Hi Jeff.

On Tue, Jul 01, 2008 at 09:32:47AM -0400, Jeff Garzik (jeff@xxxxxxxxxx) wrote:
> It sure would be nice for regular socket applications to have an easy,
> unprivileged way to query the OS fingerprint information of a given socket.
>
> Speaking purely from a userspace application API perspective, it would
> be most useful for an app to be able to stop OSF collection, start OSF
> collection, and query OSF stats. start/stop would be a refcount that
> disables in-kernel OSF when not in use.
>
> To present a specific use case: I would like to know if incoming SMTP
> connections are Windows or not. That permits me to better determine if
> the incoming connection is a hijacked PC or not -- it becomes a useful
> factor in spamassassin scoring.
>
> In this case, incoming SMTP is -always- TCP, thus being a TCP-specific
> module is not a problem. You cover a huge swath of apps even if the
> module is TCP-specific.
>
> Another use case is validating whether a browser is "lying" about its
> OS, when parsing HTTP user-agent info, or in general when any remote
> agent is "lying" about its OS. Security software can use that as an
> additional red-flag factor.

It is possible right now in OSF: it sends a netlink notification to
userspace about the received and matched packet. We can even think some
more about a reverse channel, to inform the kernel about some steps for
this match; it requires root privileges though. It can also be done via
a different channel (like running a script to install an iptables rule).

-- 
Evgeniy Polyakov

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
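The data OSF matches on, and the "is this SMTP client Windows or not" check Jeff describes, can be seen end to end on a single TCP SYN. The following is an added example written for this page; it is not OSF's code, not p0f's code, and not part of this thread. It parses a raw IPv4/TCP SYN with bounds-checked option walking, builds a p0f-style signature (window:initial-TTL:DF:option-order), and applies a deliberately small, illustrative two-entry classification (the Windows XP-era "M,N,N,S" shape with a 64K window and TTL 128, and the Linux 2.6-era timestamp+window-scaling shape with TTL 64). The function names, the sample packets (checksums left zero) and the classification rules are all assumptions made here; a real deployment would use the OSF/p0f fingerprint database and the kernel's netlink notification instead of parsing in userspace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a TCP SYN that passive OS fingerprinters (OSF, p0f) key on. */
struct syn_fp {
    uint8_t  ttl;           /* IP TTL as seen on the wire */
    int      df;            /* IP "don't fragment" bit */
    uint16_t window;        /* TCP window size */
    uint16_t mss;           /* MSS option value, 0 if absent */
    int      wscale;        /* window scale shift, -1 if absent */
    int      sack_ok;       /* SACK-permitted option present */
    int      timestamp;     /* timestamp option present */
    char     opt_order[64]; /* option layout in p0f letters, e.g. "M,N,N,S" */
};

static void add_opt(struct syn_fp *fp, char c)
{
    size_t n = strlen(fp->opt_order);
    if (n + 2 >= sizeof fp->opt_order) return;
    if (n) fp->opt_order[n++] = ',';
    fp->opt_order[n++] = c;
    fp->opt_order[n] = '\0';
}

/* Parse an IPv4+TCP packet. Returns 1 and fills fp for a pure SYN, 0 otherwise
 * (non-IPv4, non-TCP, not a SYN, truncated, or malformed TCP options). */
int parse_syn(const uint8_t *pkt, size_t len, struct syn_fp *fp)
{
    memset(fp, 0, sizeof *fp);
    fp->wscale = -1;
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return 0;   /* protocol 6 = TCP */
    fp->ttl = pkt[8];
    fp->df  = (pkt[6] & 0x40) != 0;

    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff) return 0;
    if ((tcp[13] & 0x12) != 0x02) return 0;                     /* SYN set, ACK clear */
    fp->window = (uint16_t)((tcp[14] << 8) | tcp[15]);

    /* Walk TCP options; every length byte is checked against the data offset. */
    size_t i = 20;
    while (i < doff) {
        uint8_t kind = tcp[i];
        if (kind == 0) { add_opt(fp, 'E'); break; }             /* end of list */
        if (kind == 1) { add_opt(fp, 'N'); i++; continue; }     /* NOP */
        if (i + 1 >= doff) return 0;                            /* no length byte */
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > doff) return 0;              /* bad length */
        if (kind == 2 && olen == 4) { fp->mss = (uint16_t)((tcp[i+2] << 8) | tcp[i+3]); add_opt(fp, 'M'); }
        else if (kind == 3 && olen == 3) { fp->wscale = tcp[i+2]; add_opt(fp, 'W'); }
        else if (kind == 4 && olen == 2) { fp->sack_ok = 1; add_opt(fp, 'S'); }
        else if (kind == 8 && olen == 10) { fp->timestamp = 1; add_opt(fp, 'T'); }
        else add_opt(fp, '?');
        i += olen;
    }
    return 1;
}

/* Initial TTL guess: the next common default (64, 128, 255) at or above the observed TTL. */
int initial_ttl(uint8_t ttl)
{
    if (ttl <= 64) return 64;
    if (ttl <= 128) return 128;
    return 255;
}

/* Illustrative classification only (assumption, not a real fingerprint database). */
const char *guess_os(const struct syn_fp *fp)
{
    int ittl = initial_ttl(fp->ttl);
    if (ittl == 128 && fp->window == 65535 && strcmp(fp->opt_order, "M,N,N,S") == 0)
        return "windows";
    if (ittl == 64 && fp->timestamp && fp->wscale >= 0 && fp->sack_ok)
        return "linux";
    return "unknown";
}

/* p0f-style signature "window:initial_ttl:df:options"; "invalid" if not a parsable SYN. */
const char *signature_of(const uint8_t *pkt, size_t len)
{
    static char buf[96];
    struct syn_fp fp;
    if (!parse_syn(pkt, len, &fp)) return "invalid";
    snprintf(buf, sizeof buf, "%u:%d:%d:%s", fp.window, initial_ttl(fp.ttl), fp.df, fp.opt_order);
    return buf;
}

const char *classify(const uint8_t *pkt, size_t len)
{
    struct syn_fp fp;
    return parse_syn(pkt, len, &fp) ? guess_os(&fp) : "invalid";
}

/* Constructed sample SYNs to port 25 (not real captures; checksums are zero). */
static const uint8_t syn_winxp_like[] = {
    0x45,0x00,0x00,0x30, 0x12,0x34,0x40,0x00, 0x80,0x06,0x00,0x00,   /* TTL 128, DF */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0xd2,0x00,0x19, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x70,0x02,0xff,0xff, 0x00,0x00,0x00,0x00,                       /* doff 28, SYN, win 65535 */
    0x02,0x04,0x05,0xb4, 0x01,0x01, 0x04,0x02                        /* MSS 1460, NOP, NOP, SACK */
};
static const uint8_t syn_linux_like[] = {
    0x45,0x00,0x00,0x3c, 0x56,0x78,0x40,0x00, 0x40,0x06,0x00,0x00,   /* TTL 64, DF */
    0x0a,0x00,0x00,0x03, 0x0a,0x00,0x00,0x02,
    0x04,0xd3,0x00,0x19, 0x00,0x00,0x00,0x02, 0x00,0x00,0x00,0x00,
    0xa0,0x02,0x16,0xd0, 0x00,0x00,0x00,0x00,                       /* doff 40, SYN, win 5840 */
    0x02,0x04,0x05,0xb4, 0x04,0x02, 0x08,0x0a,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
    0x01, 0x03,0x03,0x07                                             /* NOP, WS 7 */
};
/* Same as the Windows-like SYN but with an MSS option length that overruns the header. */
static const uint8_t syn_bad_opt[] = {
    0x45,0x00,0x00,0x30, 0x12,0x34,0x40,0x00, 0x80,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x04,0xd2,0x00,0x19, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x70,0x02,0xff,0xff, 0x00,0x00,0x00,0x00,
    0x02,0x09,0x05,0xb4, 0x01,0x01, 0x04,0x02
};

int main(void)
{
    printf("%s -> %s\n", signature_of(syn_winxp_like, sizeof syn_winxp_like), classify(syn_winxp_like, sizeof syn_winxp_like));
    printf("%s -> %s\n", signature_of(syn_linux_like, sizeof syn_linux_like), classify(syn_linux_like, sizeof syn_linux_like));
    printf("%s -> %s\n", signature_of(syn_bad_opt, sizeof syn_bad_opt), classify(syn_bad_opt, sizeof syn_bad_opt));
    return 0;
}
```

The malformed third packet is the case a userspace consumer has to get right: an option length that overruns the TCP header must reject the packet rather than read past it, which is also why Jeff's use case is better served by the kernel doing the match and handing userspace only the verdict over netlink.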