diff -Naur snort-2.3.0RC1/doc/README.fp snort-2.3.0RC1fp/doc/README.fp --- snort-2.3.0RC1/doc/README.fp Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/doc/README.fp Mon Jan 24 13:46:43 2005 
@@ -0,0 +1,173 @@ +Snort!(fp): Real-Time Passive Network Fingerprinting with Snort! + +------------ +Introduction +------------ + +Snort!(fp) extends the capability of the Snort! intrusion detection +open-source product to include OS and network daemon fingerprinting. + +Thus, with a properly configure Snort! environment (including the fp +extension), you would be able to determine, given an IDS alert: +(1) What operating system the (alert) source/destination system is running +(2) What network services/daemons the (alert) source/destination +system is running + +Example (1): +An IDS alert indicates a DCOM vulnerability (known to only affect +Windows System). Is the destination system running a Windows operating +system? Snort!(fp) will tell you! + +Example (2): +An IDS alert indicates a MS-SQL worm propogating on your network. Are the destination systems running MS-SQL? Snort!(fp) will tell you! + +Example (3): +What new systems have appeared on my network? What OSes are they +running? What services are they offering? Snort!(fp) will tell you! + +Example (4): +Are any of my old systems offering new network services that they +shouldn't be? Perhaps a backdoor of some kind? Snort!(fp) will tell you! + +------------ +Architecture +------------ + +Snort!(fp) is based on the following tools: + +IDS: Snort! (needs to be patched before building) +DB: MySQL (no modifications except to tables) +HTTPD: Apache (no modifications needed) +Interface: ACID (needs to be patched to support fingerprinting) +OS Fingerprinting: p0f (the 'p2s' utility converts to Snort!syntax) +Service Fingerprinting: native Snort! rules + +Both Snort!and ACID have been extended to support fingerprinting functions. The ACID database schema has also been modified to support fingerprinting. + +Snort! Modifications: + +The following Snort!syntax has been modified/added to support OS fingerprinting. With the addition of this syntax, p0f rules can be identically replicated in Snort! 
+ +window:[%,S,T]value; Added modulus, "S" and "T" p0f window functions. +ttl:[<,>,=,<=,>=]value; Modified TTL to support <= and >= operators. +length:[>,<,=]value; Added tests for actual packet length (as compared to dsize). +tcpopts Added TCP options test. Multiple options separated by comma. +tcpopts:nop; NOP. +tcpopts:eol; EOL. +tcpopts:ws[=,%]value; Window Scale +tcpopts:mss[=,%]value; Maximum Segment Size +tcpopts:sack; Selective ACK +tcpopts:time[!,=]value; Timestamp +tcpopts:number=value; Generic TCP option number equals value. +quirks TCP Quirks checks (from p0f) +quirks:opeol; TCP options past EOL. +quirks:nzup; Non-zero urgent pointer. +quirks:nzuf; Non-zero unused (reserved) TCP flags +quirks:oddflags; Unususal TCP flags set. +quirks:extra; Extra TCP payload data. +quirks:broken; Broken TCP options. +quirks:seqack; Sequence number equals acknowledgement number. +quirks:rsttext; Text (payload data) found in RST packet. + +Additional modifications have been made in Snort! to support fingerprinting, especially within the database logging routines. These modifications had to be made to separate traditional alerts from fingerprint log information. + +Snort.conf and classification.config have also been modified. Most notably, an service-fingerprint and os-fingerprint classification type have been added. To increase efficiency, classification.config is now read earlier in snort.conf such that the database output plugin is aware of the fingerprinting data type. (This prevents a classification lookup for every packet logged.) + +Database Schema: + +The MySQL database schema (other DB's not yet supported) has been modified to support fingerprinting. Most notably, the addition of the "fpevent" table was created to separate standard alert events (originally and still in the "event" table) from fingerprint alerts. 
The fpevent table (and corresponding Snort!database routine functions) have been modified to store only the first and last fingerprint entries for a given IP and port number (OS fingerprints are identified by port 0). It is too impractical to store every fingerprint event. However, given the first and last timestamps, we can answer important questions such as "What new services have appeared on my network in the last 24 hours?" + +Additionally, generic fingerprint events are never replaced by existing specific fingerprint events. The standard Snort! "priority" field is used to identify more specific fingerprint descriptions. For example, a previously identified "specific" Apache Web Server should not be replaced by a "generic" TCP service fingerprint on port 80. Similar to Snort!alert syntax, a lower priority is considered a more specific fingerprint. + +ACID Modifications: + +Two major modifications have been added to ACID. First, the IP query (acid_stat_ipaddr) screen has been modified to include any fingerprints assocatied with the queried address. Second, a "Network Fingerprints" (acid_stat_fingerprints) query has been added to display a list of all fingerprints. Fingerprints can be sorted by address, port, signature, first seen (time), last seen (time), and service description. + +------------ +Installation +------------ + +These are general installation directions. The reader is assumed to +have knowledge of integrating ACID, MYSQL, Apache and Snort! + +1. Download, build and install MYSQL database (www.mysql.com) + +2. Download, build and install Apache httpd (www.apache.org) + +3. Snort! IDS + +3.1 Download the Snort! 2.1.2 source code (www.Snort.org) +3.2 Apply the 2.1.2fp patch + + $ cd snort-2.1.2 + $ patch -Np1 < snort-2.1.2fp.patch + +3.3 Build Snort! 
with MYSQL DB support enabled + + $ configure --with-mysql[=/mysql/directory/path] + $ make + + Warning(s) that can be safely ignored: + + spo_database.c:2417: warning: second parameter of `va_start' + not last named argument + + # make install + +4. Update MYSQL Schema + + Replace (as in destroy all previous data) MySQL database to support + fingerprinting. + YES, THIS WILL DESTROY ANY OLD DATA, so backup appropriately. + + $ mysql -u root -p < ./contrib/create_mysql_fp + +5. ACID + +5.1 Download, build and install ACID (http://www.andrew.cmu.edu/~rdanyliw/Snort/Snortacid.html, also available in ./contrib directory) + +5.2 Apply the acid-0.9.6b23fp.patch directly in your htdocs/acid directory (patch available in ./contrib directory) + + # cd /usr/local/apache2/htdocs/acid + # patch -Np1 < acid-0.9.6b23fp.patch + +6. Configure snort.conf for MYSQL database support -- be sure to use +the patched snort.conf and classification.conf files + +7. Copy osfp-syn.rules and servicefp.rules from the 2.1.2 patched +directory to your Snort! rules directory. + +8. Start your HTTPD, MYSQL, and Snort! daemons + +9. Browse ACID -- See the "Network Fingerprints" links on main page. + +--- +p2s +--- + +p2s is a conversion utility to convert p0f files to Snort! rules. +See ./contrib/p2s-2.1.tar.gz for more info, including source and README.p2s + +-------------- +TODO/NEED HELP +-------------- + +(1) Complete testing of the p0f Snort! signatures. See README.p2s in the +gzipped archive for testing status. +(2) Test on other platforms. Successfully tested on Red Hat Linux 8.0. +(3) Write DB routines in spo_database.c to support other databases. +Presently, only MYSQL supported. +(4) Write more OS and service signatures! + +------------ +Bugs/Support +------------ + +If you'd like to report a bug or contribute in another way to the Snort!(fp) project, +please contact me directly at sdreed@verizon.net. + +On-On! 
+ + + + diff -Naur snort-2.3.0RC1/etc/classification.config snort-2.3.0RC1fp/etc/classification.config --- snort-2.3.0RC1/etc/classification.config Mon Oct 20 09:03:03 2003 +++ snort-2.3.0RC1fp/etc/classification.config Mon Jan 24 13:46:43 2005 @@ -41,6 +41,10 @@ config classification: attempted-admin,Attempted Administrator Privilege Gain,1 config classification: successful-admin,Successful Administrator Privilege Gain,1 +# BEGIN ADD SDR +config classification: os-fingerprint,OS Fingerprint,3 +config classification: service-fingerprint,Service Fingerprint,3 +# END ADD SDR # NEW CLASSIFICATIONS config classification: rpc-portmap-decode,Decode of an RPC Query,2 diff -Naur snort-2.3.0RC1/etc/snort.conf snort-2.3.0RC1fp/etc/snort.conf --- snort-2.3.0RC1/etc/snort.conf Thu Nov 18 10:22:09 2004 +++ snort-2.3.0RC1fp/etc/snort.conf Mon Jan 24 13:46:43 2005 @@ -485,6 +485,20 @@ # # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 +# SDR: We need to move classification.config before the output plugins so that +# the database plugin can be initialized correctly for fingerprinting +# +# Include classification & priority settings +# + +include classification.config + +# +# Include reference systems +# + +include reference.config + #################################################################### # Step #3: Configure output plugins # @@ -518,6 +532,8 @@ # See the README.database file for more information about configuring # and using this plugin. # +# SDR: Be sure to enable the mysql output plugin for fingerprinting! +output database: log, mysql, user=[username] password=[password] dbname=snort host=[hostname] # output database: log, mysql, user=root password=test dbname=db host=localhost # output database: alert, postgresql, user=snort dbname=snort # output database: log, odbc, user=snort dbname=snort 
@@ -574,16 +590,6 @@ # such as: c:\snort\etc\classification.config # -include classification.config - -# -# Include reference systems -# Note for Windows users: You are advised to make this an absolute path, -# such as: c:\snort\etc\reference.config -# - -include reference.config - #################################################################### # Step #4: Customize your rule set # @@ -682,6 +688,12 @@ # include $RULE_PATH/multimedia.rules # include $RULE_PATH/p2p.rules include $RULE_PATH/experimental.rules + +# SDR: We don't want fingerprinting to interfere with IDS functionality, so +# we put the fingerprinting rules last. Of course, we could also disable all other rules +# and configure just a fingerprinting engine... +include $RULE_PATH/servicefp.rules +include $RULE_PATH/osfp-syn.rules # Include any thresholding or suppression commands. See threshold.conf in the # /etc directory for details. Commands don't necessarily need to be diff -Naur snort-2.3.0RC1/rules/osfp-rst.rules snort-2.3.0RC1fp/rules/osfp-rst.rules --- snort-2.3.0RC1/rules/osfp-rst.rules Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/rules/osfp-rst.rules Mon Jan 24 13:46:43 2005 
@@ -0,0 +1,55 @@ +# p2s: p0f to Snort rule conversion utility +# (c) Copyright 2004, Stephen D. Reed +# +# Options used to generate this file: +# Input Type: [RST] +# Initial Sid: [210000] +# Revision: [1] +# Source Net: [$HOME_NET] +# Dest Net: [any] +# Generic Rules: [included] + +log tcp $HOME_NET any -> any any ( msg:"Linux-2.0/2.2 (refused)"; length:40; fragbits:!D; ttl:<=255; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210001; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 (refused)"; length:40; fragbits:D; ttl:<=64; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210002; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-recent 2.4 (refused)"; length:40; id:0; fragbits:D; ttl:<=64; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210003; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (refused)"; length:40; fragbits:!D; ttl:<=128; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210004; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing (refused) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=128; seq:0; ack:!=0; flags:RA+; window:0; quirks:nzup; classtype:os-fingerprint; priority:4; sid:210005; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 (dropped)"; length:40; fragbits:D; ttl:<=64; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210006; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.0/2.2 or IOS 12.x (dropped)"; length:40; fragbits:!D; ttl:<=255; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210007; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-recent 2.4 (dropped)"; length:40; id:0; fragbits:D; ttl:<=64; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210008; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-early 2.4 (dropped)"; length:40; id:0; fragbits:D; ttl:<=255; 
flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210009; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Xylan-OmniSwitch / Linksys WAP11 AP (dropped)"; length:40; fragbits:!D; ttl:<=32; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210010; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetIron-load balancer (dropped)"; length:40; fragbits:D; ttl:<=64; flags:R; window:0; quirks:nzup; classtype:os-fingerprint; priority:4; sid:210011; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (dropped 2)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; quirks:seqack; classtype:os-fingerprint; priority:4; sid:210012; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing (1) (dropped 2) (User Stack/Scanner)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210013; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing (2) (dropped 2) (User Stack/Scanner)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; quirks:seqack,nzup; classtype:os-fingerprint; priority:4; sid:210014; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing a lot (dropped 2) (User Stack/Scanner)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; quirks:nzup; classtype:os-fingerprint; priority:4; sid:210015; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (?) 
(dropped) (Generic)"; length:40; fragbits:D; ttl:<=128; flags:R; window:0; classtype:os-fingerprint; priority:5; sid:210016; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Ascend-TAOS or BayTech (dropped 2)"; length:40; fragbits:!D; ttl:<=64; ack:!=0; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210017; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Cisco-LocalDirector (dropped 2)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:R; quirks:seqack; classtype:os-fingerprint; priority:4; sid:210018; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-9.x 'No TCP/No listener' (seldom SunOS 5.x) (dropped)"; length:58; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210019; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-8.5 'no tcp, reset' (dropped)"; length:53; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210020; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-X 'tcp_close, during connect' (dropped)"; length:65; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210021; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-X 'tcp_disconnect' (dropped)"; length:54; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210022; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"HP/UX-? 
'tcp_fin_wait_2_timeout' (dropped)"; length:62; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210023; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-8.5 'tcp_disconnect' (dropped)"; length:54; fragbits:D; ttl:<=255; flags:R; window:32768; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210024; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Unknown- 'Go away' device (dropped) (Generic)"; length:63; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:5; sid:210025; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SunOS-5.x 'new data when detached' (1) (dropped)"; length:62; fragbits:!D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210026; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SunOS-5.x 'new data when detached' (2) (dropped)"; length:62; fragbits:D; ttl:<=255; flags:R; window:32768; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210027; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SunOS-5.x 'tcp_lift_anchor, can't wait' (dropped)"; length:67; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210028; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"HP/UX-11.00 'No TCP' (dropped)"; length:46; fragbits:!D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210029; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Solaris-2.x 'tcp_disconnect' (dropped, lame)"; length:58; fragbits:D; ttl:<=255; ack:!=0; flags:RA+; window:S12; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210030; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"AOL-proxy (dropped, lame)"; length:40; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; window:S43; classtype:os-fingerprint; priority:4; sid:210031; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 (dropped, lame)"; length:40; fragbits:D; ttl:<=64; ack:!=0; 
flags:RA+; classtype:os-fingerprint; priority:4; sid:210032; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (?) (dropped, lame)"; length:52; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; tcpopts:nop,nop,time; classtype:os-fingerprint; priority:4; sid:210033; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"3Com-SuperStack II (dropped, lame)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:RA+; window:0; quirks:oddflags; classtype:os-fingerprint; priority:4; sid:210034; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Intel-Netport print server (dropped, lame)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:RA+; classtype:os-fingerprint; priority:4; sid:210035; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linksys-BEF router (dropped, lame)"; length:40; fragbits:!D; ttl:<=150; ack:!=0; flags:RA+; classtype:os-fingerprint; priority:4; sid:210036; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetWare-??? 'ehnc' (dropped, lame) (Generic)"; length:44; id:0; fragbits:!D; ttl:<=32; flags:RA+; quirks:rsttext; classtype:os-fingerprint; priority:5; sid:210037; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"BayTech-RPC-3 telnet host (dropped, lame)"; length:40; fragbits:!D; ttl:<=64; seq:0; flags:RA+; window:0; quirks:seqack; classtype:os-fingerprint; priority:4; sid:210038; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Cisco-IOS/PIX NAT + data (1) (dropped, lame)"; length:>100; fragbits:!D; ttl:<=255; ack:!=0; flags:RA+; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210039; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a + data (dropped)"; length:>100; fragbits:!D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210040; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Isolation-Infocrypt accelerator + data (dropped, lame)"; length:>100; fragbits:!D; ttl:<=255; seq:0; ack:!=0; flags:RA+; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210041; rev:1; 
) +log tcp $HOME_NET any -> any any ( msg:"Cisco-IOS/PIX NAT + data (2) (dropped)"; length:>100; fragbits:!D; ttl:<=255; ack:!=0; flags:R; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210042; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (?) + data (dropped, lame)"; length:>100; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; tcpopts:nop,nop,time; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210043; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 + data (dropped, lame)"; length:>100; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210044; rev:1; ) diff -Naur snort-2.3.0RC1/rules/osfp-syn.rules snort-2.3.0RC1fp/rules/osfp-syn.rules --- snort-2.3.0RC1/rules/osfp-syn.rules Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/rules/osfp-syn.rules Mon Jan 24 13:46:43 2005 
@@ -0,0 +1,206 @@ +# p2s: p0f to Snort rule conversion utility +# (c) Copyright 2004, Stephen D. Reed +# +# Options used to generate this file: +# Input Type: [SYN] +# Initial Sid: [200000] +# Revision: [1] +# Source Net: [$HOME_NET] +# Dest Net: [any] +# Generic Rules: [included] + +log tcp $HOME_NET any -> any any ( msg:"AIX-4.3"; length:44; fragbits:!D; ttl:<=64; flags:S; window:45046; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200001; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.2 and earlier"; length:44; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200002; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (1)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200003; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (2)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:32768; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200004; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (3)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200005; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"AIX-5.3 ML1"; length:64; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200006; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (1)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:512; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200007; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (2)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200008; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (MkLinux) on Mac (1)"; length:44; 
fragbits:!D; ttl:<=64; flags:S; window:2; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200009; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (MkLinux) on Mac (2)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:64; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200010; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (Google crawlbot)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1360,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200011; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (big boy)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S2; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200012; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4.18 and newer"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200013; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4/2.6"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200014; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.5 (sometimes 2.4) (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200015; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.5/2.6 (sometimes 2.4) (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200016; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.2.20 and newer"; length:60; fragbits:D; ttl:<=64; flags:S; window:S20; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200017; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200018; 
rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S11; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200019; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 in cluster"; length:48; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1460,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200020; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (late, uncommon)"; length:60; fragbits:D; ttl:<=64; flags:S; window:T4; tcpopts:mss=1412,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200021; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (local)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss=16396,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200022; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (local)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S8; tcpopts:mss=3884,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200023; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (Opera?) (User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200024; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (Opera?) 
(User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200025; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 w/o timestamps"; length:52; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,nop,nop,sack,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200026; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 w/o timestamps"; length:52; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss,nop,nop,sack,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200027; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-2.0-4.1"; length:44; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200028; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.4 (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200029; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.4 (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:1024; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200030; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.6-4.8 (no RFC1323)"; length:44; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200031; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.6-4.8"; length:60; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200032; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8-5.1 (or MacOS X 10.2-10.3)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200033; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.7-5.1 (or MacOS X 10.2-10.3) (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; 
tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200034; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.7-5.1 (or MacOS X 10.2-10.3) (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200035; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (1)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200036; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (2)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200037; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (3)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200038; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.3"; length:60; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200039; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6 (Opera) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200040; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200041; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6W-current (DF)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200042; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6X (DF)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; 
tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200043; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4"; length:64; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200044; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.3-3.4"; length:64; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200045; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4 (scrub)"; length:64; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200046; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4 (Opera) (User Stack/Scanner)"; length:64; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200047; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (RFC1323 on)"; length:64; fragbits:D; ttl:<=64; flags:S; window:S17; tcpopts:nop,ws=3,nop,nop,time=0,nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200048; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (1)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S17; tcpopts:nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200049; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Solaris-2.5 to 7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S17; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200050; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Solaris-2.6/7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S6; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200051; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (2)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:nop,nop,sack,mss; classtype:os-fingerprint; priority:4; 
sid:200052; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Solaris-9"; length:48; fragbits:D; ttl:<=64; flags:S; window:S34; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200053; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Solaris-7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S44; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200054; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SunOS-4.1.x"; length:44; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200055; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"IRIX-6.4"; length:44; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200056; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"IRIX-6.2-6.5"; length:44; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200057; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5 (RFC1323) (1)"; length:52; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,ws=2,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200058; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5 (RFC1323) (2)"; length:52; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,ws=3,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200059; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5.12-6.5.21 (1)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200060; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5.12-6.5.21 (2)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200061; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Tru64-4.0 (or OS/2 Warp 4)"; length:48; fragbits:D; ttl:<=60; flags:S; window:32768; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200062; 
rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Tru64-5.0 (or OpenVMS 7.x on Compaq 5.0 stack)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:32768; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200063; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Tru64-5.1 (no RFC1323) (or QNX 6)"; length:44; fragbits:!D; ttl:<=60; flags:S; window:8192; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200064; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Tru64-v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200065; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OpenVMS-7.2 (Multinet 4.3-4.4 stack)"; length:60; fragbits:D; ttl:<=64; flags:S; window:6144; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200066; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-8.6 classic"; length:48; fragbits:D; ttl:<=255; flags:S; window:S2; tcpopts:mss,ws=0,eol; classtype:os-fingerprint; priority:4; sid:200067; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-7.3-8.6 (OTTCP)"; length:48; fragbits:D; ttl:<=255; flags:S; window:16616; tcpopts:mss,ws=0,eol; classtype:os-fingerprint; priority:4; sid:200068; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-8.1-8.6 (OTTCP)"; length:48; fragbits:D; ttl:<=255; flags:S; window:16616; tcpopts:mss,nop,nop,nop,eol; classtype:os-fingerprint; priority:4; sid:200069; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-9.0-9.2"; length:48; fragbits:D; ttl:<=255; flags:S; window:32768; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200070; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-9.1 (1) (OT 2.7.4)"; length:48; fragbits:D; ttl:<=255; flags:S; window:32768; tcpopts:mss=1380,nop,nop,nop,nop; classtype:os-fingerprint; priority:4; sid:200071; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-9.1 (2) (OT 2.7.4)"; 
length:48; fragbits:D; ttl:<=255; flags:S; window:65535; tcpopts:mss,nop,nop,nop,nop; classtype:os-fingerprint; priority:4; sid:200072; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"MacOS-X"; length:60; fragbits:!D; ttl:<=64; flags:S; window:32768; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200073; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-3.11 (Tucows)"; length:44; fragbits:D; ttl:<=32; flags:S; window:8192; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200074; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-95"; length:64; fragbits:D; ttl:<=64; flags:S; window:S44; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200075; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-95b"; length:64; fragbits:D; ttl:<=128; flags:S; window:8192; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200076; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (low TTL) (1)"; length:48; fragbits:D; ttl:<=32; flags:S; window:S44; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200077; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (low TTL) (2)"; length:48; fragbits:D; ttl:<=32; flags:S; window:8192; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200078; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (13)"; length:48; fragbits:D; ttl:<=64; flags:S; window:%8192; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200079; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (15)"; length:48; fragbits:D; ttl:<=128; flags:S; window:%8192; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200080; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (1)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200081; rev:1; ) 
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (2)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S6; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200082; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (3"; length:48; fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200083; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (16)"; length:64; fragbits:D; ttl:<=64; flags:S; window:T30; tcpopts:mss=1460,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200084; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (4)"; length:48; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200085; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (5)"; length:48; fragbits:D; ttl:<=64; flags:S; window:37300; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200086; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (RFC1323)"; length:52; fragbits:D; ttl:<=64; flags:S; window:46080; tcpopts:mss,nop,ws=3,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200087; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (no sack)"; length:44; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200088; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (6)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S16; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200089; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (7)"; length:64; fragbits:D; ttl:<=128; flags:S; window:S16; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200090; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (8)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S26; tcpopts:mss,nop,nop,sack; 
classtype:os-fingerprint; priority:4; sid:200091; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (9)"; length:48; fragbits:D; ttl:<=128; flags:S; window:T30; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200092; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (10)"; length:52; fragbits:D; ttl:<=128; flags:S; window:32767; tcpopts:mss,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200093; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (11)"; length:48; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200094; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (12)"; length:64; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss,nop,ws=2,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200095; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a (1)"; length:44; fragbits:D; ttl:<=128; flags:S; window:T31; tcpopts:mss=1414; classtype:os-fingerprint; priority:4; sid:200096; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a (2)"; length:44; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss=1414; classtype:os-fingerprint; priority:4; sid:200097; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 (older)"; length:44; fragbits:D; ttl:<=128; flags:S; window:8192; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200098; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4, XP SP1"; length:48; fragbits:D; ttl:<=128; flags:S; window:65535; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200099; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP2+, XP SP1 (seldom 98 4.10.2222)"; length:48; fragbits:D; ttl:<=128; flags:S; window:%8192; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200100; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-SP3"; length:48; 
fragbits:D; ttl:<=128; flags:S; window:S20; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200101; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4, XP SP 1 (2)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S45; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200102; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4"; length:48; fragbits:D; ttl:<=128; flags:S; window:40320; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200103; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP, 2000 SP2+"; length:48; fragbits:D; ttl:<=128; flags:S; window:S6; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200104; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1 (1)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S12; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200105; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP Pro SP1, 2000 SP3"; length:48; fragbits:D; ttl:<=128; flags:S; window:S44; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200106; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1, 2000 SP3 (2)"; length:48; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200107; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1, 2000 SP4 (3)"; length:48; fragbits:D; ttl:<=128; flags:S; window:32767; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200108; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 via Cisco"; length:48; fragbits:D; ttl:<=128; flags:S; window:S52; tcpopts:mss=1260,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200109; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP bare-bone"; length:48; fragbits:D; ttl:<=128; flags:S; window:65520; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; 
sid:200110; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-2000 w/ZoneAlarm?"; length:52; fragbits:D; ttl:<=128; flags:S; window:16384; tcpopts:mss=536,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200111; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-.NET Enterprise Server"; length:40; fragbits:!D; ttl:<=255; flags:S; window:2048; classtype:os-fingerprint; priority:4; sid:200112; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while downloading (leak!) (User Stack/Scanner)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,nop,sack; quirks:nzup; classtype:os-fingerprint; priority:4; sid:200113; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"HP-UX-B.10.20 "; length:44; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200114; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"HP-UX-11.00-11.11"; length:48; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200115; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"HP-UX-B.11.00 A (RFC1323)"; length:48; fragbits:!D; ttl:<=64; flags:S; window:0; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200116; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"RISC OS-3.70-4.36 (inet 5.04)"; length:68; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss=1460,nop,ws=0,nop,nop,time,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200117; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"RISC OS-3.70 inet 4.10"; length:44; fragbits:!D; ttl:<=32; flags:S; window:12288; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200118; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:".-RISC OS"; length:56; fragbits:D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1460,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200119; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"BSD/OS-3.1-4.3 (or MacOS X 10.2)"; length:60; 
fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200120; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NewtonOS-2.1"; length:44; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1420; classtype:os-fingerprint; priority:4; sid:200121; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NeXTSTEP-3.3"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S8; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200122; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"BeOS-5.0-5.1"; length:48; fragbits:!D; ttl:<=255; flags:S; window:1024; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200123; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"BeOS-5.0.x"; length:44; fragbits:!D; ttl:<=255; flags:S; window:12288; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200124; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R4/R5"; length:60; fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1440,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200125; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R3/M0"; length:44; fragbits:!D; ttl:<=64; flags:S; window:8192; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200126; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R5 + CF67032"; length:60; fragbits:D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1440,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200127; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OS/390-?"; length:44; fragbits:!D; ttl:<=64; ack:!=0; flags:S; window:28672; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200128; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"ULTRIX-4.5"; length:40; fragbits:!D; ttl:<=64; flags:S; window:16384; classtype:os-fingerprint; priority:4; sid:200129; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"QNX-demodisk"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S16; 
tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200130; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Novell-NetWare 5.0"; length:44; fragbits:D; ttl:<=128; flags:S; window:16384; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200131; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Novell-IntranetWare 4.11"; length:44; fragbits:D; ttl:<=128; flags:S; window:6144; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200132; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Novell-Netware 6 SP3"; length:52; fragbits:D; ttl:<=128; flags:S; window:6144; tcpopts:mss,ws=0,nop,sack,nop,nop; classtype:os-fingerprint; priority:4; sid:200133; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SCO-UnixWare 7.1"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200134; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SCO-OpenServer 5.0"; length:44; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:mss=1380; classtype:os-fingerprint; priority:4; sid:200135; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"DOS-Arachne via WATTCP/1.05"; length:44; fragbits:!D; ttl:<=255; flags:S; window:2048; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200136; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"OS/2-4"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S56; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200137; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"TOPS-20-version 7"; length:44; fragbits:!D; ttl:<=64; ack:!=0; flags:S; window:0; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200138; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"AMIGA-3.9 BB2 with Miami stack"; length:56; fragbits:D; ttl:<=64; flags:S; window:S32; tcpopts:mss,nop,nop,sack,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200139; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Checkpoint-(unknown 1) (Generic)"; length:44; 
fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:mss=1460; classtype:os-fingerprint; priority:5; sid:200140; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Checkpoint-(unknown 2) (Generic)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:nop,nop,sack,mss=1460; classtype:os-fingerprint; priority:5; sid:200141; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"ExtremeWare-4.x"; length:44; fragbits:!D; ttl:<=32; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200142; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Clavister-firewall 7.x"; length:52; fragbits:!D; ttl:<=64; flags:S; window:60352; tcpopts:mss=1460,nop,ws=2,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200143; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Nokia-IPSO w/Checkpoint NG FP3"; length:68; fragbits:!D; ttl:<=64; flags:S; window:S32; tcpopts:mss=512,nop,ws=0,nop,nop,time,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200144; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"FortiNet-FortiGate 50"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:ws=0,nop,sack,time,mss=1460; classtype:os-fingerprint; priority:4; sid:200145; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Cisco-7200, Catalyst 3500, et"; length:44; id:0; fragbits:!D; ttl:<=255; flags:S; window:4128; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200146; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Cisco-12008"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S8; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200147; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Alteon-ACEswitch"; length:64; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss=1460,nop,ws=2,nop,nop,time,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200148; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Nortel-Contivity Client"; length:44; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss=1370; classtype:os-fingerprint; 
priority:4; sid:200149; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetCache-5.2"; length:64; fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200150; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetCache-5.3"; length:64; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200151; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetCache-5.3-5.5"; length:64; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss=1460,nop,nop,sack,nop,ws,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200152; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetCache-4.1"; length:64; fragbits:D; ttl:<=64; flags:S; window:20480; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200153; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"NetCache-Data OnTap 5.x"; length:64; fragbits:D; ttl:<=64; flags:S; window:32850; tcpopts:nop,ws=1,nop,nop,time,nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200154; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"CacheFlow-CacheOS ?"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200155; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"CacheFlow-CacheOS 1.1"; length:60; fragbits:!D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1380,nop,nop,nop,nop,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200156; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Cisco-Content Engine"; length:48; fragbits:!D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1460,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200157; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Dell-PowerApp cache (Linux-based)"; length:40; fragbits:!D; ttl:<=128; flags:S; window:27085; classtype:os-fingerprint; priority:4; sid:200158; rev:1; ) 
+log tcp $HOME_NET any -> any any ( msg:"Inktomi-crawler"; length:48; fragbits:D; ttl:<=255; flags:S; window:65535; tcpopts:nop,ws=1,mss=1460; classtype:os-fingerprint; priority:4; sid:200159; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"LookSmart-ZyBorg"; length:60; fragbits:D; ttl:<=255; flags:S; window:S1; tcpopts:mss=1460,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200160; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Proxyblocker-(what's this?)"; length:40; fragbits:!D; ttl:<=255; flags:S; window:16384; classtype:os-fingerprint; priority:4; sid:200161; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"PalmOS-Tungsten C"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S9; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200162; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"PalmOS-3/4"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S5; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200163; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"PalmOS-3.5"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S4; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200164; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"PalmOS-3.5.3 (Handera)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:2948; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200165; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SymbianOS-7"; length:64; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:nop,ws=1,nop,nop,time,nop,nop,sack,mss=1460; classtype:os-fingerprint; priority:4; sid:200166; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SymbianOS-6048 (on Nokia 7650?)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:8192; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200167; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"SymbianOS-(on Nokia 9210?)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:8192; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200168; rev:1; ) +log 
tcp $HOME_NET any -> any any ( msg:"Zaurus-3.10"; length:60; fragbits:D; ttl:<=64; flags:S; window:5840; tcpopts:mss=1452,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200169; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"PocketPC-2002"; length:64; fragbits:D; ttl:<=128; flags:S; window:32768; tcpopts:mss=1460,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200170; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Contiki-1.1-rc0"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S1; tcpopts:mss=346; classtype:os-fingerprint; priority:4; sid:200171; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Sega-Dreamcast Dreamkey 3.0"; length:44; fragbits:!D; ttl:<=128; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200172; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Sega-Dreamcast HKT-3020 (browser disc 51027)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:T5; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200173; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Sony-Playstation 2 (SOCOM?)"; length:44; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200174; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"AXIS-Printer Server 5600 v5.64"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S12; tcpopts:mss=1452; classtype:os-fingerprint; priority:4; sid:200175; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (1) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:1024; classtype:os-fingerprint; priority:4; sid:200176; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (2) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:2048; classtype:os-fingerprint; priority:4; sid:200177; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (3) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:3072; 
classtype:os-fingerprint; priority:4; sid:200178; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (4) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:4096; classtype:os-fingerprint; priority:4; sid:200179; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (1) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:1024; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200180; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (2) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:2048; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200181; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (3) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:3072; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200182; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (4) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200183; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (1) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:1024; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200184; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (2) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:2048; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200185; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (3) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:3072; 
tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200186; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (4) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200187; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"p0f-sendsyn utility (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:S; window:12345; classtype:os-fingerprint; priority:4; sid:200188; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Mysterious-port scanner (?) (Generic) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=128; ack:!=0; flags:S; window:56922; classtype:os-fingerprint; priority:5; sid:200189; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Mysterious-NAT device (2nd tstamp) (Generic) (User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:5792; tcpopts:mss=1460,sack,time,nop,ws=0; classtype:os-fingerprint; priority:5; sid:200190; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (RFC1323 no tstamp) (Generic)"; length:52; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200191; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (RFC1323) (Generic)"; length:64; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200192; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-XP (RFC1323, w+) (Generic)"; length:64; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200193; rev:1; ) +log tcp $HOME_NET any -> any any ( msg:"Windows-98 (Generic)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200194; rev:1; ) +log tcp $HOME_NET any -> 
any any ( msg:"Windows-XP/2000 (Generic)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200195; rev:1; ) diff -Naur snort-2.3.0RC1/rules/servicefp.rules snort-2.3.0RC1fp/rules/servicefp.rules --- snort-2.3.0RC1/rules/servicefp.rules Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/rules/servicefp.rules Mon Jan 24 13:46:43 2005 
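Review bot: Several msg strings in the osfp hunk are malformed and should be corrected before these sids ship, since every rule is still at rev:1 and the msg text is what ACID will display for the fingerprint: sid:200083 has msg:"Windows-98 (3" with the closing parenthesis missing (compare "Windows-98 (2)" just before it), sid:200114 carries a trailing space in msg:"HP-UX-B.10.20 ", sid:200146 ends in "Cisco-7200, Catalyst 3500, et" and looks truncated, and sid:200119's msg:".-RISC OS" has a stray ".-" prefix where the neighbouring entries read "RISC OS-...". A quick pass of the p2s output for unbalanced parentheses, leading punctuation and trailing whitespace in msg would catch all four.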
@@ -0,0 +1,53 @@ +# Sample Service Fingerprint File +# Stephen D. Reed +# +# +# Generic rules should always have a higher priority (less significant) than +# specific rules (more significant). For example, we don't want a correctly +# identified Apache web server to be replaced by a Generic TCP Service on +# port 80. + +# +# TCP Specific Service Rules +# + +# HTTP Servers +log tcp any any -> any any (msg:"NetCache Appliance Web Server Version 5.3.1R4"; flags:A+; content:"Server\: NetCache appliance (NetApp/5.3.1R4)"; classtype:service-fingerprint; priority:2; sid:300001;) +log tcp any any -> any any (msg:"FFE Web Server Version 1.0"; flags:A+; content:"Server\: FFE/1.0"; classtype:service-fingerprint; priority:2; sid:300002;) +log tcp any any -> any any (msg:"GWS Web Server Version 2.0"; flags:A+; content:"Server\: GWS/2.0"; classtype:service-fingerprint; priority:2; sid:300003;) + +log tcp any any -> any any (msg:"Netscape Enterprise Web Server Version 4.1"; flags:A+; content:"Server\: Netscape-Enterprise/4.1"; classtype:service-fingerprint; priority:2; sid:300004;) +log tcp any any -> any any (msg:"Microsoft IIS Web Server Version 6.0"; flags:A+; content:"Server\: Microsoft-IIS/6.0"; classtype:service-fingerprint; priority:2; sid:300005;) +log tcp any any -> any any (msg:"Microsoft IIS Web Server Version 5.0"; flags:A+; content:"Server\: Microsoft-IIS/5.0"; classtype:service-fingerprint; priority:2; sid:300006;) +log tcp any any -> any any (msg:"Microsoft IIS Web Server Version 4.0"; flags:A+; content:"Server\: Microsoft-IIS/4.0"; classtype:service-fingerprint; priority:2; sid:300007;) + +log tcp any any -> any any (msg:"Apache Web Server Version 2.0.x"; flags:A+; content:"Server\: Apache/2.0"; classtype:service-fingerprint; priority:2; sid:300008;) +log tcp any any -> any any (msg:"Apache Web Server Version 1.3.x"; flags:A+; content:"Server\: Apache/1.3"; classtype:service-fingerprint; priority:2; sid:300009;) + +# FTP Servers +log tcp any any -> any any 
(msg:"WU-FTP Server Version 2.6.x"; flags:A+; content:"Version wu-2.6"; classtype:service-fingerprint; priority:2; sid:300010;) + + +# +# TCP Service Rules +# + +# HTTP Servers +log tcp any any -> any any (msg:"NetCache Appliance Web Server"; flags:A+; content:"Server\: NetCache appliance"; classtype:service-fingerprint; priority:3; sid:300011;) +log tcp any any -> any any (msg:"Netscape Enterprise Web Server"; flags:A+; content:"Server\: Netscape-Enterprise"; classtype:service-fingerprint; priority:3; sid:300012;) +log tcp any any -> any any (msg:"Microsoft IIS Web Server"; flags:A+; content:"Server\: Microsoft-IIS"; classtype:service-fingerprint; priority:3; sid:300013;) +log tcp any any -> any any (msg:"MDN Web Server"; flags:A+; content:"Server\: MDNServer"; classtype:service-fingerprint; priority:3; sid:300014;) +log tcp any any -> any any (msg:"Apache Web Server"; flags:A+; content:"Server\: Apache"; classtype:service-fingerprint; priority:3; sid:300015;) + +# FTP Servers +log tcp any any -> any any (msg:"WU-FTP Server"; flags:A+; content:"Version wu-"; classtype:service-fingerprint; priority:3; sid:300016;) +log tcp any any -> any any (msg:"Web Server"; flags:A+; content:"Server\:"; classtype:service-fingerprint; priority:4; sid:300017;) + +# +# Generic Rules +# + +log udp any any -> any 1:1024 (msg:"UDP Service (Generic)"; classtype:service-fingerprint; priority:6; sid:300018;) +log tcp any any -> any any (msg:"TCP Service (Generic)"; flags:SA+; classtype:service-fingerprint; priority:5; sid:300019;) + + diff -Naur snort-2.3.0RC1/schemas/create_mysql_fp snort-2.3.0RC1fp/schemas/create_mysql_fp --- snort-2.3.0RC1/schemas/create_mysql_fp Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/schemas/create_mysql_fp Mon Jan 24 13:46:43 2005 
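Review bot: sid:300017 (msg:"Web Server", content:"Server\:") sits under the "# FTP Servers" comment in the TCP Service Rules section although it is the HTTP catch-all; move it under "# HTTP Servers" or into "# Generic Rules", where its priority:4 matches the ordering the header comment describes (specific 2, service 3, generic 5 and 6). Separately, every content rule in this file is `any any -> any any` with only `flags:A+`, so the payload search runs over both directions of every TCP session and a request body or mail message that happens to contain "Server: Apache" would be logged as a service offered by the receiving host; adding `flow:from_server,established` (and a server-port restriction for the HTTP and FTP rules) keeps the fingerprint tied to the host that actually sent the banner. The rules here also omit the `rev:` that every osfp rule carries; adding `rev:1` keeps the two files consistent.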
@@ -0,0 +1,716 @@ +# Copyright (C) 2000-2002 Carnegie Mellon University +# +# Maintainer: Roman Danyliw , +# +# Original Author(s): Jed Pickel (2000-2001) +# Roman Danyliw +# Todd Schrubb +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + +use snort; + +# Drop old tables if they exist + +DROP TABLE IF EXISTS schema; +DROP TABLE IF EXISTS event; +DROP TABLE IF EXISTS fpevent; +DROP TABLE IF EXISTS services; +DROP TABLE IF EXISTS signature; +DROP TABLE IF EXISTS sig_reference; +DROP TABLE IF EXISTS reference; +DROP TABLE IF EXISTS reference_system; +DROP TABLE IF EXISTS sig_class; +DROP TABLE IF EXISTS sensor; +DROP TABLE IF EXISTS iphdr; +DROP TABLE IF EXISTS tcphdr; +DROP TABLE IF EXISTS udphdr; +DROP TABLE IF EXISTS icmphdr; +DROP TABLE IF EXISTS opt; +DROP TABLE IF EXISTS data; +DROP TABLE IF EXISTS encoding; +DROP TABLE IF EXISTS detail; + +# Create new tables; + +CREATE TABLE schema ( vseq INT UNSIGNED NOT NULL, + ctime DATETIME NOT NULL, + PRIMARY KEY (vseq)); +INSERT INTO schema (vseq, ctime) VALUES ('106', now()); + +CREATE TABLE event ( sid INT UNSIGNED NOT NULL, + cid INT UNSIGNED NOT NULL, + signature INT UNSIGNED NOT NULL, + timestamp DATETIME NOT NULL, + PRIMARY KEY (sid,cid), + INDEX sig (signature), + INDEX time (timestamp)); + +# Here's the new fingerprint event table we need to add + + +CREATE 
TABLE fpevent (ip_src INT UNSIGNED NOT NULL, + port_src SMALLINT UNSIGNED NOT NULL, + protocol VARCHAR(10) NOT NULL, + signature INT UNSIGNED NOT NULL, + osfp_flag TINYINT UNSIGNED NOT NULL, + sig_priority INT UNSIGNED NOT NULL, + sid INT UNSIGNED NOT NULL, + cid INT UNSIGNED NOT NULL, + firstseen DATETIME NOT NULL, + lastseen DATETIME NOT NULL, + hopcount INT NOT NULL, + PRIMARY KEY (sid,cid), + INDEX ip (ip_src, osfp_flag, port_src), + INDEX time (lastseen,firstseen)); + + +CREATE TABLE services (name VARCHAR(128) NOT NULL, + port INT NOT NULL, + protocol VARCHAR(10) NOT NULL, + PRIMARY KEY (port,protocol), + INDEX port (port,protocol)); + +CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT, + sig_name VARCHAR(255) NOT NULL, + sig_class_id INT UNSIGNED NOT NULL, + sig_priority INT UNSIGNED, + sig_rev INT UNSIGNED, + sig_sid INT UNSIGNED, + PRIMARY KEY (sig_id), + INDEX sign_idx (sig_name(20)), + INDEX sig_class_id_idx (sig_class_id)); + +CREATE TABLE sig_reference (sig_id INT UNSIGNED NOT NULL, + ref_seq INT UNSIGNED NOT NULL, + ref_id INT UNSIGNED NOT NULL, + PRIMARY KEY(sig_id, ref_seq)); + +CREATE TABLE reference ( ref_id INT UNSIGNED NOT NULL AUTO_INCREMENT, + ref_system_id INT UNSIGNED NOT NULL, + ref_tag TEXT NOT NULL, + PRIMARY KEY (ref_id)); + +CREATE TABLE reference_system ( ref_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT, + ref_system_name VARCHAR(20), + PRIMARY KEY (ref_system_id)); + +CREATE TABLE sig_class ( sig_class_id INT UNSIGNED NOT NULL AUTO_INCREMENT, + sig_class_name VARCHAR(60) NOT NULL, + PRIMARY KEY (sig_class_id), + INDEX (sig_class_id), + INDEX (sig_class_name)); + +# store info about the sensor supplying data +CREATE TABLE sensor ( sid INT UNSIGNED NOT NULL AUTO_INCREMENT, + hostname TEXT, + interface TEXT, + filter TEXT, + detail TINYINT, + encoding TINYINT, + last_cid INT UNSIGNED NOT NULL, + PRIMARY KEY (sid)); + +# All of the fields of an ip header +CREATE TABLE iphdr ( sid INT UNSIGNED NOT NULL, + cid INT 
UNSIGNED NOT NULL, + ip_src INT UNSIGNED NOT NULL, + ip_dst INT UNSIGNED NOT NULL, + ip_ver TINYINT UNSIGNED, + ip_hlen TINYINT UNSIGNED, + ip_tos TINYINT UNSIGNED, + ip_len SMALLINT UNSIGNED, + ip_id SMALLINT UNSIGNED, + ip_flags TINYINT UNSIGNED, + ip_off SMALLINT UNSIGNED, + ip_ttl TINYINT UNSIGNED, + ip_proto TINYINT UNSIGNED NOT NULL, + ip_csum SMALLINT UNSIGNED, + PRIMARY KEY (sid,cid), + INDEX ip_src (ip_src), + INDEX ip_dst (ip_dst)); + +# All of the fields of a tcp header +CREATE TABLE tcphdr( sid INT UNSIGNED NOT NULL, + cid INT UNSIGNED NOT NULL, + tcp_sport SMALLINT UNSIGNED NOT NULL, + tcp_dport SMALLINT UNSIGNED NOT NULL, + tcp_seq INT UNSIGNED, + tcp_ack INT UNSIGNED, + tcp_off TINYINT UNSIGNED, + tcp_res TINYINT UNSIGNED, + tcp_flags TINYINT UNSIGNED NOT NULL, + tcp_win SMALLINT UNSIGNED, + tcp_csum SMALLINT UNSIGNED, + tcp_urp SMALLINT UNSIGNED, + PRIMARY KEY (sid,cid), + INDEX tcp_sport (tcp_sport), + INDEX tcp_dport (tcp_dport), + INDEX tcp_flags (tcp_flags)); + +# All of the fields of a udp header +CREATE TABLE udphdr( sid INT UNSIGNED NOT NULL, + cid INT UNSIGNED NOT NULL, + udp_sport SMALLINT UNSIGNED NOT NULL, + udp_dport SMALLINT UNSIGNED NOT NULL, + udp_len SMALLINT UNSIGNED, + udp_csum SMALLINT UNSIGNED, + PRIMARY KEY (sid,cid), + INDEX udp_sport (udp_sport), + INDEX udp_dport (udp_dport)); + + +# All of the fields of an icmp header +CREATE TABLE icmphdr( sid INT UNSIGNED NOT NULL, + cid INT UNSIGNED NOT NULL, + icmp_type TINYINT UNSIGNED NOT NULL, + icmp_code TINYINT UNSIGNED NOT NULL, + icmp_csum SMALLINT UNSIGNED, + icmp_id SMALLINT UNSIGNED, + icmp_seq SMALLINT UNSIGNED, + PRIMARY KEY (sid,cid), + INDEX icmp_type (icmp_type)); + +# Protocol options +CREATE TABLE opt ( sid INT UNSIGNED NOT NULL, + cid INT UNSIGNED NOT NULL, + optid INT UNSIGNED NOT NULL, + opt_proto TINYINT UNSIGNED NOT NULL, + opt_code TINYINT UNSIGNED NOT NULL, + opt_len SMALLINT, + opt_data TEXT, + PRIMARY KEY (sid,cid,optid)); + +# Packet payload +CREATE TABLE data 
( sid INT UNSIGNED NOT NULL, + cid INT UNSIGNED NOT NULL, + data_payload TEXT, + PRIMARY KEY (sid,cid)); + +# encoding is a lookup table for storing encoding types +CREATE TABLE encoding(encoding_type TINYINT UNSIGNED NOT NULL, + encoding_text TEXT NOT NULL, + PRIMARY KEY (encoding_type)); +INSERT INTO encoding (encoding_type, encoding_text) VALUES (0, 'hex'); +INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64'); +INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii'); + +# detail is a lookup table for storing different detail levels +CREATE TABLE detail (detail_type TINYINT UNSIGNED NOT NULL, + detail_text TEXT NOT NULL, + PRIMARY KEY (detail_type)); +INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast'); +INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full'); + +# Set permissions + +grant update,insert,delete on fpevent to snort; +grant update,insert,delete on iphdr to snort; +grant update,insert,delete on tcphdr to snort; +grant update,insert,delete on udphdr to snort; +grant update,insert,delete on icmphdr to snort; +grant update,insert,delete on opt to snort; +grant update,insert,delete on data to snort; + +grant update,insert on signature to snort; +grant update,insert on sig_reference to snort; +grant update,insert on reference to snort; +grant update,insert on reference_system to snort; +grant update,insert on sig_class to snort; +grant update,insert on sensor to snort; +grant update,insert on encoding to snort; +grant update,insert on detail to snort; +grant update,insert on services to snort; + +# be sure to also use the snortdb-extra tables if you want +# mappings for tcp flags, protocols, and ports +replace services ( name, port, protocol ) values ( 'osfp', 0, 'tcp' ); +replace services ( name, port, protocol ) values ( 'osfp', 0, 'udp' ); +replace services ( name, port, protocol ) values ( 'tcpmux', 1, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tcpmux', 1, 'udp' ); +replace 
services ( name, port, protocol ) values ( 'rje', 5, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rje', 5, 'udp' ); +replace services ( name, port, protocol ) values ( 'echo', 7, 'tcp' ); +replace services ( name, port, protocol ) values ( 'echo', 7, 'udp' ); +replace services ( name, port, protocol ) values ( 'discard', 9, 'tcp' ); +replace services ( name, port, protocol ) values ( 'discard', 9, 'udp' ); +replace services ( name, port, protocol ) values ( 'systat', 11, 'tcp' ); +replace services ( name, port, protocol ) values ( 'systat', 11, 'udp' ); +replace services ( name, port, protocol ) values ( 'daytime', 13, 'tcp' ); +replace services ( name, port, protocol ) values ( 'daytime', 13, 'udp' ); +replace services ( name, port, protocol ) values ( 'qotd', 17, 'tcp' ); +replace services ( name, port, protocol ) values ( 'qotd', 17, 'udp' ); +replace services ( name, port, protocol ) values ( 'msp', 18, 'tcp' ); +replace services ( name, port, protocol ) values ( 'msp', 18, 'udp' ); +replace services ( name, port, protocol ) values ( 'chargen', 19, 'tcp' ); +replace services ( name, port, protocol ) values ( 'chargen', 19, 'udp' ); +replace services ( name, port, protocol ) values ( 'ftp-data', 20, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ftp-data', 20, 'udp' ); +replace services ( name, port, protocol ) values ( 'ftp', 21, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ftp', 21, 'udp' ); +replace services ( name, port, protocol ) values ( 'ssh', 22, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ssh', 22, 'udp' ); +replace services ( name, port, protocol ) values ( 'telnet', 23, 'tcp' ); +replace services ( name, port, protocol ) values ( 'telnet', 23, 'udp' ); +replace services ( name, port, protocol ) values ( 'smtp', 25, 'tcp' ); +replace services ( name, port, protocol ) values ( 'smtp', 25, 'udp' ); +replace services ( name, port, protocol ) values ( 'time', 37, 'tcp' ); +replace services 
( name, port, protocol ) values ( 'time', 37, 'udp' ); +replace services ( name, port, protocol ) values ( 'rlp', 39, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rlp', 39, 'udp' ); +replace services ( name, port, protocol ) values ( 'nameserver', 42, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nameserver', 42, 'udp' ); +replace services ( name, port, protocol ) values ( 'nicname', 43, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nicname', 43, 'udp' ); +replace services ( name, port, protocol ) values ( 'tacacs', 49, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tacacs', 49, 'udp' ); +replace services ( name, port, protocol ) values ( 're-mail-ck', 50, 'tcp' ); +replace services ( name, port, protocol ) values ( 're-mail-ck', 50, 'udp' ); +replace services ( name, port, protocol ) values ( 'domain', 53, 'tcp' ); +replace services ( name, port, protocol ) values ( 'domain', 53, 'udp' ); +replace services ( name, port, protocol ) values ( 'whois++', 63, 'tcp' ); +replace services ( name, port, protocol ) values ( 'whois++', 63, 'udp' ); +replace services ( name, port, protocol ) values ( 'bootps', 67, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bootps', 67, 'udp' ); +replace services ( name, port, protocol ) values ( 'bootpc', 68, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bootpc', 68, 'udp' ); +replace services ( name, port, protocol ) values ( 'tftp', 69, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tftp', 69, 'udp' ); +replace services ( name, port, protocol ) values ( 'gopher', 70, 'tcp' ); +replace services ( name, port, protocol ) values ( 'gopher', 70, 'udp' ); +replace services ( name, port, protocol ) values ( 'netrjs-1', 71, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netrjs-1', 71, 'udp' ); +replace services ( name, port, protocol ) values ( 'netrjs-2', 72, 'tcp' ); +replace services ( name, port, protocol ) values ( 
'netrjs-2', 72, 'udp' ); +replace services ( name, port, protocol ) values ( 'netrjs-3', 73, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netrjs-3', 73, 'udp' ); +replace services ( name, port, protocol ) values ( 'netrjs-4', 74, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netrjs-4', 74, 'udp' ); +replace services ( name, port, protocol ) values ( 'finger', 79, 'tcp' ); +replace services ( name, port, protocol ) values ( 'finger', 79, 'udp' ); +replace services ( name, port, protocol ) values ( 'http', 80, 'tcp' ); +replace services ( name, port, protocol ) values ( 'http', 80, 'udp' ); +replace services ( name, port, protocol ) values ( 'kerberos', 88, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kerberos', 88, 'udp' ); +replace services ( name, port, protocol ) values ( 'supdup', 95, 'tcp' ); +replace services ( name, port, protocol ) values ( 'supdup', 95, 'udp' ); +replace services ( name, port, protocol ) values ( 'hostname', 101, 'tcp' ); +replace services ( name, port, protocol ) values ( 'hostname', 101, 'udp' ); +replace services ( name, port, protocol ) values ( 'iso-tsap', 102, 'tcp' ); +replace services ( name, port, protocol ) values ( 'csnet-ns', 105, 'tcp' ); +replace services ( name, port, protocol ) values ( 'csnet-ns', 105, 'udp' ); +replace services ( name, port, protocol ) values ( 'rtelnet', 107, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rtelnet', 107, 'udp' ); +replace services ( name, port, protocol ) values ( 'pop2', 109, 'tcp' ); +replace services ( name, port, protocol ) values ( 'pop2', 109, 'udp' ); +replace services ( name, port, protocol ) values ( 'pop3', 110, 'tcp' ); +replace services ( name, port, protocol ) values ( 'pop3', 110, 'udp' ); +replace services ( name, port, protocol ) values ( 'sunrpc', 111, 'tcp' ); +replace services ( name, port, protocol ) values ( 'sunrpc', 111, 'udp' ); +replace services ( name, port, protocol ) values ( 'auth', 113, 'tcp' ); 
+replace services ( name, port, protocol ) values ( 'auth', 113, 'udp' ); +replace services ( name, port, protocol ) values ( 'sftp', 115, 'tcp' ); +replace services ( name, port, protocol ) values ( 'sftp', 115, 'udp' ); +replace services ( name, port, protocol ) values ( 'uucp-path', 117, 'tcp' ); +replace services ( name, port, protocol ) values ( 'uucp-path', 117, 'udp' ); +replace services ( name, port, protocol ) values ( 'nntp', 119, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nntp', 119, 'udp' ); +replace services ( name, port, protocol ) values ( 'ntp', 123, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ntp', 123, 'udp' ); +replace services ( name, port, protocol ) values ( 'netbios-ns', 137, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netbios-ns', 137, 'udp' ); +replace services ( name, port, protocol ) values ( 'netbios-dgm', 138, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netbios-dgm', 138, 'udp' ); +replace services ( name, port, protocol ) values ( 'netbios-ssn', 139, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netbios-ssn', 139, 'udp' ); +replace services ( name, port, protocol ) values ( 'imap', 143, 'tcp' ); +replace services ( name, port, protocol ) values ( 'imap', 143, 'udp' ); +replace services ( name, port, protocol ) values ( 'snmp', 161, 'tcp' ); +replace services ( name, port, protocol ) values ( 'snmp', 161, 'udp' ); +replace services ( name, port, protocol ) values ( 'snmptrap', 162, 'udp' ); +replace services ( name, port, protocol ) values ( 'cmip-man', 163, 'tcp' ); +replace services ( name, port, protocol ) values ( 'cmip-man', 163, 'udp' ); +replace services ( name, port, protocol ) values ( 'cmip-agent', 164, 'tcp' ); +replace services ( name, port, protocol ) values ( 'cmip-agent', 164, 'udp' ); +replace services ( name, port, protocol ) values ( 'mailq', 174, 'tcp' ); +replace services ( name, port, protocol ) values ( 'mailq', 174, 'udp' ); 
+replace services ( name, port, protocol ) values ( 'xdmcp', 177, 'tcp' ); +replace services ( name, port, protocol ) values ( 'xdmcp', 177, 'udp' ); +replace services ( name, port, protocol ) values ( 'nextstep', 178, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nextstep', 178, 'udp' ); +replace services ( name, port, protocol ) values ( 'bgp', 179, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bgp', 179, 'udp' ); +replace services ( name, port, protocol ) values ( 'prospero', 191, 'tcp' ); +replace services ( name, port, protocol ) values ( 'prospero', 191, 'udp' ); +replace services ( name, port, protocol ) values ( 'irc', 194, 'tcp' ); +replace services ( name, port, protocol ) values ( 'irc', 194, 'udp' ); +replace services ( name, port, protocol ) values ( 'smux', 199, 'tcp' ); +replace services ( name, port, protocol ) values ( 'smux', 199, 'udp' ); +replace services ( name, port, protocol ) values ( 'at-rtmp', 201, 'tcp' ); +replace services ( name, port, protocol ) values ( 'at-rtmp', 201, 'udp' ); +replace services ( name, port, protocol ) values ( 'at-nbp', 202, 'tcp' ); +replace services ( name, port, protocol ) values ( 'at-nbp', 202, 'udp' ); +replace services ( name, port, protocol ) values ( 'at-echo', 204, 'tcp' ); +replace services ( name, port, protocol ) values ( 'at-echo', 204, 'udp' ); +replace services ( name, port, protocol ) values ( 'at-zis', 206, 'tcp' ); +replace services ( name, port, protocol ) values ( 'at-zis', 206, 'udp' ); +replace services ( name, port, protocol ) values ( 'qmtp', 209, 'tcp' ); +replace services ( name, port, protocol ) values ( 'qmtp', 209, 'udp' ); +replace services ( name, port, protocol ) values ( 'z39.50', 210, 'tcp' ); +replace services ( name, port, protocol ) values ( 'z39.50', 210, 'udp' ); +replace services ( name, port, protocol ) values ( 'ipx', 213, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ipx', 213, 'udp' ); +replace services ( name, port, 
protocol ) values ( 'imap3', 220, 'tcp' ); +replace services ( name, port, protocol ) values ( 'imap3', 220, 'udp' ); +replace services ( name, port, protocol ) values ( 'link', 245, 'tcp' ); +replace services ( name, port, protocol ) values ( 'link', 245, 'ucp' ); +replace services ( name, port, protocol ) values ( 'fatserv', 347, 'tcp' ); +replace services ( name, port, protocol ) values ( 'fatserv', 347, 'udp' ); +replace services ( name, port, protocol ) values ( 'rsvp_tunnel', 363, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rsvp_tunnel', 363, 'udp' ); +replace services ( name, port, protocol ) values ( 'rpc2portmap', 369, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rpc2portmap', 369, 'udp' ); +replace services ( name, port, protocol ) values ( 'codaauth2', 370, 'tcp' ); +replace services ( name, port, protocol ) values ( 'codaauth2', 370, 'udp' ); +replace services ( name, port, protocol ) values ( 'ulistproc', 372, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ulistproc', 372, 'udp' ); +replace services ( name, port, protocol ) values ( 'ldap', 389, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ldap', 389, 'udp' ); +replace services ( name, port, protocol ) values ( 'svrloc', 427, 'tcp' ); +replace services ( name, port, protocol ) values ( 'svrloc', 427, 'udp' ); +replace services ( name, port, protocol ) values ( 'mobileip-agent', 434, 'tcp' ); +replace services ( name, port, protocol ) values ( 'mobileip-agent', 434, 'udp' ); +replace services ( name, port, protocol ) values ( 'mobilip-mn', 435, 'tcp' ); +replace services ( name, port, protocol ) values ( 'mobilip-mn', 435, 'udp' ); +replace services ( name, port, protocol ) values ( 'https', 443, 'tcp' ); +replace services ( name, port, protocol ) values ( 'https', 443, 'udp' ); +replace services ( name, port, protocol ) values ( 'snpp', 444, 'tcp' ); +replace services ( name, port, protocol ) values ( 'snpp', 444, 'udp' ); +replace 
services ( name, port, protocol ) values ( 'microsoft-ds', 445, 'tcp' ); +replace services ( name, port, protocol ) values ( 'microsoft-ds', 445, 'udp' ); +replace services ( name, port, protocol ) values ( 'kpasswd', 464, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kpasswd', 464, 'udp' ); +replace services ( name, port, protocol ) values ( 'photuris', 468, 'tcp' ); +replace services ( name, port, protocol ) values ( 'photuris', 468, 'udp' ); +replace services ( name, port, protocol ) values ( 'saft', 487, 'tcp' ); +replace services ( name, port, protocol ) values ( 'saft', 487, 'udp' ); +replace services ( name, port, protocol ) values ( 'gss-http', 488, 'tcp' ); +replace services ( name, port, protocol ) values ( 'gss-http', 488, 'udp' ); +replace services ( name, port, protocol ) values ( 'pim-rp-disc', 496, 'tcp' ); +replace services ( name, port, protocol ) values ( 'pim-rp-disc', 496, 'udp' ); +replace services ( name, port, protocol ) values ( 'isakmp', 500, 'tcp' ); +replace services ( name, port, protocol ) values ( 'isakmp', 500, 'udp' ); +replace services ( name, port, protocol ) values ( 'gdomap', 538, 'tcp' ); +replace services ( name, port, protocol ) values ( 'gdomap', 538, 'udp' ); +replace services ( name, port, protocol ) values ( 'iiop', 535, 'tcp' ); +replace services ( name, port, protocol ) values ( 'iiop', 535, 'udp' ); +replace services ( name, port, protocol ) values ( 'dhcpv6-client', 546, 'tcp' ); +replace services ( name, port, protocol ) values ( 'dhcpv6-client', 546, 'udp' ); +replace services ( name, port, protocol ) values ( 'dhcpv6-server', 547, 'tcp' ); +replace services ( name, port, protocol ) values ( 'dhcpv6-server', 547, 'udp' ); +replace services ( name, port, protocol ) values ( 'rtsp', 554, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rtsp', 554, 'udp' ); +replace services ( name, port, protocol ) values ( 'nntps', 563, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nntps', 
563, 'udp' ); +replace services ( name, port, protocol ) values ( 'whoami', 565, 'tcp' ); +replace services ( name, port, protocol ) values ( 'whoami', 565, 'udp' ); +replace services ( name, port, protocol ) values ( 'submission', 587, 'tcp' ); +replace services ( name, port, protocol ) values ( 'submission', 587, 'udp' ); +replace services ( name, port, protocol ) values ( 'npmp-local', 610, 'tcp' ); +replace services ( name, port, protocol ) values ( 'npmp-local', 610, 'udp' ); +replace services ( name, port, protocol ) values ( 'npmp-gui', 611, 'tcp' ); +replace services ( name, port, protocol ) values ( 'npmp-gui', 611, 'udp' ); +replace services ( name, port, protocol ) values ( 'hmmp-ind', 612, 'tcp' ); +replace services ( name, port, protocol ) values ( 'hmmp-ind', 612, 'udp' ); +replace services ( name, port, protocol ) values ( 'ipp', 631, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ipp', 631, 'ucp' ); +replace services ( name, port, protocol ) values ( 'ldaps', 636, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ldaps', 636, 'udp' ); +replace services ( name, port, protocol ) values ( 'acap', 674, 'tcp' ); +replace services ( name, port, protocol ) values ( 'acap', 674, 'udp' ); +replace services ( name, port, protocol ) values ( 'ha-cluster', 694, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ha-cluster', 694, 'udp' ); +replace services ( name, port, protocol ) values ( 'kerberos-adm', 749, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kerberos-iv', 750, 'udp' ); +replace services ( name, port, protocol ) values ( 'kerberos-iv', 750, 'tcp' ); +replace services ( name, port, protocol ) values ( 'webster', 765, 'tcp' ); +replace services ( name, port, protocol ) values ( 'webster', 765, 'udp' ); +replace services ( name, port, protocol ) values ( 'phonebook', 767, 'tcp' ); +replace services ( name, port, protocol ) values ( 'phonebook', 767, 'udp' ); +replace services ( name, port, protocol 
) values ( 'rsync', 873, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rsync', 873, 'udp' ); +replace services ( name, port, protocol ) values ( 'telnets', 992, 'tcp' ); +replace services ( name, port, protocol ) values ( 'telnets', 992, 'udp' ); +replace services ( name, port, protocol ) values ( 'imaps', 993, 'tcp' ); +replace services ( name, port, protocol ) values ( 'imaps', 993, 'udp' ); +replace services ( name, port, protocol ) values ( 'ircs', 994, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ircs', 994, 'udp' ); +replace services ( name, port, protocol ) values ( 'pop3s', 995, 'tcp' ); +replace services ( name, port, protocol ) values ( 'pop3s', 995, 'udp' ); +replace services ( name, port, protocol ) values ( 'exec', 512, 'tcp' ); +replace services ( name, port, protocol ) values ( 'biff', 512, 'udp' ); +replace services ( name, port, protocol ) values ( 'login', 513, 'tcp' ); +replace services ( name, port, protocol ) values ( 'who', 513, 'udp' ); +replace services ( name, port, protocol ) values ( 'shell', 514, 'tcp' ); +replace services ( name, port, protocol ) values ( 'syslog', 514, 'udp' ); +replace services ( name, port, protocol ) values ( 'printer', 515, 'tcp' ); +replace services ( name, port, protocol ) values ( 'printer', 515, 'udp' ); +replace services ( name, port, protocol ) values ( 'talk', 517, 'udp' ); +replace services ( name, port, protocol ) values ( 'ntalk', 518, 'udp' ); +replace services ( name, port, protocol ) values ( 'utime', 519, 'tcp' ); +replace services ( name, port, protocol ) values ( 'utime', 519, 'udp' ); +replace services ( name, port, protocol ) values ( 'efs', 520, 'tcp' ); +replace services ( name, port, protocol ) values ( 'router', 520, 'udp' ); +replace services ( name, port, protocol ) values ( 'ripng', 521, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ripng', 521, 'udp' ); +replace services ( name, port, protocol ) values ( 'timed', 525, 'tcp' ); +replace 
services ( name, port, protocol ) values ( 'timed', 525, 'udp' ); +replace services ( name, port, protocol ) values ( 'tempo', 526, 'tcp' ); +replace services ( name, port, protocol ) values ( 'courier', 530, 'tcp' ); +replace services ( name, port, protocol ) values ( 'conference', 531, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netnews', 532, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netwall', 533, 'udp' ); +replace services ( name, port, protocol ) values ( 'uucp', 540, 'tcp' ); +replace services ( name, port, protocol ) values ( 'klogin', 543, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kshell', 544, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afpovertcp', 548, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afpovertcp', 548, 'udp' ); +replace services ( name, port, protocol ) values ( 'remotefs', 556, 'tcp' ); +replace services ( name, port, protocol ) values ( 'socks', 1080, 'tcp' ); +replace services ( name, port, protocol ) values ( 'socks', 1080, 'udp' ); +replace services ( name, port, protocol ) values ( 'bvcontrol', 1236, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bvcontrol', 1236, 'udp' ); +replace services ( name, port, protocol ) values ( 'h323hostcallsc', 1300, 'tcp' ); +replace services ( name, port, protocol ) values ( 'h323hostcallsc', 1300, 'udp' ); +replace services ( name, port, protocol ) values ( 'lotus-notes', 1352, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ms-sql-s', 1433, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ms-sql-s', 1433, 'udp' ); +replace services ( name, port, protocol ) values ( 'ms-sql-m', 1434, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ms-sql-m', 1434, 'udp' ); +replace services ( name, port, protocol ) values ( 'ica', 1494, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ica', 1494, 'udp' ); +replace services ( name, port, protocol ) values ( 
'wins', 1512, 'tcp' ); +replace services ( name, port, protocol ) values ( 'wins', 1512, 'udp' ); +replace services ( name, port, protocol ) values ( 'ingreslock', 1524, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ingreslock', 1524, 'udp' ); +replace services ( name, port, protocol ) values ( 'prospero-np', 1525, 'tcp' ); +replace services ( name, port, protocol ) values ( 'prospero-np', 1525, 'udp' ); +replace services ( name, port, protocol ) values ( 'datametrics', 1645, 'tcp' ); +replace services ( name, port, protocol ) values ( 'datametrics', 1645, 'udp' ); +replace services ( name, port, protocol ) values ( 'sa-msg-port', 1646, 'tcp' ); +replace services ( name, port, protocol ) values ( 'sa-msg-port', 1646, 'udp' ); +replace services ( name, port, protocol ) values ( 'kermit', 1649, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kermit', 1649, 'udp' ); +replace services ( name, port, protocol ) values ( 'l2tp', 1701, 'tcp' ); +replace services ( name, port, protocol ) values ( 'l2tp', 1701, 'udp' ); +replace services ( name, port, protocol ) values ( 'h323gatedisc', 1718, 'tcp' ); +replace services ( name, port, protocol ) values ( 'h323gatedisc', 1718, 'udp' ); +replace services ( name, port, protocol ) values ( 'h323gatestat', 1719, 'tcp' ); +replace services ( name, port, protocol ) values ( 'h323gatestat', 1719, 'udp' ); +replace services ( name, port, protocol ) values ( 'h323hostcall', 1720, 'tcp' ); +replace services ( name, port, protocol ) values ( 'h323hostcall', 1720, 'udp' ); +replace services ( name, port, protocol ) values ( 'tftp-mcast', 1758, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tftp-mcast', 1758, 'udp' ); +replace services ( name, port, protocol ) values ( 'hello', 1789, 'tcp' ); +replace services ( name, port, protocol ) values ( 'hello', 1789, 'udp' ); +replace services ( name, port, protocol ) values ( 'radius', 1812, 'tcp' ); +replace services ( name, port, protocol ) values ( 
'radius', 1812, 'udp' ); +replace services ( name, port, protocol ) values ( 'radius-acct', 1813, 'tcp' ); +replace services ( name, port, protocol ) values ( 'radius-acct', 1813, 'udp' ); +replace services ( name, port, protocol ) values ( 'mtp', 1911, 'tcp' ); +replace services ( name, port, protocol ) values ( 'mtp', 1911, 'udp' ); +replace services ( name, port, protocol ) values ( 'hsrp', 1985, 'tcp' ); +replace services ( name, port, protocol ) values ( 'hsrp', 1985, 'udp' ); +replace services ( name, port, protocol ) values ( 'licensedaemon', 1986, 'tcp' ); +replace services ( name, port, protocol ) values ( 'licensedaemon', 1986, 'udp' ); +replace services ( name, port, protocol ) values ( 'gdp-port', 1997, 'tcp' ); +replace services ( name, port, protocol ) values ( 'gdp-port', 1997, 'udp' ); +replace services ( name, port, protocol ) values ( 'nfs', 2049, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nfs', 2049, 'udp' ); +replace services ( name, port, protocol ) values ( 'zephyr-srv', 2102, 'tcp' ); +replace services ( name, port, protocol ) values ( 'zephyr-srv', 2102, 'udp' ); +replace services ( name, port, protocol ) values ( 'zephyr-clt', 2103, 'tcp' ); +replace services ( name, port, protocol ) values ( 'zephyr-clt', 2103, 'udp' ); +replace services ( name, port, protocol ) values ( 'zephyr-hm', 2104, 'tcp' ); +replace services ( name, port, protocol ) values ( 'zephyr-hm', 2104, 'udp' ); +replace services ( name, port, protocol ) values ( 'cvspserver', 2401, 'tcp' ); +replace services ( name, port, protocol ) values ( 'cvspserver', 2401, 'udp' ); +replace services ( name, port, protocol ) values ( 'venus', 2430, 'tcp' ); +replace services ( name, port, protocol ) values ( 'venus', 2430, 'udp' ); +replace services ( name, port, protocol ) values ( 'venus-se', 2431, 'tcp' ); +replace services ( name, port, protocol ) values ( 'venus-se', 2431, 'udp' ); +replace services ( name, port, protocol ) values ( 'codasrv', 2432, 'tcp' ); 
+replace services ( name, port, protocol ) values ( 'codasrv', 2432, 'udp' ); +replace services ( name, port, protocol ) values ( 'codasrv-se', 2433, 'tcp' ); +replace services ( name, port, protocol ) values ( 'codasrv-se', 2433, 'udp' ); +replace services ( name, port, protocol ) values ( 'hpstgmgr', 2600, 'tcp' ); +replace services ( name, port, protocol ) values ( 'hpstgmgr', 2600, 'udp' ); +replace services ( name, port, protocol ) values ( 'discp-client', 2601, 'tcp' ); +replace services ( name, port, protocol ) values ( 'discp-client', 2601, 'udp' ); +replace services ( name, port, protocol ) values ( 'discp-server', 2602, 'tcp' ); +replace services ( name, port, protocol ) values ( 'discp-server', 2602, 'udp' ); +replace services ( name, port, protocol ) values ( 'servicemeter', 2603, 'tcp' ); +replace services ( name, port, protocol ) values ( 'servicemeter', 2603, 'udp' ); +replace services ( name, port, protocol ) values ( 'nsc-ccs', 2604, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nsc-ccs', 2604, 'udp' ); +replace services ( name, port, protocol ) values ( 'nsc-posa', 2605, 'tcp' ); +replace services ( name, port, protocol ) values ( 'nsc-posa', 2605, 'udp' ); +replace services ( name, port, protocol ) values ( 'netmon', 2606, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netmon', 2606, 'udp' ); +replace services ( name, port, protocol ) values ( 'corbaloc', 2809, 'tcp' ); +replace services ( name, port, protocol ) values ( 'icpv2', 3130, 'tcp' ); +replace services ( name, port, protocol ) values ( 'icpv2', 3130, 'udp' ); +replace services ( name, port, protocol ) values ( 'mysql', 3306, 'tcp' ); +replace services ( name, port, protocol ) values ( 'mysql', 3306, 'udp' ); +replace services ( name, port, protocol ) values ( 'trnsprntproxy', 3346, 'tcp' ); +replace services ( name, port, protocol ) values ( 'trnsprntproxy', 3346, 'udp' ); +replace services ( name, port, protocol ) values ( 'rwhois', 4321, 'tcp' ); 
+replace services ( name, port, protocol ) values ( 'rwhois', 4321, 'udp' ); +replace services ( name, port, protocol ) values ( 'krb524', 4444, 'tcp' ); +replace services ( name, port, protocol ) values ( 'krb524', 4444, 'udp' ); +replace services ( name, port, protocol ) values ( 'rfe', 5002, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rfe', 5002, 'udp' ); +replace services ( name, port, protocol ) values ( 'cfengine', 5308, 'tcp' ); +replace services ( name, port, protocol ) values ( 'cfengine', 5308, 'udp' ); +replace services ( name, port, protocol ) values ( 'cvsup', 5999, 'tcp' ); +replace services ( name, port, protocol ) values ( 'cvsup', 5999, 'udp' ); +replace services ( name, port, protocol ) values ( 'x11', 6000, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-fileserver', 7000, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-fileserver', 7000, 'udp' ); +replace services ( name, port, protocol ) values ( 'afs3-callback', 7001, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-callback', 7001, 'udp' ); +replace services ( name, port, protocol ) values ( 'afs3-prserver', 7002, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-prserver', 7002, 'udp' ); +replace services ( name, port, protocol ) values ( 'afs3-vlserver', 7003, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-vlserver', 7003, 'udp' ); +replace services ( name, port, protocol ) values ( 'afs3-kaserver', 7004, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-kaserver', 7004, 'udp' ); +replace services ( name, port, protocol ) values ( 'afs3-volser', 7005, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-volser', 7005, 'udp' ); +replace services ( name, port, protocol ) values ( 'afs3-errors', 7006, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-errors', 7006, 'udp' ); +replace services ( name, port, protocol ) values ( 'afs3-bos', 
7007, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-bos', 7007, 'udp' ); +replace services ( name, port, protocol ) values ( 'afs3-update', 7008, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-update', 7008, 'udp' ); +replace services ( name, port, protocol ) values ( 'afs3-rmtsys', 7009, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afs3-rmtsys', 7009, 'udp' ); +replace services ( name, port, protocol ) values ( 'sd', 9876, 'tcp' ); +replace services ( name, port, protocol ) values ( 'sd', 9876, 'udp' ); +replace services ( name, port, protocol ) values ( 'amanda', 10080, 'tcp' ); +replace services ( name, port, protocol ) values ( 'amanda', 10080, 'udp' ); +replace services ( name, port, protocol ) values ( 'pgpkeyserver', 11371, 'tcp' ); +replace services ( name, port, protocol ) values ( 'pgpkeyserver', 11371, 'udp' ); +replace services ( name, port, protocol ) values ( 'h323callsigalt', 11720, 'tcp' ); +replace services ( name, port, protocol ) values ( 'h323callsigalt', 11720, 'udp' ); +replace services ( name, port, protocol ) values ( 'bprd', 13720, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bprd', 13720, 'udp' ); +replace services ( name, port, protocol ) values ( 'bpdbm', 13721, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bpdbm', 13721, 'udp' ); +replace services ( name, port, protocol ) values ( 'bpjava-msvc', 13722, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bpjava-msvc', 13722, 'udp' ); +replace services ( name, port, protocol ) values ( 'vnetd', 13724, 'tcp' ); +replace services ( name, port, protocol ) values ( 'vnetd', 13724, 'udp' ); +replace services ( name, port, protocol ) values ( 'bpcd', 13782, 'tcp' ); +replace services ( name, port, protocol ) values ( 'bpcd', 13782, 'udp' ); +replace services ( name, port, protocol ) values ( 'vopied', 13783, 'tcp' ); +replace services ( name, port, protocol ) values ( 'vopied', 13783, 'udp' ); 
+replace services ( name, port, protocol ) values ( 'wnn6', 22273, 'tcp' ); +replace services ( name, port, protocol ) values ( 'wnn6', 22273, 'ucp' ); +replace services ( name, port, protocol ) values ( 'quake', 26000, 'tcp' ); +replace services ( name, port, protocol ) values ( 'quake', 26000, 'udp' ); +replace services ( name, port, protocol ) values ( 'wnn6-ds', 26208, 'tcp' ); +replace services ( name, port, protocol ) values ( 'wnn6-ds', 26208, 'udp' ); +replace services ( name, port, protocol ) values ( 'traceroute', 33434, 'tcp' ); +replace services ( name, port, protocol ) values ( 'traceroute', 33434, 'udp' ); +replace services ( name, port, protocol ) values ( 'rtmp', 1, 'ddp' ); +replace services ( name, port, protocol ) values ( 'nbp', 2, 'ddp' ); +replace services ( name, port, protocol ) values ( 'echo', 4, 'ddp' ); +replace services ( name, port, protocol ) values ( 'zip', 6, 'ddp' ); +replace services ( name, port, protocol ) values ( 'kerberos_master', 751, 'udp' ); +replace services ( name, port, protocol ) values ( 'kerberos_master', 751, 'tcp' ); +replace services ( name, port, protocol ) values ( 'passwd_server', 752, 'udp' ); +replace services ( name, port, protocol ) values ( 'krbupdate', 760, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kpop', 1109, 'tcp' ); +replace services ( name, port, protocol ) values ( 'knetd', 2053, 'tcp' ); +replace services ( name, port, protocol ) values ( 'krb5_prop', 754, 'tcp' ); +replace services ( name, port, protocol ) values ( 'eklogin', 2105, 'tcp' ); +replace services ( name, port, protocol ) values ( 'supfilesrv', 871, 'tcp' ); +replace services ( name, port, protocol ) values ( 'supfiledbg', 1127, 'tcp' ); +replace services ( name, port, protocol ) values ( 'netstat', 15, 'tcp' ); +replace services ( name, port, protocol ) values ( 'linuxconf', 98, 'tcp' ); +replace services ( name, port, protocol ) values ( 'poppassd', 106, 'tcp' ); +replace services ( name, port, protocol ) values ( 
'poppassd', 106, 'udp' ); +replace services ( name, port, protocol ) values ( 'smtps', 465, 'tcp' ); +replace services ( name, port, protocol ) values ( 'gii', 616, 'tcp' ); +replace services ( name, port, protocol ) values ( 'omirr', 808, 'tcp' ); +replace services ( name, port, protocol ) values ( 'omirr', 808, 'udp' ); +replace services ( name, port, protocol ) values ( 'swat', 901, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rndc', 953, 'tcp' ); +replace services ( name, port, protocol ) values ( 'rndc', 953, 'udp' ); +replace services ( name, port, protocol ) values ( 'skkserv', 1178, 'tcp' ); +replace services ( name, port, protocol ) values ( 'xtel', 1313, 'tcp' ); +replace services ( name, port, protocol ) values ( 'support', 1529, 'tcp' ); +replace services ( name, port, protocol ) values ( 'cfinger', 2003, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ninstall', 2150, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ninstall', 2150, 'udp' ); +replace services ( name, port, protocol ) values ( 'afbackup', 2988, 'tcp' ); +replace services ( name, port, protocol ) values ( 'afbackup', 2988, 'udp' ); +replace services ( name, port, protocol ) values ( 'squid', 3128, 'tcp' ); +replace services ( name, port, protocol ) values ( 'prsvp', 3455, 'tcp' ); +replace services ( name, port, protocol ) values ( 'prsvp', 3455, 'udp' ); +replace services ( name, port, protocol ) values ( 'postgres', 5432, 'tcp' ); +replace services ( name, port, protocol ) values ( 'postgres', 5432, 'udp' ); +replace services ( name, port, protocol ) values ( 'fax', 4557, 'tcp' ); +replace services ( name, port, protocol ) values ( 'hylafax', 4559, 'tcp' ); +replace services ( name, port, protocol ) values ( 'sgi-dgl', 5232, 'tcp' ); +replace services ( name, port, protocol ) values ( 'sgi-dgl', 5232, 'udp' ); +replace services ( name, port, protocol ) values ( 'noclog', 5354, 'tcp' ); +replace services ( name, port, protocol ) values ( 
'noclog', 5354, 'udp' ); +replace services ( name, port, protocol ) values ( 'hostmon', 5355, 'tcp' ); +replace services ( name, port, protocol ) values ( 'hostmon', 5355, 'udp' ); +replace services ( name, port, protocol ) values ( 'canna', 5680, 'tcp' ); +replace services ( name, port, protocol ) values ( 'x11-ssh-offset', 6010, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ircd', 6667, 'tcp' ); +replace services ( name, port, protocol ) values ( 'ircd', 6667, 'udp' ); +replace services ( name, port, protocol ) values ( 'xfs', 7100, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tircproxy', 7666, 'tcp' ); +replace services ( name, port, protocol ) values ( 'http-alt', 8008, 'tcp' ); +replace services ( name, port, protocol ) values ( 'http-alt', 8008, 'udp' ); +replace services ( name, port, protocol ) values ( 'webcache', 8080, 'tcp' ); +replace services ( name, port, protocol ) values ( 'webcache', 8080, 'udp' ); +replace services ( name, port, protocol ) values ( 'tproxy', 8081, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tproxy', 8081, 'udp' ); +replace services ( name, port, protocol ) values ( 'jetdirect', 9100, 'tcp' ); +replace services ( name, port, protocol ) values ( 'mandelspawn', 9359, 'udp' ); +replace services ( name, port, protocol ) values ( 'kamanda', 10081, 'tcp' ); +replace services ( name, port, protocol ) values ( 'kamanda', 10081, 'udp' ); +replace services ( name, port, protocol ) values ( 'amandaidx', 10082, 'tcp' ); +replace services ( name, port, protocol ) values ( 'amidxtape', 10083, 'tcp' ); +replace services ( name, port, protocol ) values ( 'isdnlog', 20011, 'tcp' ); +replace services ( name, port, protocol ) values ( 'isdnlog', 20011, 'udp' ); +replace services ( name, port, protocol ) values ( 'vboxd', 20012, 'tcp' ); +replace services ( name, port, protocol ) values ( 'vboxd', 20012, 'udp' ); +replace services ( name, port, protocol ) values ( 'wnn4_Kr', 22305, 'tcp' ); +replace 
services ( name, port, protocol ) values ( 'wnn4_Cn', 22289, 'tcp' ); +replace services ( name, port, protocol ) values ( 'wnn4_Tw', 22321, 'tcp' ); +replace services ( name, port, protocol ) values ( 'binkp', 24554, 'tcp' ); +replace services ( name, port, protocol ) values ( 'binkp', 24554, 'udp' ); +replace services ( name, port, protocol ) values ( 'asp', 27374, 'tcp' ); +replace services ( name, port, protocol ) values ( 'asp', 27374, 'udp' ); +replace services ( name, port, protocol ) values ( 'tfido', 60177, 'tcp' ); +replace services ( name, port, protocol ) values ( 'tfido', 60177, 'udp' ); +replace services ( name, port, protocol ) values ( 'fido', 60179, 'tcp' ); +replace services ( name, port, protocol ) values ( 'fido', 60179, 'udp' ); diff -Naur snort-2.3.0RC1/src/decode.c snort-2.3.0RC1fp/src/decode.c --- snort-2.3.0RC1/src/decode.c Tue Oct 5 12:55:18 2004 +++ snort-2.3.0RC1fp/src/decode.c Mon Jan 24 13:46:43 2005 @@ -1842,6 +1842,9 @@ /* lay the IP struct over the raw data */ p->iph = (IPHdr *) pkt; + /* SDR ADDED NEXT LINE */ + p->ip_hop_count = IP_HOP_COUNT_UNDEFINED; + DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");); /* do a little validation */ @@ -2096,6 +2099,9 @@ /* lay the IP struct over the raw data */ p->orig_iph = (IPHdr *) pkt; + + /* SDR ADDED NEXT LINE */ + p->ip_hop_count = IP_HOP_COUNT_UNDEFINED; DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeIPOnly: ip header starts at: %p, " "length is %lu\n", p->orig_iph, (unsigned long) len);); diff -Naur snort-2.3.0RC1/src/decode.h snort-2.3.0RC1fp/src/decode.h --- snort-2.3.0RC1/src/decode.h Mon Sep 13 11:44:49 2004 +++ snort-2.3.0RC1fp/src/decode.h Mon Jan 24 13:46:43 2005 @@ -188,6 +188,8 @@ #define IP_MAXPACKET 65535 /* maximum packet size */ #endif /* IP_MAXPACKET */ +#define IP_HOP_COUNT_UNDEFINED -1 /* SDR: Added for fingerprinting */ + #define TH_FIN 0x01 #define TH_SYN 0x02 #define TH_RST 0x04 
@@ -1081,6 +1083,7 @@ IPHdr *iph, *orig_iph; /* and orig. headers for ICMP_*_UNREACH family */ u_int32_t ip_options_len; u_int8_t *ip_options_data; + int ip_hop_count; /* SDR ADDED: IP hop count */ TCPHdr *tcph, *orig_tcph; u_int32_t tcp_options_len; diff -Naur snort-2.3.0RC1/src/detection-plugins/Makefile.am snort-2.3.0RC1fp/src/detection-plugins/Makefile.am --- snort-2.3.0RC1/src/detection-plugins/Makefile.am Wed Jun 16 12:49:24 2004 +++ snort-2.3.0RC1fp/src/detection-plugins/Makefile.am Mon Jan 24 13:46:43 2005 @@ -16,6 +16,8 @@ sp_tcp_win_check.c sp_tcp_win_check.h sp_ttl_check.c sp_ttl_check.h \ sp_clientserver.c sp_clientserver.h sp_byte_check.c sp_byte_check.h \ sp_byte_jump.c sp_byte_jump.h sp_pcre.c sp_pcre.h sp_isdataat.c sp_isdataat.h \ -sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h +sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h \ +sp_ip_length_check.c sp_ip_length_check.h sp_tcp_option_check.c \ +sp_tcp_option_check.h sp_tcp_quirks_check.s sp_tcp_quirks_check.h INCLUDES = @INCLUDES@ diff -Naur snort-2.3.0RC1/src/detection-plugins/Makefile.in snort-2.3.0RC1fp/src/detection-plugins/Makefile.in --- snort-2.3.0RC1/src/detection-plugins/Makefile.in Thu Nov 18 10:21:24 2004 +++ snort-2.3.0RC1fp/src/detection-plugins/Makefile.in Mon Jan 24 13:46:43 2005 @@ -97,7 +97,9 @@ sp_tcp_win_check.c sp_tcp_win_check.h sp_ttl_check.c sp_ttl_check.h \ sp_clientserver.c sp_clientserver.h sp_byte_check.c sp_byte_check.h \ sp_byte_jump.c sp_byte_jump.h sp_pcre.c sp_pcre.h sp_isdataat.c sp_isdataat.h \ -sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h +sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h \ +sp_ip_length_check.c sp_ip_length_check.h sp_tcp_option_check.c \ +sp_tcp_option_check.h sp_tcp_quirks_check.s sp_tcp_quirks_check.h subdir = src/detection-plugins mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs 
@@ -120,7 +122,8 @@ sp_tcp_win_check.$(OBJEXT) sp_ttl_check.$(OBJEXT) \ sp_clientserver.$(OBJEXT) sp_byte_check.$(OBJEXT) \ sp_byte_jump.$(OBJEXT) sp_pcre.$(OBJEXT) sp_isdataat.$(OBJEXT) \ - sp_flowbits.$(OBJEXT) sp_asn1.$(OBJEXT) + sp_flowbits.$(OBJEXT) sp_asn1.$(OBJEXT) sp_ip_length_check.$(OBJEXT) \ + sp_tcp_option_check.$(OBJEXT) sp_tcp_quirks_check.$(OBJEXT) libspd_a_OBJECTS = $(am_libspd_a_OBJECTS) DEFS = @DEFS@ @@ -135,6 +138,8 @@ CCLD = $(CC) LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ CFLAGS = @CFLAGS@ +CCASCOMPILE = $(CCAS) $(AM_CCASFLAGS) $(CCASFLAGS) +CCASFLAGS = @CCASFLAGS@ DIST_SOURCES = $(libspd_a_SOURCES) DIST_COMMON = Makefile.am Makefile.in SOURCES = $(libspd_a_SOURCES) @@ -142,7 +147,7 @@ all: all-am .SUFFIXES: -.SUFFIXES: .c .o .obj +.SUFFIXES: .c .o .obj .s $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) cd $(top_srcdir) && \ $(AUTOMAKE) --foreign src/detection-plugins/Makefile @@ -169,6 +174,12 @@ .c.obj: $(COMPILE) -c `cygpath -w $<` + +.s.o: + $(CCASCOMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< + +.s.obj: + $(CCASCOMPILE) -c `cygpath -w $<` uninstall-info-am: ETAGS = etags diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_ip_length_check.c snort-2.3.0RC1fp/src/detection-plugins/sp_ip_length_check.c --- snort-2.3.0RC1/src/detection-plugins/sp_ip_length_check.c Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_ip_length_check.c Mon Jan 24 13:46:43 2005 
@@ -0,0 +1,299 @@ +/* +** Copyright (C) 1998-2002 Martin Roesch +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* $Id$ */ +/* SDR ADDED FILE */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include +#include +#include + +#ifdef HAVE_STRINGS_H +#include +#endif + +#include "rules.h" +#include "decode.h" +#include "plugbase.h" +#include "parser.h" +#include "debug.h" +#include "plugin_enum.h" +#include "util.h" + +typedef struct _IpLengthData +{ + u_int16_t ip_length; + u_int8_t not_flag; + +} IpLengthData; + +void IpLengthCheckInit(char *, OptTreeNode *, int); +void ParseIpLength(char *, OptTreeNode *); +int IpLengthCheckEq(Packet *, struct _OptTreeNode *, OptFpList *); +int IpLengthCheckLT(Packet *, struct _OptTreeNode *, OptFpList *); +int IpLengthCheckGT(Packet *, struct _OptTreeNode *, OptFpList *); + + +/**************************************************************************** + * + * Function: SetupIpLengthCheck() + * + * Purpose: Associate the length keyword with IpLengthCheckInit + * + * Arguments: None. 
+ * + * Returns: void function + * + ****************************************************************************/ +void SetupIpLengthCheck() +{ + /* map the keyword to an initialization/processing function */ + RegisterPlugin("length", IpLengthCheckInit); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Plugin: IpLengthCheck Initialized\n");); +} + + +/**************************************************************************** + * + * Function: IpLengthCheckInit(char *, OptTreeNode *) + * + * Purpose: Setup the length data struct and link the function into option + * function pointer list + * + * Arguments: data => rule arguments/data + * otn => pointer to the current rule option list node + * + * Returns: void function + * + ****************************************************************************/ +void IpLengthCheckInit(char *data, OptTreeNode *otn, int protocol) +{ + /* multiple declaration check */ + if(otn->ds_list[PLUGIN_IP_LENGTH_CHECK]) + { + FatalError("%s(%d): Multiple IP length options in rule\n", file_name, + file_line); + } + + /* allocate the data structure and attach it to the + rule's data struct list */ + otn->ds_list[PLUGIN_IP_LENGTH_CHECK] = (IpLengthData *) + SnortAlloc(sizeof(IpLengthData)); + + /* this is where the keyword arguments are processed and placed into the + rule option's data structure */ + ParseIpLength(data, otn); + +} + + + +/**************************************************************************** + * + * Function: ParseIpLength(char *, OptTreeNode *) + * + * Purpose: Convert the length option argument to data and plug it into the + * data structure + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +void ParseIpLength(char *data, OptTreeNode *otn) +{ + IpLengthData *ds_ptr; /* data struct pointer */ + + /* set the ds pointer to make it easier to reference the option's + 
particular data struct */ + ds_ptr = otn->ds_list[PLUGIN_IP_LENGTH_CHECK]; + + /* get rid of any whitespace */ + while(isspace((int)*data)) + { + data++; + } + + /* process operator(s) */ + if(data[0] == '!') + { + ds_ptr->not_flag = 1; + } + + /* Locate the operator, and set appropriate handling function */ + + switch (*data) { + case '=': + AddOptFuncToList ( IpLengthCheckEq, otn ); + data++; + break; + case '>': + AddOptFuncToList ( IpLengthCheckGT, otn ); + data++; + break; + case '<': + AddOptFuncToList ( IpLengthCheckLT, otn ); + data++; + break; + default: + /* default to the '=' operator, but don't advance pointer */ + /* in case that 'data' is legal digit */ + AddOptFuncToList ( IpLengthCheckEq, otn ); + break; + } + + /* get rid of any whitespace */ + while(isspace((int)*data)) + { + data++; + } + + + if(index(data, (int) 'x') == NULL && index(data, (int)'X') == NULL) + { + ds_ptr->ip_length = atoi(data); + } + else + { + if(index(data,(int)'x')) + { + ds_ptr->ip_length = (u_char) strtol((index(data, (int)'x')+1), NULL, 16); + } + else + { + ds_ptr->ip_length = (u_char) strtol((index(data, (int)'X')+1), NULL, 16); + } + } + + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"ip length set to %d\n", ds_ptr->ip_length);); +} + + +/**************************************************************************** + * + * Function: IpLengthCheckEq(char *, OptTreeNode *) + * + * Purpose: Test the ip header's length field to see if its value is equal to the + * value in the rule. + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +int IpLengthCheckEq(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + if(!p->iph) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. 
+ */ + + if((((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->ip_length == + htons(p->iph->ip_len)) ^ (((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->not_flag)) + { + /* call the next function in the function list recursively */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + } + else + { + /* you can put debug comments here or not */ + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n");); + } + + /* if the test isn't successful, return 0 */ + return 0; +} + +/**************************************************************************** + * + * Function: IpLengthCheckLT(char *, OptTreeNode *) + * + * Purpose: Test the ip header's length field to see if its value is less than the + * value in the rule. + * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +int IpLengthCheckLT(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + if(!p->iph) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. + */ + + if( ntohs(p->iph->ip_len) < + ((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->ip_length ) + { + /* call the next function in the function list recursively */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + } + else + { + /* you can put debug comments here or not */ + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n");); + } + + /* if the test isn't successful, return 0 */ + return 0; +} + +/**************************************************************************** + * + * Function: IpLengthCheckGT(char *, OptTreeNode *) + * + * Purpose: Test the ip header's length field to see if its value is greater than the + * value in the rule. 
+ * + * Arguments: data => argument data + * otn => pointer to the current rule's OTN + * + * Returns: void function + * + ****************************************************************************/ +int IpLengthCheckGT(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) +{ + if(!p->iph) + return 0; /* if error occured while ip header + * was processed, return 0 automagically. + */ + + if( ntohs(p->iph->ip_len) > + ((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->ip_length ) + { + /* call the next function in the function list recursively */ + return fp_list->next->OptTestFunc(p, otn, fp_list->next); + } + else + { + /* you can put debug comments here or not */ + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n");); + } + + /* if the test isn't successful, return 0 */ + return 0; +} diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_ip_length_check.h snort-2.3.0RC1fp/src/detection-plugins/sp_ip_length_check.h --- snort-2.3.0RC1/src/detection-plugins/sp_ip_length_check.h Wed Dec 31 17:00:00 1969 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_ip_length_check.h Mon Jan 24 13:46:43 2005 
@@ -0,0 +1,25 @@ +/* +** Copyright (C) 1998-2002 Martin Roesch +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +/* $Id$ */ +#ifndef __SP_IP_LENGTH_CHECK_H__ +#define __SP_IP_LENGTH_CHECK_H__ + +void SetupIpLengthCheck(); + +#endif /* __SP_IP_LENGTH_CHECK_H__ */ diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_tcp_ack_check.c snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_ack_check.c --- snort-2.3.0RC1/src/detection-plugins/sp_tcp_ack_check.c Mon Oct 20 09:03:32 2003 +++ snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_ack_check.c Mon Jan 24 13:46:43 2005 @@ -38,6 +38,8 @@ typedef struct _TcpAckCheckData { u_long tcp_ack; + u_int8_t not_flag; /* ADDED SDR */ + } TcpAckCheckData; void TcpAckCheckInit(char *, OptTreeNode *, int); @@ -129,6 +131,20 @@ /* set the ds pointer to make it easier to reference the option's particular data struct */ ds_ptr = otn->ds_list[PLUGIN_TCP_ACK_CHECK]; + /* BEGIN ADD SDR */ + ds_ptr->not_flag = 0; + + while(isspace((int)*data)) + { + data++; + } + + if(data[0] == '!') + { + ds_ptr->not_flag = 1; + data++; + } + /* END ADD SDR */ ds_ptr->tcp_ack = strtoul(data, ep, 0); ds_ptr->tcp_ack = htonl(ds_ptr->tcp_ack); 
@@ -155,7 +171,9 @@ if(!p->tcph) return 0; /* if error appeared when tcp header was processed, * test fails automagically */ - if(((TcpAckCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->tcp_ack == p->tcph->th_ack) + /* SDR REPLACED FOLLOWING LINE */ + if((((TcpAckCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->tcp_ack == p->tcph->th_ack) ^ + (((TcpAckCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->not_flag)) { /* call the next function in the function list recursively */ return fp_list->next->OptTestFunc(p, otn, fp_list->next); diff -Naur snort-2.3.0RC1/src/detection-plugins/sp_tcp_option_check.c snort-2.3.0RC1fp/src/detection-plugins/sp_tcp_option_check.c --- snort-2.3.0RC1/src/detection-p
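Review bot: in the services hunk, 'wnn6' on port 22273 is inserted with protocol 'ucp', which should be 'udp' (the tcp row immediately before it and every other pair in this script use 'tcp'/'udp'); the stray value would never match a lookup keyed on protocol. Also worth confirming that the `services` table has a PRIMARY KEY or UNIQUE index on the columns these rows are meant to be keyed on, since MySQL `REPLACE` only replaces on a key collision and otherwise behaves as a plain `INSERT`, so re-running this script would append duplicate rows.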
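Review bot: in the decode.c hunk at @@ -1842, the assignment `p->ip_hop_count = IP_HOP_COUNT_UNDEFINED;` is the only thing in these hunks that writes the new field, so every IP packet is reset to the sentinel but nothing shown here ever computes an actual hop count; if that happens elsewhere in the patch, the comment should name the code that fills it in, since `/* SDR ADDED NEXT LINE */` records who changed the line rather than why.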
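Review bot: the second reset in the decode.c hunk at @@ -2096 lives in DecodeIPOnly, the path that lays `p->orig_iph` over the IP header quoted inside an ICMP unreachable message (decode.h: "orig. headers for ICMP_*_UNREACH family"), so it overwrites whatever `p->ip_hop_count` already held for the outer datagram decoded by DecodeIP. If the hop count is meant to describe the outer header, drop this assignment; if the quoted inner header needs its own value, give it a separate field rather than sharing one. The blank `+` line placed before the comment here, but after it in the first hunk, is also inconsistent.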
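Review bot: in the decode.h hunk at @@ -188, `#define IP_HOP_COUNT_UNDEFINED -1` should be written as `(-1)`, following the usual convention of parenthesising macro constants; the other constants in this header are positive and never hit the issue, but a negative sentinel is exactly the case the convention guards. The comment would also be more useful stating that valid values lie in 0..255 (an 8-bit TTL-derived count) so that -1 is guaranteed distinct.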
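Review bot: in the decode.h hunk at @@ -1081, `int ip_hop_count; /* SDR ADDED: IP hop count */` adds a Packet member without stating its contract; the comment should say that it holds IP_HOP_COUNT_UNDEFINED until set and is only meaningful when `iph` is non-NULL, since every reader of the field elsewhere in the tree needs both facts.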
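Review bot: in the Makefile.am hunk, `sp_tcp_quirks_check.s` is almost certainly a typo for `sp_tcp_quirks_check.c`; a `.s` suffix tells automake the file is assembler source, and the CCASCOMPILE, `.SUFFIXES: ... .s` and `.s.o` additions in the Makefile.in hunks are the regenerated fallout of that one-character mistake. Fix the name here and regenerate Makefile.in rather than hand-editing it.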
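Review bot: the Makefile.in hunk at @@ -97 carries the same `sp_tcp_quirks_check.s` typo into the generated file; once Makefile.am is corrected, Makefile.in should be regenerated with automake rather than edited by hand, otherwise the two drift apart the next time anyone runs automake.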
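Review bot: in the Makefile.in hunk at @@ -135, `CCASCOMPILE = $(CCAS) $(AM_CCASFLAGS) $(CCASFLAGS)` and `CCASFLAGS = @CCASFLAGS@` only acquire values if configure runs the assembler checks (AM_PROG_AS), and nothing in this patch touches configure.in, so `$(CCAS)` would expand to nothing and the `.s.o` rule added at @@ -169 would invoke `-c sp_tcp_quirks_check.s` with no compiler in front of it. All of this disappears with the `.c` rename.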
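Review bot: in the new sp_ip_length_check.c, ParseIpLength sets `not_flag` when `data[0] == '!'` but never advances `data` past the '!', so for `length: !20` the `switch (*data)` falls into the default case, `atoi("!20")` returns 0, and the rule silently compiles to "length not equal to 0", which matches essentially every packet; add `data++;` inside that `if`, as the sp_tcp_ack_check.c hunk does. Second, only IpLengthCheckEq honours `not_flag` (the `^` in its condition); IpLengthCheckLT and IpLengthCheckGT ignore it, so `!<` and `!>` behave as plain `<` and `>`. Third, the hex branch casts the parsed value to `(u_char)` before storing it in the `u_int16_t ip_length`, truncating anything above 0xff (0x200 becomes 0). Smaller points: IpLengthCheckEq compares against `htons(p->iph->ip_len)` while LT and GT use `ntohs` (the same byte swap in practice, but use `ntohs` in all three); the header comments on the three check functions carry the wrong signature (`(char *, OptTreeNode *)`) and say `Returns: void function` for functions that return int; and `index()` is the legacy spelling of `strchr()`.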
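Review bot: in the new sp_ip_length_check.h, `void SetupIpLengthCheck();` is an old-style declaration that gives the compiler no parameter information; write `void SetupIpLengthCheck(void);` and update the definition in sp_ip_length_check.c to match so that calls can be checked.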