
fl0p - passive flow fingerprinter (0.0.1-beta)
----------------------------------------------

Copyright (C) 2006 by Michal Zalewski <lcamtuf@coredump.cx>

Fl0p is a tool capable of performing passive fingerprinting of layer 7 
traffic based on the analysis of packet flow characteristics (size ratios, 
delays, ordering) alone, without the inspection of payload signatures or 
port numbers.

This approach differs from the techniques used by most other passive 
sniffers and mappers, and is advantageous in several interesting ways:

  - General flow behavior remains largely unchanged regardless of whether
    cryptographic tunnels or other obfuscation techniques are used. As
    such, backdoors or firewall evasion techniques that for example
    use SSL on port 443, can be told apart from browser traffic, and
    further investigated.

  - General insight into legitimate encrypted sessions can be gained; for
    example, it is possible to remotely tell successful and failed SSH 
    authentication attempts apart, and react accordingly.

  - Human actions can be told apart from automated efforts: it is possible
    to ignore SMTP client programs, but single out humans manually 
    interacting with the server on port 25; similarly, automated SSH
    login attempts can be told apart from human actions.

Well, that's all. Information on what is checked, and a primer on how to 
collect new fingerprints, can be found in the supplied fl0p.fp file.
Since this is a beta version, there won't be much documentation, but
feel free to ping me with any questions or comments.

Before someone writes up a "research" paper on this: yes, fl0p can be
trivially bypassed. It does no stateful stream inspection, so an
RST with an invalid checksum, a clever fragmentation scheme, or even
a simple retransmission may all throw it off. Still, the idea is to 
catch as much valuable information as possible, and for that it will 
work fine.

Since fl0p is derived from the p0f codebase, it should compile on Linux,
*BSD, MacOS X, AIX, and within Cygwin; but I haven't verified them all.

Accepted command-line switches:

  -f file   - read fingerprints from file (default is ~/fl0p.fp; on
              unix systems, /etc/fl0p/ is checked in addition to ~).

  -i device - listen on a specified device; modern systems should
              support 'all' for listening on all devices at once, 
              but not all do; also, VLAN tag support may not work
              there.

  -s file   - read packets from a tcpdump snapshot; this is a
              function to facilitate integration of fl0p with other
              packet loggers, for example for forensic analysis.

  -o file   - write output to a specified logfile (implies -t); this
              is required when operating fl0p in daemon mode.

  -u user   - chroot and setuid to this user (unix only); allows fl0p
              to be safely executed with no root privileges.
 
  -e ms     - pcap capture timeout in milliseconds (default: 1);
              useful on some slow systems, should you notice that
              not all packets are being processed by fl0p.

  -q ms     - packet timing threshold in milliseconds (default: 200);
              packets that arrive at intervals below that threshold are
              considered to be automatically generated; when this
              threshold is exceeded, user interaction or more
              sophisticated program I/O is assumed, and the gap is
              marked in the signature. You will want to lower this value
              for local networks and fast links (where 20-50 should
              suffice).

  -F        - disable fuzzy matching on all signatures; normally, you
              should control fuzzy matching by adding a special keyword
              to individual signatures; but in some cases, particularly
              when trying to add a new signature for a known variant
              or encapsulation previously covered by a fuzzy hit, this
              option may come in handy.

  -U        - display fingerprints for unidentified streams; this is
              necessary if you want to collect new signatures. For
              every closed or timed-out session that matched no known
              signature, a fingerprint is displayed.

  -K        - do not display known signatures (implies -U) - same,
              only more hardcore.

  -r        - resolve host names (not recommended); DNS is slow and
              may introduce security bugs, so don't use it in 
              daemon mode.

  -q        - be quiet - skip banners and statistics.

  -v        - enable support for 802.1Q VLAN frames (Ethernet only).

  -p        - switch card to promiscuous mode; won't do you much
              good in typical switched environments today.

  -d        - daemon mode (fork into background) - best combined with
              -u (unix only).

  -t        - add timestamps to every entry (implied by -d); use
              several times to go through various timestamp modes.

  -l        - output concise 1-line output that can be easily
              processed with shell tools.

  -L        - list all network interfaces (Windows only).

  'Filter rule' is an optional pcap-style BPF expression (man tcpdump),
  for example 'not host 1.2.3.4' or 'dst net 1.2.3.0 mask 255.255.255.0'.
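To make the flow-only approach and the -q timing threshold concrete, here is an
added example (not fl0p's own code, and not its signature format) that reduces a
constructed packet trace to direction, size and inter-arrival delay, and flags
every gap above the threshold as probable human or interactive program I/O. The
Pkt record and the comma-separated fingerprint string are assumptions made for
this illustration.

```python
# Added illustration of the -q timing threshold: packets are reduced to
# direction, size and inter-arrival gap; gaps above the threshold are
# flagged as likely human/program interaction. The record format and the
# fingerprint string are constructed for this example, not fl0p's own.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Pkt:
    ts_ms: float   # capture timestamp in milliseconds
    client: bool   # True if sent client -> server, False if server -> client
    size: int      # payload bytes (the only content property we look at)


def flow_fingerprint(pkts: List[Pkt], q_ms: float = 200.0) -> Tuple[str, int]:
    """Return (fingerprint, interactive_gaps).

    Each element is 'C<size>' or 'S<size>' in arrival order; an element is
    prefixed with '+' when the delay since the previous packet exceeds q_ms,
    i.e. when the sender is assumed not to be a tight automated loop.
    No payload bytes or port numbers are consulted.
    """
    parts = []
    interactive = 0
    prev_ts = None
    for p in pkts:
        tag = ("C" if p.client else "S") + str(p.size)
        if prev_ts is not None and p.ts_ms - prev_ts > q_ms:
            tag = "+" + tag
            interactive += 1
        parts.append(tag)
        prev_ts = p.ts_ms
    return ",".join(parts), interactive


# Constructed sample trace on a fast link: a short automated handshake,
# a 60 ms gap, then two pauses long enough to look like a person typing.
SAMPLE = [
    Pkt(0, True, 21),
    Pkt(8, False, 40),
    Pkt(12, True, 52),
    Pkt(25, False, 52),
    Pkt(85, True, 48),     # 60 ms gap: only "interactive" at a LAN-sized -q
    Pkt(900, True, 36),    # ~0.8 s pause
    Pkt(905, False, 36),
    Pkt(1150, True, 32),   # ~0.25 s pause
]

if __name__ == "__main__":
    for q in (200, 20):
        print(q, flow_fingerprint(SAMPLE, q))
```

Running it with the default 200 ms threshold marks two gaps; lowering it to 20 ms, as the -q description suggests for local networks, also catches the 60 ms gap, which is why the threshold must be tuned to link latency before human and automated flows can be told apart reliably.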

