p0f-3.01b

sha1: 35720d10593a6f4ab9ffe097ac96d273931fdf35 p0f-3.01b.tgz
mpihelgas · Mar 11, 2012 · 72fba30 · 72fba30
1 parent 154ff59
commit 72fba30
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 4 deletions.
diff --git a/build.sh b/build.sh
@@ -9,7 +9,7 @@
 #
 
 PROGNAME="p0f"
-VERSION="3.00b"
+VERSION="3.01b"
 
 test "$CC" = "" && CC="gcc"
 
@@ -25,6 +25,8 @@ USE_LDFLAGS="-Wl,-z,relro -pie $BASIC_LDFLAGS"
 
 if [ "$OSTYPE" = "cygwin" ]; then
   USE_LIBS="-lwpcap $LIBS"
+elif [ "$OSTYPE" = "solaris" ]; then
+  USE_LIBS="-lsocket -lnsl $LIBS"
 else
   USE_LIBS="-lpcap $LIBS"
 fi
@@ -61,7 +63,7 @@ if [ "$1" = "clean" -o "$1" = "publish" ]; then
       exit 1
     fi
 
-    TARGET="/var/www/lcamtuf/$PROGNAME-$VERSION.tgz"
+    TARGET="/var/www/lcamtuf/p0f3/$PROGNAME-devel.tgz"
 
     echo "[*] Creating $TARGET..."
 

diff --git a/docs/ChangeLog b/docs/ChangeLog
@@ -1,3 +1,16 @@
+Version 3.01b:
+--------------
+
+Bug fixes:
+
+  - 'Date' comparisons for server sigs now work as expected.
+
+  - Bad TS reading now allowed on initial SYN (improves uptime detection).
+
+Improvements:
+
+  - New signatures.
+
 Version 3.00b:
 --------------
 

diff --git a/fp_http.c b/fp_http.c
@@ -116,7 +116,7 @@ void http_init(void) {
 #define HDR_AL  2
 #define HDR_VIA 3
 #define HDR_XFF 4
-#define HDR_DAT 6
+#define HDR_DAT 5
 
   i = 0;
   while (req_optional[i].name) {
@@ -827,6 +827,11 @@ static void score_nat(u8 to_srv, struct packet_flow* f) {
       score  += 4;
       reason |= NAT_APP_DATE;
 
+    } else {
+
+      DEBUG("[#] HTTP 'Date' distance seems fine (%lld in %lld sec).\n",
+             hdr_diff, recv_diff);
+
     }
 
   }

diff --git a/fp_tcp.c b/fp_tcp.c
@@ -1282,7 +1282,14 @@ void check_ts_tcp(u8 to_srv, struct packet_data* pk, struct packet_flow* f) {
 
   if (ffreq < MIN_TSCALE || ffreq > MAX_TSCALE) {
 
-    if (to_srv) f->cli_tps = -1; else f->srv_tps = -1;
+    /* Allow bad reading on SYN, as this may be just an artifact of IP
+       sharing or OS change. */
+
+    if (pk->tcp_type != TCP_SYN) {
+
+      if (to_srv) f->cli_tps = -1; else f->srv_tps = -1;
+
+    }
 
     DEBUG("[#] Bad %s TS frequency: %.02f Hz (%d ticks in %llu ms).\n",
           to_srv ? "client" : "server", ffreq, ts_diff, ms_diff);

diff --git a/p0f.fp b/p0f.fp
@@ -651,6 +651,7 @@ sig   = 1:Host,Accept-Language=[zh-cn],Connection=[close],User-Agent:Accept,Acce
 sig   = 1:Host,Connection=[close],User-Agent,Accept-Language=[zh-cn,zh-tw],Accept-Encoding=[gzip],Accept=[*/*]:Accept-Charset:Baiduspider
 sig   = 1:Host,Connection=[close],User-Agent,Accept-Language=[tr-TR],Accept-Encoding=[gzip],Accept=[*/*]:Accept-Charset:Baiduspider
 sig   = 1:Host,Connection=[close],User-Agent,Accept-Encoding=[gzip],?Accept-Language=[zh-cn,zh-tw],Accept=[*/*]:Accept-Charset:Baiduspider
+sig   = 1:Host,Connection=[close],User-Agent,Accept-Encoding=[gzip],Accept-Language=[tr-TR],Accept=[*/*]:Accept-Charset:Baiduspider
 
 label = s:!:Googlebot:
 sys   = Linux
@@ -729,6 +730,10 @@ sys   = Linux
 sig   = 0:Client-IP,X-Forwarded-For,X-YQL-Depth,User-Agent,Host,Connection=[keep-alive],Via:Accept,Accept-Encoding,Accept-Language,Accept-Charset:Yahoo Pipes
 sig   = 1:Client-IP,X-Forwarded-For,X-YQL-Depth,User-Agent,Host,Via:Connection,Accept,Accept-Encoding,Accept-Language,Accept-Charset:Yahoo Pipes
 
+label = s:!:Google Web Preview:
+sys   = Linux
+sig   = 1:Referer,User-Agent,Accept-Encoding=[gzip,deflate],Host,X-Forwarded-For:Connection,Accept,Accept-Language,Accept-Charset:Web Preview
+
 ; --------------------------------
 ; Command-line tools and libraries
 ; --------------------------------