Saturday, July 21, 2007

Fl0p - Passive L7 Flow Fingerprinter

Checking back my old posts and I just figured out I have this post in my saved draft and never be posted online. It's all about identifying the flow by fingerprinting the application bytes in packets exchange of the connection stream. Thanks to Michal Zalewski who writes this tool called Fl0p, from the description -

fl0p is a passive L7 flow fingerprinter that examines TCP/UDP/ICMP packet sequences, can peek into cryptographic tunnels, can tell human beings and robots apart, and performs a couple of other infosec-related tricks.

If you are on FreeBSD, you can just install it via package/port system, but for gentoo users, you will have to install via source -


shell>tar xvzf fl0p-devel.tgz

shell>cd fl0p


./Build all
Your system type is: FreeBSD

Please help with p0f 2:

GNU make not found; failing back to regular (BSD?) make.
gcc -g -ggdb -Wall -DUSE_BPF=\"net/bpf.h\" -I/usr/include/pcap -I/usr/local/include/pcap -I/usr/local/include -o fl0p fl0p.c crc32.c -lpcap
strip fl0p 2>/dev/null || true

Running fl0p -

shell>./fl0p -h

Usage: ./fl0p [ -f file ] [ -i device ] [ -s file ] [ -o file ]
[ -u user ] [ -e ms ] [ -T ms ] [ -FUKrqvpdtl ] [ 'filter rule' ]
-f file - read fingerprints from file
-i device - listen on this device
-s file - read packets from tcpdump snapshot
-o file - write to this logfile (implies -t)
-u user - chroot and setuid to this user
-e ms - pcap capture timeout in milliseconds (1)
-q ms - packet timing threshold in milliseconds (400)
-F - disable fuzzy matching on all signatures
-U - display fingerprints for unidentified streams
-K - do not display known signatures (implies -U)
-r - resolve host names (not recommended)
-q - be quiet - no banner
-v - enable support for 802.1Q VLAN frames
-p - switch card to promiscuous mode
-d - daemon mode (fork into background)
-t - add timestamps to every entry
-l - output concise 1-line output

'Filter rule' is an optional pcap-style BPF expression (man tcpdump).

To automatically generate signatures for certain traffics, I decided to run the commands below -

shell>./fl0p -i sk0 -o /nsm/fl0p-logs/smtp-gather -t -l -U -d 'port 25'

shell>./fl0p -i sk0 -o /nsm/fl0p-logs/http-gather -t -l -U -d 'port 80'

shell>./fl0p -i sk0 -o /nsm/fl0p-logs/ssh-gather -t -l -U -d 'port 22'

I'm currently having a lot of signatures collected but having no time to examine about them yet, guess I need some spare time for that.

No comments: