.11 (Tucows)"; length:44; fragbits:D; ttl:<=32; flags:S; window:8192; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200074; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-95"; length:64; fragbits:D; ttl:<=64; flags:S; window:S44; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200075; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-95b"; length:64; fragbits:D; ttl:<=128; flags:S; window:8192; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200076; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (low TTL) (1)"; length:48; fragbits:D; ttl:<=32; flags:S; window:S44; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200077; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (low TTL) (2)"; length:48; fragbits:D; ttl:<=32; flags:S; window:8192; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200078; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (13)"; length:48; fragbits:D; ttl:<=64; flags:S; window:%8192; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200079; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (15)"; length:48; fragbits:D; ttl:<=128; flags:S; window:%8192; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200080; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (1)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200081; rev:1; ) 
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (2)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S6; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200082; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (3"; length:48; fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200083; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (16)"; length:64; fragbits:D; ttl:<=64; flags:S; window:T30; tcpopts:mss=1460,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200084; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (4)"; length:48; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200085; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (5)"; length:48; fragbits:D; ttl:<=64; flags:S; window:37300; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200086; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (RFC1323)"; length:52; fragbits:D; ttl:<=64; flags:S; window:46080; tcpopts:mss,nop,ws=3,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200087; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (no sack)"; length:44; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200088; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (6)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S16; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200089; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (7)"; length:64; fragbits:D; ttl:<=128; flags:S; window:S16; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200090; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (8)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S26; tcpopts:mss,nop,nop,sack; 
classtype:os-fingerprint; priority:4; sid:200091; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (9)"; length:48; fragbits:D; ttl:<=128; flags:S; window:T30; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200092; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (10)"; length:52; fragbits:D; ttl:<=128; flags:S; window:32767; tcpopts:mss,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200093; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (11)"; length:48; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200094; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (12)"; length:64; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss,nop,ws=2,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200095; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a (1)"; length:44; fragbits:D; ttl:<=128; flags:S; window:T31; tcpopts:mss=1414; classtype:os-fingerprint; priority:4; sid:200096; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a (2)"; length:44; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss=1414; classtype:os-fingerprint; priority:4; sid:200097; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 (older)"; length:44; fragbits:D; ttl:<=128; flags:S; window:8192; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200098; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4, XP SP1"; length:48; fragbits:D; ttl:<=128; flags:S; window:65535; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200099; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP2+, XP SP1 (seldom 98 4.10.2222)"; length:48; fragbits:D; ttl:<=128; flags:S; window:%8192; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200100; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-SP3"; length:48; 
fragbits:D; ttl:<=128; flags:S; window:S20; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200101; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4, XP SP 1 (2)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S45; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200102; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4"; length:48; fragbits:D; ttl:<=128; flags:S; window:40320; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200103; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP, 2000 SP2+"; length:48; fragbits:D; ttl:<=128; flags:S; window:S6; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200104; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1 (1)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S12; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200105; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP Pro SP1, 2000 SP3"; length:48; fragbits:D; ttl:<=128; flags:S; window:S44; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200106; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1, 2000 SP3 (2)"; length:48; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200107; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1, 2000 SP4 (3)"; length:48; fragbits:D; ttl:<=128; flags:S; window:32767; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200108; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 via Cisco"; length:48; fragbits:D; ttl:<=128; flags:S; window:S52; tcpopts:mss=1260,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200109; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP bare-bone"; length:48; fragbits:D; ttl:<=128; flags:S; window:65520; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; 
sid:200110; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-2000 w/ZoneAlarm?"; length:52; fragbits:D; ttl:<=128; flags:S; window:16384; tcpopts:mss=536,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200111; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-.NET Enterprise Server"; length:40; fragbits:!D; ttl:<=255; flags:S; window:2048; classtype:os-fingerprint; priority:4; sid:200112; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while downloading (leak!) (User Stack/Scanner)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,nop,sack; quirks:nzup; classtype:os-fingerprint; priority:4; sid:200113; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"HP-UX-B.10.20 "; length:44; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200114; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"HP-UX-11.00-11.11"; length:48; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200115; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"HP-UX-B.11.00 A (RFC1323)"; length:48; fragbits:!D; ttl:<=64; flags:S; window:0; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200116; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"RISC OS-3.70-4.36 (inet 5.04)"; length:68; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss=1460,nop,ws=0,nop,nop,time,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200117; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"RISC OS-3.70 inet 4.10"; length:44; fragbits:!D; ttl:<=32; flags:S; window:12288; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200118; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:".-RISC OS"; length:56; fragbits:D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1460,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200119; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"BSD/OS-3.1-4.3 (or MacOS X 10.2)"; length:60; 
fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200120; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NewtonOS-2.1"; length:44; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1420; classtype:os-fingerprint; priority:4; sid:200121; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NeXTSTEP-3.3"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S8; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200122; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"BeOS-5.0-5.1"; length:48; fragbits:!D; ttl:<=255; flags:S; window:1024; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200123; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"BeOS-5.0.x"; length:44; fragbits:!D; ttl:<=255; flags:S; window:12288; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200124; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R4/R5"; length:60; fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1440,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200125; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R3/M0"; length:44; fragbits:!D; ttl:<=64; flags:S; window:8192; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200126; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R5 + CF67032"; length:60; fragbits:D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1440,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200127; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OS/390-?"; length:44; fragbits:!D; ttl:<=64; ack:!=0; flags:S; window:28672; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200128; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"ULTRIX-4.5"; length:40; fragbits:!D; ttl:<=64; flags:S; window:16384; classtype:os-fingerprint; priority:4; sid:200129; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"QNX-demodisk"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S16; 
tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200130; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Novell-NetWare 5.0"; length:44; fragbits:D; ttl:<=128; flags:S; window:16384; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200131; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Novell-IntranetWare 4.11"; length:44; fragbits:D; ttl:<=128; flags:S; window:6144; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200132; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Novell-Netware 6 SP3"; length:52; fragbits:D; ttl:<=128; flags:S; window:6144; tcpopts:mss,ws=0,nop,sack,nop,nop; classtype:os-fingerprint; priority:4; sid:200133; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SCO-UnixWare 7.1"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200134; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SCO-OpenServer 5.0"; length:44; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:mss=1380; classtype:os-fingerprint; priority:4; sid:200135; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"DOS-Arachne via WATTCP/1.05"; length:44; fragbits:!D; ttl:<=255; flags:S; window:2048; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200136; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OS/2-4"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S56; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200137; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"TOPS-20-version 7"; length:44; fragbits:!D; ttl:<=64; ack:!=0; flags:S; window:0; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200138; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"AMIGA-3.9 BB2 with Miami stack"; length:56; fragbits:D; ttl:<=64; flags:S; window:S32; tcpopts:mss,nop,nop,sack,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200139; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Checkpoint-(unknown 1) (Generic)"; length:44; 
fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:mss=1460; classtype:os-fingerprint; priority:5; sid:200140; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Checkpoint-(unknown 2) (Generic)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:nop,nop,sack,mss=1460; classtype:os-fingerprint; priority:5; sid:200141; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"ExtremeWare-4.x"; length:44; fragbits:!D; ttl:<=32; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200142; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Clavister-firewall 7.x"; length:52; fragbits:!D; ttl:<=64; flags:S; window:60352; tcpopts:mss=1460,nop,ws=2,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200143; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Nokia-IPSO w/Checkpoint NG FP3"; length:68; fragbits:!D; ttl:<=64; flags:S; window:S32; tcpopts:mss=512,nop,ws=0,nop,nop,time,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200144; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FortiNet-FortiGate 50"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:ws=0,nop,sack,time,mss=1460; classtype:os-fingerprint; priority:4; sid:200145; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Cisco-7200, Catalyst 3500, et"; length:44; id:0; fragbits:!D; ttl:<=255; flags:S; window:4128; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200146; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Cisco-12008"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S8; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200147; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Alteon-ACEswitch"; length:64; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss=1460,nop,ws=2,nop,nop,time,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200148; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Nortel-Contivity Client"; length:44; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss=1370; classtype:os-fingerprint; 
priority:4; sid:200149; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetCache-5.2"; length:64; fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200150; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetCache-5.3"; length:64; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200151; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetCache-5.3-5.5"; length:64; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss=1460,nop,nop,sack,nop,ws,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200152; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetCache-4.1"; length:64; fragbits:D; ttl:<=64; flags:S; window:20480; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200153; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetCache-Data OnTap 5.x"; length:64; fragbits:D; ttl:<=64; flags:S; window:32850; tcpopts:nop,ws=1,nop,nop,time,nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200154; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"CacheFlow-CacheOS ?"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200155; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"CacheFlow-CacheOS 1.1"; length:60; fragbits:!D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1380,nop,nop,nop,nop,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200156; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Cisco-Content Engine"; length:48; fragbits:!D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1460,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200157; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Dell-PowerApp cache (Linux-based)"; length:40; fragbits:!D; ttl:<=128; flags:S; window:27085; classtype:os-fingerprint; priority:4; sid:200158; rev:1; ) 
+log tcp $HOME_NET any -> any any ( msg:"Inktomi-crawler"; length:48; fragbits:D; ttl:<=255; flags:S; window:65535; tcpopts:nop,ws=1,mss=1460; classtype:os-fingerprint; priority:4; sid:200159; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"LookSmart-ZyBorg"; length:60; fragbits:D; ttl:<=255; flags:S; window:S1; tcpopts:mss=1460,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200160; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Proxyblocker-(what's this?)"; length:40; fragbits:!D; ttl:<=255; flags:S; window:16384; classtype:os-fingerprint; priority:4; sid:200161; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"PalmOS-Tungsten C"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S9; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200162; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"PalmOS-3/4"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S5; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200163; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"PalmOS-3.5"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S4; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200164; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"PalmOS-3.5.3 (Handera)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:2948; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200165; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SymbianOS-7"; length:64; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:nop,ws=1,nop,nop,time,nop,nop,sack,mss=1460; classtype:os-fingerprint; priority:4; sid:200166; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SymbianOS-6048 (on Nokia 7650?)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:8192; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200167; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SymbianOS-(on Nokia 9210?)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:8192; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200168; rev:1; ) +log 
tcp $HOME_NET any -> any any ( msg:"Zaurus-3.10"; length:60; fragbits:D; ttl:<=64; flags:S; window:5840; tcpopts:mss=1452,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200169; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"PocketPC-2002"; length:64; fragbits:D; ttl:<=128; flags:S; window:32768; tcpopts:mss=1460,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200170; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Contiki-1.1-rc0"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S1; tcpopts:mss=346; classtype:os-fingerprint; priority:4; sid:200171; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Sega-Dreamcast Dreamkey 3.0"; length:44; fragbits:!D; ttl:<=128; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200172; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Sega-Dreamcast HKT-3020 (browser disc 51027)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:T5; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200173; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Sony-Playstation 2 (SOCOM?)"; length:44; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200174; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"AXIS-Printer Server 5600 v5.64"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S12; tcpopts:mss=1452; classtype:os-fingerprint; priority:4; sid:200175; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (1) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:1024; classtype:os-fingerprint; priority:4; sid:200176; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (2) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:2048; classtype:os-fingerprint; priority:4; sid:200177; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (3) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:3072; 
classtype:os-fingerprint; priority:4; sid:200178; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (4) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:4096; classtype:os-fingerprint; priority:4; sid:200179; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (1) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:1024; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200180; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (2) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:2048; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200181; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (3) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:3072; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200182; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (4) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200183; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (1) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:1024; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200184; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (2) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:2048; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200185; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (3) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:3072; 
tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200186; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (4) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200187; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"p0f-sendsyn utility (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:S; window:12345; classtype:os-fingerprint; priority:4; sid:200188; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Mysterious-port scanner (?) (Generic) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=128; ack:!=0; flags:S; window:56922; classtype:os-fingerprint; priority:5; sid:200189; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Mysterious-NAT device (2nd tstamp) (Generic) (User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:5792; tcpopts:mss=1460,sack,time,nop,ws=0; classtype:os-fingerprint; priority:5; sid:200190; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (RFC1323 no tstamp) (Generic)"; length:52; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200191; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (RFC1323) (Generic)"; length:64; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200192; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP (RFC1323, w+) (Generic)"; length:64; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200193; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (Generic)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200194; rev:1; ) +log tcp $HOME_NET any -> 
any any ( msg:"Windows-XP/2000 (Generic)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200195; rev:1; ) diff -Naur snort-2.3.0RC1/rules/servicefp.rules snort-2.3.0RC1fp/rules/servicefp.rules --- snort-2.3.0RC1/rules/servicefp.rules Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/rules/servicefp.rules Mon Jan 24 13:46:43 2005 
@@ -0,0 +1,53 @@
+# Sample Service Fingerprint File
+# Stephen D. Reed
+#
+#
+# Generic rules should always have a higher priority (less significant) than
+# specific rules (more significant). For example, we don't want a correctly
+# identified Apache web server to be replaced by a Generic TCP Service on
+# port 80.
+
+#
+# TCP Specific Service Rules
+#
+
+# HTTP Servers
+log tcp any any -> any any (msg:"NetCache Appliance Web Server Version 5.3.1R4"; flags:A+; content:"Server\: NetCache appliance (NetApp/5.3.1R4)"; classtype:service-fingerprint; priority:2; sid:300001;)
+log tcp any any -> any any (msg:"FFE Web Server Version 1.0"; flags:A+; content:"Server\: FFE/1.0"; classtype:service-fingerprint; priority:2; sid:300002;)
+log tcp any any -> any any (msg:"GWS Web Server Version 2.0"; flags:A+; content:"Server\: GWS/2.0"; classtype:service-fingerprint; priority:2; sid:300003;)
+
+log tcp any any -> any any (msg:"Netscape Enterprise Web Server Version 4.1"; flags:A+; content:"Server\: Netscape-Enterprise/4.1"; classtype:service-fingerprint; priority:2; sid:300004;)
+log tcp any any -> any any (msg:"Microsoft IIS Web Server Version 6.0"; flags:A+; content:"Server\: Microsoft-IIS/6.0"; classtype:service-fingerprint; priority:2; sid:300005;)
+log tcp any any -> any any (msg:"Microsoft IIS Web Server Version 5.0"; flags:A+; content:"Server\: Microsoft-IIS/5.0"; classtype:service-fingerprint; priority:2; sid:300006;)
+log tcp any any -> any any (msg:"Microsoft IIS Web Server Version 4.0"; flags:A+; content:"Server\: Microsoft-IIS/4.0"; classtype:service-fingerprint; priority:2; sid:300007;)
+
+log tcp any any -> any any (msg:"Apache Web Server Version 2.0.x"; flags:A+; content:"Server\: Apache/2.0"; classtype:service-fingerprint; priority:2; sid:300008;)
+log tcp any any -> any any (msg:"Apache Web Server Version 1.3.x"; flags:A+; content:"Server\: Apache/1.3"; classtype:service-fingerprint; priority:2; sid:300009;)
+
+# FTP Servers
+log tcp any any -> any any (msg:"WU-FTP Server Version 2.6.x"; flags:A+; content:"Version wu-2.6"; classtype:service-fingerprint; priority:2; sid:300010;)
+
+
+#
+# TCP Service Rules
+#
+
+# HTTP Servers
+log tcp any any -> any any (msg:"NetCache Appliance Web Server"; flags:A+; content:"Server\: NetCache appliance"; classtype:service-fingerprint; priority:3; sid:300011;)
+log tcp any any -> any any (msg:"Netscape Enterprise Web Server"; flags:A+; content:"Server\: Netscape-Enterprise"; classtype:service-fingerprint; priority:3; sid:300012;)
+log tcp any any -> any any (msg:"Microsoft IIS Web Server"; flags:A+; content:"Server\: Microsoft-IIS"; classtype:service-fingerprint; priority:3; sid:300013;)
+log tcp any any -> any any (msg:"MDN Web Server"; flags:A+; content:"Server\: MDNServer"; classtype:service-fingerprint; priority:3; sid:300014;)
+log tcp any any -> any any (msg:"Apache Web Server"; flags:A+; content:"Server\: Apache"; classtype:service-fingerprint; priority:3; sid:300015;)
+
+# FTP Servers
+log tcp any any -> any any (msg:"WU-FTP Server"; flags:A+; content:"Version wu-"; classtype:service-fingerprint; priority:3; sid:300016;)
+log tcp any any -> any any (msg:"Web Server"; flags:A+; content:"Server\:"; classtype:service-fingerprint; priority:4; sid:300017;)
+
+#
+# Generic Rules
+#
+
+log udp any any -> any 1:1024 (msg:"UDP Service (Generic)"; classtype:service-fingerprint; priority:6; sid:300018;)
+log tcp any any -> any any (msg:"TCP Service (Generic)"; flags:SA+; classtype:service-fingerprint; priority:5; sid:300019;)
+
+
diff -Naur snort-2.3.0RC1/schemas/create_mysql_fp snort-2.3.0RC1fp/schemas/create_mysql_fp
--- snort-2.3.0RC1/schemas/create_mysql_fp Wed Dec 31 17:00:00 1969
+++ snort-2.3.0RC1fp/schemas/create_mysql_fp Mon Jan 24 13:46:43 2005
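Review bot: Every HTTP fingerprint in this hunk matches `content:"Server\: ..."` case-sensitively with no `nocase`, so a server that emits the header as `server:` (HTTP header names are case-insensitive) is never fingerprinted, and the `Server\:` fallback at sid 300017 has the same gap; adding `nocase;` after each of those content matches, e.g. `content:"Server\: Apache"; nocase;`, closes it. Because the rules are `any any -> any any` with only `flags:A+`, they also fire on client-originated payload that happens to carry the same string, so which endpoint gets the service record presumably depends on the fp handler in the Snort-side change, which is outside this hunk and worth confirming. The `Server\:` rule at sid 300017 sits under the `# FTP Servers` heading; it belongs under `# HTTP Servers` or its own `# Generic HTTP` heading. None of the service rules carry a `rev:` field, unlike the OS fingerprint rules above, which all end with `rev:1;`.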
@@ -0,0 +1,716 @@
+# Copyright (C) 2000-2002 Carnegie Mellon University
+#
+# Maintainer: Roman Danyliw ,
+#
+# Original Author(s): Jed Pickel (2000-2001)
+# Roman Danyliw
+# Todd Schrubb
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+use snort;
+
+# Drop old tables if they exist
+
+DROP TABLE IF EXISTS schema;
+DROP TABLE IF EXISTS event;
+DROP TABLE IF EXISTS fpevent;
+DROP TABLE IF EXISTS services;
+DROP TABLE IF EXISTS signature;
+DROP TABLE IF EXISTS sig_reference;
+DROP TABLE IF EXISTS reference;
+DROP TABLE IF EXISTS reference_system;
+DROP TABLE IF EXISTS sig_class;
+DROP TABLE IF EXISTS sensor;
+DROP TABLE IF EXISTS iphdr;
+DROP TABLE IF EXISTS tcphdr;
+DROP TABLE IF EXISTS udphdr;
+DROP TABLE IF EXISTS icmphdr;
+DROP TABLE IF EXISTS opt;
+DROP TABLE IF EXISTS data;
+DROP TABLE IF EXISTS encoding;
+DROP TABLE IF EXISTS detail;
+
+# Create new tables;
+
+CREATE TABLE schema ( vseq INT UNSIGNED NOT NULL,
+ ctime DATETIME NOT NULL,
+ PRIMARY KEY (vseq));
+INSERT INTO schema (vseq, ctime) VALUES ('106', now());
+
+CREATE TABLE event ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ signature INT UNSIGNED NOT NULL,
+ timestamp DATETIME NOT NULL,
+ PRIMARY KEY (sid,cid),
+ INDEX sig (signature),
+ INDEX time (timestamp));
+
+# Here's the new fingerprint event table we need to add
+
+
+CREATE TABLE fpevent (ip_src INT UNSIGNED NOT NULL,
+ port_src SMALLINT UNSIGNED NOT NULL,
+ protocol VARCHAR(10) NOT NULL,
+ signature INT UNSIGNED NOT NULL,
+ osfp_flag TINYINT UNSIGNED NOT NULL,
+ sig_priority INT UNSIGNED NOT NULL,
+ sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ firstseen DATETIME NOT NULL,
+ lastseen DATETIME NOT NULL,
+ hopcount INT NOT NULL,
+ PRIMARY KEY (sid,cid),
+ INDEX ip (ip_src, osfp_flag, port_src),
+ INDEX time (lastseen,firstseen));
+
+
+CREATE TABLE services (name VARCHAR(128) NOT NULL,
+ port INT NOT NULL,
+ protocol VARCHAR(10) NOT NULL,
+ PRIMARY KEY (port,protocol),
+ INDEX port (port,protocol));
+
+CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ sig_name VARCHAR(255) NOT NULL,
+ sig_class_id INT UNSIGNED NOT NULL,
+ sig_priority INT UNSIGNED,
+ sig_rev INT UNSIGNED,
+ sig_sid INT UNSIGNED,
+ PRIMARY KEY (sig_id),
+ INDEX sign_idx (sig_name(20)),
+ INDEX sig_class_id_idx (sig_class_id));
+
+CREATE TABLE sig_reference (sig_id INT UNSIGNED NOT NULL,
+ ref_seq INT UNSIGNED NOT NULL,
+ ref_id INT UNSIGNED NOT NULL,
+ PRIMARY KEY(sig_id, ref_seq));
+
+CREATE TABLE reference ( ref_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ ref_system_id INT UNSIGNED NOT NULL,
+ ref_tag TEXT NOT NULL,
+ PRIMARY KEY (ref_id));
+
+CREATE TABLE reference_system ( ref_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ ref_system_name VARCHAR(20),
+ PRIMARY KEY (ref_system_id));
+
+CREATE TABLE sig_class ( sig_class_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ sig_class_name VARCHAR(60) NOT NULL,
+ PRIMARY KEY (sig_class_id),
+ INDEX (sig_class_id),
+ INDEX (sig_class_name));
+
+# store info about the sensor supplying data
+CREATE TABLE sensor ( sid INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ hostname TEXT,
+ interface TEXT,
+ filter TEXT,
+ detail TINYINT,
+ encoding TINYINT,
+ last_cid INT UNSIGNED NOT NULL,
+ PRIMARY KEY (sid));
+
+# All of the fields of an ip header
+CREATE TABLE iphdr ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ ip_src INT UNSIGNED NOT NULL,
+ ip_dst INT UNSIGNED NOT NULL,
+ ip_ver TINYINT UNSIGNED,
+ ip_hlen TINYINT UNSIGNED,
+ ip_tos TINYINT UNSIGNED,
+ ip_len SMALLINT UNSIGNED,
+ ip_id SMALLINT UNSIGNED,
+ ip_flags TINYINT UNSIGNED,
+ ip_off SMALLINT UNSIGNED,
+ ip_ttl TINYINT UNSIGNED,
+ ip_proto TINYINT UNSIGNED NOT NULL,
+ ip_csum SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX ip_src (ip_src),
+ INDEX ip_dst (ip_dst));
+
+# All of the fields of a tcp header
+CREATE TABLE tcphdr( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ tcp_sport SMALLINT UNSIGNED NOT NULL,
+ tcp_dport SMALLINT UNSIGNED NOT NULL,
+ tcp_seq INT UNSIGNED,
+ tcp_ack INT UNSIGNED,
+ tcp_off TINYINT UNSIGNED,
+ tcp_res TINYINT UNSIGNED,
+ tcp_flags TINYINT UNSIGNED NOT NULL,
+ tcp_win SMALLINT UNSIGNED,
+ tcp_csum SMALLINT UNSIGNED,
+ tcp_urp SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX tcp_sport (tcp_sport),
+ INDEX tcp_dport (tcp_dport),
+ INDEX tcp_flags (tcp_flags));
+
+# All of the fields of a udp header
+CREATE TABLE udphdr( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ udp_sport SMALLINT UNSIGNED NOT NULL,
+ udp_dport SMALLINT UNSIGNED NOT NULL,
+ udp_len SMALLINT UNSIGNED,
+ udp_csum SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX udp_sport (udp_sport),
+ INDEX udp_dport (udp_dport));
+
+
+# All of the fields of an icmp header
+CREATE TABLE icmphdr( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ icmp_type TINYINT UNSIGNED NOT NULL,
+ icmp_code TINYINT UNSIGNED NOT NULL,
+ icmp_csum SMALLINT UNSIGNED,
+ icmp_id SMALLINT UNSIGNED,
+ icmp_seq SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX icmp_type (icmp_type));
+
+# Protocol options
+CREATE TABLE opt ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ optid INT UNSIGNED NOT NULL,
+ opt_proto TINYINT UNSIGNED NOT NULL,
+ opt_code TINYINT UNSIGNED NOT NULL,
+ opt_len SMALLINT,
+ opt_data TEXT,
+ PRIMARY KEY (sid,cid,optid));
+
+# Packet payload
+CREATE TABLE data ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ data_payload TEXT,
+ PRIMARY KEY (sid,cid));
+
+# encoding is a lookup table for storing encoding types
+CREATE TABLE encoding(encoding_type TINYINT UNSIGNED NOT NULL,
+ encoding_text TEXT NOT NULL,
+ PRIMARY KEY (encoding_type));
+INSERT INTO encoding (encoding_type, encoding_text) VALUES (0, 'hex');
+INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64');
+INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii');
+
+# detail is a lookup table for storing different detail levels
+CREATE TABLE detail (detail_type TINYINT UNSIGNED NOT NULL,
+ detail_text TEXT NOT NULL,
+ PRIMARY KEY (detail_type));
+INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast');
+INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full');
+
+# Set permissions
+
+grant update,insert,delete on fpevent to snort;
+grant update,insert,delete on iphdr to snort;
+grant update,insert,delete on tcphdr to snort;
+grant update,insert,delete on udphdr to snort;
+grant update,insert,delete on icmphdr to snort;
+grant update,insert,delete on opt to snort;
+grant update,insert,delete on data to snort;
+
+grant update,insert on signature to snort;
+grant update,insert on sig_reference to snort;
+grant update,insert on reference to snort;
+grant update,insert on reference_system to snort;
+grant update,insert on sig_class to snort;
+grant update,insert on sensor to snort;
+grant update,insert on encoding to snort;
+grant update,insert on detail to snort;
+grant update,insert on services to snort;
+
+# be sure to also use the snortdb-extra tables if you want
+# mappings for tcp flags, protocols, and ports
+replace services ( name, port, protocol ) values ( 'osfp', 0, 'tcp' );
+replace services ( name, port, protocol ) values ( 'osfp', 0, 'udp' );
+replace services ( name, port, protocol ) values ( 'tcpmux', 1, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tcpmux', 1, 'udp' );
+replace 
services ( name, port, protocol ) values ( 'rje', 5, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rje', 5, 'udp' ); +replace services ( name, port, protocol ) values ( 'echo', 7, 'tcp' ); +replace services ( name, port, protocol ) values ( 'echo', 7, 'udp' ); +replace services ( name, port, protocol ) values ( 'discard', 9, 'tcp' ); +replace services ( name, port, protocol ) values ( 'discard', 9, 'udp' ); +replace services ( name, port, protocol ) values ( 'systat', 11, 'tcp' ); +replace services ( name, port, protocol ) values ( 'systat', 11, 'udp' ); +replace services ( name, port, protocol ) values ( 'daytime', 13, 'tcp' ); +replace services ( name, port, protocol ) values ( 'daytime', 13, 'udp' ); +replace services ( name, port, protocol ) values ( 'qotd', 17, 'tcp' ); +replace services ( name, port, protocol ) values ( 'qotd', 17, 'udp' ); +replace services ( name, port, protocol ) values ( 'msp', 18, 'tcp' ); +replace services ( name, port, protocol ) values ( 'msp', 18, 'udp' ); +replace services ( name, port, protocol ) values ( 'chargen', 19, 'tcp' ); +replace services ( name, port, protocol ) values ( 'chargen', 19, 'udp' ); +replace services ( name, port, protocol ) values ( 'ftp-data', 20, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ftp-data', 20, 'udp' ); +replace services ( name, port, protocol ) values ( 'ftp', 21, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ftp', 21, 'udp' ); +replace services ( name, port, protocol ) values ( 'ssh', 22, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ssh', 22, 'udp' ); +replace services ( name, port, protocol ) values ( 'telnet', 23, 'tcp' ); +replace services ( name, port, protocol ) values ( 'telnet', 23, 'udp' ); +replace services ( name, port, protocol ) values ( 'smtp', 25, 'tcp' ); +replace services ( name, port, protocol ) values ( 'smtp', 25, 'udp' ); +replace services ( name, port, protocol ) values ( 'time', 37, 'tcp' ); +replace services 
( name, port, protocol ) values ( 'time', 37, 'udp' ); +replace services ( name, port, protocol ) values ( 'rlp', 39, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rlp', 39, 'udp' ); +replace services ( name, port, protocol ) values ( 'nameserver', 42, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nameserver', 42, 'udp' ); +replace services ( name, port, protocol ) values ( 'nicname', 43, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nicname', 43, 'udp' ); +replace services ( name, port, protocol ) values ( 'tacacs', 49, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tacacs', 49, 'udp' ); +replace services ( name, port, protocol ) values ( 're-mail-ck', 50, 'tcp' ); +replace services ( name, port, protocol ) values ( 're-mail-ck', 50, 'udp' ); +replace services ( name, port, protocol ) values ( 'domain', 53, 'tcp' ); +replace services ( name, port, protocol ) values ( 'domain', 53, 'udp' ); +replace services ( name, port, protocol ) values ( 'whois++', 63, 'tcp' ); +replace services ( name, port, protocol ) values ( 'whois++', 63, 'udp' ); +replace services ( name, port, protocol ) values ( 'bootps', 67, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bootps', 67, 'udp' ); +replace services ( name, port, protocol ) values ( 'bootpc', 68, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bootpc', 68, 'udp' ); +replace services ( name, port, protocol ) values ( 'tftp', 69, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tftp', 69, 'udp' ); +replace services ( name, port, protocol ) values ( 'gopher', 70, 'tcp' ); +replace services ( name, port, protocol ) values ( 'gopher', 70, 'udp' ); +replace services ( name, port, protocol ) values ( 'netrjs-1', 71, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netrjs-1', 71, 'udp' ); +replace services ( name, port, protocol ) values ( 'netrjs-2', 72, 'tcp' ); +replace services ( name, port, protocol ) values ( 
'netrjs-2', 72, 'udp' ); +replace services ( name, port, protocol ) values ( 'netrjs-3', 73, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netrjs-3', 73, 'udp' ); +replace services ( name, port, protocol ) values ( 'netrjs-4', 74, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netrjs-4', 74, 'udp' ); +replace services ( name, port, protocol ) values ( 'finger', 79, 'tcp' ); +replace services ( name, port, protocol ) values ( 'finger', 79, 'udp' ); +replace services ( name, port, protocol ) values ( 'http', 80, 'tcp' ); +replace services ( name, port, protocol ) values ( 'http', 80, 'udp' ); +replace services ( name, port, protocol ) values ( 'kerberos', 88, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kerberos', 88, 'udp' ); +replace services ( name, port, protocol ) values ( 'supdup', 95, 'tcp' ); +replace services ( name, port, protocol ) values ( 'supdup', 95, 'udp' ); +replace services ( name, port, protocol ) values ( 'hostname', 101, 'tcp' ); +replace services ( name, port, protocol ) values ( 'hostname', 101, 'udp' ); +replace services ( name, port, protocol ) values ( 'iso-tsap', 102, 'tcp' ); +replace services ( name, port, protocol ) values ( 'csnet-ns', 105, 'tcp' ); +replace services ( name, port, protocol ) values ( 'csnet-ns', 105, 'udp' ); +replace services ( name, port, protocol ) values ( 'rtelnet', 107, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rtelnet', 107, 'udp' ); +replace services ( name, port, protocol ) values ( 'pop2', 109, 'tcp' ); +replace services ( name, port, protocol ) values ( 'pop2', 109, 'udp' ); +replace services ( name, port, protocol ) values ( 'pop3', 110, 'tcp' ); +replace services ( name, port, protocol ) values ( 'pop3', 110, 'udp' ); +replace services ( name, port, protocol ) values ( 'sunrpc', 111, 'tcp' ); +replace services ( name, port, protocol ) values ( 'sunrpc', 111, 'udp' ); +replace services ( name, port, protocol ) values ( 'auth', 113, 'tcp' ); 
+replace services ( name, port, protocol ) values ( 'auth', 113, 'udp' ); +replace services ( name, port, protocol ) values ( 'sftp', 115, 'tcp' ); +replace services ( name, port, protocol ) values ( 'sftp', 115, 'udp' ); +replace services ( name, port, protocol ) values ( 'uucp-path', 117, 'tcp' ); +replace services ( name, port, protocol ) values ( 'uucp-path', 117, 'udp' ); +replace services ( name, port, protocol ) values ( 'nntp', 119, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nntp', 119, 'udp' ); +replace services ( name, port, protocol ) values ( 'ntp', 123, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ntp', 123, 'udp' ); +replace services ( name, port, protocol ) values ( 'netbios-ns', 137, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netbios-ns', 137, 'udp' ); +replace services ( name, port, protocol ) values ( 'netbios-dgm', 138, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netbios-dgm', 138, 'udp' ); +replace services ( name, port, protocol ) values ( 'netbios-ssn', 139, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netbios-ssn', 139, 'udp' ); +replace services ( name, port, protocol ) values ( 'imap', 143, 'tcp' ); +replace services ( name, port, protocol ) values ( 'imap', 143, 'udp' ); +replace services ( name, port, protocol ) values ( 'snmp', 161, 'tcp' ); +replace services ( name, port, protocol ) values ( 'snmp', 161, 'udp' ); +replace services ( name, port, protocol ) values ( 'snmptrap', 162, 'udp' ); +replace services ( name, port, protocol ) values ( 'cmip-man', 163, 'tcp' ); +replace services ( name, port, protocol ) values ( 'cmip-man', 163, 'udp' ); +replace services ( name, port, protocol ) values ( 'cmip-agent', 164, 'tcp' ); +replace services ( name, port, protocol ) values ( 'cmip-agent', 164, 'udp' ); +replace services ( name, port, protocol ) values ( 'mailq', 174, 'tcp' ); +replace services ( name, port, protocol ) values ( 'mailq', 174, 'udp' ); 
+replace services ( name, port, protocol ) values ( 'xdmcp', 177, 'tcp' ); +replace services ( name, port, protocol ) values ( 'xdmcp', 177, 'udp' ); +replace services ( name, port, protocol ) values ( 'nextstep', 178, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nextstep', 178, 'udp' ); +replace services ( name, port, protocol ) values ( 'bgp', 179, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bgp', 179, 'udp' ); +replace services ( name, port, protocol ) values ( 'prospero', 191, 'tcp' ); +replace services ( name, port, protocol ) values ( 'prospero', 191, 'udp' ); +replace services ( name, port, protocol ) values ( 'irc', 194, 'tcp' ); +replace services ( name, port, protocol ) values ( 'irc', 194, 'udp' ); +replace services ( name, port, protocol ) values ( 'smux', 199, 'tcp' ); +replace services ( name, port, protocol ) values ( 'smux', 199, 'udp' ); +replace services ( name, port, protocol ) values ( 'at-rtmp', 201, 'tcp' ); +replace services ( name, port, protocol ) values ( 'at-rtmp', 201, 'udp' ); +replace services ( name, port, protocol ) values ( 'at-nbp', 202, 'tcp' ); +replace services ( name, port, protocol ) values ( 'at-nbp', 202, 'udp' ); +replace services ( name, port, protocol ) values ( 'at-echo', 204, 'tcp' ); +replace services ( name, port, protocol ) values ( 'at-echo', 204, 'udp' ); +replace services ( name, port, protocol ) values ( 'at-zis', 206, 'tcp' ); +replace services ( name, port, protocol ) values ( 'at-zis', 206, 'udp' ); +replace services ( name, port, protocol ) values ( 'qmtp', 209, 'tcp' ); +replace services ( name, port, protocol ) values ( 'qmtp', 209, 'udp' ); +replace services ( name, port, protocol ) values ( 'z39.50', 210, 'tcp' ); +replace services ( name, port, protocol ) values ( 'z39.50', 210, 'udp' ); +replace services ( name, port, protocol ) values ( 'ipx', 213, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ipx', 213, 'udp' ); +replace services ( name, port, 
protocol ) values ( 'imap3', 220, 'tcp' ); +replace services ( name, port, protocol ) values ( 'imap3', 220, 'udp' ); +replace services ( name, port, protocol ) values ( 'link', 245, 'tcp' ); +replace services ( name, port, protocol ) values ( 'link', 245, 'ucp' ); +replace services ( name, port, protocol ) values ( 'fatserv', 347, 'tcp' ); +replace services ( name, port, protocol ) values ( 'fatserv', 347, 'udp' ); +replace services ( name, port, protocol ) values ( 'rsvp_tunnel', 363, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rsvp_tunnel', 363, 'udp' ); +replace services ( name, port, protocol ) values ( 'rpc2portmap', 369, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rpc2portmap', 369, 'udp' ); +replace services ( name, port, protocol ) values ( 'codaauth2', 370, 'tcp' ); +replace services ( name, port, protocol ) values ( 'codaauth2', 370, 'udp' ); +replace services ( name, port, protocol ) values ( 'ulistproc', 372, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ulistproc', 372, 'udp' ); +replace services ( name, port, protocol ) values ( 'ldap', 389, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ldap', 389, 'udp' ); +replace services ( name, port, protocol ) values ( 'svrloc', 427, 'tcp' ); +replace services ( name, port, protocol ) values ( 'svrloc', 427, 'udp' ); +replace services ( name, port, protocol ) values ( 'mobileip-agent', 434, 'tcp' ); +replace services ( name, port, protocol ) values ( 'mobileip-agent', 434, 'udp' ); +replace services ( name, port, protocol ) values ( 'mobilip-mn', 435, 'tcp' ); +replace services ( name, port, protocol ) values ( 'mobilip-mn', 435, 'udp' ); +replace services ( name, port, protocol ) values ( 'https', 443, 'tcp' ); +replace services ( name, port, protocol ) values ( 'https', 443, 'udp' ); +replace services ( name, port, protocol ) values ( 'snpp', 444, 'tcp' ); +replace services ( name, port, protocol ) values ( 'snpp', 444, 'udp' ); +replace 
services ( name, port, protocol ) values ( 'microsoft-ds', 445, 'tcp' ); +replace services ( name, port, protocol ) values ( 'microsoft-ds', 445, 'udp' ); +replace services ( name, port, protocol ) values ( 'kpasswd', 464, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kpasswd', 464, 'udp' ); +replace services ( name, port, protocol ) values ( 'photuris', 468, 'tcp' ); +replace services ( name, port, protocol ) values ( 'photuris', 468, 'udp' ); +replace services ( name, port, protocol ) values ( 'saft', 487, 'tcp' ); +replace services ( name, port, protocol ) values ( 'saft', 487, 'udp' ); +replace services ( name, port, protocol ) values ( 'gss-http', 488, 'tcp' ); +replace services ( name, port, protocol ) values ( 'gss-http', 488, 'udp' ); +replace services ( name, port, protocol ) values ( 'pim-rp-disc', 496, 'tcp' ); +replace services ( name, port, protocol ) values ( 'pim-rp-disc', 496, 'udp' ); +replace services ( name, port, protocol ) values ( 'isakmp', 500, 'tcp' ); +replace services ( name, port, protocol ) values ( 'isakmp', 500, 'udp' ); +replace services ( name, port, protocol ) values ( 'gdomap', 538, 'tcp' ); +replace services ( name, port, protocol ) values ( 'gdomap', 538, 'udp' ); +replace services ( name, port, protocol ) values ( 'iiop', 535, 'tcp' ); +replace services ( name, port, protocol ) values ( 'iiop', 535, 'udp' ); +replace services ( name, port, protocol ) values ( 'dhcpv6-client', 546, 'tcp' ); +replace services ( name, port, protocol ) values ( 'dhcpv6-client', 546, 'udp' ); +replace services ( name, port, protocol ) values ( 'dhcpv6-server', 547, 'tcp' ); +replace services ( name, port, protocol ) values ( 'dhcpv6-server', 547, 'udp' ); +replace services ( name, port, protocol ) values ( 'rtsp', 554, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rtsp', 554, 'udp' ); +replace services ( name, port, protocol ) values ( 'nntps', 563, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nntps', 
563, 'udp' ); +replace services ( name, port, protocol ) values ( 'whoami', 565, 'tcp' ); +replace services ( name, port, protocol ) values ( 'whoami', 565, 'udp' ); +replace services ( name, port, protocol ) values ( 'submission', 587, 'tcp' ); +replace services ( name, port, protocol ) values ( 'submission', 587, 'udp' ); +replace services ( name, port, protocol ) values ( 'npmp-local', 610, 'tcp' ); +replace services ( name, port, protocol ) values ( 'npmp-local', 610, 'udp' ); +replace services ( name, port, protocol ) values ( 'npmp-gui', 611, 'tcp' ); +replace services ( name, port, protocol ) values ( 'npmp-gui', 611, 'udp' ); +replace services ( name, port, protocol ) values ( 'hmmp-ind', 612, 'tcp' ); +replace services ( name, port, protocol ) values ( 'hmmp-ind', 612, 'udp' ); +replace services ( name, port, protocol ) values ( 'ipp', 631, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ipp', 631, 'ucp' ); +replace services ( name, port, protocol ) values ( 'ldaps', 636, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ldaps', 636, 'udp' ); +replace services ( name, port, protocol ) values ( 'acap', 674, 'tcp' ); +replace services ( name, port, protocol ) values ( 'acap', 674, 'udp' ); +replace services ( name, port, protocol ) values ( 'ha-cluster', 694, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ha-cluster', 694, 'udp' ); +replace services ( name, port, protocol ) values ( 'kerberos-adm', 749, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kerberos-iv', 750, 'udp' ); +replace services ( name, port, protocol ) values ( 'kerberos-iv', 750, 'tcp' ); +replace services ( name, port, protocol ) values ( 'webster', 765, 'tcp' ); +replace services ( name, port, protocol ) values ( 'webster', 765, 'udp' ); +replace services ( name, port, protocol ) values ( 'phonebook', 767, 'tcp' ); +replace services ( name, port, protocol ) values ( 'phonebook', 767, 'udp' ); +replace services ( name, port, protocol 
) values ( 'rsync', 873, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rsync', 873, 'udp' ); +replace services ( name, port, protocol ) values ( 'telnets', 992, 'tcp' ); +replace services ( name, port, protocol ) values ( 'telnets', 992, 'udp' ); +replace services ( name, port, protocol ) values ( 'imaps', 993, 'tcp' ); +replace services ( name, port, protocol ) values ( 'imaps', 993, 'udp' ); +replace services ( name, port, protocol ) values ( 'ircs', 994, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ircs', 994, 'udp' ); +replace services ( name, port, protocol ) values ( 'pop3s', 995, 'tcp' ); +replace services ( name, port, protocol ) values ( 'pop3s', 995, 'udp' ); +replace services ( name, port, protocol ) values ( 'exec', 512, 'tcp' ); +replace services ( name, port, protocol ) values ( 'biff', 512, 'udp' ); +replace services ( name, port, protocol ) values ( 'login', 513, 'tcp' ); +replace services ( name, port, protocol ) values ( 'who', 513, 'udp' ); +replace services ( name, port, protocol ) values ( 'shell', 514, 'tcp' ); +replace services ( name, port, protocol ) values ( 'syslog', 514, 'udp' ); +replace services ( name, port, protocol ) values ( 'printer', 515, 'tcp' ); +replace services ( name, port, protocol ) values ( 'printer', 515, 'udp' ); +replace services ( name, port, protocol ) values ( 'talk', 517, 'udp' ); +replace services ( name, port, protocol ) values ( 'ntalk', 518, 'udp' ); +replace services ( name, port, protocol ) values ( 'utime', 519, 'tcp' ); +replace services ( name, port, protocol ) values ( 'utime', 519, 'udp' ); +replace services ( name, port, protocol ) values ( 'efs', 520, 'tcp' ); +replace services ( name, port, protocol ) values ( 'router', 520, 'udp' ); +replace services ( name, port, protocol ) values ( 'ripng', 521, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ripng', 521, 'udp' ); +replace services ( name, port, protocol ) values ( 'timed', 525, 'tcp' ); +replace 
services ( name, port, protocol ) values ( 'timed', 525, 'udp' ); +replace services ( name, port, protocol ) values ( 'tempo', 526, 'tcp' ); +replace services ( name, port, protocol ) values ( 'courier', 530, 'tcp' ); +replace services ( name, port, protocol ) values ( 'conference', 531, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netnews', 532, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netwall', 533, 'udp' ); +replace services ( name, port, protocol ) values ( 'uucp', 540, 'tcp' ); +replace services ( name, port, protocol ) values ( 'klogin', 543, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kshell', 544, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afpovertcp', 548, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afpovertcp', 548, 'udp' ); +replace services ( name, port, protocol ) values ( 'remotefs', 556, 'tcp' ); +replace services ( name, port, protocol ) values ( 'socks', 1080, 'tcp' ); +replace services ( name, port, protocol ) values ( 'socks', 1080, 'udp' ); +replace services ( name, port, protocol ) values ( 'bvcontrol', 1236, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bvcontrol', 1236, 'udp' ); +replace services ( name, port, protocol ) values ( 'h323hostcallsc', 1300, 'tcp' ); +replace services ( name, port, protocol ) values ( 'h323hostcallsc', 1300, 'udp' ); +replace services ( name, port, protocol ) values ( 'lotus-notes', 1352, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ms-sql-s', 1433, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ms-sql-s', 1433, 'udp' ); +replace services ( name, port, protocol ) values ( 'ms-sql-m', 1434, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ms-sql-m', 1434, 'udp' ); +replace services ( name, port, protocol ) values ( 'ica', 1494, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ica', 1494, 'udp' ); +replace services ( name, port, protocol ) values ( 
'wins', 1512, 'tcp' ); +replace services ( name, port, protocol ) values ( 'wins', 1512, 'udp' ); +replace services ( name, port, protocol ) values ( 'ingreslock', 1524, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ingreslock', 1524, 'udp' ); +replace services ( name, port, protocol ) values ( 'prospero-np', 1525, 'tcp' ); +replace services ( name, port, protocol ) values ( 'prospero-np', 1525, 'udp' ); +replace services ( name, port, protocol ) values ( 'datametrics', 1645, 'tcp' ); +replace services ( name, port, protocol ) values ( 'datametrics', 1645, 'udp' ); +replace services ( name, port, protocol ) values ( 'sa-msg-port', 1646, 'tcp' ); +replace services ( name, port, protocol ) values ( 'sa-msg-port', 1646, 'udp' ); +replace services ( name, port, protocol ) values ( 'kermit', 1649, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kermit', 1649, 'udp' ); +replace services ( name, port, protocol ) values ( 'l2tp', 1701, 'tcp' ); +replace services ( name, port, protocol ) values ( 'l2tp', 1701, 'udp' ); +replace services ( name, port, protocol ) values ( 'h323gatedisc', 1718, 'tcp' ); +replace services ( name, port, protocol ) values ( 'h323gatedisc', 1718, 'udp' ); +replace services ( name, port, protocol ) values ( 'h323gatestat', 1719, 'tcp' ); +replace services ( name, port, protocol ) values ( 'h323gatestat', 1719, 'udp' ); +replace services ( name, port, protocol ) values ( 'h323hostcall', 1720, 'tcp' ); +replace services ( name, port, protocol ) values ( 'h323hostcall', 1720, 'udp' ); +replace services ( name, port, protocol ) values ( 'tftp-mcast', 1758, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tftp-mcast', 1758, 'udp' ); +replace services ( name, port, protocol ) values ( 'hello', 1789, 'tcp' ); +replace services ( name, port, protocol ) values ( 'hello', 1789, 'udp' ); +replace services ( name, port, protocol ) values ( 'radius', 1812, 'tcp' ); +replace services ( name, port, protocol ) values ( 
'radius', 1812, 'udp' );
+replace services ( name, port, protocol ) values ( 'radius-acct', 1813, 'tcp' );
+replace services ( name, port, protocol ) values ( 'radius-acct', 1813, 'udp' );
+replace services ( name, port, protocol ) values ( 'mtp', 1911, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mtp', 1911, 'udp' );
+replace services ( name, port, protocol ) values ( 'hsrp', 1985, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hsrp', 1985, 'udp' );
+replace services ( name, port, protocol ) values ( 'licensedaemon', 1986, 'tcp' );
+replace services ( name, port, protocol ) values ( 'licensedaemon', 1986, 'udp' );
+replace services ( name, port, protocol ) values ( 'gdp-port', 1997, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gdp-port', 1997, 'udp' );
+replace services ( name, port, protocol ) values ( 'nfs', 2049, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nfs', 2049, 'udp' );
+replace services ( name, port, protocol ) values ( 'zephyr-srv', 2102, 'tcp' );
+replace services ( name, port, protocol ) values ( 'zephyr-srv', 2102, 'udp' );
+replace services ( name, port, protocol ) values ( 'zephyr-clt', 2103, 'tcp' );
+replace services ( name, port, protocol ) values ( 'zephyr-clt', 2103, 'udp' );
+replace services ( name, port, protocol ) values ( 'zephyr-hm', 2104, 'tcp' );
+replace services ( name, port, protocol ) values ( 'zephyr-hm', 2104, 'udp' );
+replace services ( name, port, protocol ) values ( 'cvspserver', 2401, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cvspserver', 2401, 'udp' );
+replace services ( name, port, protocol ) values ( 'venus', 2430, 'tcp' );
+replace services ( name, port, protocol ) values ( 'venus', 2430, 'udp' );
+replace services ( name, port, protocol ) values ( 'venus-se', 2431, 'tcp' );
+replace services ( name, port, protocol ) values ( 'venus-se', 2431, 'udp' );
+replace services ( name, port, protocol ) values ( 'codasrv', 2432, 'tcp' );
+replace services ( name, port, protocol ) values ( 'codasrv', 2432, 'udp' );
+replace services ( name, port, protocol ) values ( 'codasrv-se', 2433, 'tcp' );
+replace services ( name, port, protocol ) values ( 'codasrv-se', 2433, 'udp' );
+replace services ( name, port, protocol ) values ( 'hpstgmgr', 2600, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hpstgmgr', 2600, 'udp' );
+replace services ( name, port, protocol ) values ( 'discp-client', 2601, 'tcp' );
+replace services ( name, port, protocol ) values ( 'discp-client', 2601, 'udp' );
+replace services ( name, port, protocol ) values ( 'discp-server', 2602, 'tcp' );
+replace services ( name, port, protocol ) values ( 'discp-server', 2602, 'udp' );
+replace services ( name, port, protocol ) values ( 'servicemeter', 2603, 'tcp' );
+replace services ( name, port, protocol ) values ( 'servicemeter', 2603, 'udp' );
+replace services ( name, port, protocol ) values ( 'nsc-ccs', 2604, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nsc-ccs', 2604, 'udp' );
+replace services ( name, port, protocol ) values ( 'nsc-posa', 2605, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nsc-posa', 2605, 'udp' );
+replace services ( name, port, protocol ) values ( 'netmon', 2606, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netmon', 2606, 'udp' );
+replace services ( name, port, protocol ) values ( 'corbaloc', 2809, 'tcp' );
+replace services ( name, port, protocol ) values ( 'icpv2', 3130, 'tcp' );
+replace services ( name, port, protocol ) values ( 'icpv2', 3130, 'udp' );
+replace services ( name, port, protocol ) values ( 'mysql', 3306, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mysql', 3306, 'udp' );
+replace services ( name, port, protocol ) values ( 'trnsprntproxy', 3346, 'tcp' );
+replace services ( name, port, protocol ) values ( 'trnsprntproxy', 3346, 'udp' );
+replace services ( name, port, protocol ) values ( 'rwhois', 4321, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rwhois', 4321, 'udp' );
+replace services ( name, port, protocol ) values ( 'krb524', 4444, 'tcp' );
+replace services ( name, port, protocol ) values ( 'krb524', 4444, 'udp' );
+replace services ( name, port, protocol ) values ( 'rfe', 5002, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rfe', 5002, 'udp' );
+replace services ( name, port, protocol ) values ( 'cfengine', 5308, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cfengine', 5308, 'udp' );
+replace services ( name, port, protocol ) values ( 'cvsup', 5999, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cvsup', 5999, 'udp' );
+replace services ( name, port, protocol ) values ( 'x11', 6000, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-fileserver', 7000, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-fileserver', 7000, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-callback', 7001, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-callback', 7001, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-prserver', 7002, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-prserver', 7002, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-vlserver', 7003, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-vlserver', 7003, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-kaserver', 7004, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-kaserver', 7004, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-volser', 7005, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-volser', 7005, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-errors', 7006, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-errors', 7006, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-bos', 7007, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-bos', 7007, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-update', 7008, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-update', 7008, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-rmtsys', 7009, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-rmtsys', 7009, 'udp' );
+replace services ( name, port, protocol ) values ( 'sd', 9876, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sd', 9876, 'udp' );
+replace services ( name, port, protocol ) values ( 'amanda', 10080, 'tcp' );
+replace services ( name, port, protocol ) values ( 'amanda', 10080, 'udp' );
+replace services ( name, port, protocol ) values ( 'pgpkeyserver', 11371, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pgpkeyserver', 11371, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323callsigalt', 11720, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323callsigalt', 11720, 'udp' );
+replace services ( name, port, protocol ) values ( 'bprd', 13720, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bprd', 13720, 'udp' );
+replace services ( name, port, protocol ) values ( 'bpdbm', 13721, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bpdbm', 13721, 'udp' );
+replace services ( name, port, protocol ) values ( 'bpjava-msvc', 13722, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bpjava-msvc', 13722, 'udp' );
+replace services ( name, port, protocol ) values ( 'vnetd', 13724, 'tcp' );
+replace services ( name, port, protocol ) values ( 'vnetd', 13724, 'udp' );
+replace services ( name, port, protocol ) values ( 'bpcd', 13782, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bpcd', 13782, 'udp' );
+replace services ( name, port, protocol ) values ( 'vopied', 13783, 'tcp' );
+replace services ( name, port, protocol ) values ( 'vopied', 13783, 'udp' );
+replace services ( name, port, protocol ) values ( 'wnn6', 22273, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wnn6', 22273, 'ucp' );
+replace services ( name, port, protocol ) values ( 'quake', 26000, 'tcp' );
+replace services ( name, port, protocol ) values ( 'quake', 26000, 'udp' );
+replace services ( name, port, protocol ) values ( 'wnn6-ds', 26208, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wnn6-ds', 26208, 'udp' );
+replace services ( name, port, protocol ) values ( 'traceroute', 33434, 'tcp' );
+replace services ( name, port, protocol ) values ( 'traceroute', 33434, 'udp' );
+replace services ( name, port, protocol ) values ( 'rtmp', 1, 'ddp' );
+replace services ( name, port, protocol ) values ( 'nbp', 2, 'ddp' );
+replace services ( name, port, protocol ) values ( 'echo', 4, 'ddp' );
+replace services ( name, port, protocol ) values ( 'zip', 6, 'ddp' );
+replace services ( name, port, protocol ) values ( 'kerberos_master', 751, 'udp' );
+replace services ( name, port, protocol ) values ( 'kerberos_master', 751, 'tcp' );
+replace services ( name, port, protocol ) values ( 'passwd_server', 752, 'udp' );
+replace services ( name, port, protocol ) values ( 'krbupdate', 760, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kpop', 1109, 'tcp' );
+replace services ( name, port, protocol ) values ( 'knetd', 2053, 'tcp' );
+replace services ( name, port, protocol ) values ( 'krb5_prop', 754, 'tcp' );
+replace services ( name, port, protocol ) values ( 'eklogin', 2105, 'tcp' );
+replace services ( name, port, protocol ) values ( 'supfilesrv', 871, 'tcp' );
+replace services ( name, port, protocol ) values ( 'supfiledbg', 1127, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netstat', 15, 'tcp' );
+replace services ( name, port, protocol ) values ( 'linuxconf', 98, 'tcp' );
+replace services ( name, port, protocol ) values ( 'poppassd', 106, 'tcp' );
+replace services ( name, port, protocol ) values ( 'poppassd', 106, 'udp' );
+replace services ( name, port, protocol ) values ( 'smtps', 465, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gii', 616, 'tcp' );
+replace services ( name, port, protocol ) values ( 'omirr', 808, 'tcp' );
+replace services ( name, port, protocol ) values ( 'omirr', 808, 'udp' );
+replace services ( name, port, protocol ) values ( 'swat', 901, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rndc', 953, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rndc', 953, 'udp' );
+replace services ( name, port, protocol ) values ( 'skkserv', 1178, 'tcp' );
+replace services ( name, port, protocol ) values ( 'xtel', 1313, 'tcp' );
+replace services ( name, port, protocol ) values ( 'support', 1529, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cfinger', 2003, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ninstall', 2150, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ninstall', 2150, 'udp' );
+replace services ( name, port, protocol ) values ( 'afbackup', 2988, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afbackup', 2988, 'udp' );
+replace services ( name, port, protocol ) values ( 'squid', 3128, 'tcp' );
+replace services ( name, port, protocol ) values ( 'prsvp', 3455, 'tcp' );
+replace services ( name, port, protocol ) values ( 'prsvp', 3455, 'udp' );
+replace services ( name, port, protocol ) values ( 'postgres', 5432, 'tcp' );
+replace services ( name, port, protocol ) values ( 'postgres', 5432, 'udp' );
+replace services ( name, port, protocol ) values ( 'fax', 4557, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hylafax', 4559, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sgi-dgl', 5232, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sgi-dgl', 5232, 'udp' );
+replace services ( name, port, protocol ) values ( 'noclog', 5354, 'tcp' );
+replace services ( name, port, protocol ) values ( 'noclog', 5354, 'udp' );
+replace services ( name, port, protocol ) values ( 'hostmon', 5355, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hostmon', 5355, 'udp' );
+replace services ( name, port, protocol ) values ( 'canna', 5680, 'tcp' );
+replace services ( name, port, protocol ) values ( 'x11-ssh-offset', 6010, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ircd', 6667, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ircd', 6667, 'udp' );
+replace services ( name, port, protocol ) values ( 'xfs', 7100, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tircproxy', 7666, 'tcp' );
+replace services ( name, port, protocol ) values ( 'http-alt', 8008, 'tcp' );
+replace services ( name, port, protocol ) values ( 'http-alt', 8008, 'udp' );
+replace services ( name, port, protocol ) values ( 'webcache', 8080, 'tcp' );
+replace services ( name, port, protocol ) values ( 'webcache', 8080, 'udp' );
+replace services ( name, port, protocol ) values ( 'tproxy', 8081, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tproxy', 8081, 'udp' );
+replace services ( name, port, protocol ) values ( 'jetdirect', 9100, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mandelspawn', 9359, 'udp' );
+replace services ( name, port, protocol ) values ( 'kamanda', 10081, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kamanda', 10081, 'udp' );
+replace services ( name, port, protocol ) values ( 'amandaidx', 10082, 'tcp' );
+replace services ( name, port, protocol ) values ( 'amidxtape', 10083, 'tcp' );
+replace services ( name, port, protocol ) values ( 'isdnlog', 20011, 'tcp' );
+replace services ( name, port, protocol ) values ( 'isdnlog', 20011, 'udp' );
+replace services ( name, port, protocol ) values ( 'vboxd', 20012, 'tcp' );
+replace services ( name, port, protocol ) values ( 'vboxd', 20012, 'udp' );
+replace services ( name, port, protocol ) values ( 'wnn4_Kr', 22305, 'tcp' );
+replace
services ( name, port, protocol ) values ( 'wnn4_Cn', 22289, 'tcp' ); +replace services ( name, port, protocol ) values ( 'wnn4_Tw', 22321, 'tcp' ); +replace services ( name, port, protocol ) values ( 'binkp', 24554, 'tcp' ); +replace services ( name, port, protocol ) values ( 'binkp', 24554, 'udp' ); +replace services ( name, port, protocol ) values ( 'asp', 27374, 'tcp' ); +replace services ( name, port, protocol ) values ( 'asp', 27374, 'udp' ); +replace services ( name, port, protocol ) values ( 'tfido', 60177, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tfido', 60177, 'udp' ); +replace services ( name, port, protocol ) values ( 'fido', 60179, 'tcp' ); +replace services ( name, port, protocol ) values ( 'fido', 60179, 'udp' ); diff -Naur snort-2.3.0RC1/src/decode.c snort-2.3.0RC1fp/src/decode.c --- snort-2.3.0RC1/src/decode.c Tue Oct 5 12:55:18 2004 +++ snort-2.3.0RC1fp/src/decode.c Mon Jan 24 13:46:43 2005 @@ -1842,6 +1842,9 @@ /* lay the IP struct over the raw data */ p->iph = (IPHdr *) pkt; + /* SDR ADDED NEXT LINE */ + p->ip_hop_count = IP_HOP_COUNT_UNDEFINED; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); /* do a little validation */ @@ -2096,6 +2099,9 @@ /* lay the IP struct over the raw data */ p->orig_iph = (IPHdr *) pkt; + + /* SDR ADDED NEXT LINE */ + p->ip_hop_count = IP_HOP_COUNT_UNDEFINED; DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeIPOnly: ip header starts at: %p, " "length is %lu\n", p->orig_iph, (unsigned long) len);); diff -Naur snort-2.3.0RC1/src/decode.h snort-2.3.0RC1fp/src/decode.h --- snort-2.3.0RC1/src/decode.h Mon Sep 13 11:44:49 2004 +++ snort-2.3.0RC1fp/src/decode.h Mon Jan 24 13:46:43 2005 @@ -188,6 +188,8 @@ #define IP_MAXPACKET 65535 /* maximum packet size */ #endif /* IP_MAXPACKET */ +#define IP_HOP_COUNT_UNDEFINED -1 /* SDR: Added for fingerprinting */ + #define TH_FIN 0x01 #define TH_SYN 0x02 #define TH_RST 0x04 
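Review bot: `IP_HOP_COUNT_UNDEFINED` expands to a bare `-1`; `#define IP_HOP_COUNT_UNDEFINED (-1) /* hop count not yet computed */` is the safer form and also states what the sentinel means. The two decode.c hunks in this patch only reset the field on the IP decode paths and nothing visible here assigns any other value, so the comment should name where the real hop count is expected to be filled in (presumably a fingerprinting component outside this diff). If the Packet struct is reused between packets without being cleared (not visible here), a non-IP packet would carry the previous packet's hop count, which is worth a sentence in the same comment.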
@@ -1081,6 +1083,7 @@ IPHdr *iph, *orig_iph; /* and orig. headers for ICMP_*_UNREACH family */ u_int32_t ip_options_len; u_int8_t *ip_options_data; + int ip_hop_count; /* SDR ADDED: IP hop count */ TCPHdr *tcph, *orig_tcph; u_int32_t tcp_options_len; diff -Naur snort-2.3.0RC1/src/detection-plugins/Makefile.am snort-2.3.0RC1fp/src/detection-plugins/Makefile.am --- snort-2.3.0RC1/src/detection-plugins/Makefile.am Wed Jun 16 12:49:24 2004 +++ snort-2.3.0RC1fp/src/detection-plugins/Makefile.am Mon Jan 24 13:46:43 2005 @@ -16,6 +16,8 @@ sp_tcp_win_check.c sp_tcp_win_check.h sp_ttl_check.c sp_ttl_check.h \ sp_clientserver.c sp_clientserver.h sp_byte_check.c sp_byte_check.h \ sp_byte_jump.c sp_byte_jump.h sp_pcre.c sp_pcre.h sp_isdataat.c sp_isdataat.h \ -sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h +sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h \ +sp_ip_length_check.c sp_ip_length_check.h sp_tcp_option_check.c \ +sp_tcp_option_check.h sp_tcp_quirks_check.s sp_tcp_quirks_check.h INCLUDES = @INCLUDES@ diff -Naur snort-2.3.0RC1/src/detection-plugins/Makefile.in snort-2.3.0RC1fp/src/detection-plugins/Makefile.in --- snort-2.3.0RC1/src/detection-plugins/Makefile.in Thu Nov 18 10:21:24 2004 +++ snort-2.3.0RC1fp/src/detection-plugins/Makefile.in Mon Jan 24 13:46:43 2005 @@ -97,7 +97,9 @@ sp_tcp_win_check.c sp_tcp_win_check.h sp_ttl_check.c sp_ttl_check.h \ sp_clientserver.c sp_clientserver.h sp_byte_check.c sp_byte_check.h \ sp_byte_jump.c sp_byte_jump.h sp_pcre.c sp_pcre.h sp_isdataat.c sp_isdataat.h \ -sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h +sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h \ +sp_ip_length_check.c sp_ip_length_check.h sp_tcp_option_check.c \ +sp_tcp_option_check.h sp_tcp_quirks_check.s sp_tcp_quirks_check.h subdir = src/detection-plugins mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs 
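Review bot: Makefile.am lists `sp_tcp_quirks_check.s`, but the file this patch adds (see the later `sp_tcp_quirks_check.c` diff header) is a C source; with the `.s` suffix automake looks for an assembler source that does not exist and the build fails, or, if a stale `.s` happens to be present, assembles the wrong thing. Change the new line to `sp_tcp_option_check.h sp_tcp_quirks_check.c sp_tcp_quirks_check.h`. The Makefile.in hunks that follow repeat the `.s` name and add `CCASCOMPILE`/`.s.o` rules to compensate; once the suffix is corrected those additions can be dropped rather than carried as a workaround.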
@@ -120,7 +122,8 @@ sp_tcp_win_check.$(OBJEXT) sp_ttl_check.$(OBJEXT) \ sp_clientserver.$(OBJEXT) sp_byte_check.$(OBJEXT) \ sp_byte_jump.$(OBJEXT) sp_pcre.$(OBJEXT) sp_isdataat.$(OBJEXT) \ - sp_flowbits.$(OBJEXT) sp_asn1.$(OBJEXT) + sp_flowbits.$(OBJEXT) sp_asn1.$(OBJEXT) sp_ip_length_check.$(OBJEXT) \ + sp_tcp_option_check.$(OBJEXT) sp_tcp_quirks_check.$(OBJEXT) libspd_a_OBJECTS = $(am_libspd_a_OBJECTS) DEFS = @DEFS@ @@ -135,6 +138,8 @@ CCLD = $(CC) LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ CFLAGS = @CFLAGS@ +CCASCOMPILE = $(CCAS) $(AM_CCASFLAGS) $(CCASFLAGS) +CCASFLAGS = @CCASFLAGS@ DIST_SOURCES = $(libspd_a_SOURCES) DIST_COMMON = Makefile.am Makefile.in SOURCES = $(libspd_a_SOURCES) @@ -142,7 +147,7 @@ all: all-am .SUFFIXES: -.SUFFIXES: .c .o .obj +.SUFFIXES: .c .o .obj .s $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) cd $(top_srcdir) && \ $(AUTOMAKE) --foreign src/detection-plugins/Makefile @@ -169,6 +174,12 @@ .c.obj: $(COMPILE) -c `cygpath -w $<` + +.s.o: + $(CCASCOMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< + +.s.obj: + $(CCASCOMPILE) -c `cygpath -w $<` uninstall-info-am: ETAGS = etags diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_ip_length_check.c snort-2.3.0RC1fp/src/detection-plugins/sp_ip_length_check.c --- snort-2.3.0RC1/src/detection-plugins/sp_ip_length_check.c Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_ip_length_check.c Mon Jan 24 13:46:43 2005 
@@ -0,0 +1,299 @@ +/* +** Copyright (C) 1998-2002 Martin Roesch +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* $Id$ */ +/* SDR ADDED FILE */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include +#include +#include + +#ifdef HAVE_STRINGS_H +#include +#endif + +#include "rules.h" +#include "decode.h" +#include "plugbase.h" +#include "parser.h" +#include "debug.h" +#include "plugin_enum.h" +#include "util.h" + +typedef struct _IpLengthData +{ + u_int16_t ip_length; + u_int8_t not_flag; + +} IpLengthData; + +void IpLengthCheckInit(char *, OptTreeNode *, int); +void ParseIpLength(char *, OptTreeNode *); +int IpLengthCheckEq(Packet *, struct _OptTreeNode *, OptFpList *); +int IpLengthCheckLT(Packet *, struct _OptTreeNode *, OptFpList *); +int IpLengthCheckGT(Packet *, struct _OptTreeNode *, OptFpList *); + + +/**************************************************************************** + * + * Function: SetupIpLengthCheck() + * + * Purpose: Associate the length keyword with IpLengthCheckInit + * + * Arguments: None. 
+ * + * Returns: void function + * + ****************************************************************************/ +void SetupIpLengthCheck() +{ + /* map the keyword to an initialization/processing function */ + RegisterPlugin("length", IpLengthCheckInit); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Plugin: IpLengthCheck Initialized\n");); +} + + +/**************************************************************************** + * + * Function: IpLengthCheckInit(char *, OptTreeNode *) + * + * Purpose: Setup the length data struct and link the function into option + * function pointer list + * + * Arguments: data => rule arguments/data + * otn => pointer to the current rule option list node + * + * Returns: void function + * + ****************************************************************************/ +void IpLengthCheckInit(char *data, OptTreeNode *otn, int protocol) +{ + /* multiple declaration check */ + if(otn->ds_list[PLUGIN_IP_LENGTH_CHECK]) + { + FatalError("%s(%d): Multiple IP length options in rule\n", file_name, + file_line); + } + + /* allocate the data structure and attach it to the + rule's data struct list */ + otn->ds_list[PLUGIN_IP_LENGTH_CHECK] = (IpLengthData *) + SnortAlloc(sizeof(IpLengthData)); + + /* this is where the keyword arguments are processed and placed into the + rule option's data structure */ + ParseIpLength(data, otn); + +} + + + +/**************************************************************************** + * + * Function: ParseIpLength(char *, OptTreeNode *) + * + * Purpose: Convert the length option argument to data and plug it into the + * data structure + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +void ParseIpLength(char *data, OptTreeNode *otn) +{ + IpLengthData *ds_ptr; /* data struct pointer */ + + /* set the ds pointer to make it easier to reference the option's + 
particular data struct */ + ds_ptr = otn->ds_list[PLUGIN_IP_LENGTH_CHECK]; + + /* get rid of any whitespace */ + while(isspace((int)*data)) + { + data++; + } + + /* process operator(s) */ + if(data[0] == '!') + { + ds_ptr->not_flag = 1; + } + + /* Locate the operator, and set appropriate handling function */ + + switch (*data) { + case '=': + AddOptFuncToList ( IpLengthCheckEq, otn ); + data++; + break; + case '>': + AddOptFuncToList ( IpLengthCheckGT, otn ); + data++; + break; + case '<': + AddOptFuncToList ( IpLengthCheckLT, otn ); + data++; + break; + default: + /* default to the '=' operator, but don't advance pointer */ + /* in case that 'data' is legal digit */ + AddOptFuncToList ( IpLengthCheckEq, otn ); + break; + } + + /* get rid of any whitespace */ + while(isspace((int)*data)) + { + data++; + } + + + if(index(data, (int) 'x') == NULL && index(data, (int)'X') == NULL) + { + ds_ptr->ip_length = atoi(data); + } + else + { + if(index(data,(int)'x')) + { + ds_ptr->ip_length = (u_char) strtol((index(data, (int)'x')+1), NULL, 16); + } + else + { + ds_ptr->ip_length = (u_char) strtol((index(data, (int)'X')+1), NULL, 16); + } + } + + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"ip length set to %d\n", ds_ptr->ip_length);); +} + + +/**************************************************************************** + * + * Function: IpLengthCheckEq(char *, OptTreeNode *) + * + * Purpose: Test the ip header's length field to see if its value is equal to the + * value in the rule. + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +int IpLengthCheckEq(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + if(!p->iph) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. 
+ */ + + if((((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->ip_length == + htons(p->iph->ip_len)) ^ (((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->not_flag)) + { + /* call the next function in the function list recursively */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + } + else + { + /* you can put debug comments here or not */ + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n");); + } + + /* if the test isn't successful, return 0 */ + return 0; +} + +/**************************************************************************** + * + * Function: IpLengthCheckLT(char *, OptTreeNode *) + * + * Purpose: Test the ip header's length field to see if its value is less than the + * value in the rule. + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +int IpLengthCheckLT(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + if(!p->iph) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. + */ + + if( ntohs(p->iph->ip_len) < + ((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->ip_length ) + { + /* call the next function in the function list recursively */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + } + else + { + /* you can put debug comments here or not */ + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n");); + } + + /* if the test isn't successful, return 0 */ + return 0; +} + +/**************************************************************************** + * + * Function: IpLengthCheckGT(char *, OptTreeNode *) + * + * Purpose: Test the ip header's length field to see if its value is greater than the + * value in the rule. 
+ * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +int IpLengthCheckGT(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + if(!p->iph) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. + */ + + if( ntohs(p->iph->ip_len) > + ((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->ip_length ) + { + /* call the next function in the function list recursively */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + } + else + { + /* you can put debug comments here or not */ + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n");); + } + + /* if the test isn't successful, return 0 */ + return 0; +} diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_ip_length_check.h snort-2.3.0RC1fp/src/detection-plugins/sp_ip_length_check.h --- snort-2.3.0RC1/src/detection-plugins/sp_ip_length_check.h Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_ip_length_check.h Mon Jan 24 13:46:43 2005 
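Review bot: In ParseIpLength the `!` prefix is recorded but never consumed, so `length:!60` reaches the `switch (*data)` with `!` still in front, falls into the default branch, and `atoi("!60")` stores 0 — the negated rule silently matches total-length 0 instead of "not 60". Add `data++;` inside the `if(data[0] == '!')` block, exactly as the sp_tcp_ack_check hunk in this same patch does. Separately, the hex path casts through `(u_char)` although `ip_length` is `u_int16_t`, truncating any value above 0xff; use `(u_int16_t) strtol(...)` in both branches, since IP total length is a 16-bit field. Note also that only IpLengthCheckEq honours `not_flag`; IpLengthCheckLT/GT ignore it, so `!<` and `!>` parse without error but behave as plain `<` and `>`, which should either be implemented or rejected at parse time.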
@@ -0,0 +1,25 @@ +/* +** Copyright (C) 1998-2002 Martin Roesch +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* $Id$ */ +#ifndef __SP_IP_LENGTH_CHECK_H__ +#define __SP_IP_LENGTH_CHECK_H__ + +void SetupIpLengthCheck(); + +#endif /* __SP_IP_LENGTH_CHECK_H__ */ diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_tcp_ack_check.c snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_ack_check.c --- snort-2.3.0RC1/src/detection-plugins/sp_tcp_ack_check.c Mon Oct 20 09:03:32 2003 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_ack_check.c Mon Jan 24 13:46:43 2005 @@ -38,6 +38,8 @@ typedef struct _TcpAckCheckData { u_long tcp_ack; + u_int8_t not_flag; /* ADDED SDR */ + } TcpAckCheckData; void TcpAckCheckInit(char *, OptTreeNode *, int); @@ -129,6 +131,20 @@ /* set the ds pointer to make it easier to reference the option's particular data struct */ ds_ptr = otn->ds_list[PLUGIN_TCP_ACK_CHECK]; + /* BEGIN ADD SDR */ + ds_ptr->not_flag = 0; + + while(isspace((int)*data)) + { + data++; + } + + if(data[0] == '!') + { + ds_ptr->not_flag = 1; + data++; + } + /* END ADD SDR */ ds_ptr->tcp_ack = strtoul(data, ep, 0); ds_ptr->tcp_ack = htonl(ds_ptr->tcp_ack); 
@@ -155,7 +171,9 @@ if(!p->tcph) return 0; /* if error appeared when tcp header was processed, * test fails automagically */ - if(((TcpAckCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->tcp_ack == p->tcph->th_ack) + /* SDR REPLACED FOLLOWING LINE */ + if((((TcpAckCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->tcp_ack == p->tcph->th_ack) ^ + (((TcpAckCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->not_flag)) { /* call the next function in the function list recursively */ return fp_list->next->OptTestFunc(p, otn, fp_list->next); diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_tcp_option_check.c snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_option_check.c --- snort-2.3.0RC1/src/detection-plugins/sp_tcp_option_check.c Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_option_check.c Mon Jan 24 13:46:43 2005 
@@ -0,0 +1,312 @@ +/* +** Copyright (C) 1998-2002 Martin Roesch +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* $Id$ */ +/* SDR ADDED FILE */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include +#include +#include + +#include "rules.h" +#include "decode.h" +#include "plugbase.h" +#include "parser.h" +#include "debug.h" +#include "util.h" +#include "plugin_enum.h" +#include "mstring.h" + +/* _Option data type doesn't really work for us here, so we will create our own */ + +typedef struct _TcpOptionData +{ + u_int8_t code[TCP_OPTLENMAX]; + u_char operator[TCP_OPTLENMAX]; + u_int16_t value[TCP_OPTLENMAX]; + u_int16_t tcp_option_count; +} TcpOptionData; + +void TcpOptionInit(char *, OptTreeNode *, int); +void ParseTcpOptionData(char *, OptTreeNode *); +int CheckTcpOptions(Packet *, struct _OptTreeNode *, OptFpList *); + +/**************************************************************************** + * + * Function: SetupTcpOptionCheck() + * + * Purpose: Associate the 'tcpopts' keyword with TcpOptionInit + * + * Arguments: None. 
+ * + * Returns: void function + * + ****************************************************************************/ +void SetupTcpOptionCheck() +{ + /* map the keyword to an initialization/processing function */ + RegisterPlugin("tcpopts", TcpOptionInit); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: TcpOptionCheck Initialized\n");); +} + + +/**************************************************************************** + * + * Function: TcpOptionInit(char *, OptTreeNode *) + * + * Purpose: Setup the TcpOptionData struct and link the function into option + * function pointer list + * + * Arguments: data => rule arguments/data + * otn => pointer to the current rule option list node + * + * Returns: void function + * + ****************************************************************************/ +void TcpOptionInit(char *data, OptTreeNode *otn, int protocol) +{ + /* multiple declaration check */ + if(otn->ds_list[PLUGIN_TCP_OPTION_CHECK]) + { + FatalError("%s(%d): Multiple tcpopts options in rule\n", file_name, + file_line); + } + + /* allocate the data structure and attach it to the + rule's data struct list */ + otn->ds_list[PLUGIN_TCP_OPTION_CHECK] = (TcpOptionData *) + SnortAlloc(sizeof(TcpOptionData)); + + /* this is where the keyword arguments are processed and placed into the + rule option's data structure */ + ParseTcpOptionData(data, otn); + + /* finally, attach the option's detection function to the rule's + detect function pointer list */ + AddOptFuncToList(CheckTcpOptions, otn); +} + +/**************************************************************************** + * + * Function: ParseTcpOptionData(char *, OptTreeNode *) + * + * Purpose: Convert the tcpopts argument to data and plug it into the + * data structure + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +void ParseTcpOptionData(char *data, 
OptTreeNode *otn) +{ + TcpOptionData *ds_ptr; /* data struct pointer */ + char **toks; /* tokens found in option data */ + int num_toks; /* number of tokens found in option data */ + int i; + char *p; + + + /* set the ds pointer to make it easier to reference the option's + particular data struct */ + ds_ptr = otn->ds_list[PLUGIN_TCP_OPTION_CHECK]; + + /* initialize variables in structure */ + for ( i = 0; i < TCP_OPTLENMAX; i ++ ) { + ds_ptr->code[i] = ds_ptr->value[i] = 0; + ds_ptr->operator[i] = '\0'; + } + ds_ptr->tcp_option_count = 0; + + if(data == NULL) + { + FatalError("TCP Option keyword missing argument!\n", file_name, file_line); + } + + /* Parse the data options into something useful */ + toks = mSplit ( data, ",", TCP_OPTLENMAX, &num_toks, '\\' ); + + for ( i = 0; i < num_toks; i++ ) { + if ( strstr ( toks[i], "nop" ) ) { + ds_ptr->code[i] = TCPOPT_NOP; + ds_ptr->tcp_option_count++; + free ( toks[i] ); /* done parsing this token, free up memory */ + continue; + } + if ( strstr ( toks[i], "eol" ) ) { + ds_ptr->code[i] = TCPOPT_EOL; + ds_ptr->tcp_option_count++; + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "sack" ) ) { + ds_ptr->code[i] = TCPOPT_SACKOK; + ds_ptr->tcp_option_count++; + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "eol" ) ) { + ds_ptr->code[i] = TCPOPT_EOL; + ds_ptr->tcp_option_count++; + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "ws" ) ) { + ds_ptr->code[i] = TCPOPT_WSCALE; + ds_ptr->tcp_option_count++; + if ( ( p = strchr ( toks[i], '%' ) ) ) { + ds_ptr->operator[i] = '%'; + ds_ptr->value[i] = atoi ( p+1 ); + } + if ( ( p = strchr ( toks[i], '=' ) ) ) { + ds_ptr->operator[i] = '='; + ds_ptr->value[i] = atoi ( p+1 ); + } + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "mss" ) ) { + ds_ptr->code[i] = TCPOPT_MAXSEG; + ds_ptr->tcp_option_count++; + if ( ( p = strchr ( toks[i], '%' ) ) ) { + ds_ptr->operator[i] = '%'; + ds_ptr->value[i] = atoi ( p+1 ); + } + if ( ( p = strchr ( 
toks[i], '=' ) ) ) { + ds_ptr->operator[i] = '='; + ds_ptr->value[i] = atoi ( p+1 ); + } + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "time" ) ) { + ds_ptr->code[i] = TCPOPT_TIMESTAMP; + ds_ptr->tcp_option_count++; + if ( ( p = strchr ( toks[i], '=' ) ) ) { + if ( *(p-1) == '!' ) + ds_ptr->operator[i] = '!'; + else + ds_ptr->operator[i] = '='; + ds_ptr->value[i] = atoi ( p+1 ); + } + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "number" ) && ( p = strchr ( toks[i], '=' ) ) ) { + ds_ptr->code[i] = atoi ( p+1 ); + ds_ptr->tcp_option_count++; + free ( toks[i] ); + continue; + } + + /* if we made it here, we can't parse the option! */ + FatalError("%s(%d) => Unknown TCP option argument: %s!\n", + file_name, file_line, data); + } + + return; + +} + + +/**************************************************************************** + * + * Function: CheckTcpOptions(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) + * + * Purpose: Test the ip header's length field to see if its value is equal to the + * value in the rule. + * + * Arguments: p => pointer to current packet being processed + * otn => pointer to the current rule's OTN + fp_list => pointer to linked list of functions to test + * + * Returns: (0) on failure (options and values do not match the rule's) + * (non-zero) on success + * + ****************************************************************************/ +int CheckTcpOptions(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + TcpOptionData *ds_ptr; /* data struct pointer */ + u_int8_t i; + u_int16_t optionValue; + char *optionValueStr; + + if(!p->iph) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. 
+ */ + + /* set the ds pointer to make it easier to reference the option's + particular data struct */ + ds_ptr = otn->ds_list[PLUGIN_TCP_OPTION_CHECK]; + + /* First, check to see if the option count is the same or + * no options to check */ + if ( ( ds_ptr->tcp_option_count != p->tcp_option_count ) + || ! p->tcp_option_count ) + return 0; + + /* Now, compare option by option, including operators if present */ + for ( i = 0; i < ds_ptr->tcp_option_count; i++ ) { + + /* verify same code number */ + if ( ds_ptr->code[i] != p->tcp_options[i].code ) + return 0; + + switch ( ds_ptr->code[i] ) { + + case TCPOPT_WSCALE: + case TCPOPT_MAXSEG: + case TCPOPT_TIMESTAMP: + optionValueStr = TCPOptionValue ( &p->tcp_options[i] ); + optionValue = atoi ( optionValueStr ); + free ( optionValueStr ); + + switch ( ds_ptr->operator[i] ) { + case '=': + if ( optionValue != ds_ptr->value[i] ) return 0; + break; + case '%': + if ( (ulong) optionValue % (ulong) ds_ptr->value[i] ) return 0; + break; + case '!': + if ( optionValue == ds_ptr->value[i] ) return 0; + break; + default: + /* if there's no operator, then still okay */ + break; + } /* end switch */ + + default: + /* all other operators have no argument */ + break; + + } /* end switch */ + + } /* end for */ + + /* we have a match, keep processing this rule! */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + +} diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_tcp_option_check.h snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_option_check.h --- snort-2.3.0RC1/src/detection-plugins/sp_tcp_option_check.h Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_option_check.h Mon Jan 24 13:46:43 2005 
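Review bot: CheckTcpOptions divides by a rule-supplied value on the packet path: the `'%'` case evaluates `optionValue % ds_ptr->value[i]`, and ParseTcpOptionData fills `value[i]` with `atoi(p+1)`, which yields 0 for `mss%` or a non-numeric operand, so one mistyped rule becomes a SIGFPE on the first packet whose option list matches — a sensor crash rather than a config error. Reject it at parse time, after each `'%'` assignment: `if ( ds_ptr->value[i] == 0 ) FatalError("%s(%d) => zero modulus in tcpopts\n", file_name, file_line);`. Two smaller things in the same hunk: the second `"eol"` branch is unreachable (identical to the first), and the `'!'` test `*(p-1) == '!'` in the `"time"` branch reads one byte before the token when `=` is its first character (e.g. `=time`). The entry guard also checks only `p->iph`; guarding on `p->tcph` as well would make the `tcp_option_count` comparison independent of what the previous packet left in the struct, should Packet not be cleared per packet (not visible here).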
@@ -0,0 +1,25 @@ +/* +** Copyright (C) 1998-2002 Martin Roesch +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* $Id$ */ +#ifndef __SP_TCPOPTION_CHECK_H__ +#define __SP_TCPOPTION_CHECK_H__ + +void SetupTcpOptionCheck(); + +#endif /* __SP_IPOPTION_CHECK_H__ */ diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_tcp_quirks_check.c snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_quirks_check.c --- snort-2.3.0RC1/src/detection-plugins/sp_tcp_quirks_check.c Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_quirks_check.c Mon Jan 24 13:46:43 2005 
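Review bot: The closing guard comment does not match the macro it closes: the header opens `#ifndef __SP_TCPOPTION_CHECK_H__` but ends with `#endif /* __SP_IPOPTION_CHECK_H__ */`, a leftover from the file it was copied from, and sp_tcp_quirks_check.h (the @@ -0,0 +1,25 @@ hunk below) has the same mismatch plus a stale `$Id` line naming sp_ipoption_check.h. `void SetupTcpOptionCheck();` is an old-style declaration that does not check arguments; `void SetupTcpOptionCheck(void);` is the prototype form, and the same applies to `SetupTcpQuirksCheck`. Identifiers beginning with a double underscore are reserved for the implementation, though that follows the convention of the surrounding Snort headers.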
@@ -0,0 +1,294 @@ +/* +** Copyright (C) 1998-2002 Martin Roesch +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* $Id$ */ +/* SDR ADDED FILE */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include +#include +#include + +#include "rules.h" +#include "decode.h" +#include "plugbase.h" +#include "parser.h" +#include "debug.h" +#include "util.h" +#include "plugin_enum.h" +#include "mstring.h" + +#define OPS_PAST_EOL 0x01 /* TCP Options Past EOL */ +#define NONZERO_URG 0x02 /* Non-Zero Urgent Pointer */ +#define EXTRA_DATA 0x04 /* Extra data found in TCP Packet */ +#define BROKEN_OPTION 0x08 /* Broken Option */ +#define SEQ_EQ_ACK 0x10 /* SEQ # = ACK # */ +#define TEXT_IN_RST 0x20 /* Text found in RST packet */ +#define NONZERO_RESV 0x40 /* Non-Zero reserved bits/flags */ +#define ODD_FLAGS 0x80 /* Unusual flags set (PUSH, URG) */ + +#define MAX_QUIRKS_OPS 8 /* Maximum Quirk operands */ + +typedef struct _TcpQuirksData +{ + u_int8_t flags; +} TcpQuirksData; + +void TcpQuirksInit(char *, OptTreeNode *, int); +void ParseTcpQuirksData(char *, OptTreeNode *); +int CheckTcpQuirks(Packet *, struct _OptTreeNode *, OptFpList *); + +/**************************************************************************** + * + * Function: SetupTemplate() + * + * Purpose: Generic detection 
engine plugin template. Registers the + * configuration function and links it to a rule keyword. + * + * Arguments: None. + * + * Returns: void function + * + ****************************************************************************/ +void SetupTcpQuirksCheck() +{ + /* map the keyword to an initialization/processing function */ + RegisterPlugin("quirks", TcpQuirksInit); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: TcpQuirksCheck Initialized\n");); + +} + +/**************************************************************************** + * + * Function: TemplateInit(char *, OptTreeNode *) + * + * Purpose: Generic rule configuration function. Handles parsing the rule + * information and attaching the associated detection function to + * the OTN. + * + * Arguments: data => rule arguments/data + * otn => pointer to the current rule option list node + * + * Returns: void function + * + ****************************************************************************/ +void TcpQuirksInit(char *data, OptTreeNode *otn, int protocol) +{ + /* multiple declaration check */ + if(otn->ds_list[PLUGIN_TCP_QUIRKS_CHECK]) + { + FatalError("%s(%d): Multiple quirks options in rule\n", file_name, + file_line); + } + + /* allocate the data structure and attach it to the + rule's data struct list */ + otn->ds_list[PLUGIN_TCP_QUIRKS_CHECK] = (TcpQuirksData *) + SnortAlloc(sizeof(TcpQuirksData)); + + /* this is where the keyword arguments are processed and placed into the + rule option's data structure */ + ParseTcpQuirksData(data, otn); + + /* finally, attach the option's detection function to the rule's + detect function pointer list */ + AddOptFuncToList(CheckTcpQuirks, otn); +} + +/**************************************************************************** + * + * Function: TemplateRuleParseFunction(char *, OptTreeNode *) + * + * Purpose: This is the function that is used to process the option keyword's + * arguments and attach them to the rule's data structures. 
+ * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +void ParseTcpQuirksData(char *data, OptTreeNode *otn) +{ + TcpQuirksData *ds_ptr; /* data struct pointer */ + char **toks; /* tokens found in Quirks data */ + int num_toks; /* number of tokens found in Quirks data */ + int i; + + /* set the ds pointer to make it easier to reference the Quirks's + particular data struct */ + ds_ptr = otn->ds_list[PLUGIN_TCP_QUIRKS_CHECK]; + + /* initialize variables in structure */ + ds_ptr->flags = 0; + + if(data == NULL) + { + FatalError("quirks keyword missing argument!\n", file_name, file_line); + } + + /* Parse the data options into something useful */ + toks = mSplit ( data, ",", MAX_QUIRKS_OPS, &num_toks, '\\' ); + + for ( i = 0; i < num_toks; i++ ) { + if ( strstr ( toks[i], "opeol" ) ) { + ds_ptr->flags |= OPS_PAST_EOL; + free ( toks[i] ); /* done parsing this token, free up memory */ + continue; + } + if ( strstr ( toks[i], "nzup" ) ) { + ds_ptr->flags |= NONZERO_URG; + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "extra" ) ) { + ds_ptr->flags |= EXTRA_DATA; + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "broken" ) ) { + ds_ptr->flags |= BROKEN_OPTION; + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "seqack" ) ) { + ds_ptr->flags |= SEQ_EQ_ACK; + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "rsttext" ) ) { + ds_ptr->flags |= TEXT_IN_RST; + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "nzuf" ) ) { + ds_ptr->flags |= NONZERO_RESV; + free ( toks[i] ); + continue; + } + if ( strstr ( toks[i], "oddflags" ) ) { + ds_ptr->flags |= ODD_FLAGS; + free ( toks[i] ); + continue; + } + + /* if we made it here, we can't parse the option! 
*/ + FatalError("%s(%d) => Unknown TCP quirks argument: %s!\n", + file_name, file_line, data); + } + + return; + +} + +/**************************************************************************** + * + * Function: TemplateDetectorFunction(char *, OptTreeNode *) + * + * Purpose: Use this function to perform the particular detection routine + * that this rule keyword is supposed to encompass. + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +int CheckTcpQuirks(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + TcpQuirksData *ds_ptr; /* data struct pointer */ + u_int8_t i,j; + + if(!p->iph || !p->tcph ) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. + */ + + /* set the ds pointer to make it easier to reference the option's + particular data struct */ + ds_ptr = otn->ds_list[PLUGIN_TCP_QUIRKS_CHECK]; + + /* Loop through the quirks (in binary); test individually */ + /* 64 = 2 raised to the MAX_QUIRKS_OP power */ + for ( i = 1; i < 64; i *= 2 ) + + if ( i & ds_ptr->flags ) + + switch ( i ) { + + case OPS_PAST_EOL: + for ( j = 0; j < p->tcp_option_count; j++ ) + if ( p->tcp_options[j].code == TCPOPT_EOL ) break; + if ( j == p->tcp_option_count ) + return 0; + break; + + case NONZERO_URG: + if ( ! p->tcph->th_urp ) + return 0; + break; + + case EXTRA_DATA: + if ( p->caplen < ( p->iph->ip_len + p->ip_options_len + 20 ) ) + return 0; + break; + + case BROKEN_OPTION: + /* this is an odd case, since we have to check all possible OPTs */ + for ( j = 0; j < p->tcp_option_count; j++ ) + if ( p->tcp_options[j].code == TCPOPT_MAXSEG || + p->tcp_options[j].code == TCPOPT_WSCALE || + p->tcp_options[j].code == TCPOPT_TIMESTAMP ) + if ( ! 
p->tcp_options[j].data ) + break; + return 0; + break; /* dead code, but keeps the compiler happy */ + + case SEQ_EQ_ACK: + if ( p->tcph->th_seq != p->tcph->th_ack ) + return 0; + break; + + case TEXT_IN_RST: + if ( ! ( ( p->tcph->th_flags & R_RST ) && p->dsize ) ) + return 0; + break; + + case NONZERO_RESV: + if ( ! ( p->tcph->th_flags & (R_RES1|R_RES2) ) ) + return 0; + break; + + case ODD_FLAGS: + if ( ! ( p->tcph->th_flags & (R_PSH|R_URG) ) ) + return 0; + break; + + default: + break; + + } + + /* we have a match, keep processing this rule! */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + +} diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_tcp_quirks_check.h snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_quirks_check.h --- snort-2.3.0RC1/src/detection-plugins/sp_tcp_quirks_check.h Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_quirks_check.h Mon Jan 24 13:46:43 2005 
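Review bot: The quirk loop in CheckTcpQuirks never reaches NONZERO_RESV (0x40) or ODD_FLAGS (0x80): `for ( i = 1; i < 64; i *= 2 )` visits only 1..32, so `nzuf` and `oddflags` in a rule are silently never tested (the comment's "64 = 2 raised to the MAX_QUIRKS_OP power" is off, 2^8 is 256). With `u_int8_t i` the loop can be written `for ( i = 1; i != 0; i <<= 1 )`, which stops when the shift wraps to 0 after 0x80. The BROKEN_OPTION case also returns 0 unconditionally after its scan, so that quirk can never match; it needs `if ( j == p->tcp_option_count ) return 0;` in place of the bare `return 0;`. In ParseTcpQuirksData, `FatalError("quirks keyword missing argument!\n", file_name, file_line)` passes two arguments to a format with no conversions; use `"%s(%d) => quirks keyword missing argument!\n"` like the other call in the function. The EXTRA_DATA test compares `p->caplen` against a raw `p->iph->ip_len`; if that field is kept in network byte order as in the rest of the decoder it needs `ntohs()` first — confirm.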
@@ -0,0 +1,25 @@ +/* +** Copyright (C) 1998-2002 Martin Roesch +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* $Id: sp_ipoption_check.h,v 1.6 2002/05/13 20:14:06 chrisgreen Exp $ */ +#ifndef __SP_TCPQUIRKS_CHECK_H__ +#define __SP_TCPQUIRKS_CHECK_H__ + +void SetupTcpQuirksCheck(); + +#endif /* __SP_IPOPTION_CHECK_H__ */ diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_tcp_win_check.c snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_win_check.c --- snort-2.3.0RC1/src/detection-plugins/sp_tcp_win_check.c Mon Oct 20 09:03:33 2003 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_win_check.c Mon Jan 24 13:46:43 2005 @@ -49,6 +49,12 @@ void TcpWinCheckInit(char *, OptTreeNode *, int); void ParseTcpWin(char *, OptTreeNode *); int TcpWinCheckEq(Packet *, struct _OptTreeNode *, OptFpList *); +/* SDR BEGIN ADD */ +int TcpWinCheckMod(Packet *, struct _OptTreeNode *, OptFpList *); +int TcpWinCheckModMSS(Packet *, struct _OptTreeNode *, OptFpList *); +int TcpWinCheckModMTU(Packet *, struct _OptTreeNode *, OptFpList *); +/* SDR END ADD */ + 
@@ -110,7 +116,8 @@ /* finally, attach the option's detection function to the rule's detect function pointer list */ - AddOptFuncToList(TcpWinCheckEq, otn); + /* SDR: Next line commented out. Functionality moved to ParseTcpWin */ + /* AddOptFuncToList(TcpWinCheckEq, otn); */ } @@ -136,6 +143,7 @@ /* set the ds pointer to make it easier to reference the option's particular data struct */ ds_ptr = otn->ds_list[PLUGIN_TCP_WIN_CHECK]; + ds_ptr->tcp_win = 0; /* ADDED LINE SDR */ /* get rid of any whitespace */ while(isspace((int)*data)) @@ -146,8 +154,43 @@ if(data[0] == '!') { ds_ptr->not_flag = 1; + data++; /* SDR ADDED LINE */ } + /* SDR BEGIN ADD */ + /* Locate the operator, and set appropriate handling function */ + switch (*data) + { + case '=': + AddOptFuncToList ( TcpWinCheckEq, otn ); + data++; + break; + case '%': + AddOptFuncToList ( TcpWinCheckMod, otn ); + data++; + break; + case 'S': + AddOptFuncToList ( TcpWinCheckModMSS, otn ); + data++; + break; + case 'T': + AddOptFuncToList ( TcpWinCheckModMTU, otn ); + data++; + break; + default: + /* default to the '=' operator, but don't advance pointer */ + /* in case that 'data' is legal digit */ + AddOptFuncToList ( TcpWinCheckEq, otn ); + break; + } + + /* get rid of any whitespace */ + while(isspace((int)*data)) + { + data++; + } + /* SDR END ADD */ + if(index(data, (int) 'x') == NULL && index(data, (int)'X') == NULL) { win_size = atoi(data); 
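Review bot: The new operator dispatch registers TcpWinCheckMod for `%` without ever checking the value that follows, and that function computes `ntohs(th_win) % tcp_win` on every packet, so a rule value of 0 (`win:%0`, or any non-numeric text that `atoi` maps to 0, after this hunk initialises `tcp_win` to 0) becomes a divide-by-zero at detection time rather than a parse error. Remember the operator in a local, e.g. `char win_op = *data;` before the switch, and once `tcp_win` has been assigned from the parsed value (that happens past the end of this hunk; ParseTcpWin continues outside it) reject it: `if ( win_op == '%' && ds_ptr->tcp_win == 0 ) FatalError("%s(%d) => win: modulus of zero\n", file_name, file_line);`. The `default` case silently treats an unknown leading character as `=` and leaves `atoi` to turn the text into 0, which the same check would catch for the `%` form.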
@@ -209,3 +252,139 @@ /* if the test isn't successful, return 0 */ return 0; } + +/* SDR BEGIN ADD */ +/**************************************************************************** + * + * Function: TcpWinCheckMod(char *, OptTreeNode *) + * + * Purpose: Test the TCP header's window to see if its value is modulus to the + * value in the rule (p0f '%' operator) + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +int TcpWinCheckMod(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + if(!p->tcph) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. + */ + + if( ntohs(p->tcph->th_win) % ((TcpWinData *)otn->ds_list[PLUGIN_TCP_WIN_CHECK])->tcp_win ) + return ( 0 ); + + /* Success! */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + +} + +/**************************************************************************** + * + * Function: TcpWinCheckModMSS(char *, OptTreeNode *) + * + * Purpose: Test the TCP header's window to see if its value is modulus of the + * maximum segment size (MSS) value in the rule (p0f 'S' operator) + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +int TcpWinCheckModMSS(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + u_int16_t mssPacket, winPacket, winRule; + char *mssValueStr; + u_int8_t i; + + if(!p->tcph ) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. 
+ */ + + for ( i = 0; i < p->tcp_option_count; i++ ) + if ( p->tcp_options[i].code == TCPOPT_MAXSEG ) break; + + if ( i == p->tcp_option_count ) + return ( 0 ); + + mssValueStr = TCPOptionValue ( &p->tcp_options[i] ); + mssPacket = atoi ( mssValueStr ); + free ( mssValueStr ); + winPacket = ntohs (p->tcph->th_win); + + winRule = ((TcpWinData *)otn->ds_list[PLUGIN_TCP_WIN_CHECK])->tcp_win; + + if ( mssPacket && ! ( winPacket % mssPacket ) ) { + if ( winPacket / mssPacket != winRule ) + return 0; + } + else if ( ! ( winPacket % 1460 ) ) { + if ( ( winPacket / 1460 ) != winRule ) + return 0; + } + else + return 0; + + /* match */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + +} + +/**************************************************************************** + * + * Function: TcpWinCheckModMTU(char *, OptTreeNode *) + * + * Purpose: Test the TCP header's window to see if its value is modulus of the + * maximum transmission unit (MTU=MSS+40) value in the rule (p0f 'T' operator) + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +int TcpWinCheckModMTU(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + u_int16_t mssPacket, winPacket, winRule; + char *mssValueStr; + u_int8_t i; + + if(!p->tcph ) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. + */ + + for ( i = 0; i < p->tcp_option_count; i++ ) + if ( p->tcp_options[i].code == TCPOPT_MAXSEG ) break; + + if ( i == p->tcp_option_count ) + return ( 0 ); + + mssValueStr = TCPOptionValue ( &p->tcp_options[i] ); + mssPacket = atoi ( mssValueStr ); + free ( mssValueStr ); + winPacket = ntohs ( p->tcph->th_win ); + + winRule = ((TcpWinData *)otn->ds_list[PLUGIN_TCP_WIN_CHECK])->tcp_win; + + if ( mssPacket && ! 
( winPacket % (mssPacket+40) ) ) { + if ( winPacket / (mssPacket+40) != winRule ) + return 0; + } + else if ( ! ( winPacket % 1500 ) ) { + if ( ( winPacket / 1500 ) != winRule ) + return 0; + } + else + return 0; + + /* match */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + +} +/* SDR END ADD */ diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_ttl_check.c snort-2.3.0RC1fp/src/detection-plugins/sp_ttl_check.c --- snort-2.3.0RC1/src/detection-plugins/sp_ttl_check.c Mon Oct 20 09:03:33 2003 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_ttl_check.c Mon Jan 24 13:46:43 2005 @@ -47,6 +47,11 @@ int CheckTtlGT(Packet *, struct _OptTreeNode *, OptFpList *); int CheckTtlLT(Packet *, struct _OptTreeNode *, OptFpList *); int CheckTtlRG(Packet *, struct _OptTreeNode *, OptFpList *); +/* SDR BEGIN ADD */ +int CheckTtlLTEQ(Packet *, struct _OptTreeNode *, OptFpList *); +int CheckTtlGTEQ(Packet *, struct _OptTreeNode *, OptFpList *); +int CalculateHopCount ( OptTreeNode *otn, Packet *p ); +/* SDR END ADD */ @@ -123,6 +128,7 @@ { TtlCheckData *ds_ptr; /* data struct pointer */ char ttlrel; + int eqflag = 0; /* SDR ADDED LINE */ /* set the ds pointer to make it easier to reference the option's particular data struct */ @@ -137,6 +143,14 @@ ds_ptr->h_ttl = -1; /* leading dash flag */ case '>': case '<': + /* SDR BEGIN ADD */ + if ( (data+1) && *(data+1) == '=' ) + { + eqflag = 1; + data += 2; + break; + } + /* SDR END ADD */ case '=': data++; break; @@ -157,12 +171,20 @@ ttlrel = '-'; } switch (ttlrel) { + /* SDR BEGIN MODIFY */ case '>': - AddOptFuncToList(CheckTtlGT, otn); + if ( eqflag ) + AddOptFuncToList(CheckTtlGTEQ, otn ); + else + AddOptFuncToList(CheckTtlGT, otn); break; - case '<': - AddOptFuncToList(CheckTtlLT, otn); + case '<': + if ( eqflag ) + AddOptFuncToList(CheckTtlLTEQ, otn ); + else + AddOptFuncToList(CheckTtlLT, otn); break; + /* SDR END MODIFY */ case '=': AddOptFuncToList(CheckTtlEq, otn); break; 
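Review bot: The three new check functions ignore `not_flag`: ParseTcpWin still sets `ds_ptr->not_flag = 1` on a leading `!` (and now advances past it), but TcpWinCheckMod, TcpWinCheckModMSS and TcpWinCheckModMTU read only `tcp_win`, so `win:!%64` matches exactly the same packets as `win:%64`. Either compute each test into an int and return 0 when it differs from `not_flag`, or have ParseTcpWin reject `!` with the `%`, `S` and `T` operators. The three header comments were copied from the template: they list `data`/`otn` and `Returns: void function`, but these functions take `Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list` and return 0 or the next list function's result, as the CheckTtl* headers in this patch say. TcpWinCheckMod also divides by `tcp_win` unconditionally, so a rule value of 0 must be rejected at parse time.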
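Review bot: `if ( (data+1) && *(data+1) == '=' )` tests a pointer expression that can never be null, so the first operand is a no-op; the dereference is safe only because this case is reached with `*data` equal to `>` or `<`, which guarantees a following byte exists. `if ( data[1] == '=' )` says what is meant. The enclosing switch in ParseTtl starts before this hunk, and the `-` case above falls into this block, so confirm that a leading dash followed by `=` is meant to take the `>=`/`<=` path.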
@@ -304,10 +326,6 @@ return 0; } - - - - /**************************************************************************** * * Function: CheckTtlRG(char *, OptTreeNode *) 
@@ -346,3 +364,121 @@ /* if the test isn't successful, return 0 */ return 0; } + +/* SDR BEGIN ADD */ +/**************************************************************************** + * + * Function: CheckTtlLTEQ(char *, OptTreeNode *) + * + * Purpose: Test the packet's payload size against the rule payload size + * value. This test determines if the packet payload size is + * less than or equal to the rule ttl (p0f) + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: 0 on failure, return value of next list function on success + * + ****************************************************************************/ +int CheckTtlLTEQ(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + if(p->iph && + (p->iph->ip_ttl <= ((TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK])->ttl)) + { + /* call the next function in the function list recursively */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + } +#ifdef DEBUG + else + { + /* you can put debug comments here or not */ + DebugMessage(DEBUG_PLUGIN, "CheckTtlLTEQ: Not Less/equal than %d\n", + ((TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK])->ttl); + } +#endif + + /* if the test isn't successful, return 0 */ + return 0; +} + +/**************************************************************************** + * + * Function: CheckTtlGTEQ(char *, OptTreeNode *) + * + * Purpose: Test the packet's payload size against the rule payload size + * value. 
This test determines if the packet payload size is + * greater than or equal to the rule ttl (p0f) + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: 0 on failure, return value of next list function on success + * + ****************************************************************************/ +int CheckTtlGTEQ(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + if(p->iph && + (p->iph->ip_ttl >= ((TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK])->ttl)) + { + /* call the next function in the function list recursively */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + } +#ifdef DEBUG + else + { + /* you can put debug comments here or not */ + DebugMessage(DEBUG_PLUGIN, "CheckTtlGTEQ: Not greater/equal than %d\n", + ((TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK])->ttl); + } +#endif + + /* if the test isn't successful, return 0 */ + return 0; +} + +/**************************************************************************** + * + * Function: CalculateHopCount(OptTreeNode *, Packet *) + * + * Purpose: Calculate the distance (hop count) of the packet. + * Used to aid fingerprinting (p0f), has no use for IDS mode (?) + * NOTE: This function is called once after a rule match is made + * in fpdetect.c (it's prototyped as an extern) + * + * Result is stored in p->ip_hop_count. 
+ * + * Returns: hop count, or IP_HOP_COUNT_UNDEFINED if hop count can not be + * calculated + * + ***************************************************************************/ +int CalculateHopCount ( OptTreeNode *otn, Packet *p ) { + + /* Best case, the rule has a TTL value that we can use to calculate the hop count */ + /* We make the assumption here that the matching rule is a fingerprint rule */ + if ( otn->ds_list[PLUGIN_TTL_CHECK] && p->iph ) { + + p->ip_hop_count = ((TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK])->ttl - + p->iph->ip_ttl; + + } + /* otherwise, use some standard default TTL values */ + else if ( p->iph ) { + + p->ip_hop_count = + ( p->iph->ip_ttl <= 32 ) ? 32 - p->iph->ip_ttl : + ( p->iph->ip_ttl <= 64 ) ? 64 - p->iph->ip_ttl : + ( p->iph->ip_ttl <= 128 ) ? 128 - p->iph->ip_ttl : 255 - p->iph->ip_ttl; + } + /* of course, if it's not an IP packet, we can't do anything */ + else { + + p->ip_hop_count = IP_HOP_COUNT_UNDEFINED; + + } + + return ( p->ip_hop_count ); + +} +/* SDR END ADD */ + + diff -Naur snort-2.3.0RC1/src/fpdetect.c snort-2.3.0RC1fp/src/fpdetect.c --- snort-2.3.0RC1/src/fpdetect.c Tue Sep 21 08:47:00 2004 +++ snort-2.3.0RC1fp/src/fpdetect.c Mon Jan 24 13:46:43 2005 @@ -143,7 +143,8 @@ //static INLINE int fpLogEvent(RuleTreeNode *rtn, OptTreeNode *otn, Packet *p); extern u_int8_t *doe_ptr; - +/* SDR ADDED NEXT LINE */ +extern int CalculateHopCount ( OptTreeNode *otn, Packet *p ); static OTNX_MATCH_DATA omd; /* initialize the global OTNX_MATCH_DATA variable */ @@ -819,6 +820,9 @@ if(otnx && otnx->otn) { + /* SDR ADDED NEXT LINE */ + CalculateHopCount ( otnx->otn, p ); + /* ** QueueEvent */ diff -Naur snort-2.3.0RC1/src/output-plugins/spo_database.c snort-2.3.0RC1fp/src/output-plugins/spo_database.c --- snort-2.3.0RC1/src/output-plugins/spo_database.c Mon Sep 13 11:44:49 2004 +++ snort-2.3.0RC1fp/src/output-plugins/spo_database.c Mon Jan 24 13:46:44 2005 
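Review bot: The Purpose lines of CheckTtlLTEQ and CheckTtlGTEQ were copied from a payload-size check and describe the wrong test; replace them with `Test the packet's IP TTL against the rule ttl value; succeeds when the packet TTL is less than or equal to (respectively greater than or equal to) the rule value`, and the Arguments block should list `p`, `otn` and `fp_list` rather than `data`. In CalculateHopCount, `rule ttl - p->iph->ip_ttl` goes negative whenever the matching rule's ttl is below the packet's (a `>=` or `>` rule, for instance), and the fallback branch runs for every rule match because fpdetect.c calls this unconditionally; unless `ip_hop_count` is meant to hold negative values, set it to `IP_HOP_COUNT_UNDEFINED` in that case. The header already notes the "matching rule is a fingerprint rule" assumption; it should also say that any rule carrying a `ttl` option overwrites the packet's hop count.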
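Review bot: `extern int CalculateHopCount ( OptTreeNode *otn, Packet *p );` is a hand-written prototype inside fpdetect.c; if the definition in sp_ttl_check.c changes, the compiler cannot catch the mismatch, so declare it in sp_ttl_check.h and include that header here. The call also runs for every matched rule, not only fingerprint rules, which the function's own header comment acknowledges as an assumption; a one-line comment at the call site, `/* overwrites p->ip_hop_count on every match; fingerprint rules are expected to carry ttl */`, would make that visible to the next reader.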
@@ -53,6 +53,8 @@ #include #include #include +/* SDR ADDED NEXT LINE */ +#include #include "event.h" #include "decode.h" @@ -237,6 +239,8 @@ void Connect(DatabaseData *); void DatabasePrintUsage(); void FreeSharedDataList(); +/* SDR ADDED NEXT LINE */ +int SelectMultiple ( char *, DatabaseData *, char *, ... ); /******** Global Variables ********************************************/ @@ -246,6 +250,9 @@ static SharedDatabaseDataNode *sharedDataList = NULL; static int instances = 0; +/* SDR ADDED NEXT LINE */ +int OSFingerPrint, ServiceFingerPrint; + /******** Database Specific Extras ************************************/ /* The following is for supporting Microsoft SQL Server */ @@ -317,7 +324,28 @@ SharedDatabaseDataNode *current = NULL; char * escapedSensorName = NULL; char * escapedInterfaceName = NULL; - + /* SDR BEGIN ADD */ + ClassType *fpClass; + int fp_event_cid; + + /* set our fingerprint class ids for quick comparison in future */ + fpClass = ClassTypeLookupByType ( "os-fingerprint" ); + if ( fpClass ) + OSFingerPrint = fpClass->id; + else + ErrorMessage("database: Could not find 'os-fingerprint' classification. " + "Check classification.config.\nAlso, be sure that classification.config " + "is read before the database output plugin in snort.conf\n" ); + + fpClass = ClassTypeLookupByType ( "service-fingerprint" ); + if ( fpClass ) + ServiceFingerPrint = fpClass->id; + else + ErrorMessage("database: Could not find 'service-fingerprint' classification. " + "Check classification.config.\nAlso, be sure that classification.config " + "is read before the database output plugin in snort.conf\n" ); + /* SDR END ADD */ + /* parse the argument list from the rules file */ data = ParseDatabaseArgs(args); 
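Review bot: `OSFingerPrint` and `ServiceFingerPrint` keep their zero-initialised value when ClassTypeLookupByType fails, and because the failure here is only an ErrorMessage the plugin keeps running; the later comparison `event->classification == OSFingerPrint` would then treat any event whose classification id is 0 as an OS-fingerprint event instead of logging it normally. Whether 0 is a valid id for an unclassified event is not visible here, but a sentinel no class can have avoids the question: `static int OSFingerPrint = -1, ServiceFingerPrint = -1;` in the @@ -246 hunk, which also gives them the `static` linkage they should have since nothing outside this file uses them. The two ErrorMessage calls could then also say that fingerprint events will be logged as ordinary alerts.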
@@ -548,6 +576,14 @@ data->shared->sid); event_cid = Select(select_max_sensor_id, data); + /* SDR BEGIN ADD */ + snprintf(select_max_sensor_id, MAX_QUERY_LENGTH, + "SELECT MAX(cid) FROM fpevent WHERE sid = '%u'", data->shared->sid); + fp_event_cid = Select(select_max_sensor_id,data); + + event_cid = ( fp_event_cid > event_cid ) ? fp_event_cid : event_cid; + /* SDR END ADD */ + if ( event_cid > sensor_cid ) { UpdateLastCid(data, data->shared->sid, event_cid); @@ -942,6 +978,11 @@ unsigned int ref_id, class_id=0; ClassType *class_ptr; ReferenceNode *refNode; + /* SDR BEGIN ADD */ + unsigned int tmp_sid, tmp_cid, fp_sid, fp_cid, fp_sig_priority, osfp_flag, port_src; + int smresult; + char fp_time[SMALLBUFFER]; + /* SDR END ADD */ query = NewQueryNode(NULL, 0); root = query; 
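Review bot: `fp_cid` is declared here without an initialiser but is read on every path in the cid-increment hunk at the end of the function (`if ( data->shared->cid != fp_cid )`, the @@ -1653 hunk), while it is only assigned when SelectMultiple filled at least two columns on the fingerprint path; for every ordinary event that comparison reads an indeterminate value, and if it happens to equal `cid` the counter is not incremented and the next event's `REPLACE` statements overwrite this one's rows. Track the state explicitly: `int fp_reused = 0;` here, `fp_reused = 1;` next to `data->shared->cid = fp_cid;`, and `if ( !fp_reused )` in the increment hunk. `fp_time[SMALLBUFFER]` is filled by SelectMultiple through an unbounded `strcpy`; see the note on that hunk.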
@@ -1335,7 +1376,74 @@ } free(sig_name); sig_name = NULL; - + + /* SDR BEGIN ADD */ + + /* Code to handle Fingerprint types */ + tmp_sid = data->shared->sid; + tmp_cid = data->shared->cid; + + /* Check for a fingerprint event type */ + /* A 'switch' won't work here becase OSFingerprint & ServiceFingerPrint aren't static int */ + if ( event->classification == OSFingerPrint || + event->classification == ServiceFingerPrint ) + { + /* it's just too dangerous to rely on the source port as the osfp flag... */ + osfp_flag = ( event->classification == OSFingerPrint ) ? 1 : 0; + port_src = ( event->classification == OSFingerPrint ) ? 0 : + (p->tcph) ? ntohs(p->tcph->th_sport) : + (p->udph) ? ntohs(p->udph->uh_sport) : 0 ; + + select0 = (char *) malloc (MAX_QUERY_LENGTH+1); + snprintf(select0, MAX_QUERY_LENGTH, + "SELECT sid, cid, sig_priority, firstseen FROM fpevent " + "WHERE ip_src = '%lu' AND port_src = '%u' AND osfp_flag = '%u'", + (u_long)ntohl(p->iph->ip_src.s_addr), port_src, osfp_flag ); + smresult = SelectMultiple ( select0, data, "%u,%u,%u,%s", + &fp_sid, &fp_cid, &fp_sig_priority, fp_time ); + free ( select0 ); + + /* only replace the fpevent entry if we have better data */ + if ( smresult == 4 ) + { + if ( event->priority <= fp_sig_priority ) + { + data->shared->sid = fp_sid; + data->shared->cid = fp_cid; + } + /* ignore logging this packet */ + else + { + free (timestamp_string); + FreeQueryNode (root); +#ifdef ENABLE_DB_TRANSACTIONS + CommitTransaction(data); +#endif + /* A Unixodbc bugfix */ +#ifdef ENABLE_ODBC + if(data->shared->cid == 600) + { + data->shared->cid = 601; + } +#endif + return; + } + } /* if smresult is not 4 then we have new entry */ + + snprintf(query->val, MAX_QUERY_LENGTH, + "REPLACE fpevent ( ip_src, port_src, protocol, signature, osfp_flag, sig_priority, " + "sid, cid, firstseen, lastseen, hopcount ) " + "VALUES ( '%lu', '%u', '%s', '%u', '%u', '%u', '%u', '%u', '%s', '%s', '%d' )", + (u_long)ntohl(p->iph->ip_src.s_addr), port_src, + 
(p->tcph) ? "TCP" : "UDP", + sig_id, osfp_flag, event->priority, + data->shared->sid, data->shared->cid, + ( smresult == 4 ) ? fp_time : timestamp_string, + timestamp_string, p->ip_hop_count ); + } + else + { + /* SDR END ADD */ if ( (data->shared->dbtype_id == DB_ORACLE) && (data->DBschema_version >= 105) ) { @@ -1361,6 +1469,9 @@ "VALUES ('%u', '%u', '%u', '%s')", data->shared->sid, data->shared->cid, sig_id, timestamp_string); } + /* BEGIN SDR */ + } + /* END SDR */ free(timestamp_string); timestamp_string = NULL; @@ -1381,7 +1492,7 @@ if(p->ext) { snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) " "VALUES ('%u','%u','%u','%u','%u','%u','%u')", data->shared->sid, @@ -1395,7 +1506,7 @@ else { snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum) " "VALUES ('%u','%u','%u','%u','%u')", data->shared->sid, @@ -1408,7 +1519,7 @@ else { snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "icmphdr (sid, cid, icmp_type, icmp_code) " "VALUES ('%u','%u','%u','%u')", data->shared->sid, @@ -1424,7 +1535,7 @@ if(data->detail) { snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "tcphdr (sid, cid, tcp_sport, tcp_dport, " " tcp_seq, tcp_ack, tcp_off, tcp_res, " " tcp_flags, tcp_win, tcp_csum, tcp_urp) " @@ -1445,7 +1556,7 @@ else { snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) " "VALUES ('%u','%u','%u','%u','%u')", data->shared->sid, 
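Review bot: The fingerprint branch dereferences `p->iph->ip_src.s_addr` without a check on `p->iph`, and labels the protocol as `"UDP"` for any packet that is not TCP, so an ICMP-triggered event in an `os-fingerprint` class would be stored as UDP with port 0. Unless the caller guarantees an IP packet at this point (the start of this function is outside the hunk), skip the fingerprint path when `p->iph` is NULL, and derive the column from `p->iph->ip_proto` rather than a two-way ternary. `select0 = (char *) malloc (MAX_QUERY_LENGTH+1);` is not checked before `snprintf` writes into it. The early `return` on the "ignore logging" path re-implements the commit and ODBC cid workaround inline; if the function's normal exit performs the same steps, a `goto` to that exit keeps the two from drifting.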
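Review bot: Changing `INSERT INTO` to `REPLACE` in the icmphdr and tcphdr query text here, and in the opt/udphdr/iphdr/data hunks that follow (@@ -1471 through @@ -1617), makes every logging statement MySQL-only: `REPLACE` is a MySQL extension, and this file still builds PostgreSQL, ODBC, Oracle and MSSQL paths from the same strings, so those backends would fail on every event. Choose the verb by backend, e.g. `const char *insert_verb = (data->shared->dbtype_id == DB_MYSQL) ? "REPLACE " : "INSERT INTO ";` with `"%s"` at the head of each format, or keep `INSERT INTO` and delete the old rows explicitly when an fpevent entry is reused. `REPLACE` also deletes and re-inserts, so a reused sid/cid silently discards the earlier event's header and payload rows; that is worth a comment at the first use.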
@@ -1471,7 +1582,7 @@ packet_data = base64(p->tcp_options[i].data, p->tcp_options[i].len); } snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) " "VALUES ('%u','%u','%u','%u','%u','%u','%s')", data->shared->sid, @@ -1492,7 +1603,7 @@ if(data->detail) { snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) " "VALUES ('%u', '%u', '%u', '%u', '%u', '%u')", data->shared->sid, @@ -1505,7 +1616,7 @@ else { snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "udphdr (sid, cid, udp_sport, udp_dport) " "VALUES ('%u', '%u', '%u', '%u')", data->shared->sid, @@ -1524,7 +1635,7 @@ if(data->detail) { snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, " " ip_tos, ip_len, ip_id, ip_flags, ip_off," " ip_ttl, ip_proto, ip_csum) " @@ -1548,7 +1659,7 @@ { snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "iphdr (sid, cid, ip_src, ip_dst, ip_proto) " "VALUES ('%u','%u','%lu','%lu','%u')", data->shared->sid, @@ -1576,7 +1687,7 @@ } snprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) " "VALUES ('%u','%u','%u','%u','%u','%u','%s')", data->shared->sid, @@ -1617,7 +1728,7 @@ packet_data = snort_escape_string(packet_data_not_escaped, data); snprintf(query->val, (p->dsize * 2) + MAX_QUERY_LENGTH - 3, - "INSERT INTO " + "REPLACE " /* SDR MODIFIED */ "data (sid,cid,data_payload) " "VALUES ('%u','%u','%s", data->shared->sid, 
@@ -1653,7 +1764,19 @@ root = NULL; /* Increment the cid*/ - data->shared->cid++; + /* SDR BEGIN MODIFY */ + if ( data->shared->cid != fp_cid ) + { + data->shared->cid++; + data->shared->sid = tmp_sid; + } + else + { + data->shared->cid = tmp_cid; + data->shared->sid = tmp_sid; + } + /* SDR END MODIFY */ + #ifdef ENABLE_DB_TRANSACTIONS if ( ok_transaction ) 
@@ -2863,3 +2986,132 @@
 return(0);
 }
 #endif
+
+/* SDR BEGIN ADD */
+
+/*******************************************************************************
+ *
+ * Function: SelectMultiple(char * query, DatabaseData * data, char *format, ... )
+ *
+ * Purpose: MySQL function for SQL selects that can return an arbitrary number of
+ * columns and data types. Similar to printf/scanf.
+ *
+ * Arguments: query - the sql statement to execute
+ * data - pointer to the current database data struct for this sql connection
+ * format - character array akin to printf/scanf with the number and types of
+ * columns to return
+ * %s - returns a character string. Corresponding argument must be
+ * pre-allocated to sufficient length. Otherwise bad things happen
+ * (just like printf/scanf!)
+ * %d,%u - returns a integer. Corresponding argument must be preallocated
+ * to sufficient size.
+ * Example:
+ * char String1[25];
+ * int Number1, Number2;
+ *
+ * SelectMultiple ( SqlString, CurrentDB, "%s,%d,%u", String1, &Number1, &Number2 );
+ *
+ * In this case, SelectMultiple will execute SqlString, based on CurrentDB, and
+ * attempt to parse three values and place them in String1, Number1 and Number2.
+ *
+ * Returns: Number of columns (values) successfully processed. (In the above example -- 3.)
+ *
+ ******************************************************************************/
+int SelectMultiple(char * query, DatabaseData * data, char *format, ... )
+{
+ va_list argv;
+ int argc = 0, result = 0;
+ char *p;
+
+#ifdef ENABLE_POSTGRESQL
+/* Not implemented */
+#endif
+
+#ifdef ENABLE_MYSQL
+ if(data->shared->dbtype_id == DB_MYSQL)
+ {
+ if(mysql_query(data->m_sock,query))
+ {
+ result = 0;
+ }
+ else
+ {
+ if(!(data->m_result = mysql_use_result(data->m_sock)))
+ {
+ result = 0;
+ }
+ else
+ {
+ if((data->m_row = mysql_fetch_row(data->m_result)))
+ {
+ /* calculate number of expected arguments */
+ p = format;
+ while ( p ) {
+ if ( *p == '%' ) argc++;
+ p++;
+ }
+ va_start ( argv, argc );
+
+ /* now convert them based on type */
+ while ( *format ) {
+ while ( *format && *format != '%' ) format++;
+ if ( *format && *(format+1) && data->m_row[result] != NULL ) {
+ format++;
+ switch ( *format ) {
+ case 'u':
+ case 'd':
+ *(va_arg(argv, int *)) = atoi(data->m_row[result]);
+ result++;
+ break;
+ case 's':
+ strcpy ( va_arg(argv, char *), data->m_row[result] );
+ result++;
+ break;
+ default:
+ /* unrecognized format character */
+ break;
+ } /* end of switch */
+ } /* end of if */
+ }
+ va_end ( argv );
+ }
+ }
+ mysql_free_result(data->m_result);
+ }
+ if(!result)
+ {
+ if(mysql_errno(data->m_sock))
+ {
+ ErrorMessage("database: mysql_error: %s\n", mysql_error(data->m_sock));
+ }
+ }
+ }
+#endif
+
+#ifdef ENABLE_ODBC
+/* Not implemented */
+#endif
+
+#ifdef ENABLE_ORACLE
+/* Not implemented */
+#endif
+
+#ifdef ENABLE_MSSQL
+/* Not implemented */
+#endif
+
+#ifdef DEBUG
+ if(result)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): (%s) returned %u\n", query, result););
+ }
+ else
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): (%s) failed\n", query););
+ }
+#endif
+
+ return result;
+}
+
+/* SDR END ADD */
diff -Naur snort-2.3.0RC1/src/plugbase.c snort-2.3.0RC1fp/src/plugbase.c
--- snort-2.3.0RC1/src/plugbase.c Tue Nov 2 15:07:18 2004
+++ snort-2.3.0RC1fp/src/plugbase.c Mon Jan 24 13:46:44 2005
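Review bot: `va_start ( argv, argc )` anchors the variadic list on a local instead of the last named parameter `format`, and the preceding `while ( p )` loop tests the pointer rather than `*p`, so it walks past the terminating NUL of the format string; both are undefined behaviour, and because `argc` is used nowhere else the counting loop (and the `p`/`argc` locals declared above) can simply go. The conversion loop also never terminates when a column is SQL NULL or the format ends in a lone `%`, because the inner `while` does not advance past a `%` and the `if` then keeps failing on the same character, and `result` is never compared with `mysql_num_fields()`, so a format with more conversions than the row has columns reads beyond `m_row`. `%s` is an unbounded `strcpy` of database content into a caller-supplied buffer; the rewrite below accepts a scanf-style width (`%25s`) and uses `snprintf` when one is given, but plain `%s` stays unbounded for compatibility, so existing callers should be migrated to a width. `atoi` is replaced by `strtol` so that a non-numeric column is not silently read as 0 with no way to tell. The MySQL error branches, `mysql_free_result`, the `DEBUG` block and the return are unchanged.
```c
if((data->m_row = mysql_fetch_row(data->m_result)))
{
    unsigned int ncols = mysql_num_fields(data->m_result);
    size_t width;

    va_start ( argv, format );   /* anchor on the last named parameter */

    /* now convert them based on type */
    while ( *format && (unsigned int) result < ncols ) {
        while ( *format && *format != '%' ) format++;
        if ( !*format || !*(format+1) )
            break;                /* end of format, or a lone trailing '%' */
        if ( data->m_row[result] == NULL )
            break;                /* SQL NULL: stop instead of re-reading this '%' forever */
        format++;

        /* optional scanf-style width: "%25s" copies at most 24 chars plus the NUL */
        width = 0;
        while ( *format >= '0' && *format <= '9' ) {
            width = width * 10 + (size_t) (*format - '0');
            format++;
        }

        switch ( *format ) {
            case 'u':
            case 'd':
                *(va_arg(argv, int *)) = (int) strtol(data->m_row[result], NULL, 10);
                result++;
                break;
            case 's':
                if ( width > 0 )
                    snprintf( va_arg(argv, char *), width, "%s", data->m_row[result] );
                else
                    strcpy ( va_arg(argv, char *), data->m_row[result] );  /* still unbounded; see note */
                result++;
                break;
            default:
                /* unrecognized format character */
                break;
        } /* end of switch */
    }
    va_end ( argv );
}
/* … unchanged: mysql_free_result, error reporting, DEBUG block, return result … */
```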
@@ -90,6 +90,11 @@
 #include "detection-plugins/sp_pcre.h"
 #include "detection-plugins/sp_flowbits.h"
 #include "detection-plugins/sp_asn1.h"
+/* SDR BEGIN ADD */
+#include "detection-plugins/sp_tcp_option_check.h"
+#include "detection-plugins/sp_tcp_quirks_check.h"
+#include "detection-plugins/sp_ip_length_check.h"
+/* SDR END ADD */
 #ifdef ENABLE_RESPONSE
 #include "detection-plugins/sp_react.h"
 #include "detection-plugins/sp_respond.h"
@@ -156,6 +161,11 @@
 SetupPcre();
 SetupFlowBits();
 SetupAsn1();
+ /* SDR BEGIN ADD */
+ SetupTcpOptionCheck();
+ SetupTcpQuirksCheck();
+ SetupIpLengthCheck();
+ /* SDR END ADD */
 #ifdef ENABLE_RESPONSE
 SetupReact();
 SetupRespond();
@@ -1502,3 +1512,117 @@
 }
 return ptr;
 }
+
+/* SDR BEGIN ADD -- WAS STILL IN 2.0.4 */
+/****************************************************************************
+ *
+ * Function: TCPOptionValue(Options *o)
+ *
+ * Purpose: To return a string representing the value of an TCP option
+ *
+ * Arguments: An Options struct.
+ *
+ * Returns: char * -- You must free this char * when you are done with it.
+ *
+ ***************************************************************************/
+char *TCPOptionValue(Options *o)
+{
+ char * rval;
+ char * rvalptr;
+ u_char tmp[5];
+ int x;
+
+ rval = (char *)malloc(SMALLBUFFER);
+ rvalptr = rval;
+
+ switch(o->code)
+ {
+ case TCPOPT_MAXSEG:
+ bzero((char *)tmp, 5);
+ strncpy((char*)tmp, (char*)(o->data), 2);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_16BITS(tmp));
+ break;
+
+ case TCPOPT_EOL:
+ rval[0] = '\0';
+ break;
+
+ case TCPOPT_NOP:
+ rval[0] = '\0';
+ break;
+
+ case TCPOPT_WSCALE:
+ snprintf(rval, SMALLBUFFER, "%u", o->data[0]);
+ break;
+
+ case TCPOPT_SACK:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 2);
+ snprintf(rval, SMALLBUFFER, "%u@", EXTRACT_16BITS(tmp));
+ x = strlen(rval);
+ rvalptr += x;
+ bzero((char *)tmp, 5);
+ memcpy(tmp, (o->data)+2, 2);
+ snprintf(rvalptr, SMALLBUFFER - x, "%u", EXTRACT_16BITS(tmp));
+ break;
+
+ case TCPOPT_SACKOK:
+ rval[0] = '\0';
+ break;
+
+ case TCPOPT_ECHO:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ case TCPOPT_ECHOREPLY:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ case TCPOPT_TIMESTAMP:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u ", EXTRACT_32BITS(tmp));
+ rvalptr += strlen(rval);
+ bzero((char *)tmp, 5);
+ memcpy(tmp, (o->data)+4, 4);
+ snprintf(rvalptr, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ case TCPOPT_CC:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ case TCPOPT_CCNEW:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ case TCPOPT_CCECHO:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ default:
+ rval[0] = '\0';
+ if(o->len > 2)
+ {
+ for(x = 0; x < (int) (o->len-2); x+=2)
+ {
+ snprintf(tmp, 5, "%02X%02X ", o->data[x], o->data[x+1]);
+ if(strlen(rval) < SMALLBUFFER - 5);
+ strncat(rval, tmp, SMALLBUFFER - strlen(rval));
+ }
+ }
+ break;
+ }
+ return rval;
+}
+/* SDR END ADD */
diff -Naur snort-2.3.0RC1/src/plugin_enum.h snort-2.3.0RC1fp/src/plugin_enum.h
--- snort-2.3.0RC1/src/plugin_enum.h Mon Oct 20 09:03:22 2003
+++ snort-2.3.0RC1fp/src/plugin_enum.h Mon Jan 24 13:46:44 2005
@@ -34,4 +34,9 @@
 PLUGIN_TTL_CHECK,
 PLUGIN_BYTE_TEST,
 PLUGIN_PCRE,
+/* BEGIN ADD SDR */
+ PLUGIN_IP_LENGTH_CHECK,
+ PLUGIN_TCP_OPTION_CHECK,
+ PLUGIN_TCP_QUIRKS_CHECK,
+/* END ADD SDR */
 };
diff -Naur snort-2.3.0RC1/src/util.c snort-2.3.0RC1fp/src/util.c
--- snort-2.3.0RC1/src/util.c Thu Nov 18 10:13:42 2004
+++ snort-2.3.0RC1fp/src/util.c Mon Jan 24 13:52:57 2005
@@ -263,8 +263,10 @@
 ****************************************************************************/
 int DisplayBanner()
 {
+
+ /* SDR ADDED (fp)... just so you know which version you are running */
 fprintf(stderr, "\n"
- " ,,_ -*> Snort! <*-\n"
+ " ,,_ -*> Snort!(fp) <*-\n"
 " o\" )~ Version %s (Build %s)\n"
 " '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html\n"
 " (C) Copyright 1998-2004 Sourcefire Inc, et al.\n"
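Review bot: TCPOptionValue copies a fixed number of octets out of `o->data` — 2 for MAXSEG, 4 for SACK, 4 for ECHO/ECHOREPLY/CC/CCNEW/CCECHO, 8 for TIMESTAMP — without ever consulting `o->len`, so a packet carrying a truncated option is read past the end of the option unless the decoder validates the wire length upstream (which this hunk does not show), and the `default` branch's `o->data[x+1]` steps one octet past the end for odd-length options; each branch needs a guard such as `if(o->len < 10) break;` for TIMESTAMP, assuming `len` counts the kind and length octets as the existing `o->len-2` arithmetic implies. In the same body `malloc(SMALLBUFFER)` is unchecked, MAXSEG copies binary data with `strncpy` and so yields 0 whenever the high octet is 0x00, the second TIMESTAMP `snprintf` is bounded by the full `SMALLBUFFER` instead of the space remaining (the SACK branch gets this right with `SMALLBUFFER - x`), and in `default` the stray `;` after `if(strlen(rval) < SMALLBUFFER - 5)` makes that guard a no-op while `strncat(rval, tmp, SMALLBUFFER - strlen(rval))` leaves no room for the terminator. `snprintf(tmp, 5, "%02X%02X ", …)` also always truncates its trailing space into a 5-byte buffer, which may or may not be intended and is left as is. The rewrite below adds the checks and keeps the output format otherwise identical; the unchanged cases are elided.
```c
char *TCPOptionValue(Options *o)
{
    /* … unchanged: rval, rvalptr, tmp, x declarations … */
    size_t used;

    rval = (char *)malloc(SMALLBUFFER);
    if(rval == NULL)
        return NULL;               /* caller already has to free(); let it see the failure */
    rval[0] = '\0';                /* every early break below returns an empty string, not garbage */
    rvalptr = rval;

    switch(o->code)
    {
        case TCPOPT_MAXSEG:
            if(o->len < 4)         /* kind + len + 2 data octets */
                break;
            bzero((char *)tmp, 5);
            memcpy(tmp, o->data, 2);   /* binary data: strncpy stops at a 0x00 octet */
            snprintf(rval, SMALLBUFFER, "%u", EXTRACT_16BITS(tmp));
            break;

        /* … unchanged: EOL, NOP, WSCALE, SACK, SACKOK, ECHO, ECHOREPLY, CC, CCNEW, CCECHO,
           each preceded by the same o->len guard for the octets it reads … */

        case TCPOPT_TIMESTAMP:
            if(o->len < 10)        /* kind + len + two 4-octet values */
                break;
            bzero((char *)tmp, 5);
            memcpy(tmp, o->data, 4);
            snprintf(rval, SMALLBUFFER, "%u ", EXTRACT_32BITS(tmp));
            used = strlen(rval);
            bzero((char *)tmp, 5);
            memcpy(tmp, (o->data)+4, 4);
            snprintf(rval + used, SMALLBUFFER - used, "%u", EXTRACT_32BITS(tmp));
            break;

        default:
            if(o->len > 2)
            {
                /* x+1 must also be inside the data, otherwise an odd-length option reads one octet past it */
                for(x = 0; x + 1 < (int) (o->len-2); x+=2)
                {
                    snprintf((char *)tmp, 5, "%02X%02X ", o->data[x], o->data[x+1]);
                    used = strlen(rval);
                    if(used >= SMALLBUFFER - 1)
                        break;     /* no room left; stop instead of writing past rval */
                    strncat(rval, (char *)tmp, SMALLBUFFER - used - 1);
                }
            }
            break;
    }
    return rval;
}
```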