#
# p0f - RST+ signatures
# ---------------------
#
# .-------------------------------------------------------------------------.
# | The purpose of this file is to cover signatures for reset packets       |
# | (RST and RST+ACK). This mode of operation can be enabled with -R option |
# | and is considered to be least accurate. Please refer to p0f.fp for more |
# | information on the metrics used and for a guide on adding new entries   |
# | to this file. This database is looking for a caring maintainer.         |
# `-------------------------------------------------------------------------'
#
# (C) Copyright 2000-2004 by Michal Zalewski <lcamtuf@coredump.cx>
#
# Submit all additions to the authors. Read p0f.fp before adding any
# signatures. Run p0f -R -C after making any modifications. This file is
# NOT compatible with SYN or SYN+ACK modes. Use only with -R option.
#
#
# IMPORTANT INFORMATION ABOUT THE INTERDEPENDENCY OF SYNs AND RST+ACKs
# --------------------------------------------------------------------
#
# Some silly systems may copy WSS from the SYN packet you've sent,
# in which case you need to wildcard the value. Use test/sendsyn.c for
# "connection refused" and test/sendack.c for "connection dropped" signatures
# - both tools use a distinct WSS of 12345, which is an easy way to tell
# if WSS should be wildcarded (if 12345 shows up in the reset, it is an echo
# of your own window, not a property of the remote stack).
#
# IMPORTANT INFORMATION ABOUT COMMON IMPLEMENTATION FLAWS
# -------------------------------------------------------
#
# There are several types of RST packets you will surely encounter.
# Some systems, including most reputable ones, are severely brain-damaged
# and generate some illegal combinations from time to time. This is WAY
# more common than with other packet types, because a broken RST does not
# have any immediately noticeable consequences; besides, RFC793 is fairly
# difficult to comprehend when it comes to this type of response.
#
# P0f will give you a hint on new RST signatures, but it is your duty to
# diagnose the problem and append the proper description when adding the
# signature. Below is a list of valid and invalid states:
#
# - "Connection refused" message: this is a RST+ACK packet, SEQ number
#   set to zero, ACK number non-zero. This is a valid response and
#   is denoted by p0f as "refused" (quirk combination: K, 0, A).
#
#   There are some very rare cases when this is incorrectly sent in response
#   to an unexpected ACK packet.
#
# - Illegal combination: RST+ACK packet, SEQ number set to zero, ACK
#   number zero. This is denoted by p0f as "invalid-K0" (quirk combination:
#   K and 0, no A).
#
# - Illegal combination: RST+ACK, SEQ number non-zero, ACK number zero
#   or non-zero. This is denoted by p0f as "invalid-K" and
#   "invalid-KA", respectively (quirk combinations: K, sometimes A, no 0).
#
#   This combination is frequently generated by Cisco routers in certain
#   configurations in response to ACK (!). Brain dead, by all means, and
#   usually a result of (incorrectly) setting the ACK flag on a valid RST
#   packet.
#
# - "Connection dropped": RST, sequence number non-zero, ACK zero or
#   non-zero. This is denoted as "dropped" and "dropped 2" respectively
#   (quirk combinations: no K, sometimes A, no 0). While the ACK value should
#   be zeroed, it is not strictly against the RFC, and some systems either
#   leak memory there or set it to the value of SEQ.
#
#   The latter variant, with non-zero ACK, is particularly common on
#   Windows.
#
# - Illegal combination: RST, SEQ number zero, ACK zero or non-zero.
#   Denoted as "invalid-0" and "invalid-0A". Obviously incorrect, and
#   will not have the desired effect.
#
# Ok. That's it. RFC793 does not get much respect nowadays.
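#
# The state list above, as an added worked example (this is not p0f's own
# code and is not part of the original file): a small Python classifier
# that parses a raw 20-byte TCP header, derives the RST-specific quirks
# K, 0, A and Q, and maps them to the label p0f would report. The sample
# headers are constructed in the script rather than captured, and the
# build_tcp_header() helper is this example's own, not a p0f function.

```python
import struct

# TCP flag bits (same values as in <netinet/tcp.h>)
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(seq, ack, flags, sport=12345, dport=80, window=0):
    """Build a minimal 20-byte TCP header (no options, checksum left zero).
    Helper for the constructed samples below; it is not p0f code."""
    data_offset_and_flags = (5 << 12) | flags        # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset_and_flags, window, 0, 0)


def rst_quirks(tcp_header):
    """Return the p0f RST-mode quirk letters for a raw TCP header, in the
    fixed order K, 0, A, Q, or None if the packet is not a reset at all.
    Only the four RST-specific quirks are derived here; Z, U, T, F, D etc.
    come from the IP header, options and payload and are out of scope."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, seq, ack, off_flags, _win, _csum, _urg = \
        struct.unpack("!HHIIHHHH", tcp_header[:20])
    flags = off_flags & 0x3F
    if not flags & TH_RST:
        return None
    quirks = ""
    if flags & TH_ACK:
        quirks += "K"      # RST+ACK rather than a bare RST
    if seq == 0:
        quirks += "0"      # SEQ number is zero
    if ack != 0:
        quirks += "A"      # ACK number is non-zero
    if seq == ack:
        quirks += "Q"      # SEQ equals ACK (set even when both are zero)
    return quirks


def rst_state(quirks):
    """Map a quirk string to the state label p0f reports for a RST, following
    the list above: valid states are "refused", "dropped" and "dropped 2";
    everything else is an illegal combination under RFC 793."""
    k, z, a = "K" in quirks, "0" in quirks, "A" in quirks
    if k and z:
        return "refused" if a else "invalid-K0"
    if k:
        return "invalid-KA" if a else "invalid-K"
    if z:
        return "invalid-0A" if a else "invalid-0"
    return "dropped 2" if a else "dropped"


def classify_rst(tcp_header):
    """(quirks, state) for a raw TCP header, or None if it is not a RST."""
    quirks = rst_quirks(tcp_header)
    if quirks is None:
        return None
    return quirks, rst_state(quirks)


# Constructed samples (not captured traffic), one per case described above.
SAMPLES = {
    # a proper "connection refused": RST+ACK, SEQ 0, ACK = our SEQ + 1
    "refused":     build_tcp_header(0, 0x1A2B3C4E, TH_RST | TH_ACK),
    # the BayTech-style reset: RST+ACK with both numbers zero (K, 0, Q)
    "bad refused": build_tcp_header(0, 0, TH_RST | TH_ACK),
    # the Cisco-style reset: ACK flag set on what should be a plain RST
    "cisco":       build_tcp_header(0x11223344, 0x55667788, TH_RST | TH_ACK),
    # a proper "connection dropped": bare RST, ACK number zeroed
    "dropped":     build_tcp_header(0x11223344, 0, TH_RST),
    # the Windows variant: bare RST with ACK copied from SEQ (A and Q)
    "dropped 2":   build_tcp_header(0xDEADBEEF, 0xDEADBEEF, TH_RST),
    # a SYN, to show that non-resets are rejected rather than mislabelled
    "not a rst":   build_tcp_header(0x11223344, 0, TH_SYN),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:12s} -> {classify_rst(hdr)}")
```

# Running it prints one line per sample; note that the "dropped 2" case
# picks up both A and Q, which is exactly the QA combination the Windows
# XP/2000 entries below carry, while the all-zero RST+ACK comes out as
# invalid-K0 with a Q on top.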
#
# IMPORTANT INFORMATION ABOUT DIFFERENCES IN COMPARISON TO p0f.fp:
# ----------------------------------------------------------------
#
# - Packet size may be wildcarded. The meaning of wildcard is, however,
#   hardcoded as 'size > PACKET_BIG' (defined as 100 in config.h). This is
#   because some stupid devices (including Ciscos) tend to send back RST
#   packets quoting anything you have sent them in the ACK packet previously.
#   Use sparingly, only if -X confirms the device actually bounces back
#   whatever you send.
#
# - A new quirk, 'K', is introduced to denote RST+ACK packets (as opposed
#   to plain RST). This quirk is only compatible with this mode.
#
# - A new quirk, 'Q', is used to denote SEQ number equal to ACK number.
#   This happens from time to time in RST and RST+ACK packets, but
#   is practically unheard of in other modes.
#
# - A new quirk, '0', is used to denote packets with SEQ number set to 0.
#   This happens on some RSTs, and is once again unheard of in other modes.
#
# - 'D' quirk is not a bug; some devices send verbose text messages
#   describing why a connection got dropped; it's actually suggested
#   by RFC1122. Of course, some systems have their own standards, and
#   put all kinds of crap in their RST responses (including FreeBSD and
#   Cisco). Use -X to examine those values.
#
# - 'A' and 'T' quirks are not an anomaly in certain cases for the reasons
#   described in p0fa.fp.
#

################################
# Connection refused - RST+ACK #
################################

0:255:0:40:.:K0A:Linux:2.0/2.2 (refused)
0:64:1:40:.:K0A:FreeBSD:4.8 (refused)
0:64:1:40:.:K0ZA:Linux:recent 2.4 (refused)

0:128:0:40:.:K0A:Windows:XP/2000 (refused)
0:128:0:40:.:K0UA:-Windows:XP/2000 while browsing (refused)

######################################
# Connection dropped / timeout - RST #
######################################

0:64:1:40:.:.:FreeBSD:4.8 (dropped)
0:255:0:40:.:.:Linux:2.0/2.2 or IOS 12.x (dropped)
0:64:1:40:.:Z:Linux:recent 2.4 (dropped)
0:255:1:40:.:Z:Linux:early 2.4 (dropped)
0:32:0:40:.:.:Xylan:OmniSwitch / Linksys WAP11 AP (dropped)
0:64:1:40:.:U:NetIron:load balancer (dropped)

0:128:1:40:.:QA:Windows:XP/2000 (dropped 2)
0:128:1:40:.:A:-Windows:XP/2000 while browsing (1) (dropped 2)
0:128:1:40:.:QUA:-Windows:XP/2000 while browsing (2) (dropped 2)
0:128:1:40:.:UA:-Windows:XP/2000 while browsing a lot (dropped 2)
0:128:1:40:.:.:@Windows:98 (?) (dropped)

0:64:0:40:.:A:Ascend:TAOS or BayTech (dropped 2)

*:255:0:40:.:QA:Cisco:LocalDirector (dropped 2)

0:64:1:40:.:A:Hasbani:WindWeb (dropped 2)
S23:255:1:40:.:.:Solaris:2.5 (dropped)

#######################################################
# Connection dropped / timeout - RST with description #
#######################################################

0:255:1:58:.:D:MacOS:9.x "No TCP/No listener" (seldom SunOS 5.x) (dropped)
0:255:1:53:.:D:MacOS:8.5 "no tcp, reset" (dropped)
0:255:1:65:.:D:MacOS:X "tcp_close, during connect" (dropped)
0:255:1:54:.:D:MacOS:X "tcp_disconnect" (dropped)
0:255:1:62:.:D:HP/UX:? "tcp_fin_wait_2_timeout" (dropped)
32768:255:1:54:.:D:MacOS:8.5 "tcp_disconnect" (dropped)
0:255:1:63:.:D:@Unknown: "Go away" device (dropped)

0:255:0:62:.:D:SunOS:5.x "new data when detached" (1) (dropped)
32768:255:1:62:.:D:SunOS:5.x "new data when detached" (2) (dropped)
0:255:1:67:.:D:SunOS:5.x "tcp_lift_anchor, can't wait" (dropped)

0:255:0:46:.:D:HP/UX:11.00 "No TCP" (dropped)

# More obscure ones:
# 648:255:1:54:.:D:MacOS:??? "tcp_disconnect" (dropped)
# 0:45:1:53:.:D:MacOS:7.x "no tcp, reset" (dropped)

##############################################
# Connection dropped / timeout - broken RSTs #
##############################################

S12:255:1:58:.:KAD:Solaris:2.x "tcp_disconnect" (dropped, lame)
S43:64:1:40:.:KA:AOL:proxy (dropped, lame)
*:64:1:40:.:KA:FreeBSD:4.8 (dropped, lame)
*:64:1:52:N,N,T:KAT:Linux:2.4 (?) (dropped, lame)
0:255:0:40:.:KAF:3Com:SuperStack II (dropped, lame)
*:255:0:40:.:KA:Intel:Netport print server (dropped, lame)
*:150:0:40:.:KA:Linksys:BEF router (dropped, lame)

*:32:0:44:.:KZD:@NetWare:??? "ehnc" (dropped, lame)
0:64:0:40:.:KQ0:BayTech:RPC-3 telnet host (dropped, lame)

#############################################
# Connection dropped / timeout - extra data #
#############################################

*:255:0:*:.:KAD:Cisco:IOS/PIX NAT + data (1) (dropped, lame)
0:255:0:*:.:D:Windows:NT 4.0 SP6a + data (dropped)
0:255:0:*:.:K0AD:Isolation:Infocrypt accelerator + data (dropped, lame)

*:255:0:*:.:AD:Cisco:IOS/PIX NAT + data (2) (dropped)

*:64:1:*:N,N,T:KATD:Linux:2.4 (?) + data (dropped, lame)
*:64:1:*:.:KAD:FreeBSD:4.8 + data (dropped, lame)

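#
# To make the entry format and the matching rules concrete, here is an
# added Python example (not p0f's code and not part of this file) that
# parses lines in the wss:ttl:df:size:options:quirks:genre:details form
# used above and matches observed resets against them. It honours the
# '*' window wildcard, the 'Snn' multiple-of-MSS window form, the '*'
# size wildcard (size > PACKET_BIG, i.e. 100) and a TTL distance check.
# MAXDIST = 40 hops and the fallback MSS of 1460 for a reset that carries
# no MSS option are assumptions about p0f's behaviour, not values taken
# from this file; the database excerpt and the observed packets are
# constructed inline.

```python
import re

PACKET_BIG = 100     # config.h: a '*' packet size means "bigger than this"
MAXDIST = 40         # assumed: p0f's MAXDIST, the most hops a TTL may have lost
DEFAULT_MSS = 1460   # assumed: MSS used for 'Snn' windows when the RST carries none

# A handful of entries copied from the sections above; a real run would read p0fr.fp.
SAMPLE_DB = """\
# comments and blank lines are skipped
0:255:0:40:.:K0A:Linux:2.0/2.2 (refused)
0:128:0:40:.:K0A:Windows:XP/2000 (refused)
0:128:1:40:.:QA:Windows:XP/2000 (dropped 2)
*:255:0:40:.:QA:Cisco:LocalDirector (dropped 2)
S23:255:1:40:.:.:Solaris:2.5 (dropped)
*:64:1:52:N,N,T:KAT:Linux:2.4 (?) (dropped, lame)
*:255:0:*:.:KAD:Cisco:IOS/PIX NAT + data (1) (dropped, lame)
"""


def parse_db(text):
    """Parse wss:ttl:df:size:options:quirks:genre:details lines into dicts.
    Splitting on at most 7 colons keeps any ':' inside the free-text details."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 7)
        if len(fields) != 8:
            raise ValueError(f"line {lineno}: expected 8 colon-separated fields")
        wss, ttl, df, size, opts, quirks, genre, details = fields
        if not re.fullmatch(r"\*|S\d+|\d+", wss):
            raise ValueError(f"line {lineno}: unsupported window spec {wss!r}")
        sigs.append({
            "wss": wss, "ttl": int(ttl), "df": int(df),
            "size": None if size == "*" else int(size),   # None = '*' = size > PACKET_BIG
            "opts": opts,
            # quirks compare as a set: the letter order in the file is irrelevant
            "quirks": frozenset() if quirks == "." else frozenset(quirks),
            "genre": genre, "details": details,
        })
    return sigs


def match_wss(spec, wss, mss):
    """'*' matches anything, 'Snn' means nn times the MSS, otherwise exact."""
    if spec == "*":
        return True
    if spec.startswith("S"):
        return wss == int(spec[1:]) * mss
    return wss == int(spec)


def matches(sig, pkt):
    """Does one database entry describe the observed reset?"""
    mss = pkt.get("mss") or DEFAULT_MSS
    # the entry lists the initial TTL; the observed one may have lost up to MAXDIST hops
    ttl_ok = pkt["ttl"] <= sig["ttl"] and sig["ttl"] - pkt["ttl"] < MAXDIST
    size_ok = pkt["size"] > PACKET_BIG if sig["size"] is None else pkt["size"] == sig["size"]
    pkt_quirks = frozenset() if pkt["quirks"] in (".", "") else frozenset(pkt["quirks"])
    return (ttl_ok and size_ok
            and match_wss(sig["wss"], pkt["wss"], mss)
            and sig["df"] == pkt["df"]
            and sig["opts"] == pkt["opts"]
            and sig["quirks"] == pkt_quirks)


def lookup(sigs, pkt):
    """All (genre, details) pairs the packet matches; [] means p0f would say UNKNOWN."""
    return [(s["genre"], s["details"]) for s in sigs if matches(s, pkt)]


DB = parse_db(SAMPLE_DB)

# Constructed observations (not captures): wss, ttl, df, total size, options, quirks.
PKT_LINUX_REFUSED = dict(wss=0, ttl=250, df=0, size=40, opts=".", quirks="K0A")
PKT_LOCALDIRECTOR = dict(wss=12345, ttl=251, df=0, size=40, opts=".", quirks="AQ")
PKT_SOLARIS       = dict(wss=23 * 1460, ttl=255, df=1, size=40, opts=".", quirks=".")
PKT_CISCO_BOUNCE  = dict(wss=777, ttl=243, df=0, size=140, opts=".", quirks="KAD")
PKT_CISCO_SMALL   = dict(wss=777, ttl=243, df=0, size=90, opts=".", quirks="KAD")

if __name__ == "__main__":
    for name, pkt in [("linux", PKT_LINUX_REFUSED), ("localdirector", PKT_LOCALDIRECTOR),
                      ("solaris", PKT_SOLARIS), ("cisco+data", PKT_CISCO_BOUNCE),
                      ("cisco small", PKT_CISCO_SMALL)]:
        print(f"{name:14s} -> {lookup(DB, pkt) or 'UNKNOWN'}")
```

# Two things worth noticing when running it: the LocalDirector packet
# carries the WSS of 12345 that test/sendack.c sends, which is the echo
# the header warns about, and it only matches because that entry wildcards
# the window; and the Cisco "+ data" entry matches the 140-byte reset but
# not the 90-byte one, because a wildcarded size means strictly larger
# than PACKET_BIG, not "any size".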