1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
|
Version 2.0.8:
-------------
More fingerprints, signature cleanup.
p0fping.c and diagnostic queries added.
Socket ownership fix when dropping privs.
Some -O signatures.
Version 2.0.7:
--------------
Added -0 mode for port 0 wildcards in queries.
Added -e option to make p0f work on some boxes.
HDLC support added.
New fingerprints, including Windows Vista betas.
[BUG] Fixed timezone in logs after chroot().
[BUG] Unlikely command-line overflow with VLANs fixed.
Version 2.0.6:
--------------
[BUG] Fixed pcap naming madness.
Support for Cygwin.
More signatures. Plenty of -A sigs from Ryan Kruse.
[BUG] Fix to a command-line parsing snafu with sprintf; shame on me ;-)
Timestamps in masquerade detection.
Write PID to /var/run/p0f.pid
Verison 2.0.5:
--------------
[BUG] OpenBSD compile fix.
Support for 802.1Q.
New signatures.
Speel-chceked teh docuhmentation!
Absolutely experimental support for open connection fingerprinting (-O).
Synced manpage and documentation.
Added several -O signatures.
Verison 2.0.4:
--------------
More signatures.
Improved documentation, mentions of p0f_db, etc.
[BUG] Fixed a minor problem with installation on systems w/o /usr/man/.
[BUG] Fixed a DLT_NULL problem, added a new loopback signature.
Multiple timestamp options, timestamps now read from pcap dumps.
Sync with new Windows port code.
[BUG] Fixed one-line reporting for masquerade detection.
Version 2.0.3:
--------------
Iproved -F.
Masquerade detection code now checks for time going backwards in
timestamps.
Added uptime in query data and p0fq.c.
Added -F fuzzy TTL matching option.
More signatures.
2.0.3 and -M code ported to Windows, Windows port fixes, all thanks to
Kirby Kuehl <kkuehl@cisco.com>.
[BUG] Fixed Windows compilation by ifdefing query_cache.
[BUG] Missing ENDIAN define on SunOS? Added to Makefile. It now
defaults to big endian, perhaps worth auto-detecting in case of
Solaris on x86 or such.
-r now also resolves the target host.
Added -X option, sendsyn added. Better Makefile and p0f*.fp documentation.
Automatic wildcard for WSS of 12345 and size exceeding PACKET_BIG.
Documentation (links) updated.
Sheesh, more cleanup in p0fr.fp explanations and p0f.c RST recognition
code.
test/sendack2.c added.
Added wildcard for packet size; massive ACK probing to diagnose the
payload quoting issue. Many new RST fingerprints for network
devices.
Updated some tos.h signatures.
[BUG] Fixed Solaris makefile to include p0f-query.c
Version 2.0.2:
--------------
Cleanup of the RST mess in p0fr.fp and p0f.c parser.
Added isprint() text preview for -x mode.
[BUG] Fixed packet size reporting and matching for packets over 255 bytes
(_u8 -> _u16).
Extended RST+ACK to also cover plain RST, added some sane explanations
of the purpose of each mode. Clarification of the RST vs RST+ACK
occurences; test/sendack.c added.
Added -R option for RST+ACK fingerprinting. Created an empty database.
Moved databases from /etc to /etc/p0f/
Windows memory leak mystery solved.
No longer using pcap timeouts for anything. They suck. I first wanted
to use SIGALRM with no SA_RESTART, but it's broken on Linux on this
particular syscall. Fortunately, I spotted an mis-documented pcap_fileno
and can now use select(). I just hope it won't break.
Note to self: despite of the documentation saying pcap_open_live with
timeout 0 will simply never timeout (which is irrelevant for
pcap_loop anyway), it does not work on FreeBSD, inhibiting all packet
processing instead. Works fine on Linux. Go figure.
Some minor p0fq fixes to prevent warnings.
Added some SYN+ACK signatures from rfp (p0fa.fp). Hooray!
p0fa.fp is now official. Moved from test/ to ., etc. README updated.
[BUG] Fixed the default TTL for IRIX and Tru64 (60), added a note to
p0f.fp, fixed TTL checker to also support %30 values.
[BUG] Fixed query mode lookup. The old code didn't handle reverse
lookups properly.
Masquerade scoring data is now available via the query interface.
P0fq utility updated to handle this.
Dropped /bin/bash from p0frep, /bin/sh would suffice.
Added a new -c option for -M and -Q cache size scaling, packet ratio
information on Ctrl-C to help estimate the right parameter.
Extra masquerade detection flags: -T for threshold, -V for detailed
flag breakdown; masquerade reporting now recognizes -r.
The new -w option writes all matching packets to a pcap file (regardless
of -K and -U settings).
Added -M option (unix only until p0f-query.c gets ported). This option
enables advanced masquerade detection based on the cyclic buffer
used by -Q. Added - signature flag to the config file. Some
documentation for the new functionality.
[BUG] Cleaned up the -K and -U semantics with -Q.
Replaced some single-character printfs with putchars in signature
reporting code (should be a tad faster). Added signature check
reporting, generic signature count and some other minor tweaks.
The new -x option provides a hexadecimal TCP/IP packet dump. Useful
when comparing two colliding fingerprints to find some differences
not covered by the current quirks set.
PPPoE interface is now handled correctly on NetBSD.
Added a shoddy manpage and updated makefiles.
Removed E quirk and added E to the regular options; removed needless EOL
append code from the parser. Breaks the old signature format in some
rare cases, but the old quirk is still recognized, and the user will be
advised to change it.
[BUG] Fixed ? option parsing bug that prevented RISC OS signature from
working (and would prevent all ? signatures from working, should there
be any other ;-).
New signatures and other database additions, of course.
[BUG] Fixed a very minor parser bug that could cause it to loop over
an unknown option with a declared length of zero. This is not a DoS
condition, because the parser would quit the loop after parsing max. 16
options anyway.
Version 2.0.1 (2003/09/03):
---------------------------
Initial stable release after a complete rewrite; some of the
changes are pointed out in README.
[SECURITY] What was wrong with p0f v1 in terms of security? Other
than its inefficient algorithms, there was a risk of a DoS attack
while parsing badly malformed packets. The risk would be due to
going past end of options, so there is no exploitable condition,
but... the original pcap parser wasn't my work (a contributed code),
and p0f v1 was not quite intended to be used in serious production
systems.
|
